cesium-ml / baselayer

Fully customizable (scientific, compute-intensive) web application template
http://cesium-ml.org/baselayer/

Dynamically Deny spammy IPs #292

Open profjsb opened 2 years ago

profjsb commented 2 years ago

Use crowdsec.net or fail2ban + bouncer to dynamically deny access to IP addresses that are scanning and/or trying to hack baselayer apps.

stefanv commented 2 years ago

I looked into it a bit, but this is not entirely straightforward to set up. We can potentially inspect the X-Forwarded-For header from the Google Cloud Load Balancer, but then we'd still need to serve those requests from nginx, albeit with something like a 403 Forbidden.

(Easier without cloud load balancer: then we can just run fail2ban as-is.)
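An added example, not part of the thread or of baselayer's code: a sketch of the X-Forwarded-For check discussed above, choosing which header entry to match against a deny list before answering 403. It assumes the Google Cloud external Application Load Balancer appends `<client-ip>, <lb-ip>` to the header; the function names, the deny list and the 400 response for a malformed header are hypothetical, and all addresses are constructed documentation ranges.

```python
import ipaddress

# Assumption: the load balancer appends "<client-ip>, <lb-ip>" to whatever
# X-Forwarded-For value the client sent, so only the last two entries are
# written by infrastructure we control. Everything to their left is
# client-supplied and must not be used for ban decisions.
APPENDED_BY_LB = 2

# Constructed deny list, standing in for what fail2ban or CrowdSec would export.
DENIED = [ipaddress.ip_network("203.0.113.0/24")]


def client_ip_from_xff(header, appended=APPENDED_BY_LB):
    """Return the peer address recorded by the load balancer, or None."""
    parts = [p.strip() for p in header.split(",") if p.strip()]
    if len(parts) < appended:
        return None  # request did not come through the load balancer
    try:
        return ipaddress.ip_address(parts[-appended])
    except ValueError:
        return None  # entry is not a valid IPv4/IPv6 address


def status_for(header, denied_networks):
    """HTTP status the front end would return for this request."""
    ip = client_ip_from_xff(header)
    if ip is None:
        return 400
    if any(ip in net for net in denied_networks):
        return 403
    return 200


if __name__ == "__main__":
    samples = [
        "203.0.113.9, 192.0.2.1",                 # banned client, no spoofing
        "198.51.100.50, 203.0.113.9, 192.0.2.1",  # banned client prepends a fake hop
        "203.0.113.9, 198.51.100.50, 192.0.2.1",  # clean client claims a banned address
        "garbage",                                # header not written by the LB
    ]
    for header in samples:
        print(status_for(header, DENIED), header)
```

Matching on the leftmost entry instead would let a banned client evade the deny list by prepending an arbitrary address, and would let any client get a third party's address recorded as the offender.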