fail2ban is good for preventing spam and DDOS on authenticated endpoints, but it’s harder to prevent attacks on public endpoints against a botnet or even a lazy proxy chain spam, which is why cloudflare adds some cookies and a buffer to handle a wave of new connections and maintain an address rank to drop any bad clients.
Although that being said, cloudflare can be bypassed via other timing tricks and even just using a specific request chain to get fresh cf cookies to avoid getting blocked.
Honest question, why the /s?
There was a pretty bad CVE a while back I vaguely recall
The fact that a CVE was found doesn’t make it bad
In fact I’d say if it is handled well, fixed in an appropriate way & communicated correctly, having a fixed CVE should be seen as a good thing.
The alternative, lying to yourself and all your users that your code is perfectly sculpted and reviewed by each godly entity, is not the way.
fail2ban is good for preventing spam and DDOS on authenticated endpoints, but it’s harder to prevent attacks on public endpoints against a botnet or even a lazy proxy chain spam, which is why cloudflare adds some cookies and a buffer to handle a wave of new connections and maintain an address rank to drop any bad clients.
Although that being said, cloudflare can be bypassed via other timing tricks and even just using a specific request chain to get fresh cf cookies to avoid getting blocked.