
I have an AWS EC2 Ubuntu instance with an NGINX server configured to listen on IP address 50.0.0.1 (example) on port 80.

I have a login page in index.php. I want to configure nginx for brute force detection and prevention (active blocking) for this page.

But if a client end node is hiding behind a NAT, as shown in my architecture diagram, my simple script (which blocks IP addresses after 5 unsuccessful attempts) blocks the IP 1.2.3.4 (refer to the diagram), so the other legitimate users sharing the IP 1.2.3.4 with the attacker also get blocked.

Is there any way I can block only the attacker's requests and not other legitimate requests? Some solutions that come to mind are:

  • Blocking the IP/source-port combination instead of only the IP, but the attacker can randomize the source port for each request.
  • Implementing a STUN server or TURN server

What can be the best solution to achieve this?

Akki

1 Answer


Unless there is some specific fingerprint for each attack request (which is unlikely since they want to hide themselves), you cannot do anything except rate limiting, which also affects all legitimate clients.

Tero Kilkanen
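The following is an added example, not code from the question or the answer. It replays constructed NGINX-style access log lines through a small sliding-window failure counter to show the two points above in practice: a block keyed on the client IP alone (the asker's 5-attempt script) also hits the legitimate user behind the same NAT address, while keying the tight limit on the (IP, account) pair spares that user; and that the narrower key is only as good as the fingerprint it relies on, because an attacker rotating usernames falls back onto the looser per-IP limit, which again affects everyone behind the NAT, exactly as the answer warns. The log format (epoch timestamp, request, status, and a `user=` field holding the posted account name) is an assumption made for this example, as are all addresses and names.

```python
"""Added example: failed-login rate limiting keyed on IP vs. (IP, account).

Assumed (hypothetical) log_format per line:
    $remote_addr $epoch_seconds "$request" $status user=$posted_account
"""
import re
from collections import defaultdict, deque

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) user=(?P<user>\S*)$'
)

# Constructed sample: an attacker behind NAT address 1.2.3.4 fails against
# "alice" six times; "bob" behind the same NAT then logs in successfully;
# "carol" from an unrelated address fails once.
SAMPLE_LOG = """\
1.2.3.4 100 "POST /index.php HTTP/1.1" 401 user=alice
1.2.3.4 101 "POST /index.php HTTP/1.1" 401 user=alice
1.2.3.4 102 "POST /index.php HTTP/1.1" 401 user=alice
1.2.3.4 103 "POST /index.php HTTP/1.1" 401 user=alice
1.2.3.4 104 "POST /index.php HTTP/1.1" 401 user=alice
1.2.3.4 105 "POST /index.php HTTP/1.1" 401 user=alice
1.2.3.4 106 "POST /index.php HTTP/1.1" 200 user=bob
5.6.7.8 107 "POST /index.php HTTP/1.1" 401 user=carol
"""


class LoginGuard:
    """Sliding-window failure counter; key_fn decides what a failure is charged to."""

    def __init__(self, threshold, window_seconds, key_fn):
        self.threshold = threshold
        self.window = window_seconds
        self.key_fn = key_fn
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return q

    def is_blocked(self, ip, user, now):
        return len(self._recent(self.key_fn(ip, user), now)) >= self.threshold

    def record_failure(self, ip, user, now):
        self._recent(self.key_fn(ip, user), now).append(now)


def replay(log_text, guards):
    """Run login requests through the guards; any guard may block a request.

    Returns (timestamp, ip, user, "allowed"|"blocked") per login request.
    """
    outcomes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != "/index.php":
            continue  # only the login page is rate limited
        ip, user, ts, status = m["ip"], m["user"], int(m["ts"]), int(m["status"])
        if any(g.is_blocked(ip, user, ts) for g in guards):
            outcomes.append((ts, ip, user, "blocked"))
            continue
        if status == 401:  # a failed login is charged to every guard's key
            for g in guards:
                g.record_failure(ip, user, ts)
        outcomes.append((ts, ip, user, "allowed"))
    return outcomes


def per_ip_only():
    """The asker's scheme: 5 failures from one IP block that whole IP (and its NAT)."""
    return replay(SAMPLE_LOG, [LoginGuard(5, 600, lambda ip, user: ip)])


def layered_guards():
    # Tight limit on the (IP, account) pair; looser per-IP safety net behind it.
    return [
        LoginGuard(5, 600, lambda ip, user: (ip, user)),
        LoginGuard(20, 600, lambda ip, user: ip),
    ]


def per_ip_and_account():
    return replay(SAMPLE_LOG, layered_guards())


def rotating_usernames_log(n, ip="1.2.3.4"):
    """Constructed log: n failures against n different accounts from one NAT
    address, followed by a legitimate login from the same address."""
    lines = [f'{ip} {100 + i} "POST /index.php HTTP/1.1" 401 user=acct{i}' for i in range(n)]
    lines.append(f'{ip} {100 + n} "POST /index.php HTTP/1.1" 200 user=bob')
    return "\n".join(lines) + "\n"


def rotating_attacker(n):
    """Shows the per-account key being evaded: the per-IP net catches the
    attacker only once n reaches 20, and then it catches bob too."""
    return replay(rotating_usernames_log(n), layered_guards())


if __name__ == "__main__":
    for name, fn in (("per IP only", per_ip_only), ("per IP + account", per_ip_and_account)):
        print(name)
        for ts, ip, user, verdict in fn():
            print(f"  t={ts} {ip:8} {user:6} {verdict}")
    print("rotating usernames, 20 attempts -> bob:", rotating_attacker(20)[-1][3])
```

Inside NGINX the equivalent building block is `limit_req_zone`, normally keyed on `$binary_remote_addr`, which has the same per-IP blast radius as `per_ip_only` above; keying the zone on a cookie or similar value only helps when the attacker cannot simply change it, which is the fingerprint the answer says is unlikely to exist.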