postcd
Guest
Hello,
On the server with Apache, several websites are hosted. One website's login form is the target of some kind of distributed attack/brute-force password cracking.
I see like 5000 IPs accessing that login page politely, not aggressively. I am sure these are not humans.
A few visits per IP, and slowly growing.
I can firewall-deny some subnets like 123.45.*.* etc. manually, and I can also ban many hundred IPs directly in the firewall, but I am afraid of high kernel memory usage because of too many iptables rules. Is there any better way to prevent server overloading? Like a mod_security way; I am running the CSF firewall too.
All visits seem to have the same user agent:
IPHERE - - [28/Jun/2016:13:41:50 +0000] "GET /user/login HTTP/1.0" 200 18666 "https://MYDOMAIN.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
I remember I'm using a mod_security rule to block wp-login.php accesses without a referrer:
# Chained rule: deny only when all three conditions match (POST, no Referer header, URI contains wp-login.php)
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,log,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"
So maybe I can use a similar rule? Or a rule that blocks if there is a match of the mentioned user agent and login URL? Any better way?
Thank you
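Added example, not code from the thread, from ModSecurity or from CSF: offline triage of the pattern described in the post. It applies the same match the poster is asking for (a login URL plus the shared Firefox/46.0 user agent) to Apache combined-log lines, counts hits per IP and per /24, and shows how many distinct IPs share that user agent on the login path, which is the "distributed but uniform" signal. It then emits ipset commands, so the blocks cost one hash:net set and one iptables rule instead of one rule per address. The login paths, the /24 and /64 aggregation widths, the threshold, the set name and every log line below are assumptions or constructed samples (documentation IP ranges), not data from the thread.

```python
"""Offline triage of a distributed login brute-force from Apache combined logs.

Added example for the thread above; not the poster's, ModSecurity's or CSF's code.
Paths, thresholds and log lines are assumptions / constructed samples.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed login endpoints; /user/login is the one in the poster's log excerpt.
LOGIN_PATHS = frozenset({"/user/login", "/wp-login.php"})
# The user agent shared by every request in the poster's log excerpt.
BOT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
# A second user agent, constructed, to stand in for a legitimate visitor.
LEGIT_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0"

# Constructed sample log (RFC 5737 documentation ranges), not from the thread.
SAMPLE_LOG = "\n".join([
    f'198.51.100.10 - - [28/Jun/2016:13:41:50 +0000] "GET /user/login HTTP/1.0" 200 18666 "https://MYDOMAIN.com/" "{BOT_UA}"',
    f'198.51.100.10 - - [28/Jun/2016:13:41:52 +0000] "POST /user/login HTTP/1.0" 200 18702 "https://MYDOMAIN.com/user/login" "{BOT_UA}"',
    f'198.51.100.11 - - [28/Jun/2016:13:42:03 +0000] "GET /user/login HTTP/1.0" 200 18666 "https://MYDOMAIN.com/" "{BOT_UA}"',
    f'198.51.100.12 - - [28/Jun/2016:13:42:09 +0000] "GET /user/login?destination=node HTTP/1.0" 200 18666 "-" "{BOT_UA}"',
    f'203.0.113.5 - - [28/Jun/2016:13:42:41 +0000] "GET /user/login HTTP/1.0" 200 18666 "https://MYDOMAIN.com/" "{BOT_UA}"',
    f'192.0.2.7 - - [28/Jun/2016:13:43:10 +0000] "GET /user/login HTTP/1.1" 200 18666 "https://MYDOMAIN.com/" "{LEGIT_UA}"',
    f'198.51.100.10 - - [28/Jun/2016:13:43:30 +0000] "GET /index.html HTTP/1.0" 200 5120 "-" "{BOT_UA}"',
    "this line is deliberately malformed and must be skipped, not crash the parser",
])


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_path(rec):
    """Path without the query string, so /user/login?destination=x still counts."""
    return rec["uri"].split("?", 1)[0]


def is_bot_login_hit(rec):
    """The condition the poster asked about: login URL and the fingerprinted user agent."""
    return request_path(rec) in LOGIN_PATHS and rec["ua"] == BOT_UA


def subnet_of(ip_str):
    """Aggregate to the block we would actually apply: /24 for IPv4, /64 for IPv6
    (assumed widths). Returns None for non-address client fields (HostnameLookups)."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def analyze(log_text):
    """Walk the log once; count matching hits per IP and per subnet, and record
    which distinct IPs use each user agent on the login path."""
    stats = {"parsed": 0, "skipped": 0, "hits": 0,
             "per_ip": Counter(), "per_net": Counter(),
             "ips_per_ua": defaultdict(set)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            stats["skipped"] += 1
            continue
        stats["parsed"] += 1
        if request_path(rec) in LOGIN_PATHS:
            stats["ips_per_ua"][rec["ua"]].add(rec["ip"])
        if not is_bot_login_hit(rec):
            continue
        stats["hits"] += 1
        stats["per_ip"][rec["ip"]] += 1
        net = subnet_of(rec["ip"])
        if net is not None:
            stats["per_net"][net] += 1
    return stats


def ipset_commands(per_net, min_hits, set_name="login_bots"):
    """Emit ipset/iptables commands (hypothetical set name) for IPv4 subnets at or
    above the threshold: one set plus one rule, however many subnets are inside."""
    cmds = [f"ipset create {set_name} hash:net -exist"]
    for net, n in sorted(per_net.items(), key=lambda kv: (-kv[1], kv[0])):
        if ":" in net:
            continue  # IPv6 needs its own set created with 'family inet6'
        if n >= min_hits:
            cmds.append(f"ipset add {set_name} {net} -exist  # {n} hits")
    cmds.append(f"iptables -I INPUT -p tcp -m multiport --dports 80,443 "
                f"-m set --match-set {set_name} src -j DROP")
    return cmds


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    print(f"parsed={s['parsed']} skipped={s['skipped']} bot_login_hits={s['hits']}")
    for ua, ips in s["ips_per_ua"].items():
        print(f"{len(ips):4d} distinct IPs on login path with UA: {ua}")
    print("\n".join(ipset_commands(s["per_net"], min_hits=3)))
```

The threshold of 3 hits per /24 is an assumption to tune against the real log; with "a few visits per IP" the per-subnet count is the useful one, since a single IP rarely crosses any sane limit. Because CSF's csf.deny accepts CIDR entries, the aggregated subnets can also go there instead of raw ipset, and CSF can itself drive ipset (LF_IPSET in csf.conf) if the kernel memory of a long deny list is the worry. The `is_bot_login_hit` condition is exactly what a ModSecurity chain on REQUEST_URI and REQUEST_HEADERS:User-Agent would test per request; the log-side version is for finding the subnets before any blocking is applied.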