
How I Built a Real-Time DDoS Detection Engine from Scratch (No Fail2Ban)

DEV Community · Abraham Acha · about 1 month ago

Suppose my boss walked in and said "we're getting hit with suspicious traffic and I need you to build something that detects and responds to it automatically." I had two choices: reach for Fail2Ban like everyone else, or build something I actually understood from the ground up. I chose to build it from scratch. This post explains exactly how I did it: in plain English, with real code, and without assuming you've ever touched security tooling before.

By the end of this post you will understand:

- What the system does and why it matters
- How a sliding window works (and why it's not just "count requests per minute")
- How the system learns what normal traffic looks like
- How it decides something is an attack
- How it uses iptables to cut off an attacker at the firewall level

Let's go.

What This Project Does and Why It Matters

We run a cloud storage platform built on Nextcloud. It's public-facing, which means anyone on the internet can send requests to it, including bots, scanners, and attackers.…
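The four pieces the outline promises (a sliding window rather than a per-minute counter, a learned baseline, an attack decision, and an iptables response) fit together in a few dozen lines. The example below is an added illustration written for this page, not the author's code from the full post. It assumes a combined-format access log whose lines start with the client IP and a bracketed timestamp, learns "normal" as the highest per-IP count seen in any window during a warm-up phase and sets the attack threshold to a multiple of that peak, and responds by building an iptables DROP rule (returned as an argument list, only executed if asked). The constants, class names and sample log lines are all constructed for the example.

```python
"""Sliding-window request-rate detector with a learned baseline and an
iptables response. Added example; not the original post's code.

Hypothetical assumptions (not taken from the post):
  - log lines start with "<ip> - - [<dd/Mon/yyyy:HH:MM:SS +zzzz>] ..."
  - baseline = highest per-IP count in any window during learning
  - threshold = MULTIPLIER * baseline, floored at MIN_THRESHOLD
  - response = "iptables -I INPUT -s <ip> -j DROP" (run only if asked)
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re
import subprocess

WINDOW_SECONDS = 10      # trailing window length
MULTIPLIER = 5.0         # attack threshold as a multiple of the learned peak
MIN_THRESHOLD = 50       # never block an IP below this many requests/window

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, unix_time) for one combined-format log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT).timestamp()


class SlidingWindow:
    """Per-IP timestamps for the trailing `window` seconds.

    A fixed per-minute counter resets at the minute boundary, so a burst that
    straddles two buckets is split and may never trip the limit. Keeping the
    exact timestamps and evicting only those older than `window` seconds
    relative to the newest event avoids that blind spot.
    """
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, ip, ts):
        q = self.events[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()
        return len(q)          # requests from ip inside the trailing window


class Detector:
    def __init__(self, window=WINDOW_SECONDS):
        self.sw = SlidingWindow(window)
        self.peak = 0          # largest per-IP window count seen while learning
        self.learning = True
        self.blocked = set()

    def threshold(self):
        return max(MIN_THRESHOLD, int(self.peak * MULTIPLIER))

    def observe(self, line):
        """Feed one log line; return an IP that must be blocked, or None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ip, ts = parsed
        if ip in self.blocked:
            return None
        count = self.sw.add(ip, ts)
        if self.learning:           # warm-up: only update the baseline
            self.peak = max(self.peak, count)
            return None
        if count > self.threshold():
            self.blocked.add(ip)
            return ip
        return None


def iptables_block(ip, execute=False):
    """Build (and optionally run, which needs root) the DROP rule for ip."""
    cmd = ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
    if execute:
        subprocess.run(cmd, check=True)
    return cmd


def make_line(ip, t):
    """Constructed sample log line (not a real capture)."""
    stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime(TS_FMT)
    return f'{ip} - - [{stamp}] "GET /status.php HTTP/1.1" 200 512'


def run_demo():
    """Learn from three quiet clients, then flood from one; return findings."""
    d = Detector()
    t0 = 1_700_000_000
    quiet = [make_line(ip, t0 + 4 * i)
             for i in range(6) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")]
    for line in quiet:
        d.observe(line)
    d.learning = False
    flood = [make_line("203.0.113.9", t0 + 100 + 0.05 * i) for i in range(80)]
    blocked = [ip for ip in (d.observe(line) for line in flood) if ip]
    for ip in blocked:
        print(" ".join(iptables_block(ip)))   # dry run: prints the rule only
    return d.peak, d.threshold(), blocked


if __name__ == "__main__":
    print(run_demo())
```

Two things to keep in mind before pointing this at a real box: `execute=True` inserts rules that never expire, so a production version needs an unblock timer (or an ipset with timeouts), and the baseline is only as good as the warm-up traffic, so never learn "normal" from a log that already contains the attack.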
