#FediBlock #MastoAdmin: most Fedi instance servers announce their software in their HTTP user agent string. some instance servers are used mostly by assholes. using nginx? try adding this to your Mastodon site config's server block:

```
if ( $http_user_agent ~* Pleroma ) {
    # close connection immediately
    return 444;
}
if ( $http_user_agent ~* Soapbox ) {
    return 444;
}
```

etc. to stop inbound HTTP requests from such instances.

you should still suspend hostile instances in the Mastodon federation controls so your server doesn't try to send data out to them, and so your users know why they can't interact with them.

it probably won't work forever and definitely won't work once people start sending fake UAs or not sending UAs at all, which is trivial. meanwhile, it might save you a little annoyance. keep an eye on your nginx logs for new variants and spoofing.

here are UA fragments for a few Fediverse scanners i know about. they're not necessarily hostile, but you may not want to show up on every mapping tool:

FediDB
FediList agent
fediverse's servers stats
fediverse's stats
fediverse.network crawler

consider also blocking UA fragments for common HTTP libraries to deal with low-effort bots. new or unusual legitimate Fedi software may still use one of these default UAs (such as your users' own bots, if permitted), and of course, not all HTTP libraries send a UA by default:

aiohttp
curl
Faraday
Go-http-client
hackney
http.rb
python-httpx
python-requests
Python-urllib

this is bandaid level stuff; real HTTP client fingerprinting and bot detection is a pretty hard problem, and there aren't a lot of open-source attempts at it, although there are plenty of commercial tools of varying quality.
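The log review suggested above ("keep an eye on your nginx logs"), as an added example that is not part of the original post: it tallies user agents from access log lines against the fragment lists in the post and reports listed agents that were not answered with 444. It assumes nginx's default `combined` log format; the function names and the sample log lines (hosts, addresses, versions) are constructed for illustration.

```python
import re
from collections import Counter
# UA fragments from the lists in the post, matched case-insensitively as a
# substring (the same effect as nginx's ~* operator on a literal).
FRAGMENTS = {
    "software": ["Pleroma", "Soapbox"],
    "scanner": ["FediDB", "FediList agent", "fediverse's servers stats",
                "fediverse's stats", "fediverse.network crawler"],
    "library": ["aiohttp", "curl", "Faraday", "Go-http-client", "hackney",
                "http.rb", "python-httpx", "python-requests", "Python-urllib"],
}
# Tail of nginx's default "combined" format: "request" status bytes "referer" "ua"
TAIL = re.compile(r'"[^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"\s*$')

def classify(ua):
    if ua in ("", "-"):          # nginx logs a missing header as "-"
        return "no-ua"
    for category, fragments in FRAGMENTS.items():
        if any(f.lower() in ua.lower() for f in fragments):
            return category      # category of the first listed fragment found
    return "unlisted"

def review(lines):
    """Tally categories, unlisted UAs, and listed UAs not answered with 444."""
    seen, unlisted, not_blocked = Counter(), Counter(), Counter()
    for line in lines:
        m = TAIL.search(line)
        if not m:
            continue             # not in combined format; skip
        category = classify(m["ua"])
        seen[category] += 1
        if category == "unlisted":
            unlisted[m["ua"]] += 1       # candidates for "new variants"
        elif category != "no-ua" and m["status"] != "444":
            not_blocked[m["ua"]] += 1    # listed fragment, but request was served
    return seen, unlisted, not_blocked

# Constructed sample lines (documentation addresses, made-up hosts and versions).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:00:00:01 +0000] "POST /inbox HTTP/1.1" 444 0 "-" "Pleroma 2.5.0; https://bad.example <admin@bad.example>"',
    '203.0.113.6 - - [01/Jan/2024:00:00:02 +0000] "GET /api/v1/instance HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [01/Jan/2024:00:00:03 +0000] "GET /nodeinfo/2.0 HTTP/1.1" 200 300 "-" "-"',
    '203.0.113.8 - - [01/Jan/2024:00:00:04 +0000] "POST /inbox HTTP/1.1" 202 0 "-" "http.rb/5.1.1 (Mastodon/4.2.0; +https://friend.example/)"',
    '203.0.113.9 - - [01/Jan/2024:00:00:05 +0000] "GET / HTTP/1.1" 200 900 "-" "NewFediThing/0.1"',
]

if __name__ == "__main__":
    for name, counter in zip(("seen", "unlisted", "not blocked"), review(SAMPLE)):
        print(name, dict(counter))
```

In the sample, the `http.rb` fragment also matches the constructed UA that names Mastodon, so running a candidate fragment over real logs first shows what else it would catch before it goes into a blocking rule.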


NGINX user agent blocking, long code 

@vyr if you're matching multiple user-agents it's easier (and I think more efficient?) to use a `map` instead

in the `http` block (not `server`) add
```
map $http_user_agent $blocked_user_agent {
    default 0;
    "FediList agent (fedilist.com/)" 1;
    "~Python/.+ aiohttp/" 1;
    "~Python/.+ websockets/" 1;
}
```
etc, where '1' means it's a blocked agent (with regex support)

then add a single `if` block to your `server` blocks:
```
if ($blocked_user_agent) {
    return 444;
}
```
