Many IPs browsing login page/maybe bruteforce attack, what to do?

Discussion in 'Apache' started by postcd, Jun 28, 2016.

  1. #1
    Hello,
On the server with Apache, several websites are hosted. One website's login form is the target of some kind of distributed attack/brute-force password cracking.

    I see like 5000 IPs accessing that login page politely, not aggressively. I am sure these are not humans.
    A few visits per IP and slowly growing.

I can manually firewall-deny some subnets like 123.45.*.* etc., and I can also ban many hundreds of IPs directly in the firewall, but I am afraid of high kernel memory usage because of too many iptables rules. Is there any better way to prevent server overloading, like a mod_security way? I am running the CSF firewall too.

All visits seem to have the same user agent:
    IPHERE - - [28/Jun/2016:13:41:50 +0000] "GET /user/login HTTP/1.0" 200 18666 "https://MYDOMAIN.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"

I remember I'm using a mod_security rule to block wp-login.php accesses without a referrer:
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,log,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"

So maybe I can use a similar rule? Or a rule that blocks if there is a match of the mentioned user agent and login URL? Any better way?

    Thank you
     
    Last edited: Jun 28, 2016
    postcd, Jun 28, 2016 IP
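Added example (not from the thread or its posters): a small Python script that parses Apache combined-format access log lines, groups requests to the login path by user agent and source IP, flags the pattern described above (one user agent, many IPs, only a few hits each), and then summarizes the offending IPs into /24 prefixes so that a handful of set-based firewall entries could cover them instead of one iptables rule per address. The login path `/user/login`, the thresholds, and the sample log lines are constructed assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample lines in Apache combined log format (not from the thread).
# Four different IPs share one Firefox user agent on /user/login with one hit each;
# one unrelated client hits the login page with a different user agent.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jun/2016:13:41:50 +0000] "GET /user/login HTTP/1.0" 200 18666 "https://example.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
203.0.113.11 - - [28/Jun/2016:13:41:52 +0000] "GET /user/login HTTP/1.0" 200 18666 "https://example.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
203.0.113.12 - - [28/Jun/2016:13:41:55 +0000] "POST /user/login HTTP/1.0" 200 18666 "https://example.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
198.51.100.7 - - [28/Jun/2016:13:42:01 +0000] "GET /user/login HTTP/1.0" 200 18666 "https://example.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
198.51.100.7 - - [28/Jun/2016:13:42:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0"
192.0.2.5 - - [28/Jun/2016:13:43:00 +0000] "GET /user/login HTTP/1.1" 200 18666 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11) Safari/601.6"
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per line that matches the combined format; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def login_hits_by_ua(records, login_path="/user/login"):
    """Map user agent -> Counter of source IPs, counting only requests to the login path."""
    by_ua = defaultdict(Counter)
    for r in records:
        if r["path"] == login_path:
            by_ua[r["ua"]][r["ip"]] += 1
    return by_ua


def flag_distributed(by_ua, min_ips=3, max_hits_per_ip=5):
    """Return {user_agent: sorted IPs} for user agents whose login traffic looks
    distributed: at least min_ips distinct sources, none of them exceeding
    max_hits_per_ip (the 'polite, a few visits per IP' pattern)."""
    flagged = {}
    for ua, ips in by_ua.items():
        if len(ips) >= min_ips and max(ips.values()) <= max_hits_per_ip:
            flagged[ua] = sorted(ips)
    return flagged


def summarize_prefixes(ips, prefixlen=24):
    """Group IPv4 addresses into /prefixlen networks and count sources per network,
    so a few set entries can cover them instead of one firewall rule per address."""
    nets = Counter()
    for ip in ips:
        nets[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return dict(nets)


def analyze(text):
    """Full pipeline: parse -> group by UA -> flag distributed UAs -> summarize prefixes."""
    flagged = flag_distributed(login_hits_by_ua(parse_log(text)))
    return {ua: summarize_prefixes(ips) for ua, ips in flagged.items()}


if __name__ == "__main__":
    for ua, nets in analyze(SAMPLE_LOG).items():
        print(f"Distributed login traffic with user agent: {ua}")
        for net, n in sorted(nets.items()):
            print(f"  {net}: {n} source IP(s)")
```

On the constructed sample, only the shared Firefox user agent is flagged; its four sources collapse into two /24 networks. The prefix summary is a starting point for review, not an automatic block list: a /24 can contain legitimate users, so the thresholds and the decision to block a whole prefix should be checked against normal traffic for the site before being applied.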
  2. 24x7servermanagement

    24x7servermanagement Greenhorn

    #2
You can try with the mod_sec rule or a similar rule. But I would suggest that you give a file name change a try.
     
    24x7servermanagement, Jun 29, 2016 IP
  3. postcd

    postcd Well-Known Member

    #3
I'm not a mod_security expert, but the filename change is an interesting idea; however, this will only tell the attacker that I'm involved, and he will update/begin trying other methods, which is not very effective.
     
    postcd, Jun 29, 2016 IP