
I would like to stop attacks against some users' WordPress installations on my server.

This is an example of an attack:

91.208.65.12 - - [20/Oct/2015:10:33:08 +0200] "POST /wp-login.php HTTP/1.0" 403 1317 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:08 +0200] "POST /wp-login.php HTTP/1.0" 200 4114 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:09 +0200] "POST /wp-login.php HTTP/1.0" 200 4114 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:09 +0200] "POST /wp-login.php HTTP/1.0" 200 4114 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:09 +0200] "POST /wp-login.php HTTP/1.0" 200 4114 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:09 +0200] "POST /wp-login.php HTTP/1.0" 403 1317 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:09 +0200] "POST /wp-login.php HTTP/1.0" 200 4114 "-" "-"

As you can see, there is a 403 response from time to time, but the attacker can continue the attacks on the next request.

This is the output of cat /etc/apache2/conf.d/mod_evasive.conf:

DOSEmailNotify   myaddress@example.com

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 5
DOSSiteInterval 1
DOSBlockingPeriod    300
DOSLogDir           "/var/log/mod_evasive"
DOSSystemCommand "sudo /usr/local/bin/ddos_system.sh %s"

In my log-directory there are some entries:

-rw-r--r--  1 www-data www-data    6 Okt 20 10:36 dos-176.148.93.14
-rw-r--r--  1 www-data www-data    6 Okt 20 10:30 dos-176.31.49.45
-rw-r--r--  1 www-data www-data    6 Okt 20 10:31 dos-192.163.238.218
-rw-r--r--  1 www-data www-data    6 Okt 20 10:30 dos-66.135.55.206
-rw-r--r--  1 www-data www-data    6 Okt 20 10:36 dos-79.249.19.235
-rw-r--r--  1 www-data www-data    6 Okt 20 10:32 dos-85.93.30.190
-rw-r--r--  1 www-data www-data    6 Mai  2 22:02 dos-85.93.3.55
-rw-r--r--  1 www-data www-data    6 Okt 20 10:33 dos-89.40.221.197
-rw-r--r--  1 www-data www-data    6 Okt 20 10:30 dos-91.208.65.12

An example of the content of these entries:

cat dos-176.148.93.14
20774

Well, my question is: How can I block these attackers for a longer time and how can I improve my mod_evasive configuration?

MyFault
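
An added example, not part of the original question: a log check that counts, per client, how many POSTs to /wp-login.php were still answered normally after that client's first 403, and flags clients that exceed a request threshold. The function name `analyse` and the thresholds `max_hits` and `window` are assumptions; the sample lines are the ones quoted in the question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The seven access-log lines quoted in the question.
SAMPLE_LOG = """\
91.208.65.12 - - [20/Oct/2015:10:33:08 +0200] "POST /wp-login.php HTTP/1.0" 403 1317 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:08 +0200] "POST /wp-login.php HTTP/1.0" 200 4114 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:09 +0200] "POST /wp-login.php HTTP/1.0" 200 4114 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:09 +0200] "POST /wp-login.php HTTP/1.0" 200 4114 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:09 +0200] "POST /wp-login.php HTTP/1.0" 200 4114 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:09 +0200] "POST /wp-login.php HTTP/1.0" 403 1317 "-" "-"
91.208.65.12 - - [20/Oct/2015:10:33:09 +0200] "POST /wp-login.php HTTP/1.0" 200 4114 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def analyse(log_text, max_hits=5, window=timedelta(seconds=60)):
    """Per-client statistics for POSTs to /wp-login.php (thresholds are assumed)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats.setdefault(m["ip"], {"hits": 0, "blocked": 0,
                                       "passed_after_block": 0, "flagged": False})
        s["hits"] += 1
        if m["status"] == "403":
            s["blocked"] += 1
        elif s["blocked"]:
            # Answered normally although this client had already drawn a 403.
            s["passed_after_block"] += 1
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_hits:
            s["flagged"] = True  # candidate for a longer block
    return stats


if __name__ == "__main__":
    for ip, s in analyse(SAMPLE_LOG).items():
        print(ip, s)
```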
