Many IPs browsing login page/maybe bruteforce attack, what to do?

Discussion in 'Apache' started by postcd, Jun 28, 2016.

  1. #1
    Hello,
    on the server with Apache are hosted several websites. One website's login form is the target of some kind of distributed attack/bruteforce password cracking.

    I see like 5000 IPs accessing that login page politely, not aggressively. I am sure these are not humans.
    A few visits per IP and slowly growing.

    I can firewall deny manually some subnets like 123.45.*.* etc. and I can also ban many hundreds of IPs directly in the firewall, but I am afraid of high memory usage of the kernel because of too many iptables rules. Is there any better way to prevent server overloading? Like the mod security way; I am running CSF firewall too.

    All visits seem to have the same user agent:
    IPHERE - - [28/Jun/2016:13:41:50 +0000] "GET /user/login HTTP/1.0" 200 18666 "https://MYDOMAIN.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"

    I remember I'm using a mod security rule to block wp-login.php accesses without referrer:
    SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,log,chain,msg:'wp-login request blocked, no referer'"
    SecRule &HTTP_REFERER "@eq 0" "chain"
    SecRule REQUEST_URI "wp-login.php"

    So maybe I can use a similar rule? Or a rule that blocks if there is a match of the mentioned user agent and login URL? Any better way?

    Thank you
     
    Last edited: Jun 28, 2016
    postcd, Jun 28, 2016 IP
  2. 24x7servermanagement

    #2
    You can try with the mod_sec rule or a similar rule. But I will suggest that you can give it a try by doing a file name change.
     
    24x7servermanagement, Jun 29, 2016 IP
  3. postcd

    #3
    I'm not a mod security expert, but the filename change is an interesting idea, but this will only tell the attacker that I'm involved and he will update/begin trying other methods, which is not very effective.
     
    postcd, Jun 29, 2016 IP
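
Added example, not part of the thread or any poster's code: the log line quoted in the first post pairs a Firefox 46 User-Agent with an HTTP/1.0 request, while Firefox sends HTTP/1.1 or newer by default. This Python script counts such login-page hits per IP and groups the offenders into /24 networks so the block list stays short. The regex, function names, sample lines and the /24 grouping are assumptions, and it presumes no proxy in front of Apache rewrites client requests to HTTP/1.0.

```python
import ipaddress
import re
from collections import Counter

# Apache combined log format, as in the log line quoted in the first post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def suspicious_ips(lines, login_path="/user/login"):
    """Count login-page hits that claim a Firefox User-Agent yet speak HTTP/1.0.
    Assumption: no front-end proxy downgrades client requests to HTTP/1.0."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if (m and m["path"].split("?")[0] == login_path
                and m["proto"] == "HTTP/1.0" and "Firefox/" in m["ua"]):
            hits[m["ip"]] += 1
    return hits

def to_networks(ips, prefix=24, min_hosts=2):
    """Group offenders by /prefix (default suits IPv4). Networks holding at least
    min_hosts offenders are returned as CIDRs, the rest as single addresses."""
    by_net = {}
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net.setdefault(net, []).append(ip)
    subnets = sorted(n for n, m in by_net.items() if len(m) >= min_hosts)
    singles = sorted((ip for m in by_net.values() if len(m) < min_hosts for ip in m),
                     key=ipaddress.ip_address)
    return [str(n) for n in subnets], singles

# Constructed sample lines (documentation address ranges, not real traffic).
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
def _line(ip, path, proto):
    return (f'{ip} - - [28/Jun/2016:13:41:50 +0000] "GET {path} {proto}" '
            f'200 18666 "https://example.com/" "{UA}"')
SAMPLE = [
    _line("192.0.2.10", "/user/login", "HTTP/1.0"),
    _line("192.0.2.10", "/user/login", "HTTP/1.0"),
    _line("192.0.2.77", "/user/login", "HTTP/1.0"),
    _line("198.51.100.5", "/user/login", "HTTP/1.0"),
    _line("203.0.113.9", "/user/login", "HTTP/1.1"),  # ordinary browser, not counted
    _line("192.0.2.200", "/about", "HTTP/1.0"),       # not the login page
]

if __name__ == "__main__":
    subnets, singles = to_networks(suspicious_ips(SAMPLE))
    print("subnets:", subnets, "single IPs:", singles)
```

The resulting CIDRs and addresses can be loaded into a single ipset `hash:net` set referenced by one iptables rule (`-m set --match-set`), which avoids one rule per address.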