As $work is a hosting provider we have lots of cPanel servers, so naturally they come under bruteforce attempts by bots/hacked sites. At first I wanted to create a script to monitor how many IPs were attempting to bruceforce login pages of sites on our shared servers, but it was soon changed to deny IPs with over a set number of connections (with csf) due to the large amount. It has also been modifed to block connections to xmlrpc.php and wp-comment-post.php (also favorites for bots).
The script runs every 5 minutes via cron (puppet ensured!) and has cut down on the amount of load alerts on the shared servers greatly.
It also checks that the IP requesting isn't in one of our ranges, or in cloudflares ranges (the example below only has the cloudflare check) to avoid blocking false positives.
The script is (commented for setting notifications/what each bit does):
Instead of hammering cloudflares IP range file from every server every five minutes, I have placed it on an internal server with a cron to update every 24 hours.
It "spams" me every five minutes with emails of what has been blocked on which servers (yay for filters), it also logs to a central file.
The log entries look like so:
It has been running for just under three months on our shared servers, and the stats look like:
Unique IPs blocked:
IPs blocked (preceeded by the amount):
156 220.127.116.11 170 18.104.22.168 179 22.214.171.124 194 126.96.36.199 198 188.8.131.52/24 232 184.108.40.206/24 251 220.127.116.11/24 292 18.104.22.168 341 22.214.171.124/24 843 126.96.36.199/24
Netblocks (preceeded by the amount):
342 MEDIATEMPLE-102 364 FR-ILIAD-ENTREPRISES-CUSTOMERS 375 HEART-INTERNET 394 MEDIATEMPLE-106 470 1AN1-NETWORK 532 GLUBINA-NET 544 LEASEWEB 551 FR-OVH-20120320 694 SCHLUND-CUSTOMERS 5975 OVH
Highest connection amounts (the limit is 180!).
8473 8550 8772 8886 8918 9270 9951 9983 11646 15196