Blocking wordpress/joomla brute force attempts on cPanel.

As $work is a hosting provider we have lots of cPanel servers, so naturally they come under bruteforce attempts by bots/hacked sites. At first I wanted to create a script to monitor how many IPs were attempting to bruceforce login pages of sites on our shared servers, but it was soon changed to deny IPs with over a set number of connections (with csf) due to the large amount. It has also been modifed to block connections to xmlrpc.php and wp-comment-post.php (also favorites for bots).

The script runs every 5 minutes via cron (puppet ensured!) and has cut down on the amount of load alerts on the shared servers greatly.

It also checks that the IP requesting isn't in one of our ranges, or in cloudflares ranges (the example below only has the cloudflare check) to avoid blocking false positives.

The script is (commented for setting notifications/what each bit does):

Instead of hammering cloudflares IP range file from every server every five minutes, I have placed it on an internal server with a cron to update every 24 hours.

It "spams" me every five minutes with emails of what has been blocked on which servers (yay for filters), it also logs to a central file.

The log entries look like so:

It has been running for just under three months on our shared servers, and the stats look like:

IPs blocked:
51378

Unique IPs blocked:
6947

Top 10s.

IPs blocked (preceeded by the amount):

156    188.40.112.146
170    198.71.54.209
179    91.200.12.72
194    108.59.12.73
198    46.105.127.0/24
232    46.105.120.0/24
251    37.187.241.0/24
292    91.200.12.21
341    213.251.182.0/24
843    46.105.113.0/24

Netblocks (preceeded by the amount):

342    MEDIATEMPLE-102
364    FR-ILIAD-ENTREPRISES-CUSTOMERS
375    HEART-INTERNET
394    MEDIATEMPLE-106
470    1AN1-NETWORK
532    GLUBINA-NET
544    LEASEWEB
551    FR-OVH-20120320
694    SCHLUND-CUSTOMERS
5975   OVH

Highest connection amounts (the limit is 180!).

8473
8550
8772
8886
8918
9270
9951
9983
11646
15196