this post was submitted on 14 Dec 2025
53 points (96.5% liked)
Selfhosted
53767 readers
319 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Right, but if it has to stay public would you simply do nothing?
Nah. But if what you want is to prevent rather than palliate or delay (AIs will get throug Anubis, in fact from what I read some of them already do), then pretty much your only option is real-person authentication, so that if stuff does get leaked, you have a discrete list of people who to hold accountable.
I shut down one of my sites once I realized the massive traffic spike was all AI.
Currently Anubis seems to be the standard for slowing down scrapers
https://github.com/TecharoHQ/anubis
There are also various poison and tarpit systems which will serve scrapers infinite garbage text or data designed to aggressively corrupt the models they're training. Basically you can be as aggressive as you want. Your site will get scraped and incorporated into someone's model at the end of the day, but you can show them down and make it hurt.
@potatopotato @selfhosted Black Ice exists. Software is hand-to-hand combat. The most #cyberpunk sentence I’ve read today:
“There are also various poison and tarpit systems which will serve scrapers infinite garbage text or data designed to aggressively corrupt the models they’re training. “
You could put your website behind a cloudflare anti bot check. But realistically, your website is public facing and these bots are scraping the public web. They will eventually get the data from your website.
You can always go the Tarpit route as well https://zadzmo.org/code/nepenthes/
Another one; https://iocaine.madhouse-project.org/
But yeah, OP. You can't reliably stop web scrapers from stealing your data. You can only make more difficult and costly to do so, at the expense of your own server, and in the case of anubis, at the expense of your real users.
I plan on switching to a RPI hosted website at some point, so I can add either iocaine or nepanthes to my website. Might as well make most of the data from my website poison to all the scrapers when I get the chance.
Another option to reduce (but not eliminate) this traffic is a country limit. In cloudflare you can set a manual security rule to do this. There are self hosted options too but harder to setup. It depends what country you are and where your users are based. My website is a business one so I only allow my own country (and if on holiday I might open that country if I need to check it's working, although usually I just use a paid vpn back to my country so no need). You can also block specific countries. So many of my blocked requests are from USA, China, Russia etc
I'm wondering if you could run CrowdSec on the server and manually block the offenders if they are not already in the community blocklists.
Isn't fail2ban a possibility too? I created a filter for chatgpt and some others, and it feels like its working. My radicale server is my only free acessable service but it comes with a small webgui and so the bots showed up. I have no clue if the bot gets a fraction of your site each time it shows up, but seemingly the ban happens within 300ms when I remember correct. So it wouldn't be that much of information...
When setting the retry to 1 it will ban at the first sight.
A big issue is that this works for bots that announce themselves as such, but there's lots that pretend to be regular users, with fake user agents and ips selected from a random pool with each ip only sending like 1-3 request/day, but overall many thousands of requests. In my experience a lot of them are from huawei and tencent cloud/ASN
Yes, if that is true (and I am not that suprised about it) it is nearly impossible to block them this way.
Anubis is your friend