CSF Issue with Alma Linux Mirrors

I’m running Alma Linux and CSF on cPanel.

mirrors.almalinux.org uses an Amazon service, and I have a serious problem with Amazon bots (not only Amazon’s but lots of their users’ as well).

As the Alma Linux mirrors’ IPs change all the time, I always have issues with updates, Nginx Manager access pages and so on.

So I have to check what the mirrors’ current IPs are and include them in csf.allow.

It works for a week or two, but as soon as the IPs change again, it’s time-consuming to whitelist the new IPs, and it hurts when you need to quickly clear the Nginx cache or apply an important update and see mirror error lines.

I also include mirrors.almalinux.org at the bottom of csf.dyndns, but it seems there’s no effect on outbound curl calls.

Any idea of how to whitelist those mirrors for good? But not open CSF again to Amazon bots?

I’m not sure as to a good solution for you. Blocking vast chunks of the internet (AWS in this case) via relatively generic blocklists isn’t generally good practice as you end up with unintended consequences just like this.

Hi @jonathan

I was reluctant to do that due to the same thought as you. But AWS bots (essentially hosted bad bots) were flooding my server with tons of requests, so I gave up and I had to do it.

Nowadays, when automations are getting easier to get and use, for good and bad intentions, I’m sure “tough blocking” will be necessary; otherwise we’ll have to pay for extra hardware just to support this internet behavior.

Despite the Alma Linux mirrors issue, no regrets at all. Even during huge visitor peaks, server efficiency is fantastic after that.

I just need to find a decent way to clear outbound calls to the Alma Linux mirrors and I’ll be happy.