I implemented an HAProxy in front of the environment to split traffic across different hosts and restrict access to the environment to legitimate sources only.
Example:
# Frontends
frontend fe_http
    mode http
    bind :80
    # blocking start
    # deny HTTP/1.0, as it is mostly used by bad guys
    # allowed.ips holds one IP address or CIDR per line
    acl is-allowed-ip src -f /etc/haproxy/allowed.ips
    # HTTP_1.0, HTTP_1.1 and HTTP_2.0 are HAProxy's predefined request-version ACLs
    http-request silent-drop if HTTP_1.0
    http-request silent-drop if HTTP_1.1 !is-allowed-ip
    http-request silent-drop if HTTP_2.0 !is-allowed-ip
Only IPs listed in allowed.ips can access the environment.
The same way to block or allow TCP connections:
Example: block bad sources:
frontend fe_imaps
    mode tcp
    option tcplog
    bind :993 name imaps
    # reject bad guys sending to IMAP continuously
    # isblocktcp.ips holds one IP address or CIDR per line
    acl is-blocked-tcp src -f /etc/haproxy/isblocktcp.ips
    tcp-request connection reject if is-blocked-tcp
    default_backend be_imaps
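As an added example (not the poster's own configuration), the two fragments above put together into one complete haproxy.cfg, with the global, defaults and backend sections the fragments leave out. The backend names, the server addresses 10.0.0.x, the /healthz check path and the admin socket path /run/haproxy/admin.sock are assumptions for illustration; the two list files keep the names used above.

```haproxy
# Added example: complete haproxy.cfg combining the HTTP source allowlist
# and the TCP source blocklist. Addresses, backend names, the health-check
# path and the socket path are assumptions, not values from the original post.
global
    log /dev/log local0
    # admin socket: allows adding/removing ACL entries at runtime (see note below)
    stats socket /run/haproxy/admin.sock mode 660 level admin

defaults
    log global
    option dontlognull
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# ----- HTTP: only sources listed in allowed.ips may reach the web backend -----
frontend fe_http
    mode http
    option httplog
    bind :80
    # /etc/haproxy/allowed.ips: one IPv4/IPv6 address or CIDR per line,
    # e.g. 203.0.113.0/24 (constructed example value)
    acl is-allowed-ip src -f /etc/haproxy/allowed.ips
    # HTTP_1.0 is one of HAProxy's predefined request-version ACLs.
    # Drop HTTP/1.0 unconditionally; every other version must come from the list,
    # so a single negated rule covers HTTP/1.1 and HTTP/2 together.
    http-request silent-drop if HTTP_1.0
    http-request silent-drop if !is-allowed-ip
    default_backend be_http

backend be_http
    mode http
    balance roundrobin
    option httpchk GET /healthz
    server web1 10.0.0.11:8080 check
    server web2 10.0.0.12:8080 check

# ----- TCP: reject listed sources before they reach the IMAP servers -----
frontend fe_imaps
    mode tcp
    option tcplog
    bind :993 name imaps
    # /etc/haproxy/isblocktcp.ips: one address or CIDR per line
    acl is-blocked-tcp src -f /etc/haproxy/isblocktcp.ips
    # connection-level reject is the cheapest point: the TCP connection is
    # closed before any TLS handshake or IMAP banner exchange takes place
    tcp-request connection reject if is-blocked-tcp
    default_backend be_imaps

backend be_imaps
    mode tcp
    balance leastconn
    server imap1 10.0.0.21:993 check
    server imap2 10.0.0.22:993 check
```

Validate the file before reloading with haproxy -c -f /etc/haproxy/haproxy.cfg. Because both lists are loaded with acl ... -f, the file name doubles as the ACL identifier on the admin socket, so a new offender can be blocked without a reload, for example echo "add acl /etc/haproxy/isblocktcp.ips 198.51.100.7" | socat stdio /run/haproxy/admin.sock (show acl /etc/haproxy/isblocktcp.ips lists the current entries). Runtime additions live only in memory, so also append the entry to the file on disk if it should survive the next reload.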