@prologic@twtxt.net I’d say give crowdsec a try but I know for sure you prefer your own WAF … 😅
@aelaraji@aelaraji.com Tell me more? How does this work?
@prologic@twtxt.net The main thing that I thought of is that whoever is abusing your services must be a well-known actor (by range/set of IPs) that got reported by other Crowdsec users. So to my simpleton’s understanding, your reverse-proxy/web server passes the requests by crowdsec for processing, they get banned for $N hours if the source has already been blacklisted by the community or violates any of a set of behavior-based rules (and even more hours for repeat offenders); otherwise the requests/responses go as per usual. Not sure if I got things right but this might help paint a better picture of the process.
@aelaraji@aelaraji.com Yeah, and I think I can basically pull the crowdsec rules every N interval, right, and use this to make blocking decisions? – I’ve actually considered this part of a completely new WAF design that I just haven’t built yet (just designing it).
@prologic@twtxt.net The periodic blacklist updates will be done automatically in the background. As for the different processing mechanisms (rules, collections of rules, remediation …etc), you just install/add the pre-made ones from the hub and call it a day; they’ll get periodic updates when needed. But you could easily create and add your own in case you want to block or white-list a specific behavior.
@aelaraji@aelaraji.com I think I’ll just end up using the Official CrowdSec Go library 🤔