Module to limit login access to your site to only certain users, protect against "lazy" brute force attack and malicious malformed requests to the login form.
A "lazy" brute-force attack can use a large number of non-duplicate IP addresses with relatively infrequent requests (one or two in a few minutes) and cannot be prevented by IP blocking.
This module reacts to such behavior by returning error 404 or 403 (you can select which) to an attacker for any user login related activity
An example of such attack, we block known bad User-Agent string:
Typical log event:
Configuration page is available via menu Administration > Configuration > User accounts > Login allowlist (admin/config/people/login_allowlist).
Additionally, User-Agent strings used by attackers (also can be collected from the module log) can be stored in block-list to reject further login requests.