Brute force monitor does not block all IPs

Yasham

Hello,
The attachments show the settings I have set in my admin panel. Some IPs are notified but not blocked. I also noticed that, for example, the IP "103.185.243.3" was notified and blocked, but after a few minutes it was unblocked without a clear reason. Is there somewhere else I should change the settings to avoid automatic IP unblocking?

I want any IP that has more than 100 attempts within 72 hours to be blocked permanently.

Note: wordpress5 is not an original brute force monitor; I just created it for OpenCart.

A part of my /custom/brute_filter.list:
Code:
wordpress1=ip_after=&ip_until= -&text=] "POST /&text2=/wp-login.php&text3=" 200%20
wordpress2=ip_after=&ip_until= -&text=] "POST /&text2=/xmlrpc.php&text3=" 200%20&count_multiplier=8
wordpress3=ip_after=&ip_until= -&text=] "POST /&text2=/wp-login.php&text3=" 302%20&count_multiplier=50
wordpress4=ip_after=&ip_until= -&text=] "POST /&text2=/xmlrpc.php&text3=" 302%20
wordpress5=ip_after=&ip_until= -&text=] "POST /&text2=/admin/ HTTP/&text3=" 200%20

Regards

Attachments: block.png, settings.png
Hello,
For everyone who faces this kind of error: just check "DENY_IP_LIMIT" in the CSF configuration. The default is just 200 IPs. It's too low as a default option.

I just changed it to 10000 and everything works fine.
@Yasham It's the last 200 IPs: if there are 200 IPs already blocked when you block the next IP, it will remove the first one (the oldest blocked) from the block.
Depending on server/website activity, I have 10k-15k limits: on one server with a 10k limit it keeps blocked IPs for 6 months, on another 15k is enough for 20-25 days only. The bigger the blocklist, the slower the server response. So if you care about TTFB, don't set 30k+ blocklists, or manually tune your network/kernel to lessen the impact, or better, block by CountryCode/ASN/subnets on the provider's side and keep a lower limit on the server side.
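
A quick check for the situation discussed in this thread, as an added example that is not part of any poster's message: it compares the number of entries in CSF's deny list with DENY_IP_LIMIT. The paths /etc/csf/csf.conf and /etc/csf/csf.deny are the standard CSF locations and are assumed here; the function names and the 90% warning threshold are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the thread): how full is the CSF deny list?

# Print DENY_IP_LIMIT from a csf.conf-style file (format: KEY = "value").
deny_limit() {
    sed -n 's/^[[:space:]]*DENY_IP_LIMIT[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Count entries in a csf.deny-style file; blank lines, comments and
# Include lines are not entries.
deny_count() {
    grep -Ev '^[[:space:]]*(#|$|Include[[:space:]])' "$1" | wc -l | tr -d ' '
}

# Print "count/limit STATUS". FULL means the list has reached the limit, the
# point at which the thread says the oldest block is dropped for each new one;
# NEAR means usage is at or above warn_pct percent of the limit.
deny_report() {
    conf=$1 deny=$2 warn_pct=${3:-90}
    limit=$(deny_limit "$conf")
    [ -n "$limit" ] || { echo "DENY_IP_LIMIT not found in $conf" >&2; return 2; }
    count=$(deny_count "$deny")
    if [ "$count" -ge "$limit" ]; then status=FULL
    elif [ $((count * 100)) -ge $((limit * warn_pct)) ]; then status=NEAR
    else status=OK
    fi
    echo "$count/$limit $status"
}

# Constructed sample files (documentation IP ranges), used when CSF is absent.
demo() {
    d=$(mktemp -d) || return 1
    printf 'DENY_TEMP_IP_LIMIT = "100"\nDENY_IP_LIMIT = "3"\n' > "$d/csf.conf"
    printf '# header comment\n192.0.2.10 # lfd: constructed\n198.51.100.7\n\n203.0.113.5 # constructed\n' > "$d/csf.deny"
    deny_report "$d/csf.conf" "$d/csf.deny"   # 3 entries against a limit of 3
    rm -rf "$d"
}

if [ -r /etc/csf/csf.conf ] && [ -r /etc/csf/csf.deny ]; then
    deny_report /etc/csf/csf.conf /etc/csf/csf.deny
else
    demo
fi
```

A FULL result matches the symptom in the first post: a block that disappears shortly after it was added because newer blocks displaced it.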
 