TooManyNon2xxStatus - how to tweak what is "too many"?

#7
It's all there for the logs, thank you.

But it still doesn't address my question: I'm not looking for why. That I know: way too many 403s from some bad bots.

How can I increase or lower the number of, let's say, 403s before expediting a ban?
 
#9
That would make sense. I did RTFM many times. But also failed finding any useful info on it.

I'll do that.

Thank you for your time. Much appreciated.
 
#12
Use CloudFlare WAF. It is always better to use any external service to filter unwanted traffic like bad bots.
CloudFlare is probably the worst commercial proxy out there that I've tried over the years. All my DoS tools are going through it like a hot knife in butter. A totally useless service.

But yes, you basically stand correct: For a better proxy and support, I'll need to look elsewhere.
 

serpent_driver

Well-Known Member
#13
CloudFlare is probably the worst commercial proxy out there that I've tried over the years. All my DoS tools are going through it like a hot knife in butter. A totally useless service.
This is probably because you are using the standard filters provided by CF. These actually do not work as expected. However, with a little brainpower and without paid plan, you can set up custom filters that work 100%.

I filter about 7500 requests every day.
 
#14
Maybe it's true. But what you said could be done using CSF in a one-liner without having to share any private data with a third party, along with much better integration support.
 

serpent_driver

Well-Known Member
#15
You are right, but in this specific case private data is relative. Ultimately, it is your decision.

CSF may be more effective, but CSF filters at a deep network layer. This allows you to filter IP addresses very well, but filtering specific IP addresses is like fighting windmills.
 
#16
Very true that solely chasing /32 IPs is a waste of energy.

That's why it needs to be done using visitor patterns, origins, user agents, referrers, types of requests and their rates.

Right now we have a script that reads the logs in real time and takes action when a visitor matches specific rules.

Still, this doesn't fix the current LiteSpeed dev team approach of pushing out an undocumented half-baked feature that can block visitors and none have anything to say about it.
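
The approach described in #16 (acting on request rates read from the log, per client network rather than per /32), as an added example that is not part of the thread and is not LiteSpeed's or CSF's own logic: a sliding-window counter with an adjustable 403 threshold. The combined log format, the threshold, window and prefix values are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_network

# Combined log format: ip - - [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def client_key(ip, v4_prefix=24, v6_prefix=64):
    """Group clients by network instead of by single address."""
    prefix = v6_prefix if ":" in ip else v4_prefix
    return str(ip_network(f"{ip}/{prefix}", strict=False))

class Non2xxTracker:
    """Sliding-window counter of selected error statuses per client network."""
    def __init__(self, threshold=20, window_s=60, statuses=(403,)):
        self.threshold, self.window_s = threshold, window_s
        self.statuses = set(statuses)
        self.hits = defaultdict(deque)   # network -> timestamps of counted errors
        self.banned = {}                 # network -> reason string

    def feed(self, line):
        """Process one log line; return the network if this line crosses the threshold."""
        m = LINE_RE.match(line)
        if not m or int(m["status"]) not in self.statuses:
            return None
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        key = client_key(m["ip"])
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold and key not in self.banned:
            self.banned[key] = f"{len(q)} hits in {self.window_s}s, last UA: {m['ua']}"
            return key
        return None

def make_line(ip, sec, status, ua="ExampleBot/1.0"):
    # Constructed sample log line (documentation address ranges, made-up path).
    return (f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
            f'"GET /admin HTTP/1.1" {status} 0 "-" "{ua}"')

def demo():
    t = Non2xxTracker(threshold=5, window_s=10)
    lines = [make_line(f"203.0.113.{i}", i, 403) for i in range(1, 6)]
    lines += [make_line("198.51.100.7", 20, 200)]
    return [k for k in map(t.feed, lines) if k]
```

`feed()` only reports the network that crossed the threshold; the action taken on it (firewall deny, rate limit) is left to the caller.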
 

serpent_driver

Well-Known Member
#17
Don't make life so difficult for yourself. It's much easier and, above all, requires very little effort. However, this requires a WAF such as CF WAF. With CSF you don't have the same options as with a WAF. I could describe to you in detail how you can get a much better result without CSF but with a WAF, but that would require you to fundamentally change your filter methodology.

btw. LiteSpeed or ADC is a web server or a load balancer and not a firewall, so don't expect that a car can also fly. ;)
 