Activate CSF Brute Force Protection for CWP Login and customize it according to your needs.
Replace in: /etc/csf/csf.conf (somewhere at the end of the file)
CUSTOM1_LOG = "/var/log/customlog"
replace with
CUSTOM1_LOG = "/var/log/cwp_client_login.log"
Add in: /usr/local/csf/bin/regex.custom.pm
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+Failed Login from:\s+(\S+) on: (\S+)/)) { return ("Failed CWP-Login login for User: $1 from IP: $2 URL: $3",$2,"cwplogin","5","2030,2031","1"); }
Now restart CSF & LFD
csf -r
Example in LFD Logs
Apr 6 22:50:29 server1 lfd[17676]: (cwplogin) Failed CWP-Login login for User: root from IP: 99.138.135.52 URL: http://75.4.159.85:2030/login.php?login=failed
Instructions for configuration
$2 = the offending IP address
"cwplogin" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
"5" = the trigger level for blocking (Block IP after 5 failed login attempts)
"2030,2031" = the ports to block the IP from, in a comma-separated list; only used if LF_SELECT is enabled. To specify the protocol use 53;udp,53;tcp
"1" = n/temporary (n = number of seconds to temporarily block) or 1/permanent IP block, only used if LF_TRIGGER is disabled
How to test?
Simple: try to log in 5 times with an invalid password and you will be blocked by the firewall.
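To check the pattern without locking yourself out, the following added example (not part of the original page or of CSF) runs the same regex over log lines offline and counts matches per IP. The sample lines are constructed, their layout (date, time, user, message) is an assumption inferred from the regex, and the count ignores the time window that lfd applies.

```perl
#!/usr/bin/perl
# Added example: offline dry run of the CWP login rule from regex.custom.pm.
use strict;
use warnings;

# Same pattern as the custom rule above.
my $rule    = qr/^\S+\s+\S+\s+(\S+)\s+Failed Login from:\s+(\S+) on: (\S+)/;
my $trigger = 5;    # same value as the "5" in the rule's return list

# Constructed sample lines; the layout is an assumption inferred from the
# regex, not copied from a real cwp_client_login.log.
my $url    = 'http://203.0.113.5:2030/login.php?login=failed';
my @sample = (
    (map { "2024-04-06 22:50:0$_ root Failed Login from: 192.0.2.10 on: $url" } 1 .. 5),
    "2024-04-06 22:51:00 alice Failed Login from: 198.51.100.7 on: $url",
    "2024-04-06 22:52:00 alice Successful Login from: 198.51.100.7 on: $url",
    "root Failed Login from: 192.0.2.99 on: $url",    # too few leading fields
);

# Return (user, ip, url) if the rule matches the line, else an empty list.
sub match_rule {
    my ($line) = @_;
    return $line =~ $rule ? ($1, $2, $3) : ();
}

# Use the log file given as first argument, otherwise the constructed samples.
my @lines = @ARGV
    ? do { open my $fh, '<', $ARGV[0] or die "$ARGV[0]: $!"; <$fh> }
    : @sample;

my (%failures, $skipped);
for my $line (@lines) {
    chomp $line;
    my ($user, $ip, $where) = match_rule($line) or do { $skipped++; next };
    $failures{$ip}++;
    print "match: user=$user ip=$ip url=$where\n";
}

# Simplified count: lfd only counts hits inside its own tracking interval.
for my $ip (sort keys %failures) {
    my $state = $failures{$ip} >= $trigger ? "reaches trigger $trigger" : "below trigger";
    print "$ip: $failures{$ip} failed login(s), $state\n";
}
print "lines not matched by the rule: ", $skipped // 0, "\n";
```

With the constructed samples, 192.0.2.10 reaches the trigger, 198.51.100.7 stays below it, and two lines are not matched. Pass the path to a copy of your own log as the first argument to confirm the rule matches the lines your server actually writes.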
More detailed info for CSF/LFD configuration can be found here.
CSF/LFD firewall configuration