I noticed the other day I had someone trying to brute force logins to my website. The easiest way to prevent this was to grab the IPs from the web logs and then blackhole their routes. So the first thing I did was stop nginx, reset the log files, restart nginx, let the logs run for 30 seconds, then place those IPs in a file.
/usr/local/etc/rc.d/nginx stop
cd /var/log
rm nginx*
/usr/local/etc/rc.d/nginx start
# let the fresh log collect requests for about 30 seconds, then:
cat nginx-access.log | grep login | cut -d ' ' -f 1 | sort | uniq > /root/ips_bad.txt
At this point I strongly suggest you edit the IPs file and make sure that neither your own IP nor any other IP you don't want listed is in the file. The next step was to use this file with a simple bash for loop:
for e in `cat /root/ips_bad.txt` ; do route add $e 127.0.0.1 -blackhole; done
If I want to quickly remove these routes, I just do
for e in `cat /root/ips_bad.txt` ; do route delete $e -blackhole; done
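The hand-editing step above can be folded into the extraction itself. The following is an added example, not part of the original post: it lists only addresses whose request path mentions login at least a given number of times and skips anything in an allowlist file. The names `bad_ips`, `sample_log` and `demo`, the threshold, and the nginx "combined" log layout (path in field 7) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post); all names are hypothetical.

# bad_ips LOG ALLOW MIN
#   LOG   - nginx access log, "combined" format assumed (IP = $1, path = $7)
#   ALLOW - file of IPs that must never be blocked, one per line
#   MIN   - minimum number of login requests before an IP is listed
bad_ips() {
    awk -v min="$3" '
        # First file is the allowlist. Comparing FILENAME (rather than
        # NR == FNR) keeps this correct when the allowlist is empty.
        FILENAME == ARGV[1] { allow[$1] = 1; next }
        # Count only requests whose path mentions login and whose
        # client field looks like an IPv4 address.
        $7 ~ /login/ && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= min && !(ip in allow)) print ip
        }
    ' "$2" "$1" | sort
}

# Constructed log lines using documentation-range addresses.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [01/Jan/2024:00:00:01 +0000] "POST /login HTTP/1.1" 401 153 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2024:00:00:02 +0000] "POST /login HTTP/1.1" 401 153 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:00:00:03 +0000] "POST /login HTTP/1.1" 401 153 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:00:00:04 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2024:00:00:05 +0000] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:00:00:06 +0000] "GET /index.html HTTP/1.1" 200 700 "https://example.test/login" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:00:00:07 +0000] "GET /style.css HTTP/1.1" 200 300 "https://example.test/login" "Mozilla/5.0"
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    sample_log > "$tmp/access.log"
    echo 198.51.100.7 > "$tmp/allow.txt"   # stands in for your own address
    bad_ips "$tmp/access.log" "$tmp/allow.txt" 2
    rm -rf "$tmp"
}
demo
```

A plain `grep login` would also list 192.0.2.44 (the word appears only in its referrer) and 192.0.2.9 (a single page load); redirecting the output of `bad_ips` to /root/ips_bad.txt feeds the same route loops shown above.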