Ban all the attackers. Easier said than done. A website is constantly under attack as the whole server. One day I decided it was too difficult to maintain every single server and ban those attackers. Blocking IPs on the website level is too late. Also, it consumes a lot of resources. So I went for iptables. You can find it on github/JBlond/ban_em_all
DROP vs REJECT. Well, DROP is a bad option for debugging. Also, it is not the default behavior of the OS itself. Nothing is listing on a port? The OS sends a reject. Sadly I haven’t found a way to use REJECT when it comes to IPs. Using DROP on the other hand the automatic server/website scanners assume a firewall and it is more likely to continue the scan.