You're right, something like fail2ban or crowdsec would probably be more effective here. Crowdsec has made it apparent to me how much vulnerability probing is done, its a bit shocking for a low-traffic host.

▲

ajsnigrutin 2 hours ago | parent [-]

And you'd ban the ip, their one day lease on the VM+IP would expire, someone else will get the same IP on a new VM and be blocked from everywhere.

Would be usable to ban the ip for a few hours to have the bot cool down for a bit and move onto a next domain.

	▲	holysoles 2 hours ago \| parent [-]
		I was referring to the rules/patterns provided by crowdsec rather than the distribution of known "bad" IPs through their Central API. The default ban for traffic detected by your crowdsec instance is 4 hours, so that concern isn't very relevant in that case. The decisions from the Central API from other users can be quite a bit longer (I see some at ~6 days), but you also don't have to use those if you're worried about that scenario.