Here's my thought:
Set a threshold like 30 times in a minute, then block this IP for a few minutes.
But if the attacker forges the source IP address, this could block a legitimate user immediately.
And I'm confused now.
A common way to block brute force attempts on all types of services, including HTTP basic auth, is fail2ban. Bots can't forge a source IP address for a full TCP connection (in your case an HTTP request), so you don't have to worry about that. (See "Are IP addresses 'trivial to forge'?")
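The threshold-and-ban logic described in the question, which is what fail2ban's `maxretry`, `findtime` and `bantime` options implement, as an added Python example (not code from the question or from fail2ban). The log lines, client IPs and the combined-log-format regex are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client IP, ident, user, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class AuthFailureBanner:
    """Ban an IP for `bantime` s once it logged `maxretry` HTTP 401s within `findtime` s."""
    def __init__(self, maxretry=30, findtime=60, bantime=300):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent 401s
        self.bans = {}                       # ip -> ban expiry

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.bans.pop(ip, None)              # missing or expired: not banned
        return False

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a new ban."""
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401":
            return None                      # successes and unparsable lines are ignored
        ip, ts = m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)
        window = self.failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # forget failures older than findtime
        if len(window) >= self.maxretry and not self.is_banned(ip, ts):
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None


def make_sample_log():
    """Constructed log: one client fails 31 times in 31 s, another fails twice, then logs in."""
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    def line(ip, sec, code):
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET /admin HTTP/1.1" {code} 381'
    return ([line("203.0.113.7", i, 401) for i in range(31)]
            + [line("198.51.100.2", 5, 401), line("198.51.100.2", 50, 401),
               line("198.51.100.2", 55, 200)])
```

Feeding `make_sample_log()` through `AuthFailureBanner().feed` bans only 203.0.113.7; the client with two failures and a later successful login is never touched, which is the behaviour the 30-per-minute threshold is meant to give.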