To all our customers for whom we provide protection against hammering of a few URLs (the most important ones, such as the login page).
The solution is simple: it uses fail2ban.
Here and below we use WordPress as the example.
Rules we apply
If a single IP address fails to log in to the WordPress dashboard 3 times, it is banned for the next 72 hours, counted from the last failed login attempt.
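As an added illustration of how such a rule is expressed for fail2ban (this is example configuration written for this page, not the provider's actual setup), the following two files define a filter that recognises a failed WordPress login in an Apache access log and a jail that bans after 3 matches. Assumptions: the access log lives at /var/log/apache2/access.log, a failed login shows up as a POST to /wp-login.php answered with HTTP 200 (WordPress answers a successful login with a 302 redirect), and the 10-minute findtime is an assumed window, since the text only states 3 attempts and a 72-hour ban.

```ini
# Added example, not the provider's own configuration.
# Assumed log location and failure heuristic are described above.

# File 1: /etc/fail2ban/filter.d/wordpress-login.conf
[Definition]
# Constructed sample line that this regex matches (TEST-NET address):
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
# <HOST> is fail2ban's placeholder for the offending IP address.
failregex = ^<HOST> -.*"POST /wp-login\.php(\?.*)? HTTP/[0-9.]+" 200
ignoreregex =

# File 2: /etc/fail2ban/jail.d/wordpress-login.local
[wordpress-login]
enabled  = true
filter   = wordpress-login
logpath  = /var/log/apache2/access.log
port     = http,https
# three failed attempts ...
maxretry = 3
# ... within 10 minutes (assumed window, not stated in the text)
findtime = 600
# 72 hours = 259200 seconds; the ban starts at the attempt that triggered it
bantime  = 259200
# fail2ban's default action (iptables-multiport) drops the client's packets.
# Serving a 404 page to banned visitors, as described in this notice,
# requires a web-server-level action (e.g. a deny list the web server
# reloads); that action is provider-specific and not shown here.
```

Before enabling the jail, the filter can be checked against the real log with fail2ban's own tool: `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress-login.conf` reports how many lines matched, which is the quickest way to catch a regex that never fires (no bans) or fires on successful logins too (legitimate users banned).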
Q: How do I detect whether I have been blocked?
A: The website returns a 404 page when accessed from a device whose IP address has been banned.
Q: Is my website blocked for all visitors?
A: No. For everyone else the website remains available as normal.
Q: How do I avoid being banned?
A: Do not forget your passwords, and use a password manager (your browser's built-in one or an external one).
Q: I got banned and I need access. What should I do?
A: Open a ticket to email@example.com. We need two things: your website name and your IP address. We will handle the rest ASAP.
Q: I submitted an unban request but got banned again. Why?
A: Your ISP uses dynamic IP addresses. This means you get a new IP address at intervals chosen by your ISP. Usually an ISP leases IP addresses from the same subnet, so we can whitelist the whole subnet. In that case, submit a ticket specifying your website name, your IP address, and whether we should whitelist a single IP or the whole subnet.