wp-login.php Flood in Acces Logs

Question

I noticed that in my access logs these records are flooding. I'm not sure is this a brute force attack because the IP address is my server's IP.

How can I figure what's going on?

185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"

Answer 1

The Solution was to Create a mod_security rule to block such offending IP address.

1. Create file name “wpbrute.conf” in /usr/local/apache/conf/modsec_rules and add following to it.

SecRule REQUEST_LINE "POST .wp-login." "pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:35011" SecRule IP:MAXLIMIT "@gt 10" "log,deny,id:350111,msg:'wp-bruteforce: denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"

2. Open file /usr/local/apache/conf/modsec2.user.conf and add include path as below and save the file.

Include /usr/local/apache/conf/modsec_rules/wpbrute.conf

Now all the attacked to the “wp-login.php” should be stopped