It’s set up on the same box as my caddy install. I believe it’s getting passed the real IP because that’s what gets banned, and what I type in to unban it.

It just sees normal operations as http probing. Like if some other service goes down, my GetHomepage will then 404 and that’s seen as probing. It bans surprisingly quick. Even after just one or two events (normal for someone just visiting the homepage) it’ll just kick em right out

I’ve been having to inspect every alert and hand write whitelist parsers to whitelist 404s or whatever it may be for that app. Slowly accumulating a workable collection… but seems like I’m missing something as no one else seems to complain about this in threads like these