Yesterday someone started sending me dozens of login requests per second, probably a brute force attack.
I added a captcha to verify if it’s human or not and I was able at least not to allow him to check whether login details is correct or not but to return status 400 right away.
But I want to blacklist his IPs, he uses hundreds of IPs that change every request.
I blocked around 7-10 of his ASNs and IP & user agents but somehow he’s still able to do post request (every 1-3 seconds) to login even though I have enabled Rate Limiting for the login route (POST) and it doesn’t seem to block him.
How does it work then? I’m new to this so I might be missing something.
Rate Limiting is for a single IP address. If that address tries to access a URL too many times in a time period, they will be rate limited.
If you are the only person who uses that login, or it’s a limited number of users, you can create an Access Policy to block off your login page.
I have users who need to login too, but I created that one “Protect my login
5 requests per 5 minutes, Block for 15 minutes , Methods: POST”. When I run my server logs, I can see his requests still bypassing the firewall even though I blocked his ASNs and specific IPs. How can I make it automated so his IPs will get blacklisted? just to mention that last 40 minutes he does not bypass the firewall, logs are clear and cloudflare statistics are showing his requests are blocked.