Many IPs browsing login page/maybe bruteforce attack, what to do?

P

postcd

Guest
Hello,
on the server with Apache are hosted several websites. One websites login form is the target of some kind of distributed attack/bruteforce password cracking.

I see like 5000 IPs accessing that login page politely, not aggressively. I am sure these are not humans.
A few visits per IP and slowly growing.

I can firewall deny manually some subnets like 123.45.*.* etc. and i can also ban many hundred IPs directly in firewall, but i am afraid of high memory usage of the kernel because too many iptables rules. Is there any better way to prevent server overloading. Like mod security way, i am running CSF firewall too.

All visits seems to have same user agent:
IPHERE - - [28/Jun/2016:13:41:50 +0000] "GET /user/login HTTP/1.0" 200 18666 "https://MYDOMAIN.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"

I remember im using mod security rule to block wp-login.php accesses without referrer:
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,log,chain,msg:'wp-login request blocked, no referer'"
SecRule &;HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"

So maybe i can use similar rule? Or a rule that blocks if there is match of mentioned user agent and login url? Any better way?

Thank you
 
Last edited:


Top