I have an AWS EC2 Ubuntu instance with an NGINX server configured to listen on IP address 50.0.0.1 (example) on port 80.
I have a login page in index.php. I want to configure nginx for brute force detection and prevention (active blocking) for this page.
But if a client end node is hiding behind a NAT, as shown in my architecture (Architecture), then according to my simple script, which blocks IP addresses after 5 unsuccessful attempts, the IP 1.2.3.4 (refer to Architecture) gets blocked, so the other legitimate users sharing the IP 1.2.3.4 with the attacker are also blocked.
Is there any way I can block only the attacker's requests and not other legitimate requests? Some solutions that come to mind are:
- Blocking the IP/source-port combination instead of only the IP, but the attacker can randomize source ports for each request.
- Implementing a STUN server or TURN server.
What can be the best solution to achieve this?
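As an added illustration of the problem described in the question (example code written for this page, not the asker's script), the counter below runs over constructed access-log lines for the `index.php` login page and keys the 5-failure threshold either on the client IP alone or on the IP/source-port pair. It assumes a custom nginx `log_format` that writes the client as `$remote_addr:$remote_port` and a 401 status as the failed-login marker; the run shows the per-IP key blocking the legitimate user behind the shared NAT address, and the per-port key blocking nobody once the attacker varies the source port.

```python
import re
from collections import Counter

THRESHOLD = 5  # failed attempts after which the question's script blocks

# Constructed sample lines (assumed log_format "$remote_addr:$remote_port ...").
# Lines 1-5: five failed logins from one NAT address with changing source ports.
# Line 6: a legitimate user behind the same NAT, who succeeds.
LOG = """\
1.2.3.4:40001 - - [01/Jan/2024:10:00:01 +0000] "POST /index.php HTTP/1.1" 401 12
1.2.3.4:40002 - - [01/Jan/2024:10:00:02 +0000] "POST /index.php HTTP/1.1" 401 12
1.2.3.4:40003 - - [01/Jan/2024:10:00:03 +0000] "POST /index.php HTTP/1.1" 401 12
1.2.3.4:40004 - - [01/Jan/2024:10:00:04 +0000] "POST /index.php HTTP/1.1" 401 12
1.2.3.4:40005 - - [01/Jan/2024:10:00:05 +0000] "POST /index.php HTTP/1.1" 401 12
1.2.3.4:51000 - - [01/Jan/2024:10:00:06 +0000] "POST /index.php HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>[\d.]+):(?P<port>\d+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\w+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)

def failed_logins(log):
    """Yield (ip, port) for each failed POST to the login page."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m['method'] == 'POST' and m['path'] == '/index.php' \
                and m['status'] == '401':
            yield m['ip'], int(m['port'])

def blocked_keys(log, key):
    """Keys (as chosen by `key`) that reached THRESHOLD failed logins."""
    counts = Counter(key(ip, port) for ip, port in failed_logins(log))
    return {k for k, n in counts.items() if n >= THRESHOLD}

def is_blocked(client_ip, client_port, blocked, key):
    return key(client_ip, client_port) in blocked

by_ip = lambda ip, port: ip                 # the asker's current approach
by_ip_port = lambda ip, port: (ip, port)    # the IP/source-port alternative

if __name__ == "__main__":
    for name, key in (("ip", by_ip), ("ip+port", by_ip_port)):
        blocked = blocked_keys(LOG, key)
        legit = is_blocked("1.2.3.4", 51000, blocked, key)
        print(f"key={name}: blocked={blocked} legit_user_blocked={legit}")
```

With the IP-only key the whole NAT address is blocked, so the legitimate user at 1.2.3.4:51000 is collateral damage; with the IP/port key nothing is blocked, because every failed attempt arrived on a different source port, which is exactly the weakness the question points out.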