Protect from web attacks like WAF does?

[ra-at-diladele-com]

If a client sends requests like this - can we block them?

 [22/Jan/2026:13:00:52 +0000] 195.201.233.183 "GET /root/.env HTTP/1.1" 404 134 "-" "curl/8.7.1"
 [22/Jan/2026:13:00:52 +0000] 195.201.233.183 "GET /.env.bak HTTP/1.1" 404 134 "-" "curl/8.7.1"
 [22/Jan/2026:13:00:52 +0000] 195.201.233.183 "GET /marketing/.env.staging HTTP/1.1" 404 134 "-" "curl/8.7.1"
 [22/Jan/2026:13:00:52 +0000] 195.201.233.183 "GET /.env_backup HTTP/1.1" 404 134 "-" "curl/8.7.1"
 [22/Jan/2026:13:00:52 +0000] 195.201.233.183 "GET /.git/logs/refs/heads/master HTTP/1.1" 404 134 "-" "curl/8.7.1"