After my success with a script to hunt down intruders on POP and IMAP, I wrote a second script to look through my Apache logs for excessive attempts to login to Wordpress. I had already had one attack that almost crashed my system in the first week of being on Linode, and I see daily attempts at with some strange parameters included. Now that the basic scripting is done for POP and IMAP, it was easy to adapt that to Apache. Took about ten minutes, put it live, and it promptly starting blocking IP addresses. I've blocked about 10 already. The pattern seems to be someone makes 5 attempts from one IP address, waits 5 minutes, then makes another 5 attempts from the next sequential IP address. The five appear the same, but they are attempting different passwords:
18.104.22.168 - - [30/Jul/2012:15:53:57 -0400] "POST /wp-login.php" 22.214.171.124 - - [30/Jul/2012:15:53:58 -0400] "POST /wp-login.php" 126.96.36.199 - - [30/Jul/2012:15:53:59 -0400] "POST /wp-login.php" 188.8.131.52 - - [30/Jul/2012:15:54:00 -0400] "POST /wp-login.php" 184.108.40.206 - - [30/Jul/2012:15:54:00 -0400] "POST /wp-login.php"
These five attempts all meet my thresholds, so the IP address is locked out.
I discovered one problem. Some of these IP addresses try a POP attack first, then an IMAP attack, then the Wordpress attack. So the IP address gets added three times to my firewall. I hadn't considered that this could happen. This is not optimal. Tomorrow I will make it more sophisticated and avoid duplicates.
But overall, I am very happy with the extra security measures.