Yeah..
I didn't mind doing it, it was a lot of work but I learned a lot and was a bit of fun playing whack-a-mole :lol: Frustrating mostly due to the amount of time things take.. Like everything takes 100x longer than it should. I'm so far behind with everything it's unreal.
The logs end up so big that you can only spot the largest attacks first.. You deal with them, go back the next day and same again.. And again. And again..
It's why I used AI to write scripts to look through the logs for stuff which doesn't match predictable patterns. Like if there's millions of 404s from similar IP ranges then every IP range is checked to see how many other odd things are going on.. Long story short, I have a list of what was blocked and why plus what was flagged as suspect for me to decide manually.
What I mostly see is just a small number of IP addresses that only hit the server a couple times a day and just not worth bothering with. I'm blocking like 99% of all known attacks. If an attack isn't caught with the current rules then I get a list of suspect IP addresses to either do a new rule or ignore them.
The server CPU is pretty much idle all the time now. Before it was maxing out a 4 core CPU trying to deal with all the traffic.
Only time the server may go down is during disk backups or kernel updates. It actually happens about once or twice a week.
I do keep an eye on things but people will have to let me know if the server is running slow constantly... It could mean something has got past my rules... But I haven't had to do any new rules for a while now. It's just a matter of "what's next" in the world of attacks..
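A worked version of the log-triage approach the post describes, added here as an example and not the poster's own scripts: it counts 404s per /24 range over constructed sample log lines, then checks ranges that stand out for other odd signals, and splits the result into a block list and a suspect list for manual review. The thresholds and the secondary signals (missing User-Agent, several hosts in one range) are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample lines in combined log format (TEST-NET addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.11 - - [01/May/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.12 - - [01/May/2024:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "-"
203.0.113.13 - - [01/May/2024:10:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "-"
198.51.100.5 - - [01/May/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [01/May/2024:10:00:06 +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.77 - - [01/May/2024:10:00:07 +0000] "GET /admin HTTP/1.1" 404 153 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse(log_text):
    """Yield (ip, method, path, status, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4)), m.group(5)

def triage(log_text, block_404s=3):
    """Count 404s per /24, flag standout ranges with other odd signals; returns (block, suspect)."""
    stats = defaultdict(lambda: {"404": 0, "total": 0, "ips": set(), "no_ua": 0})
    for ip, _method, _path, status, ua in parse(log_text):
        s = stats[str(ip_network(f"{ip}/24", strict=False))]
        s["total"] += 1
        s["ips"].add(ip)
        s["404"] += status == 404          # bool counts as 0/1
        s["no_ua"] += ua in ("-", "")
    block, suspect = {}, {}
    for net, s in stats.items():
        if not s["404"]:
            continue
        ratio = s["404"] / s["total"]
        odd = []                            # secondary signals beyond the 404 count
        if s["no_ua"]:
            odd.append(f"{s['no_ua']} requests with no User-Agent")
        if len(s["ips"]) > 1:
            odd.append(f"{len(s['ips'])} distinct hosts in the range")
        summary = f"{s['404']}/{s['total']} requests were 404"
        if s["404"] >= block_404s and ratio >= 0.9:
            block[net] = [summary] + odd    # clearly a scan: block the whole range
        elif odd and ratio >= 0.5:
            suspect[net] = [summary] + odd  # small but odd: decide manually
    return block, suspect
```

A normal client with a stray 404 (the 198.51.100.5 lines) matches neither rule and is ignored, which is the "not worth bothering with" case from the post.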
