A while back I wrote a little daemon that blocks, at the firewall level, any IP address that makes a request to it. On its own that is useless; it only makes sense behind a reverse proxy like Varnish, with rules that detect certain kinds of bogus requests and hand them off to the daemon.

It was pretty hackish but has been working well for over a year. HTTP logs are a lot easier to digest now.

I spent some time today cleaning it up and changing it to use ipset(8) instead of ufw, so that more people can use it.

Blocking each IP address individually with ufw is pretty slow (it takes ~1s to block or unblock a single address!), so it has been nice to switch to ipset and block tens of thousands of addresses and networks (hundreds of thousands of individual IP addresses!) by loading a bunch of blocklists. ipset also has a per-entry timeout feature, so expiring old entries is taken care of for me as well.
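As an added illustration of why ipset is the better fit for bulk blocking (this is not the daemon's code, and the set name `blocked`, the 24-hour timeout and the blocklist format are assumptions): the script below turns a plain blocklist into an `ipset restore` payload, so the whole list lands in one call instead of one firewall invocation per address. It builds the entries into a temporary set and then `swap`s it into place, so the live set is never half-loaded, and the `timeout` on the set lets entries expire on their own. The sample blocklist is constructed inline; the real `ipset restore` and `iptables` calls only run with `--apply` and need root.

```shell
#!/bin/sh
# Added example, not the author's daemon. Generates an `ipset restore`
# script from a blocklist. Assumed names: set "blocked", temp set
# "blocked_tmp", default entry timeout of 86400 seconds.

# build_restore SET TIMEOUT < blocklist
# Reads one IPv4 address or CIDR per line (blank lines and '#' comments
# ignored, duplicates collapsed) and prints the restore script:
#   create SET and SET_tmp (with -exist so reruns are idempotent),
#   flush and fill SET_tmp, then atomically swap it into SET.
# Entries inherit the set's default timeout, so none is repeated per line.
build_restore() {
    set_name=$1
    timeout=$2
    tmp_set="${set_name}_tmp"
    printf 'create %s hash:net family inet timeout %s -exist\n' "$set_name" "$timeout"
    printf 'create %s hash:net family inet timeout %s -exist\n' "$tmp_set" "$timeout"
    printf 'flush %s\n' "$tmp_set"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
      | sort -u \
      | while IFS= read -r entry; do
            printf 'add %s %s\n' "$tmp_set" "$entry"
        done
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    printf 'destroy %s\n' "$tmp_set"
}

# Constructed sample blocklist standing in for a downloaded feed; it includes
# a comment, a duplicate, a junk line and a trailing comment on purpose.
SAMPLE_BLOCKLIST='# example feed
198.51.100.7
203.0.113.0/24
203.0.113.0/24   # duplicate, must collapse
not-an-address
192.0.2.10  # trailing comment
'

# sample_restore: the restore payload for the sample list (assumed names).
sample_restore() {
    printf '%s' "$SAMPLE_BLOCKLIST" | build_restore blocked 86400
}

if [ "${1:-}" = "--apply" ]; then
    # Needs root and the ipset binary: one restore call loads the whole set.
    sample_restore | ipset restore
    # A single iptables rule then covers every entry in the set, and ipset
    # drops expired entries without any further firewall calls.
    iptables -C INPUT -m set --match-set blocked src -j DROP 2>/dev/null \
      || iptables -I INPUT -m set --match-set blocked src -j DROP
fi
```

Run it without arguments (or source it and call `sample_restore`) to inspect the payload before applying it; with `--apply` it loads the set and installs the matching DROP rule. Swapping a fully built temporary set in, rather than adding to the live set directly, is what keeps a reload from ever leaving the firewall with a partially loaded list.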

My idea is to use some kind of P2P network so that multiple servers can share what they have learned with each other.

I'm not sure if I'll see this project to its conclusion, however; I've been taking a long break from tech in general.

But it has been a fun couple of hours working on this today. I needed the distraction after all the shit that has been going on in the world recently. :|