On Fri, Aug 23, 2024 at 12:54:20PM +0200, Joel Carnat wrote:
> I have a server which gets flooded with unsolicited HTTP requests. So far, I
> use relayd filters to identify those requests and block them, at relayd
> level. It works as they never reach the web server but relayd is still
> working to block them.
>
> I thought of parsing relayd logs to get those IPs and add them to a pf block
> table, using an automated script.

If the problem is that there are a lot of requests from the same hosts
coming in rapid-fire, it is possible that state tracking rules with
overloading could be the thing to try.

The other thing that comes to mind is to put together something that
parses the logs and adds offenders to a table of addresses that PF will
block. Something along the lines of what is described in
https://nxdomain.no/~peter/forcing_the_password_gropers_through_a_smaller_hole.html
(also prettified but tracked at
https://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html)
could be what you need (some assembly required, obviously).

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
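
The "state tracking rules with overloading" approach mentioned in the reply above, sketched as a pf.conf fragment. This is an added example, not part of the original message or the linked article; the table name `<webflood>`, the port list and the numeric limits are assumptions to tune against real traffic.

```conf
# Added example: table name, ports and limits are assumptions, not from the thread.
# "persist" keeps the table even when it is empty and no rule references it yet.
table <webflood> persist

# Drop everything from addresses already in the table. "quick" stops rule
# evaluation here, so the pass rule below is never reached for these hosts
# and relayd never sees their connections.
block in quick on egress from <webflood>

# Allow web traffic, with per-source limits tracked in the state table:
#   max-src-conn 50         at most 50 simultaneous TCP connections per source
#   max-src-conn-rate 30/10 at most 30 new connections per source in 10 seconds
#   overload <webflood>     a source exceeding either limit is added to the table
#   flush global            all existing states from that source are killed,
#                           including states created by other rules
pass in on egress proto tcp to port { 80 443 } \
    keep state (max-src-conn 50, max-src-conn-rate 30/10, \
    overload <webflood> flush global)

# The same table can also be fed by a log-parsing script, which is the
# second approach in the reply:
#   pfctl -t webflood -T add <address>
# Entries never leave the table on their own. Expire them from cron, e.g.
# everything added more than a day ago:
#   pfctl -t webflood -T expire 86400
```

These limits count TCP connections, not HTTP requests, so a client sending many requests over one keep-alive connection will not trip them, and many legitimate users behind one NAT address share a single budget. `pfctl -t webflood -T show` lists what has been caught, which is the check to run before tightening the numbers.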