I recommend fail2ban to set a block after some number of 408s for a single IP. There are a lot of forum/QA posts about this specific filter - example: https://security.stackexchange.com/questions/155941/blocking-slowloris-using-fail2ban-what-are-the-correct-parameters
- Y Sent from a device with a very small keyboard and hyperactive autocorrect. On Fri, Feb 6, 2026, 4:13 PM Knute Johnson <[email protected]> wrote: > I'm thinking of putting them all on the naughty list. Any reason I > shouldn't? > > Thanks, > > Knute... > > On 2/6/26 14:42, Yehuda Katz wrote: > > HTTP 408 means the client opened a connection but didn't send a request. > > This could be caused by anything from a misconfigured or buggy program > > on the client side, to a malicious actor trying to overwhelm your server > > with fake connections. > > > > - Y > > > > Sent from a device with a very small keyboard and hyperactive > autocorrect. > > > > On Fri, Feb 6, 2026, 3:18 PM Knute Johnson <[email protected] > > <mailto:[email protected]>> wrote: > > > > From my access.log > > > > 181.215.169.144 - - [06/Feb/2026:20:10:38 +0000] "-" 408 7240 "-" "-" > > 194.180.179.107 - - [06/Feb/2026:20:10:47 +0000] "-" 408 7240 "-" "-" > > 194.180.179.107 - - [06/Feb/2026:20:10:47 +0000] "-" 408 7240 "-" "-" > > 194.180.179.107 - - [06/Feb/2026:20:10:47 +0000] "-" 408 7240 "-" "-" > > > > > > -- > > > > Knute Johnson > > [email protected] <mailto:[email protected]> > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > <mailto:[email protected]> > > For additional commands, e-mail: [email protected] > > <mailto:[email protected]> > > > > > -- > > Knute Johnson > [email protected] > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
