So I installed NodeWorx a week or so ago (loving it…), but last night my server got some undeserved attention. Some 900 attempts to log in to my user accounts. It was some script on a cracked box for sure.
I’ve been looking over APF, but I can’t seem to find a feature to watch for the same IP trying multiple accounts, then having that IP automatically added to the firewall for blocking.
I got tired of getting large emails from logwatch with thousands of SSHd login failures, so I moved the SSHd port… If you can’t/don’t want to do that, bfd (brute force detector) is a great tool.
It’s made by the same people who make APF, as it happens: http://www.rfxnetworks.com/bfd.php
I don’t use mod_security, as I only resell to friends or clients, who I make the websites for, and/or I know exactly what scripts they’re running.
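The check asked about in the first post (one IP failing logins against several different accounts) can be sketched as below. This is an added example, not part of the thread and not how bfd or APF work internally; it assumes OpenSSH-style "Failed password" lines, and the function name, thresholds and sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# OpenSSH "Failed password" line, with or without "invalid user".
# The user group is greedy on purpose: a client-chosen username can itself
# contain " from 1.2.3.4 port 22", so only the LAST "from <ip> port <n>"
# (the part written by sshd) is trusted as the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+"
)

def suspicious_ips(lines, min_accounts=3, min_failures=5):
    """Return {ip: (failure_count, sorted_accounts)} for sources that
    failed against at least min_accounts distinct usernames."""
    failures = defaultdict(int)
    accounts = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        failures[m["ip"]] += 1
        accounts[m["ip"]].add(m["user"])
    return {
        ip: (failures[ip], sorted(accounts[ip]))
        for ip in failures
        if len(accounts[ip]) >= min_accounts and failures[ip] >= min_failures
    }

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Mar  3 02:11:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 02:11:03 host sshd[4103]: Failed password for root from 203.0.113.7 port 40113 ssh2
Mar  3 02:11:05 host sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
Mar  3 02:11:06 host sshd[4106]: Failed password for alice from 198.51.100.20 port 51800 ssh2
Mar  3 02:11:07 host sshd[4107]: Failed password for invalid user oracle from 203.0.113.7 port 40115 ssh2
Mar  3 02:11:09 host sshd[4109]: Accepted password for alice from 198.51.100.20 port 51801 ssh2
Mar  3 02:11:10 host sshd[4110]: Failed password for invalid user guest from 203.0.113.7 port 40116 ssh2
Mar  3 02:11:12 host sshd[4112]: Failed password for root from 203.0.113.7 port 40117 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (count, users) in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures across {len(users)} accounts: {users}")
```

The returned addresses are what you would hand to the firewall's deny list; the user who mistyped a password once and then logged in is not flagged.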