Those are some very good and helpful insights, thank you very much for sharing. I was also hosting forgejo and used traefik as reverse proxy. However, my forgejo was locked down, which is probably why I had no bot attack.

Some thoughts:

• fail2ban works for malicious requests very good, meaning things that get logged somewhere.
• CrowdSec has an AI Bot Blocklist, which they offer for free if you host a FOSS project.
• I am developing a tool which blocks CIDR ranges based on country directly via ufw. Maybe blocking countries helps in such a case, but not everyone wants to block whole countries.