| 110 | 119.75.23.81 |
| 110 | 61.160.232.38 |
| 117 | 117.79.235.90 |
| 133 | 61.160.232.39 |
| 138 | 46.17.97.76 |
| 154 | 61.160.232.22 |
| 183 | 222.186.26.164 |
| 196 | 222.186.25.134 |
| 565 | 220.161.150.70 |
| 825 | 46.17.100.26 |

select count(*) as count, hostname from watchdog where type = 'user' and message like '%Login attempt failed%' group by hostname order by count;

Comments

greggles’s picture

Status: Fixed » Active

It seems we need a more permanent/ongoing solution for this...

select count(*) as count, hostname from watchdog where type = 'user' and
-> message like '%Login attempt failed%' group by hostname order by count desc limit 10
-> ;
+-------+-----------------+
| count | hostname |
+-------+-----------------+
| 29206 | 60.176.106.86 |
| 110 | 46.17.97.28 |
| 105 | 188.163.66.75 |
| 81 | 220.161.150.114 |
... snipped some for privacy concerns... those who need to know can run the query.

10 rows in set (0.40 sec)

greggles’s picture

To find which account they are after see this:

select distinct hostname, variables from watchdog where hostname = '60.176.106.86' and type = 'user' and message like '%Login attempt failed%'

Gerhard Killesreiter’s picture

The top IP was trying to log in to a spam account that was blocked already.
The next one was also trying to log in to similar accounts.

I guess some scripts were trying this.

killes@www.drop.org’s picture

Blocked a couple more IPs. Seems that the accounts they are trying to log in to don't even exist.

Narayan is working on something that uses mod_sec to block these.

killes@www.drop.org’s picture

Narayan thinks this should be handled inside of Drupal. It could potentially set a special http return code which would then be caught by mod_sec and the IP blocked there.

429 looks like a good code for this:

https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#429
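
The flow proposed in the comment above, modelled as an added example that is not part of the original thread and is neither Drupal nor mod_sec code: the application answers 429 once an IP exceeds a failed-login threshold, and a front-end layer blocks that IP when it sees the 429. The class names, thresholds, credential check and sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5      # assumed threshold, not from the thread
WINDOW_SECONDS = 300  # assumed sliding window
BLOCK_SECONDS = 3600  # assumed block duration


class LoginApp:
    """Stands in for the application: counts failed logins per client IP."""

    def __init__(self, check_credentials):
        self.check = check_credentials      # hypothetical callable(name, password) -> bool
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.calls = 0                      # how many requests reached the app

    def login(self, ip, name, password, now):
        self.calls += 1
        recent = self.failures[ip]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            return 429                      # signal the front end to block this IP
        if self.check(name, password):
            return 200
        recent.append(now)                  # nonexistent accounts count as failures too
        return 403


class FrontEnd:
    """Stands in for the blocking layer: acts on the app's 429 responses."""

    def __init__(self, app):
        self.app = app
        self.blocked_until = {}             # ip -> time the block expires

    def handle(self, ip, name, password, now):
        if self.blocked_until.get(ip, 0) > now:
            return 429                      # rejected without reaching the app
        status = self.app.login(ip, name, password, now)
        if status == 429:
            self.blocked_until[ip] = now + BLOCK_SECONDS
        return status


if __name__ == "__main__":
    app = LoginApp(lambda n, p: (n, p) == ("alice", "correct horse"))  # constructed account
    front = FrontEnd(app)
    for t in range(8):  # constructed traffic from a documentation-range address
        print(t, front.handle("192.0.2.1", "nosuchuser", "guess", t), app.calls)
```

Once the block is in place, further requests from that address are answered by the front end alone, so the application does no more work for them until the block expires.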

dddave’s picture

Issue summary: View changes

Status?

lizzjoy’s picture

Status: Active » Closed (works as designed)

We now have the CDN and don't block IPs so I'm closing this issue.