How do you calculate the times an IP is accessing a website to blacklist it?


I have a customer that has their website under a brute force attack. I detect many fraudulent IP accesses to the site using:

echo $_SERVER['HTTP_REFERER'] . " - " . getIp() . date("Y-m-d H:i:s");

I can see that IPs are accessing the website many times, like 10 times per second.

I need to block all IPs with that behavior. What do you recommend to do?

(It is a simple WordPress blog.)

2

There are 2 best solutions below

0
Desarrollo Desafio de Guerrero On BEST ANSWER

This rule probably works: more than 10 (consider for yourself) requests per second is a signal of a fraudulent IP; this may be controlled.

MySQL:

DROP TABLE IF EXISTS `tbl_request`;
CREATE TABLE `tbl_request` (
  `codigo_request` bigint(11) NOT NULL AUTO_INCREMENT,
  `ipnumber` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  `date` datetime DEFAULT NULL,
  `is_hacking` varchar(40) COLLATE utf8_unicode_ci DEFAULT NULL,
  `milliseconds` varchar(40) COLLATE utf8_unicode_ci DEFAULT NULL,
  `blacklisted` int(11) NOT NULL DEFAULT '0',
  PRIMARY KEY (`codigo_request`)
) ENGINE=InnoDB AUTO_INCREMENT=541192 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

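Fraudulent IPs:

-- `date` is a DATETIME (one-second resolution), so each inner group is one IP within one second.
-- Explicit columns instead of SELECT * keep the query valid under ONLY_FULL_GROUP_BY.
SELECT T.ipnumber, SUM(T.cnt) AS totalCount FROM (
  SELECT ipnumber, `date`, COUNT(*) AS cnt FROM tbl_request
  GROUP BY ipnumber, `date` HAVING cnt >= 10
) AS T GROUP BY T.ipnumber ORDER BY totalCount DESC;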

PHP:

$request = new Request();
$request->setIpnumber( get_client_ip() );
$request->setDate(getDateForDatabase());
$request->insert();

$fips = $request->getFraudulentIps();
foreach ($fips as $k => $v) {
    $v->blacklist();
}
2
blokeish On

A "brute force" attack is when someone is trying to submit a username/password in the hope of gaining access to your site's restricted area. To handle this you can set a rule as to how many times an IP can attempt to submit incorrect login credentials before being blocked. You can record the details in the DB and use them. For WP you can use plugins to restrict login attempts. https://www.wpoptimus.com/912/ban-ip-addresses-login-wordpress-dashboard/

A "DoS" attack, on the other hand, is meant to overwhelm your server with requests. This kind of attack cannot be handled by code and needs to be handled at the service provider level.

Also, you will have options in your cPanel to blacklist IPs.
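
A sliding-window variant of the per-IP counting both answers describe, as an added example that is not part of either answer; the class name, the in-memory storage and the sample traffic are assumptions. Unlike grouping by one-second `date` values, it also flags a burst that straddles a second boundary.

```php
<?php
// Hypothetical helper (not from the answers): flags an IP once it makes more
// than $limit requests inside any $window-second span. Requires PHP 8.0+.
final class SlidingWindowLimiter
{
    private array $hits = [];    // ip => list of recent request timestamps
    private array $blocked = []; // ip => true once flagged

    public function __construct(private int $limit = 10, private float $window = 1.0) {}

    // Record one request; returns true if the IP is (now) blacklisted.
    public function hit(string $ip, float $now): bool
    {
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return true; // malformed address: refuse rather than store it
        }
        if (isset($this->blocked[$ip])) {
            return true;
        }
        // Keep only timestamps still inside the window, then add this request.
        $recent = array_values(array_filter(
            $this->hits[$ip] ?? [],
            fn (float $t): bool => $t > $now - $this->window
        ));
        $recent[] = $now;
        $this->hits[$ip] = $recent;

        if (count($recent) > $this->limit) {
            $this->blocked[$ip] = true;
            unset($this->hits[$ip]); // history no longer needed
        }
        return isset($this->blocked[$ip]);
    }
}

// Constructed sample traffic (RFC 5737 documentation addresses):
// 192.0.2.10 sends 12 requests 50 ms apart, 6 before a second boundary and 6 after;
// 198.51.100.7 sends one request per second.
$limiter = new SlidingWindowLimiter(10, 1.0);
$start = 1700000000.72;
$verdict = [];
for ($i = 0; $i < 12; $i++) {
    $verdict['192.0.2.10'] = $limiter->hit('192.0.2.10', $start + $i * 0.05);
    $verdict['198.51.100.7'] = $limiter->hit('198.51.100.7', $start + $i);
}
var_dump($verdict);
```

Each PHP request starts with empty memory, so on a real site the timestamps would have to live in a shared store (the `tbl_request` table above, or a cache) rather than in an array.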