Don't get angry at the originating machine. Usually it is part of a botnet. Sometimes a grandma with an infected machine, sometimes a paid blade in an obscure land. Very occasionally a script kiddie running things locally.

This is why I recommend not bothering others (those with 34Gb files) nor redirecting to government agencies.

Certainly keeping the thread alive and not responding is a way of retaliating, but the other side does not care. As such, detecting and dropping communications is the best way to go forward...

I do not know your OS, nor your firewall availability (can you install one?). You can search, for example, for "iptables block ip".

In the past, I used snort successfully, but it seems to be deeply dis-troned... it might be also too complex for what you want.

You want:

1. To automatically detect you are being brute forced
2. To add a firewall rule to drop all traffic from that IP address

Just detect you are being brute forced (either a grep in your log or directly through the perl webserver software, if you are allowed to modify it). Then run a command to add the IP to the firewall rules. Make sure it is not your own IP address...
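As an added example (not the original poster's code), a small Perl script that does both steps against constructed sample log lines: count failed login POSTs per source IP, skip your own whitelisted IP, and emit the iptables DROP command. The wp-login.php path, the "200 means the form was re-shown, so the attempt failed" heuristic, the threshold and the sample addresses are all assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample access-log lines (not from a real server): one IP hammers
# the login endpoint, one legitimate client logs in once and is redirected.
my @log_lines = (
    '203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [10/Oct/2023:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [10/Oct/2023:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.9 - - [10/Oct/2023:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Oct/2023:12:00:07 +0000] "GET /wp-admin/ HTTP/1.1" 200 5678',
);

my $threshold = 5;                                   # failed POSTs before we block (assumed)
my %whitelist = map { $_ => 1 } ('198.51.100.9');    # your own IP(s); never block these
my $dry_run   = 1;                                   # set to 0 to really call iptables

# Step 1: detect. A POST to the login page answered with 200 is the form being
# re-shown, i.e. a failed attempt (assumption); a successful login is a 302.
my %attempts;
for my $line (@log_lines) {
    next unless $line =~ m{^(\d{1,3}(?:\.\d{1,3}){3}) .*"POST /wp-login\.php [^"]*" 200 };
    $attempts{$1}++;
}

# Step 2: block, but never your own address.
for my $ip (sort keys %attempts) {
    next if $attempts{$ip} < $threshold;
    if ($whitelist{$ip}) {
        print "skipping whitelisted $ip ($attempts{$ip} attempts)\n";
        next;
    }
    my @cmd = ('iptables', '-I', 'INPUT', '-s', $ip, '-j', 'DROP');
    if ($dry_run) {
        print "would run: @cmd\n";
    } else {
        system(@cmd) == 0 or warn "iptables failed for $ip: $?\n";
    }
}
```

Run it periodically from cron against the real log (replace the embedded lines with a file read) only after checking the dry-run output; rules added with `-I INPUT` are not persistent across reboots unless you save them.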

Other options:

Now, usually these bots do a port sweep first. You can try a reverse port-knocking scheme: if an IP address accesses/sniffs a certain port... deny access to it for a certain period of time.

If you have more time, you might entertain a honeypot (simulate access to the WP). I assume that once they have the password, they stop brute forcing? Only they will then repeatedly send email to your host (the ransom note)... not sure if you want that...

Tell us more about your setup so we can suggest software and options.


In reply to Re: Help stop brute force by FreeBeerReekingMonk
in thread Help stop brute force by Anonymous Monk
