litespeed login fail,will csf/lfd block the ip ?

[tim]

Hi,

on my cpanel/litespeed server.

i try to type wrong login at host:7080 many times,

but my ip still does not be blocked by csf,

is it normal ?

how can i let csf/lfd detect it and blcok the ip as ftp/cpanel login fail.

thanks

[Sergio]

I assume that LiteSpeed uses a different log file where it saves all its info.
If you know the log file where LiteSpeed saves its data, then you can create a rule to block wrong logins from that logs.

Sergio

[tim]

Hi,

may i ask how can i create the rule ?

i check the log,it is similar as following

/usr/local/lsws/admin/logs/error.log

Code: Select all

2023-04-09 12:01:15.648057 [NOTICE] [18726] [T0] [x.x.x.x:40398-153#_AdminVHost:lsapi] [STDERR] [WebAdmin Console] Failed Login Attempt - username: admin ip: x.x.x.x url: https://server:7080/login.php\n

thanks

[Sergio]

Hi.
Accordingly to your Log Line, a rule like this could be used, use it at your own risk as I don't assume any responsibility:

Code: Select all

# BLOCKING LiteSpeed attacks by Sergio

	if (($lgfile eq $config{CUSTOM_LOG1}) and ($line =~ /^\S+\s+\S+\s\[NOTICE\].*Failed Login Attempt \- username: (\S+) ip: (\S+)/i)) {
		return ("$1",$2,"SECMAS_LiteSpeed","1","1");
	}

Note:
The CUSTOM_LOG1 should be set at CSF config file, it should contain the URL of the LOG that reports the failed logins.
The rule will block any IP defined as $2 on my rule and that enters a wrong username, defined as $1 in my rule.

Care should be taken if you or any of your customers writes a wrong password as the IP will be blocked at the first attempt, you can modify the rule to set your own level of blocking. Read the help lines inside regex.custom.pm to know how to change that.

Sergio