Activate Rack::Attack, add /system limits

config/application.rb

@@ -8,6 +8,8 @@
 # require "action_mailbox/engine"
 # require "action_text/engine"
 
+require 'rack/attack'
+
 # Require the gems listed in Gemfile, including any gems
 # you've limited to :test, :development, or :production.
 Bundler.require(*Rails.groups)
@@ -39,6 +41,8 @@ class Application < Rails::Application
     config.active_job.queue_adapter     = :delayed_job
     config.active_job.queue_name_prefix = "decidim_zuerich_#{Rails.env}"
 
+    config.middleware.use Rack::Attack
+
     Raven.configure do |config|
       config.dsn = ENV['SENTRY_DSN']
       config.current_environment = ENV['SENTRY_CURRENT_ENV']

config/initializers/rack-attack.rb → config/initializers/rack_attack.rb

@@ -1,7 +1,9 @@
 require 'rack/attack'
 require 'ipaddr'
 
-Rack::Attack.enabled = ENV.fetch('ENABLE_RACK_ATTACK', Rails.env.production?.to_s).in?(%w[true 1])
+# Rack::Attack.enabled = ENV.fetch('ENABLE_RACK_ATTACK', Rails.env.production?.to_s).in?(%w[true 1])
+Rack::Attack.enabled = true
+
 
 safelist_ips = ENV.fetch('RACK_ATTACK_SAFELIST_IPS', '').split(',').map(&:strip)
 
@@ -12,10 +14,17 @@
   Rack::Attack.safelist_ip(ip_or_subnet)
 end
 
+Rack::Attack.blocklist('secure admin logins') do |req|
+  Rack::Attack::Allow2Ban.filter(req.ip, maxretry: 5, findtime: 10.minutes, bantime: 1.hour) do
+    req.post? && req.path.include?('system')
+  end
+end
+
 ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, request_id, payload|
   # request object available in payload[:request]
   request = payload[:request]
-  Rails.logger.warn "RACK ATTACK #{name} - #{request.ip} - #{request.url}"
+  # require 'pry'; binding.pry
+  Rails.logger.warn "RACK ATTACK MATCH: #{name}: #{request.env['rack.attack.matched']} | ip: #{request.ip} | url: #{request.url}"
 end
 
 # Used for rack-attack throttling debugging