Brute Force Attack Using Specific Server Services Usernames

Greetings. I'm looking for some help regarding brute force attacks that specify certain usernames associated with the server's various services. For example, for the past 24 hours some a**hole has been continually trying to log in to these usernames:

vyatta
PIcmSpIp
ubnt

Nothing else, just those three. But, repeatedly every few minutes over the past 24 hours and using different IP's through proxy servers around the globe for each one. So, blocking the IP is worthless against this and so is blocking the country.

I have CPHulk Brute Force protection activated which is catching all these. Plus, CSF installed as well.

I'm a believer in preventive tactics. This is the not the first attempt at some of these server services but it is the most consistent. While writing this I just received two more notifications:

5 failed login attempts to account ubnt (system) -- Large number of attempts from this IP: 85.25.195.189

Reverse DNS: astra1636.startdedicated.net

Origin Country: Germany (DE)

5 failed login attempts to account ubnt (system) -- Large number of attempts from this IP: 207.106.176.151 Origin Country: United States (US)

As you can see, same username attempted but completely different sources. These came 2 minutes apart.

My questions is this. Is there a way via modsecurity rules or other method to immediate 'ban' someone who attempts to log in under those names regardless of the number of attempts? Essentially a 'rule' that would detect that as a protected username and immediately throw a 401 page?

Or, some other example of how we can make it less worthwhile for these bozos to keep trying? As it is right now, there's nothing stopping this guy from just continuing forever. It's obvious he's running some automated program (most likely) but if he keeps getting slammed with 401's then maybe (hopefully) he'll move on to someone else.

Is there such a thing? Any help would be GREATLY appreciated! Thanks in advance.

 

Thanks for your response! I pretty much felt the same way, that it's just some bot bouncing around until it runs its course. However, I can't help but think that somehow some way they'll eventually have success even though the possibility is unlikely. Call it paranoia as we've been successfully hacked before and it sucked royally.

So, if there's no real way to protect the 'system' with the exceptions of brute force prevention, CSF and also we've deployed the Host Access Control in WHM, then we'll just have to let those do the work.