
Here's my thought,

Set a threshold like 30 times in a minute, then block this IP for a few minutes.

But if the attacker forges the source IP address, this could block legitimate users immediately.

And I'm confused now.

daisy

1 Answer


A common way to block brute-force attacks on all types of services, including HTTP basic auth, is fail2ban. Bots can't forge a source IP address for a full TCP connection (in your case an HTTP request), so you don't have to worry about that. (See Are IP addresses "trivial to forge"?)

Gryphius
AFAIK, _fail2ban_ scans logs for offending IP addresses. I'm gonna google it up, but for other googlers... it would be nice to read about it right here: when does it do so? Periodically? Or constantly monitoring the log stream? So, does it get triggered by suspicious activity real-time, as the attack happens, or does it ban the IP when it gets a go of reading the logs, _after the fact_? Thx. – Sz. Jun 10 '19 at 21:48
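The question's threshold idea (N failures per minute, then a temporary block) and the answer's fail2ban approach (scan the web server log for failed logins, ban the offending IP for a while) are the same mechanism. Below is an added, self-contained Python sketch of that mechanism, written for this page; it is not fail2ban's code and not the asker's. It parses constructed Apache/nginx combined-format log lines, keeps a sliding one-minute window of HTTP 401 responses per client IP, bans an IP once it reaches the threshold, and lifts the ban automatically when it expires. The IP addresses, timestamps and thresholds are made up for the example; in a real deployment the ban would be enforced by a firewall rule rather than the in-memory flag used here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))


class AuthFailureBanner:
    """Sliding-window counter of 401 responses per IP with a timed ban (fail2ban-style logic)."""

    def __init__(self, max_failures=30, window=timedelta(minutes=1), ban_time=timedelta(minutes=5)):
        self.max_failures = max_failures
        self.window = window
        self.ban_time = ban_time
        self.failures = defaultdict(deque)  # ip -> timestamps of recent 401s inside the window
        self.banned_until = {}              # ip -> time at which its ban expires
        self.bans = []                      # (ip, time) record of every ban decision taken

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]       # ban expired: lift it and let the counter start fresh
            return False
        return True

    def observe(self, line):
        """Process one log line; returns (ip, verdict) or None for unparseable lines.

        verdict is one of: "banned" (request from an IP under ban), "ok" (non-401),
        "fail" (401 counted, still under threshold), "ban" (threshold reached, ban starts).
        """
        parsed = parse_line(line)
        if parsed is None:
            return None
        ip, ts, status = parsed
        if self.is_banned(ip, ts):
            return ip, "banned"
        if status != 401:
            return ip, "ok"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # drop failures older than the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban_time
            self.bans.append((ip, ts))
            recent.clear()
            return ip, "ban"
        return ip, "fail"


def scan(lines, **banner_options):
    """Run every line through a fresh banner; returns the banner and per-IP verdict lists."""
    banner = AuthFailureBanner(**banner_options)
    verdicts = defaultdict(list)
    for line in lines:
        result = banner.observe(line)
        if result is not None:
            ip, verdict = result
            verdicts[ip].append(verdict)
    return banner, dict(verdicts)


def make_line(ip, ts, status, user="-"):
    # Constructed log line in combined format (sample data, not from a real server).
    return f'{ip} - {user} [{ts.strftime(TS_FMT)}] "GET /admin HTTP/1.1" {status} 381'


def build_sample_log():
    """Constructed sample: one legitimate user with two typos, one bot hammering basic auth."""
    base = datetime(2019, 6, 10, 21, 40, 0, tzinfo=timezone.utc)
    entries = [
        (base + timedelta(seconds=1), make_line("198.51.100.9", base + timedelta(seconds=1), 401)),
        (base + timedelta(seconds=4), make_line("198.51.100.9", base + timedelta(seconds=4), 401)),
        (base + timedelta(seconds=9), make_line("198.51.100.9", base + timedelta(seconds=9), 200, "alice")),
    ]
    # Bot (constructed address from the documentation range): 35 failures, one per second,
    # then one more attempt six minutes later, after the five-minute ban has expired.
    for i in range(35):
        ts = base + timedelta(seconds=i)
        entries.append((ts, make_line("203.0.113.7", ts, 401)))
    late = base + timedelta(minutes=6)
    entries.append((late, make_line("203.0.113.7", late, 401)))
    entries.sort(key=lambda e: e[0])   # log lines arrive in time order
    return [line for _, line in entries]


if __name__ == "__main__":
    banner, verdicts = scan(build_sample_log())
    for ip, banned_at in banner.bans:
        print(f"ban {ip} at {banned_at.isoformat()}")
    print({ip: v.count("banned") for ip, v in verdicts.items()})
```

With the defaults from the question (30 in a minute, then a few minutes' block) the legitimate user never gets near the threshold, the bot is banned on its 30th failure, its next five requests are rejected, and the attempt six minutes later is counted afresh because the ban has lapsed. Real fail2ban does the same counting, but it follows the log file as the server appends to it (its backends include inotify and polling), so bans are applied within seconds of the failures being logged rather than in a later batch run.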