fail2ban is good for preventing spam and DDOS on authenticated endpoints, but it’s harder to prevent attacks on public endpoints against a botnet or even a lazy proxy chain spam, which is why cloudflare adds some cookies and a buffer to handle a wave of new connections and maintain an address rank to drop any bad clients.
Although that being said, cloudflare can be bypassed via other timing tricks and even just using a specific request chain to get fresh cf cookies to avoid getting blocked.
Honest question, why the /s?
fail2ban is good for preventing spam and DDOS on authenticated endpoints, but it’s harder to prevent attacks on public endpoints against a botnet or even a lazy proxy chain spam, which is why cloudflare adds some cookies and a buffer to handle a wave of new connections and maintain an address rank to drop any bad clients.
Although that being said, cloudflare can be bypassed via other timing tricks and even just using a specific request chain to get fresh cf cookies to avoid getting blocked.
There was a pretty bad CVE a while back I vaguely recall
The fact that a CVE was found doesn’t make it bad
In fact I’d say if it is handled well, fixed in an appropriate way & communicated correctly, having a fixed CVE should be seen as a good thing.
The alternative, lying to yourself and all your users that your code is perfectly sculpted and reviewed by each godly entity, is not the way.