Most probably the domain under attack should top the list.
If you get enough data, then either suspend or terminate that user. You can even change the ‘A’ record of that domain to the loopback address (127.0.0.1) if the attack is that severe.
Also, if you are using the CSF firewall:
Open the CSF configuration file /etc/csf/csf.conf
In it, search for the option called CT_LIMIT. By default it will be like CT_LIMIT=0; change this to CT_LIMIT=60. Here 60 is the max number of connections from an IP to your server (choose this value according to your server usage).
SupportExpertz.com - the name says it all!
Initially, against what service is the attack going on? If it is against apache and hitting any particular domain hard, it doesn't come under brute-force attack; it comes under DOS or DDOS based on the severity of the attack. Brute-force is normally a "password guess" attack against any encrypted system.
OK, now, if you know the source IP address which is hitting hard, the simple solution is to block it in CSF. To do that, log in to SSH as the root user and run the following command:
csf -d <IP>
That will add the particular IP address to the permanent IP block.
If the source is a group of IPs, you can use the PORTFLOOD, CT_LIMIT, CT_INTERVAL and CT_SKIP_TIME_WAIT settings in the csf.conf file. Also, it is good to increase the value of DENY_IP_LIMIT in csf.conf. And to mitigate the attack rate, you can also place a reverse proxy (like nginx or varnish http accelerator) in front of apache (there are some plugins available that work with cPanel). Additionally, you have an option to enable the mod_qos apache module and integrate it with CSF, which will provide some means to mitigate a DDOS attack against your server.
To know which domain is under attack (if it is HTTP), you can look into the apache status page.
The reason why the blocked IP can connect to the server again will be one of the following:
1. Either the IP has been removed from the CSF DENY list because the DENY_IP_LIMIT threshold has been hit.
2. You have done the block manually using the iptables command, which will not persist after a CSF rule reload. Use the command given above to block an IP.
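
Both posts above leave the CT_LIMIT value to your server's normal usage, so it helps to look at current per-IP connection counts before picking one. The following is an added example, not from either post and not CSF's own logic: it counts connections per remote IP from `ss -tan` output and lists the IPs above a trial limit. The function names and the sample connections are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CSF code: count TCP connections per remote IP from
# `ss -tan`-style text and list the IPs above a trial CT_LIMIT value.

# Constructed sample in `ss -tan` layout (documentation-range addresses).
sample_connections() {
cat <<'EOF'
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN    0      128    0.0.0.0:80         0.0.0.0:*
ESTAB     0      0      192.0.2.10:80      203.0.113.7:51000
ESTAB     0      0      192.0.2.10:80      203.0.113.7:51001
ESTAB     0      0      192.0.2.10:80      203.0.113.7:51002
TIME-WAIT 0      0      192.0.2.10:80      203.0.113.7:51003
TIME-WAIT 0      0      192.0.2.10:80      203.0.113.7:51004
ESTAB     0      0      192.0.2.10:443     198.51.100.23:40100
ESTAB     0      0      192.0.2.10:443     198.51.100.23:40101
TIME-WAIT 0      0      192.0.2.10:80      203.0.113.99:33001
TIME-WAIT 0      0      192.0.2.10:80      203.0.113.99:33002
TIME-WAIT 0      0      192.0.2.10:80      203.0.113.99:33003
TIME-WAIT 0      0      192.0.2.10:80      203.0.113.99:33004
EOF
}

# over_limit LIMIT [SKIP_TIME_WAIT]
# Reads connection lines on stdin, prints "count ip" for every remote IP with
# more than LIMIT connections, busiest first. SKIP_TIME_WAIT=1 leaves
# TIME-WAIT sockets out of the count (assumed here to be comparable to what
# CT_SKIP_TIME_WAIT does in csf.conf).
over_limit() {
    limit=$1
    skip_tw=${2:-0}
    awk -v limit="$limit" -v skip="$skip_tw" '
        $1 == "State" || $1 == "LISTEN" { next }   # header and listeners
        skip == 1 && $1 == "TIME-WAIT"  { next }
        {
            peer = $5
            sub(/:[0-9]+$/, "", peer)              # drop the port
            gsub(/^\[|\]$/, "", peer)              # drop IPv6 brackets
            count[peer]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print count[ip], ip
        }
    ' | sort -rn
}

# On a live server: ss -tan | over_limit 60 1
sample_connections | over_limit 3
```

Run it at a quiet time and at a busy time: a limit that sits above what your legitimate heaviest clients reach in both cases is a reasonable starting value.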