Here's a version of the block list you can dump in your nginx to get rid of the bots:
https://gist.github.com/patf/1ae99fdd15718483fc15b1e8c8f25fe2#file-naughty_list_nginx-conf
The advantage of using nginx here instead of your firewall/iptables is that you'll have an easier time checking for false positives in logs (in case I fucked up); the bots follow a predictable pattern (GET / then GET /auth/sign_up) while real traffic would stand out.
cc @Gargron
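One way to run the false-positive check described above over an nginx access log, as an added example that is not part of the original post or the linked gist. It assumes the default "combined" log format and that blocked requests are answered with 403; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
BOT_PATHS = {"/", "/auth/sign_up"}  # request pattern named in the post
BLOCKED_STATUS = "403"              # assumption: the block list answers with 403

def review_blocked(lines):
    """Split blocked client IPs into bot-like ones and ones needing review.

    Returns (bot_like, review): bot_like is a sorted list of IPs whose blocked
    requests were only GET / or GET /auth/sign_up; review maps every other
    blocked IP to the requests it made, as possible false positives.
    """
    blocked = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["status"] == BLOCKED_STATUS:
            path = m["path"].split("?", 1)[0]  # ignore the query string
            blocked[m["ip"]].append((m["method"], path))
    bot_like, review = [], {}
    for ip, reqs in blocked.items():
        if all(meth == "GET" and path in BOT_PATHS for meth, path in reqs):
            bot_like.append(ip)
        else:
            review[ip] = reqs  # blocked, but does not look like the bots
    return sorted(bot_like), review

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:00:00:02 +0000] "GET /auth/sign_up HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:00:01:10 +0000] "GET /@alice/1234 HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:00:01:12 +0000] "POST /api/v1/statuses?x=1 HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:00:02:00 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    bots, suspects = review_blocked(SAMPLE)
    print("bot-like:", bots)
    for ip, reqs in suspects.items():
        print("review:", ip, reqs)
```

Any address that lands in the review set was blocked while requesting something other than the two bot paths, so it is the first place to look for a range that should not be on the list.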