Brute Force, Same User, All Different IPs

  • Hello there,

    I am experiencing a constant failed login attempt from a spam (now deleted) username from all different IPs. This isn’t a threat I suppose, just an annoyance and waste of resources.

    I am using CloudFlare & Fail2Ban. The server runs high from time to time and I get notifications when it does.

    Any advice on what else I could do? Should I just get over it?

    I’d be interested in something that targets this specific username – for example if someone attempts to login with “exampleuser” then their IP gets auto blocked or a dinosaur shows up on their screen. ^_^

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    Jetpack has a “Brute Force Attack Protection” option. Basically, this relays sign in attempts to the WordPress.com servers, where they can monitor all those attempts and pre-emptively block them from your site (as well as everybody else’s). Sort of a distributed bot block protection thing. It works fairly well, although it won’t much reduce your server load.

    I have not used WordFence in awhile but I seem to recall it will block logins by specific username.

    Or … You could try using a CloudFlare page rule to block bad login bots at the reverse proxy so they don’t even hit your server. This is what I use …
    *mysite.com/wp-login*
    Browser Integrity Check: On, Security Level: I’m Under Attack, Cache Level: Bypass

    If you’re out of page rules a firewall rule should also work. I have not done it this way but I think it would be something like (again – I have not tested this) …
    Field: URI Full
    Operator: contains
    Value: mysite.com/wp-login
    Action: JS Challenge

    Thread Starter ckheaton

    (@ckheaton)

    Thank you both! @otto42 This site unfortunately already has the Jetpack Brute Force Protection enabled and Akismet too.

    I used to use WangGuard with great success on user management in general, haven’t found anything comparable since the service went down.

    I’ll try the Cloud Flare page rule for bots – that seems like it should help block more than this one persistent username… either way I’ll know within 48 hours and will let you know!

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Brute Force, Same User, All Different IPs’ is closed to new replies.