From 51d09b08d57b9a9f623d287b1dbc84c1d078a499 Mon Sep 17 00:00:00 2001
From: Matthias Johnson <matthias@opennomad.com>
Date: Thu, 5 Mar 2026 21:27:59 -0700
Subject: [PATCH] first step in protecting against crawlers

---
 roles/fail2ban/files/filter.d/caddy-crawler.conf | 2 ++
 roles/fail2ban/files/jail.d/caddy.conf           | 8 ++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 roles/fail2ban/files/filter.d/caddy-crawler.conf

diff --git a/roles/fail2ban/files/filter.d/caddy-crawler.conf b/roles/fail2ban/files/filter.d/caddy-crawler.conf
new file mode 100644
index 0000000..f528578
--- /dev/null
+++ b/roles/fail2ban/files/filter.d/caddy-crawler.conf
@@ -0,0 +1,2 @@
+[Definition]
+failregex = .*"remote_ip":"<HOST>".*
diff --git a/roles/fail2ban/files/jail.d/caddy.conf b/roles/fail2ban/files/jail.d/caddy.conf
index 412d730..484b3e7 100644
--- a/roles/fail2ban/files/jail.d/caddy.conf
+++ b/roles/fail2ban/files/jail.d/caddy.conf
@@ -14,3 +14,11 @@ filter = caddy-auth
 maxretry = 40
 findtime = 10m
 bantime = 1h
+
+[caddy-crawler]
+enabled = true
+journalmatch = CONTAINER_NAME=caddy
+filter = caddy-crawler
+maxretry = 200
+findtime = 1m
+bantime = 6h