Dynamically Deny spammy IPs

[profjsb]

Use crowdsec.net or fail2ban + bouncer to dynamically deny access to IP addresses that are scanning and/or trying to hack baselayer apps.

[stefanv]

I looked into it a bit, but this is not entirely straightforward to set up. We can potentially inspect the X-Forwarded-For header from the Google Cloud Load Balancer, but then we'd still need to serve those requests from nginx, albeit with something like a 403 Forbidden.

(Easier without cloud load balancer: then we can just run fail2ban as-is.)