jim.thornton (Verified User; Joined: Jan 1, 2008; Messages: 334)
So... I have CSF/LFD set up to block brute force attacks. If a user fails a login like 15 times or something like that, I have it set to send the IP address to the CSF Blacklist. Everything works with it fine. I get an email sent to me saying that IP address has been added to the blacklist because of X failed attempts.
In each email address it will have 5 or 6 different usernames that have been attempted but that the IP has been blocked.
Now... The nice thing is that all of these attempts seem to be on usernames that don't exist. They've maybe tried some of the email address, or a full email address, but not the correct system username.
My questions are these:
1. Do I need to worry about these attempts with successful blacklists? I'm getting probably 100+ emails per day of these attempts, and each email has multiple attempts.
2. Can I set up CSF to only send me the updates if the username that they are trying to brute-force attack actually exists in the system? So, for example, if they try to brute-force username <johnsmith> but that is not a username in my system (maybe jsmith197 is). Can I have CSF ignore any attempts to <johnsmith> because that isn't actually in the system?
3. If I install modsecurity, will that stop some of these attacks? Is there anything else I can do?
FYI: I do have DA set up to also blacklist any failed attempts into the DA system. And this works as well.