First of all, I love Caddy and it has been very good so far!
Some (bad) bots regularly scan my public IP address or try to access HTTPS websites with broken SSL versions. Caddy handles them nicely but I wish I could put an end to it and keep my logs beautiful. I am using the ipfilter plugin but it only blocks IPs on existing websites, not for the public IP address for example.
I want to create a plugin with the following ideas:
- Store bad recurring remote IP addresses in a SQLite database
- Ban bad recurring remote IP addresses (permanently or temporarily)
- Evaluate how bad an IP address is depending on:
  - How often does it try to access unlisted SNI (such as with wildcard DNS or public IP)?
  - How often does it try to access unlisted HTTP hostname (such as with wildcard DNS or public IP)?
  - Is it static or dynamic: same pattern of attack?
  - How often does it try to access a website with a broken SSL version?
And I have the following questions:
- Does this plugin idea make any sense?
- If it does, do you have additional ideas on how to block/evaluate bad IP addresses?
- If it does, do you think it would rather be an HTTP Middleware plugin or a Listener Middleware or even an Event Hook plugin?
- If it does not make sense, what would you use instead as an alternative to solve this problem?
Thank you!
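
A sketch of the scoring and ban logic listed in the post, as an added Go example that is not part of the original post and not Caddy's or any plugin's code. The type and function names, the weights and the limits are assumptions, and an in-memory map stands in for the SQLite table.

```go
package main

import (
	"fmt"
	"time"
)

type Event int // bad-client event kinds taken from the post's list
const (
	UnlistedSNI Event = iota
	UnlistedHost
	BrokenTLS
)
var weight = map[Event]int{UnlistedSNI: 2, UnlistedHost: 2, BrokenTLS: 3} // assumed weights
const ( // assumed limits
	window    = 10 * time.Minute // score resets after this long
	threshold = 10               // windowed score that triggers a ban
	banTime   = time.Hour        // length of a temporary ban
	maxBans   = 3                // this many bans makes the ban permanent
)

type record struct { // per-IP state; a SQLite row could hold the same fields
	score, bans  int
	start, until time.Time
}
type Tracker map[string]record

func (t Tracker) Banned(ip string, now time.Time) bool {
	return t[ip].bans >= maxBans || now.Before(t[ip].until)
}

// Report scores one bad event and returns whether ip is banned afterwards.
func (t Tracker) Report(ip string, e Event, now time.Time) bool {
	r := t[ip] // zero value for an address not seen before
	if now.Sub(r.start) > window { // start a fresh scoring window
		r.start, r.score = now, 0
	}
	if r.score += weight[e]; r.score >= threshold && !t.Banned(ip, now) {
		r.score, r.bans, r.until = 0, r.bans+1, now.Add(banTime)
	}
	t[ip] = r
	return t.Banned(ip, now)
}

func main() {
	t, now := Tracker{}, time.Now()
	for i := 0; i < 4; i++ { // 203.0.113.7 is a constructed sample address
		fmt.Println(i, t.Report("203.0.113.7", BrokenTLS, now))
	}
}
```

Whichever hook sees the failed handshake or unknown host would call `Report`, and `Banned` would be checked as early as possible on new connections.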