On 12/16/23 02:47, Stephen J. Turnbull wrote:
> You say elsewhere that you know which IP addresses are currently causing the problem. I'm with Dmitri, just use iptables (or whatever native packet filter is available if it's so old it doesn't have iptables). I assume you just want them to go away period, right? For iptables, just su or sudo and
>
> /usr/sbin/iptables -A INPUT -p tcp -j DROP -s 999.888.777.666/32
>
> does the trick for the various bots that were hammering on my Django site.
I don't think CentOS existed back when iptables didn't. ;) Firewalld is an attempt to add a "Windows Defender"-type UI to iptables; it's the wrong tool for this job.
Iptables has a "recent" module (usually in an "extensions" package) that can be used to auto-block IPs that create too many connections too fast (DoS pattern); see e.g. https://unix.stackexchange.com/questions/110453/how-to-block-ssh-brute-force...
Fail2ban monitors log files and can potentially detect more/smarter patterns than just too many connections per time quantum, as above. It comes with a couple of pre-defined pattern matches for Apache (never used those myself): https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-se...
The main problem with either of the above in this case, is that several subscription requests will get through before the pattern is detected and the bot is blocked.
Captcha would be my first line of defense. I keep hearing about bots getting smarter than humans at solving captchas, and I am getting increasingly skeptical about captcha "services" by the likes of Google and Cloudflare, so I'd go "belt and suspenders" and add fail2ban for the smart bots that get past captcha.
Dima
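The fail2ban-style detection Dima describes, as an added example that is not part of this thread and not code from fail2ban, iptables or the list software: a sliding-window count of POSTs per source IP over Apache combined-format log lines, which flags an IP once it reaches the threshold and renders a DROP rule in the form Stephen used. The log lines are constructed, the endpoint path `/subscribe`, the thresholds and the port are assumptions, and the function only returns the rule strings rather than running iptables. The `hits_before_block` value it returns is the point made above: the application has already accepted that many requests by the time the pattern trips.

```python
"""Flag IPs hammering a subscription endpoint and emit DROP rules.

Added example for this thread; not code from the thread, fail2ban,
iptables or any list software. Log lines are constructed; the path,
thresholds and port are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_offenders(lines, path="/subscribe", max_hits=5,
                   window=timedelta(seconds=60)):
    """Sliding-window rate check per source IP, fail2ban style.

    An IP is flagged as soon as it has made `max_hits` POSTs to `path`
    within `window`. Returns {ip: (detected_at, hits_before_block)}:
    hits_before_block is how many POSTs the application had already
    accepted when the block fired. Lines after detection are ignored,
    mirroring packets dropped by a firewall rule.
    """
    recent = defaultdict(deque)   # ip -> timestamps of hits still inside window
    accepted = defaultdict(int)   # ip -> POSTs that reached the application
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip junk lines rather than crash on them
        ip, ts, method, req_path, _status = parsed
        if ip in offenders or method != "POST" or req_path != path:
            continue
        accepted[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire hits outside the window
            q.popleft()
        if len(q) >= max_hits:
            offenders[ip] = (ts, accepted[ip])
    return offenders


def iptables_rules(offenders, iptables="/usr/sbin/iptables", dport=80):
    """Render one DROP rule per flagged IP (strings only; nothing is run)."""
    return [f"{iptables} -I INPUT -p tcp --dport {dport} -s {ip}/32 -j DROP"
            for ip in sorted(offenders)]


# Constructed sample log (not real traffic). 203.0.113.7 fires six POSTs in
# under 30 s; 198.51.100.9 posts five times but two minutes apart;
# 192.0.2.44 only fetches a page; one line is junk.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2023:02:50:01 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Dec/2023:02:50:02 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Dec/2023:02:50:03 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2023:02:50:05 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Dec/2023:02:50:06 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2023:02:50:09 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is not a log entry
203.0.113.7 - - [16/Dec/2023:02:50:14 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2023:02:50:20 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2023:02:50:27 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Dec/2023:02:51:00 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Dec/2023:02:53:00 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Dec/2023:02:55:00 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Dec/2023:02:57:00 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Dec/2023:02:59:00 +0000] "POST /subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines())
    for ip, (when, n) in found.items():
        print(f"{ip}: flagged at {when:%H:%M:%S} after {n} accepted POSTs")
    for rule in iptables_rules(found):
        print(rule)
```

With the defaults only 203.0.113.7 is flagged, and only after five of its POSTs have been accepted; widening the window to ten minutes also catches the slow poster 198.51.100.9, while a five-second window catches nobody, which is the tuning trade-off behind any "too many per time quantum" rule.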