I thought I would share this, as it is nothing I have ever come across before.
All of our web servers have brute-force detection installed and, of course, send the logs to me every night. Well, this morning I received a total of 399 separate emails with a slew of login attempts in each email.
The remote system wsip-70-183-11-252.lu.dl.cox.net was found to have exceeded acceptable login failures.
I just thought, since this person is very diligent, that others might want to be proactive and add him/her to their firewalls.
Hello guys, I would suggest setting up a simple script to keep checking for continuous login failures and keep adding the IP to the firewall every time.
I'm sure some of the servers develop a pretty long list after a month or so. It looks like almost all web servers are targeted very frequently.
SupportExpertz.com - the name says it all!
Managed Cloud Servers
Server Management and Monitoring
24x7 outsourced customer support
The attacker's IP is probably someone's infected system and won't be the same IP tomorrow. If you tried to block every IP out there that attacked someone's system, you'd have so many that all available memory on the system would be completely exhausted. There are several ways/methods to deal with this fairly effectively.
Put in some rules to auto-block any IP that accesses the server over so many times per minute or something, and drop the rule after so many hours or days. Also, implement rate limiting to control how many times any IP can access, and implement a time wait for ones that are within reason but too often. Any IP that's a repeat offender, keep on a blocked list for longer and (automatically, if possible) notify the abuse department of the ISP in question so you can unblock it later.
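The two suggestions above (a script that watches for repeated login failures and adds the IP to the firewall, and the refinement that bans should expire after a while and grow longer for repeat offenders) come together in the following added example. It is not code from the thread or from any poster: it parses a constructed set of OpenSSH-style syslog lines, counts failures per source IP inside a sliding window, bans an IP once it crosses a threshold, expires the ban after a fixed time, and doubles the ban length each time the same IP comes back. The threshold (5 failures in 60 seconds), base ban (1 hour), cap (7 days), log format, and the assumed year for the year-less syslog timestamps are all assumptions chosen for the example. Firewall changes are collected as iptables command strings rather than executed, so the script runs offline; an operator would run them (or, better, feed the IPs into an ipset) from a cron job or a log-tailing loop.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the thread) in traditional syslog/OpenSSH form.
# 203.0.113.7 hammers root/admin, gets banned, comes back later and gets a
# longer ban; 198.51.100.22 fails slowly and never crosses the threshold.
SAMPLE_LOG = """\
Mar 14 03:12:01 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 14 03:12:03 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 14 03:12:05 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 14 03:12:08 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
Mar 14 03:12:10 web1 sshd[2212]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 14 03:12:12 web1 sshd[2212]: Failed password for root from 203.0.113.7 port 51027 ssh2
Mar 14 03:12:13 web1 sshd[2213]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Mar 14 03:15:00 web1 sshd[2300]: Failed password for bob from 198.51.100.22 port 60001 ssh2
Mar 14 03:17:30 web1 sshd[2301]: Failed password for bob from 198.51.100.22 port 60002 ssh2
Mar 14 03:20:00 web1 sshd[2302]: Failed password for bob from 198.51.100.22 port 60003 ssh2
Mar 14 04:40:00 web1 sshd[2500]: Failed password for root from 203.0.113.7 port 52001 ssh2
Mar 14 04:40:02 web1 sshd[2500]: Failed password for root from 203.0.113.7 port 52002 ssh2
Mar 14 04:40:04 web1 sshd[2501]: Failed password for root from 203.0.113.7 port 52003 ssh2
Mar 14 04:40:06 web1 sshd[2501]: Failed password for root from 203.0.113.7 port 52004 ssh2
Mar 14 04:40:08 web1 sshd[2502]: Failed password for root from 203.0.113.7 port 52005 ssh2
"""

# Matches OpenSSH "Failed password" lines; anything else (successful logins,
# other daemons) is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
LOG_YEAR = 2024  # assumption: syslog timestamps carry no year


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-login line, or None otherwise."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("ip")


class BanList:
    """Sliding-window failure counter with expiring, escalating bans."""

    def __init__(self, threshold=5, window=timedelta(minutes=1),
                 base_ban=timedelta(hours=1), max_ban=timedelta(days=7)):
        self.threshold = threshold
        self.window = window
        self.base_ban = base_ban
        self.max_ban = max_ban
        self.recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
        self.bans = {}                     # ip -> time the current ban expires
        self.offences = defaultdict(int)   # ip -> number of bans so far (repeat-offender memory)
        self.history = []                  # (ip, ban start, ban duration)
        self.commands = []                 # firewall commands, collected instead of executed

    def expire(self, now):
        """Drop every ban whose time is up, emitting the matching unblock command."""
        for ip, expiry in list(self.bans.items()):
            if now >= expiry:
                del self.bans[ip]
                self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")

    def record_failure(self, ip, ts):
        """Account one failure; return the ban duration if this one triggers a ban."""
        self.expire(ts)
        if ip in self.bans:
            return None  # already blocked; the firewall should be dropping this host
        window = self.recent[ip]
        window.append(ts)
        while ts - window[0] > self.window:   # keep only failures inside the window
            window.popleft()
        if len(window) < self.threshold:
            return None
        self.offences[ip] += 1
        # 1h for the first ban, 2h for the second, 4h ... capped at max_ban
        duration = min(self.base_ban * 2 ** (self.offences[ip] - 1), self.max_ban)
        self.bans[ip] = ts + duration
        self.history.append((ip, ts, duration))
        self.commands.append(f"iptables -I INPUT -s {ip} -j DROP")
        window.clear()
        return duration


def process_log(text, banlist=None):
    """Feed every failed-login line of a log into a BanList and return it."""
    bl = banlist or BanList()
    for line in text.splitlines():
        parsed = parse_failure(line)
        if parsed:
            ts, ip = parsed
            bl.record_failure(ip, ts)
    return bl


if __name__ == "__main__":
    bl = process_log(SAMPLE_LOG)
    for ip, start, duration in bl.history:
        print(f"{start:%b %d %H:%M:%S}  ban {ip} for {duration}")
    print("\n".join(bl.commands))
```

Running it on the sample shows the first ban at 03:12:10 for one hour, the unblock when the next failure arrives after expiry, and a two-hour ban on the return visit; the slow attacker from 198.51.100.22 never accumulates five failures inside any 60-second window and is left alone. Keeping the offence counter separate from the expiring ban is what makes the "repeat offender" rule work without keeping every IP in the firewall forever.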