Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

For the last four months I have been noticing a large number of bots trying to brute force WordPress on domains that do not run WordPress.
They use a very little-known Perl web framework that has a login of its own (with absolutely no brute force protection in any way, unless you count captcha), but since the brute force was just for WordPress the Perl systems are left unscathed.

The first course of action was to ban it from the sites; that was easy. But after a few months of reviewing the logs and finding this IP constantly trying the same thing, well, that made me a little mad, so I started redirecting this IP to a 34 terabyte file. That slowed its requests to about 8 per day instead of 50 a day.
When I searched the IP to find out more information, there were a few reports that the reason they try to brute force WordPress is to hold the website for ransom.

I don't expect any of your answers to be like mine (how to slow brute force with spam), but redirecting the IP to another server with a huge file did increase the resources of the servers that were being attacked.

Ideally I would like a solution that could slow the brute force requests and reduce the load the attacks have on the servers.
Could sleep(9000000); work better?
Could captcha in the login form be reliable enough to stop brute force ?

Re: Help stop brute force
by haukex (Archbishop) on May 20, 2016 at 13:36 UTC

    Hi Anonymous,

    If it's always the same IP, then you should definitely talk to your ISP about blocking it before it even reaches your server. Stopping it at that layer is much more efficient.

    Since you say you're already capable of redirecting the attacker's IP, redirecting it to as small a file as possible should reduce your bandwidth consumption. Also, 50 times a day isn't really that much; I've had a far worse number of requests on one of my servers. And if the attacker isn't getting anywhere with their attempts, then the only thing to worry about is the attacker getting smarter :-)

    Hope this helps,
    -- Hauke D

Re: Help stop brute force
by FreeBeerReekingMonk (Deacon) on May 20, 2016 at 18:42 UTC
    Don't get angry at the originating machine. Usually it is part of a botnet. Sometimes it is a grandma with an infected machine, sometimes a paid blade in an obscure land, very occasionally a script kiddie running things locally.

    This is why I recommend not bothering others (those with 34Gb files) nor redirecting to government agencies.

    Certainly keeping the thread alive and not responding is a way of retaliating, but the other side does not care. As such, detecting and dropping the communication is the best way to go forward...

    I do not know your OS, nor your firewall availability (can you install one?). You can search, for example, for "iptables block ip".

    In the past, I used snort successfully, but it seems to be deeply dethroned... it might also be too complex for what you want.

    You want:

    1. To automatically detect you are being brute forced
    2. To add a firewall rule to drop all traffic from that IP address

    Just detect that you are being brute forced (either with a grep in your log or directly through the Perl web server software, if you are allowed to modify it). Then run a command to add the IP to the firewall rules. Make sure it is not your own IP address...

    Other options:

    Now, usually these bots do a port sweep first. You can try a reverse port-knocking scheme: if an IP address accesses/sniffs a certain port... deny access to it for a certain period of time.

    If you have more time, you might entertain a honeypot (simulate access to the WP). I assume that once they have the password, they stop brute forcing? Only they will then repeatedly send email to your host (the ransom note)... not sure if you want that...

    Tell us more about your setup so we can suggest software and options.
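A concrete version of the two steps above (detect the brute force, then add a drop rule), written for this page as an added example and not code from the thread or from any of its posters: it parses Apache/nginx combined-format access log lines, counts POSTs to the WordPress login endpoints per client IP in a sliding window, and builds (but does not run) the iptables command for every IP over the threshold, refusing addresses on an allowlist of your own. The threshold, the window, the target paths, the allowlist and the sample log lines are all assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not from the thread.  Detect WordPress login brute forcing
# in combined-format access logs and build the iptables command to drop the
# source.  All constants below are assumptions chosen for the example.
use strict;
use warnings;
use Time::Local qw(timegm);

my $THRESHOLD = 10;    # this many login POSTs from one IP ...
my $WINDOW    = 600;   # ... within this many seconds gets the IP flagged
my %TARGETS   = map { $_ => 1 } qw(/wp-login.php /xmlrpc.php);
# Addresses that must never be blocked (your own).  Placeholder values.
my %OWN_IPS   = map { $_ => 1 } qw(203.0.113.10 127.0.0.1);

my %MON = (Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
           Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11);

# Parse one combined-format line.  Returns (ip, epoch, method, path, status)
# or an empty list if the line does not match.
sub parse_line {
    my ($line) = @_;
    my ($ip, $d, $mon, $y, $H, $M, $S, $tz, $method, $path, $status) =
        $line =~ m{
            ^(\S+) \s \S+ \s \S+ \s
            \[(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) \s ([+-]\d{4})\] \s
            "(\S+) \s (\S+) \s [^"]*" \s (\d{3})
        }x or return;
    return unless exists $MON{$mon};
    my $epoch = timegm($S, $M, $H, $d, $MON{$mon}, $y);
    # The log timestamp is local time; convert to UTC using its offset.
    my $sign = substr($tz, 0, 1) eq '-' ? -1 : 1;
    $epoch -= $sign * (substr($tz, 1, 2) * 3600 + substr($tz, 3, 2) * 60);
    return ($ip, $epoch, $method, $path, $status);
}

# Sliding-window counter over chronologically ordered log lines.
# Returns the sorted list of IPs that exceeded $THRESHOLD within $WINDOW.
sub find_brute_forcers {
    my @lines = @_;
    my (%hits, %flagged);
    for my $line (@lines) {
        my ($ip, $t, $method, $path, $status) = parse_line($line) or next;
        next unless $method eq 'POST' && $TARGETS{$path};
        push @{ $hits{$ip} }, $t;
        # Drop timestamps older than the window; the newest one always stays.
        shift @{ $hits{$ip} } while $hits{$ip}[0] < $t - $WINDOW;
        $flagged{$ip} = 1 if @{ $hits{$ip} } >= $THRESHOLD;
    }
    return sort keys %flagged;
}

# Build the firewall command as an argument list (for list-form system(),
# which bypasses the shell).  Refuses own addresses and anything that is
# not a plain IPv4 literal, so log content can never become shell input.
sub block_command {
    my ($ip) = @_;
    die "refusing to block own address $ip\n" if $OWN_IPS{$ip};
    die "not an IPv4 address: $ip\n"
        unless $ip =~ /^(?:\d{1,3}\.){3}\d{1,3}$/;
    return ('iptables', '-I', 'INPUT', '-s', $ip, '-j', 'DROP');
}

# Constructed sample log (not real traffic): 198.51.100.7 posts to
# wp-login.php every five seconds; 192.0.2.44 makes two ordinary requests.
my @sample = map {
    sprintf('198.51.100.7 - - [20/May/2016:13:%02d:%02d +0000] '
          . '"POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
            int($_ / 60), $_ % 60)
} map { $_ * 5 } 0 .. 11;
push @sample,
    '192.0.2.44 - - [20/May/2016:13:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    '192.0.2.44 - - [20/May/2016:13:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.47.0"';

unless (caller) {
    for my $ip (find_brute_forcers(@sample)) {
        my @cmd = block_command($ip);
        print "would run: @cmd\n";
        # To actually block: system(@cmd) == 0 or warn "iptables failed: $?";
        # Run as root, and keep the command in list form so $ip is never
        # interpreted by a shell.
    }
}
```

Run against a real log, the script would feed `tail -F` output or a periodic `grep` of the access log into `find_brute_forcers`; the `%OWN_IPS` check is the "make sure it is not your own IP address" step from the post, and the strict IPv4 match before anything reaches `iptables` matters because the address comes straight out of attacker-controlled log lines.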

Re: Help stop brute force
by afoken (Chancellor) on May 20, 2016 at 16:17 UTC

    If you know the IP, and it does not change, simply block it at the OS level, i.e. add a firewall rule to drop all requests from the malicious IP.

    If you have no clue of what I wrote, contact the technical support of your hoster.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re: Help stop brute force
by akanai (Novice) on May 20, 2016 at 17:26 UTC
    Do not use sleep(). It can easily lead to a DoS attack.