Page 1 of 1
litespeed login fail,will csf/lfd block the ip ?
Posted: 10 Apr 2023, 16:52
by tim
Hi,
on my cpanel/litespeed server.
i try to type wrong login at host:7080 many times,
but my ip still does not be blocked by csf,
is it normal ?
how can i let csf/lfd detect it and blcok the ip as ftp/cpanel login fail.
thanks
Re: litespeed login fail,will csf/lfd block the ip ?
Posted: 11 Apr 2023, 00:26
by Sergio
I assume that LiteSpeed uses a different log file where it saves all its info.
If you know the log file where LiteSpeed saves its data, then you can create a rule to block wrong logins from that logs.
Sergio
Re: litespeed login fail,will csf/lfd block the ip ?
Posted: 12 Apr 2023, 01:00
by tim
Hi,
may i ask how can i create the rule ?
i check the log,it is similar as following
/usr/local/lsws/admin/logs/error.log
Code: Select all
2023-04-09 12:01:15.648057 [NOTICE] [18726] [T0] [x.x.x.x:40398-153#_AdminVHost:lsapi] [STDERR] [WebAdmin Console] Failed Login Attempt - username: admin ip: x.x.x.x url: https://server:7080/login.php\n
thanks
Re: litespeed login fail,will csf/lfd block the ip ?
Posted: 14 Apr 2023, 05:08
by Sergio
Hi.
Accordingly to your Log Line, a rule like this could be used, use it at your own risk as I don't assume any responsibility:
Code: Select all
# BLOCKING LiteSpeed attacks by Sergio
if (($lgfile eq $config{CUSTOM_LOG1}) and ($line =~ /^\S+\s+\S+\s\[NOTICE\].*Failed Login Attempt \- username: (\S+) ip: (\S+)/i)) {
return ("$1",$2,"SECMAS_LiteSpeed","1","1");
}
Note:
The CUSTOM_LOG1 should be set at CSF config file, it should contain the URL of the LOG that reports the failed logins.
The rule will block any IP defined as $2 on my rule and that enters a wrong username, defined as $1 in my rule.
Care should be taken if you or any of your customers writes a wrong password as the IP will be blocked at the first attempt, you can modify the rule to set your own level of blocking. Read the help lines inside regex.custom.pm to know how to change that.
Sergio