litespeed login fail, will csf/lfd block the ip?

tim
Junior Member
Posts: 4
Joined: 27 Jul 2022, 09:15

Post by tim »

Hi,

On my cPanel/LiteSpeed server, I tried typing a wrong login at host:7080 many times, but my IP still is not blocked by csf.

Is that normal?

How can I get csf/lfd to detect it and block the IP, as it does for FTP/cPanel login failures?

Thanks
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: litespeed login fail, will csf/lfd block the ip?

Post by Sergio »

I assume that LiteSpeed uses a different log file where it saves all its info.
If you know the log file where LiteSpeed saves its data, then you can create a rule to block wrong logins from that log.

Sergio
tim
Junior Member
Posts: 4
Joined: 27 Jul 2022, 09:15

Re: litespeed login fail, will csf/lfd block the ip?

Post by tim »

Hi,

May I ask how I can create the rule?

I checked the log; it looks similar to the following:

/usr/local/lsws/admin/logs/error.log

Code:

2023-04-09 12:01:15.648057 [NOTICE] [18726] [T0] [x.x.x.x:40398-153#_AdminVHost:lsapi] [STDERR] [WebAdmin Console] Failed Login Attempt - username: admin ip: x.x.x.x url: https://server:7080/login.php\n
thanks
Last edited by tim on 12 Apr 2023, 08:12, edited 1 time in total.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: litespeed login fail, will csf/lfd block the ip?

Post by Sergio »

Hi.
According to your log line, a rule like this could be used; use it at your own risk, as I don't assume any responsibility:

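Code:

# BLOCKING LiteSpeed attacks by Sergio
# csf.conf names its custom log settings CUSTOM1_LOG ... CUSTOM9_LOG, so the key checked here is CUSTOM1_LOG.
# Return values: message text, IP to block, rule identifier, trigger level, ports.

	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\S+\s\[NOTICE\].*Failed Login Attempt \- username: (\S+) ip: (\S+)/i)) {
		return ("$1",$2,"SECMAS_LiteSpeed","1","1");
	}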
Note:
CUSTOM_LOG1 should be set in the CSF config file; it should contain the URL of the log that reports the failed logins.
The rule will block any IP, defined as $2 in my rule, that enters a wrong username, defined as $1 in my rule.

Care should be taken if you or any of your customers writes a wrong password, as the IP will be blocked at the first attempt; you can modify the rule to set your own level of blocking. Read the help lines inside regex.custom.pm to learn how to change that.

Sergio
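A way to dry-run the rule discussed above against log lines before lfd ever sees it, as an added example that is not part of the original posts. It assumes the log is registered in csf.conf as CUSTOM1_LOG; the sample lines are constructed (203.0.113.7 is a documentation address), and the trigger level "5", port "7080", message text and IPv4 shape check are illustrative choices, not Sergio's.

```perl
#!/usr/bin/perl
# Added example: exercise a regex.custom.pm style rule outside lfd.
use strict;
use warnings;

# Assumption: csf.conf has CUSTOM1_LOG = "/usr/local/lsws/admin/logs/error.log"
my %config = (CUSTOM1_LOG => '/usr/local/lsws/admin/logs/error.log');

# Same shape as custom_line() in regex.custom.pm: lfd hands over one log line
# and the file it came from, and acts on the list that comes back.
sub custom_line {
    my ($line, $lgfile) = @_;
    if (($lgfile eq $config{CUSTOM1_LOG})
        and ($line =~ /^\S+\s+\S+\s\[NOTICE\].*Failed Login Attempt \- username: (\S+) ip: (\S+)/i)) {
        my $ip = $2;
        # Illustrative guard (IPv4 only): the capture is just "non-space text",
        # so refuse anything that is not shaped like an address.
        return unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
        # text, IP, rule id, trigger level, ports (used with LF_SELECT),
        # 1 = permanent block
        return ("Failed LiteSpeed WebAdmin login from", $ip,
                "SECMAS_LiteSpeed", "5", "7080", "1");
    }
    return;
}

# Constructed sample lines, modelled on the log line quoted in the thread.
my @samples = (
    '2023-04-09 12:01:15.648057 [NOTICE] [18726] [T0] [203.0.113.7:40398-153#_AdminVHost:lsapi] [STDERR] [WebAdmin Console] Failed Login Attempt - username: admin ip: 203.0.113.7 url: https://server:7080/login.php\n',
    '2023-04-09 12:01:16.000000 [NOTICE] [18726] [T0] [STDERR] [WebAdmin Console] Failed Login Attempt - username: admin ip: unknown url: https://server:7080/login.php\n',
    '2023-04-09 12:03:02.000001 [NOTICE] [18726] constructed line that is not a login failure',
);

for my $line (@samples) {
    my @hit = custom_line($line, $config{CUSTOM1_LOG});
    printf "%-8s %s\n", (@hit ? "MATCH" : "no match"), substr($line, 0, 60);
    print  "         ip=$hit[1] id=$hit[2] trigger=$hit[3] ports=$hit[4]\n" if @hit;
}
```

Only the first sample should print MATCH; the second is rejected by the address-shape guard and the third never reaches it.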