Greetings. I'm looking for some help regarding brute force attacks that specify certain usernames associated with the server's various services. For example, for the past 24 hours some a**hole has been continually trying to log in to these usernames:
vyatta
PIcmSpIp
ubnt
Nothing else, just those three. But, repeatedly every few minutes over the past 24 hours and using different IPs through proxy servers around the globe for each one. So, blocking the IP is worthless against this and so is blocking the country.
I have CPHulk Brute Force protection activated which is catching all these. Plus, CSF installed as well.
I'm a believer in preventive tactics. This is not the first attempt at some of these server services but it is the most consistent. While writing this I just received two more notifications:
5 failed login attempts to account ubnt (system) -- Large number of attempts from this IP: 85.25.195.189
Reverse DNS: astra1636.startdedicated.net
Origin Country: Germany (DE)
5 failed login attempts to account ubnt (system) -- Large number of attempts from this IP: 207.106.176.151 Origin Country: United States (US)
As you can see, same username attempted but completely different sources. These came 2 minutes apart.
My question is this. Is there a way via modsecurity rules or other method to immediately 'ban' someone who attempts to log in under those names regardless of the number of attempts? Essentially a 'rule' that would detect that as a protected username and immediately throw a 401 page?
Or, some other example of how we can make it less worthwhile for these bozos to keep trying? As it is right now, there's nothing stopping this guy from just continuing forever. It's obvious he's running some automated program (most likely) but if he keeps getting slammed with 401's then maybe (hopefully) he'll move on to someone else.
Is there such a thing? Any help would be GREATLY appreciated! Thanks in advance.
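One way to implement the "ban on the first attempt at a protected username" idea from the post, as an added example that is not part of the original post: it scans log lines for the three usernames above and emits CSF permanent-deny commands for every source IP that tried one, with no attempt threshold. It assumes sshd-style "Failed password" lines and the cPHulk notification format quoted in the post; the sample lines are constructed.

```python
import re
from typing import Iterable

# Usernames the poster sees being targeted; no legitimate user should ever log in as these.
WATCHLIST = {"vyatta", "PIcmSpIp", "ubnt"}

# Two line shapes: a standard sshd failure and the cPHulk notice quoted in the post.
SSHD_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
CPHULK_RE = re.compile(r"failed login attempts to account (?P<user>\S+) .*?from this IP: (?P<ip>[\d.]+)")


def first_hit_offenders(lines: Iterable[str], watchlist=WATCHLIST) -> dict:
    """Return {ip: username} for every source that tried a watchlisted name at all.
    A single attempt is enough; there is no counter to wait for."""
    offenders = {}
    for line in lines:
        m = SSHD_RE.search(line) or CPHULK_RE.search(line)
        if m and m.group("user") in watchlist:
            offenders.setdefault(m.group("ip"), m.group("user"))
    return offenders


def csf_deny_commands(offenders: dict) -> list:
    """Build the csf permanent-deny commands an admin would run: csf -d IP "comment"."""
    return [f'csf -d {ip} "watchlist user {user}"' for ip, user in sorted(offenders.items())]


# Constructed sample input: sshd-style lines plus a cPHulk notice in the post's format.
SAMPLE_LINES = [
    "Jan 10 03:12:01 host sshd[1234]: Failed password for invalid user ubnt from 85.25.195.189 port 51234 ssh2",
    "Jan 10 03:12:40 host sshd[1240]: Failed password for alice from 192.0.2.10 port 51300 ssh2",
    "5 failed login attempts to account ubnt (system) -- Large number of attempts from this IP: 207.106.176.151",
    "Jan 10 03:14:02 host sshd[1250]: Failed password for invalid user vyatta from 198.51.100.7 port 51999 ssh2",
]

if __name__ == "__main__":
    for cmd in csf_deny_commands(first_hit_offenders(SAMPLE_LINES)):
        print(cmd)
```

Because the sources rotate, the deny list will keep growing; the point of the zero threshold is that each new source is cut off on its first probe rather than after cPHulk's count is reached.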