Proxima Gateway
Firewall

Auto-ban

Sliding-window automatic banning for abusive IPs

Auto-ban watches request volume per IP and adds a temporary ban when an IP crosses a threshold within a configurable window. It's the brute-force protection layer that sits above rate limiting: rate limits slow attackers down, auto-ban kicks them off the network for a while.

How it works

For every request, the firewall:

  1. Increments a counter for the source IP, scoped to the configured window
  2. If the counter exceeds the threshold, adds the IP to the banned list with expiresAt = now + banDurationMinutes
  3. Drops the request with 403 Forbidden

Banned IPs are checked on the request hot path before any backend work — banned traffic costs the proxy almost nothing.
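An added example, not Proxima Gateway's own code: a small Python model of the three steps above with the banned-list check done first, using a per-IP deque of timestamps as one way to keep a sliding-window count. The class and function names, the 200 return standing for "passed on to the backend", and CIDR matching for the whitelist are assumptions; the sample IP comes from a documentation range.

```python
import ipaddress
from collections import defaultdict, deque

class AutoBan:
    """Illustrative model of sliding-window auto-ban (names are hypothetical)."""
    def __init__(self, threshold, window_seconds, ban_duration_minutes, whitelist=()):
        self.threshold = threshold
        self.window = window_seconds
        self.ban_seconds = ban_duration_minutes * 60
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.hits = defaultdict(deque)   # ip -> request timestamps inside the window
        self.banned = {}                 # ip -> expiresAt (0 = permanent ban)

    def is_banned(self, ip, now):
        expires_at = self.banned.get(ip)
        if expires_at is None:
            return False
        if expires_at == 0 or now < expires_at:
            return True
        del self.banned[ip]              # ban has expired: remove it lazily
        return False

    def handle(self, ip, now):
        """Return 403 if the request is dropped, 200 if it would be passed on."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return 200                   # whitelisted sources are exempt
        if self.is_banned(ip, now):
            return 403                   # hot-path check, before any counting
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                  # discard hits that left the window
        if len(q) > self.threshold:      # counter exceeded: ban and drop
            self.banned[ip] = now + self.ban_seconds
            del self.hits[ip]
            return 403
        return 200


def simulate(fw, ip, count, start, step):
    """Send `count` requests from `ip`, one every `step` seconds; return statuses."""
    return [fw.handle(ip, start + i * step) for i in range(count)]


if __name__ == "__main__":
    # Constructed input: 12 requests, one per second, with threshold=10.
    fw = AutoBan(threshold=10, window_seconds=60, ban_duration_minutes=30)
    print(simulate(fw, "203.0.113.7", 12, start=0, step=1))
```

Because the counter must exceed the threshold, the eleventh request in the window is the first one dropped when threshold=10.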

Configuration

Sidebar → Firewall → Auto-ban card:

Field                  Notes
Enabled                Master toggle
Threshold              Requests-in-window that trigger a ban (e.g. 100)
Window seconds         Sliding window length (e.g. 60)
Ban duration minutes   How long the ban lasts (e.g. 30)

Sane defaults against a login-form attack: threshold=10, window=60 (seconds), ban=30 (minutes). Against a password spray on a public API: threshold=200, window=10, ban=60.

Whitelist

IPs in the firewall whitelist are exempt from auto-ban (and rate-limiting). Use this for known internal IPs, monitoring, or penetration test sources.

Manual bans

Auto-ban writes to the same banned-IP list as the dashboard's manual ban form. You can:

  • View the live list at Sidebar → Firewall → Banned IPs
  • Filter by reason, source (auto vs. manual), expiry
  • Unban an IP early
  • Add a permanent ban (expiresAt = 0) for known attackers

Persistence

The banned-IP list is in-memory on the proxy box. A systemctl restart proxima-gateway clears it. This is intentional — it lets auto-ban heal naturally after a config change without leaving stale bans in place.

If you want bans to survive restarts, watch this space — persistence to disk is on the roadmap.

Tuning

If you're seeing false positives (legitimate users getting banned):

  • Raise threshold — most real users don't make 100+ requests/sec
  • Add their IP/CIDR to the whitelist if they're a known good actor
  • Reduce banDurationMinutes so the impact is smaller per false positive

If you're seeing false negatives (attackers slipping through):

  • Lower threshold and windowSeconds to catch slow probes
  • Raise banDurationMinutes to keep them out longer