2

Currently, one of my websites is being subjected to a brute force login attempt. The problem is that it is coming from multiple IP sources. I have a system that auto-bans an IP after 3 attempts, and so far the attacker has tried (and been banned on) 800 different IPs. I am not really worried about the username/password list he is using, since I can see it as the attempts come in, but I guess my only worry is system resources.

Still being somewhat new to this kind of thing, I am not sure if I have any other options. Is there anything else you can do against this kind of attack?

The server is running CentOS 6.

HopelessN00b
JJd

2 Answers

3

As I understand it, you can detect these attacks only on the application layer (HTTP).

I recommend using modsecurity for detection and blocking on this layer; it can also generate dynamic blocks, block requests for some time, run external commands (e.g. add a rule to iptables), etc.

Modsecurity will be the most effective solution for detection; regarding blocking, you need to block the requests on the firewall.

Some block requests with fail2ban, but from my personal point of view it's ineffective.

GioMac
  • I've used fail2ban to successfully block attacks on web forms that came from several thousand (presumably compromised) IP addresses. – user9517 Sep 03 '13 at 06:26
  • Yep, me too (I was), but I don't like how it works, parsing all the access logs. – GioMac Sep 03 '13 at 06:28
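The dynamic, time-limited blocking that GioMac's answer refers to looks like this in ModSecurity 2.x. This is an added example, not code from the answer or from the ModSecurity project: it keeps a persistent per-client-IP collection, counts failed logins, and denies that address for a while once it crosses a threshold. The login URL (/login), the failure status code (401), the collection directory, the rule IDs and the thresholds are all assumptions; change them to match the application being attacked.

```apache
# Added example of ModSecurity 2.x dynamic blocking (not from the original answer).
# Assumptions: the login form is POSTed to /login and a failed login returns 401.
# Paths, thresholds and rule IDs below are placeholders.

SecRuleEngine On

# Directory for persistent collections; must exist and be writable by the httpd user.
SecDataDir /var/lib/mod_security

# Phase 1: open (or create) the persistent collection keyed by the client address.
SecAction "phase:1,id:100010,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Phase 1: if this address was flagged earlier and the flag has not expired yet,
# refuse the request before it reaches the application at all.
SecRule IP:BLOCKED "@eq 1" \
    "phase:1,id:100011,deny,status:403,log,msg:'Client blocked after repeated failed logins'"

# Phase 5 (logging): count one failure when a POST to the login URL produced a 401.
# The counter expires 10 minutes after its last update, so the state is dynamic
# and nothing accumulates for addresses that stop trying.
SecRule REQUEST_METHOD "@streq POST" "phase:5,id:100012,chain,nolog,pass"
    SecRule REQUEST_URI "@beginsWith /login" "chain"
        SecRule RESPONSE_STATUS "@streq 401" \
            "setvar:ip.failed=+1,expirevar:ip.failed=600"

# Phase 5: at the third failure, set the block flag for 15 minutes and reset the counter.
SecRule IP:FAILED "@ge 3" \
    "phase:5,id:100013,pass,log,msg:'Login brute force from %{REMOTE_ADDR}, blocking',\
    setvar:ip.blocked=1,expirevar:ip.blocked=900,setvar:!ip.failed"
```

Two caveats for the situation in the question. First, the block above still costs a request's worth of Apache work per attempt; for a firewall-level block, which is what the answer recommends, the same rule can add an `exec` action that hands the address to an external script (for example one that inserts an iptables rule), and the script's interface is not shown here. Second, a per-IP threshold does nothing against an attacker who spreads attempts over hundreds of addresses, as the asker describes; the same collection mechanism can be keyed on the targeted username instead of `REMOTE_ADDR` so that the account, not the source, is what gets rate-limited.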
0

If they start coming at a rate where the attack is more of a DDoS than a brute force, I would start blocking ranges of IPs in the firewall.

The problem with DDoS attacks is that you can't do much about them except start filtering large ranges of IPs (that I know of). I guess the main problem with such an attack is that the sources are often hacked computers belonging to "normal" people, resulting in a tricky filtering situation.

Coming from the IRC community, we often had to pull the network cable on a server while kids attacked it.

PS: It was a couple of years ago that I had to deal with this, and maybe there is a more clever way to bounce DDoS attacks these days. :-)

Qben