Multiple IP Brute Force Login Attack CentOS 6


Currently, one of my websites is being subject to a brute force login attempt. The problem is that it is coming from multiple IP sources. I have a system that auto-bans an IP after 3 attempts and so far the attacker has tried/banned 800 different IPs. I am not really worried about the username/password list he is using since I can see it as they come in, but I guess my only worry is system resources.

Still being somewhat new to this kind of thing, I am not sure if I have any other options. Is there anything else you can do against this kind of attack?

Server is running CentOS 6

Best Answer

As I understand it, you can detect attacks only at the application layer (HTTP).

I recommend using ModSecurity for detection and blocking at this layer; it can also generate dynamic blocks, block requests for some time, run external commands (i.e. add a rule to iptables), etc.

ModSecurity will be the most effective solution for detection; regarding blocking, you need to block requests on the firewall.

Some block requests with fail2ban, but from my personal point of view it's ineffective.
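The following is an added example, not part of the original answer and not ModSecurity's own logic: application-layer detection over access-log lines showing why a per-IP limit of 3 never trips when each source stays under it, while a count of distinct failing sources in a sliding window does. It assumes the login form is `POST /login` and that a failed login returns 401; the log lines, function names and thresholds are constructed for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Matches the start of an Apache-style access log line: ip, timestamp, method, path, status.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def failed_logins(lines, path="/login", fail_status="401"):
    """Yield (timestamp, ip) for each failed login (assumed: POST to `path` answered 401)."""
    for line in lines:
        m = LINE.match(line)
        if m and m.group(3) == "POST" and m.group(4) == path and m.group(5) == fail_status:
            yield datetime.strptime(m.group(2), TS_FMT), m.group(1)

def per_ip_offenders(lines, limit=3):
    """IPs that reach `limit` failures: the per-source ban described in the question."""
    counts = Counter(ip for _, ip in failed_logins(lines))
    return {ip for ip, n in counts.items() if n >= limit}

def distributed_alerts(lines, window=timedelta(minutes=5), min_sources=10):
    """Timestamps at which failures inside the sliding window came from
    at least `min_sources` distinct IPs. Expects lines in time order."""
    recent, alerts = deque(), []
    for ts, ip in failed_logins(lines):
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len({src for _, src in recent}) >= min_sources:
            alerts.append(ts)
    return alerts

def sample_log():
    """Constructed log: one normal request, then 12 sources with 2 failed logins each."""
    lines = ['198.51.100.7 - - [01/Jan/2024:11:59:50 +0000] "GET / HTTP/1.1" 200']
    for n in range(24):
        ip = f"203.0.113.{n % 12 + 1}"
        stamp = f"01/Jan/2024:12:{n // 12:02d}:{(n % 12) * 5:02d} +0000"
        lines.append(f'{ip} - - [{stamp}] "POST /login HTTP/1.1" 401')
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("per-IP offenders:", per_ip_offenders(log))
    print("first distributed alert:", distributed_alerts(log)[0])
```

An alert from the distinct-source counter is a signal to throttle or challenge the login endpoint as a whole, since banning individual addresses does not keep pace with a rotating source pool.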
