Here's my thought,
Set a threshold like 30 times in a minute, then block this IP for a few minutes.
But If the attacker forge the source IP address, this could block legitimate user immediately.
And I'm confused now.
Asked
Active
Viewed 3,164 times
1 Answers
4
a common way to block brute forces on all types of services, including http basic auth is fail2ban. Bots can't forge a source IP address for a full TCP connection(in your case a HTTP request), you don't have to worry about that. (see Are IP addresses "trivial to forge"? )
-
AFAIK, _fail2ban_ scans logs for offending IP addresses. I'm gonna google it up, but for other googlers... it would be nice to read abou it right here: when does it do so? Periodically? Or constantly monitoring the log stream? So, does it get triggered by suspicious activity real-time, as the attack happens, or does it ban the IP when it gets a go of reading the logs, _after the fact_? Thx. – Sz. Jun 10 '19 at 21:48