On 26 Nov 2013, at 22:45, Mark Benson <md.benson at gmail.com> wrote: We get them by the shedload on our work hosting server. We run CPHulk on there to keep them out. I'd suggest implementing some kind of 'block IP for 24 hrs after x failed logins' scheme if you can. That usually forces them to move on. Nah, they make good target practice and a real data source for my SIEM :)