Replace in: /etc/csf/csf.conf (somewhere at the end of the file)

CUSTOM1_LOG = "/var/log/customlog"

replace with

CUSTOM1_LOG = "/var/log/cwp_client_login.log"

Add in: /usr/local/csf/bin/regex.custom.pm

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+Failed Login from:\s+(\S+) on: (\S+)/)) {
               return ("Failed CWP-Login login for User: $1 from IP: $2 URL: $3",$2,"cwplogin","5","2030,2031","1");
}

Now restart CSF & LFD

csf -r

Example in LFD Logs

Apr  6 22:50:29 server1 lfd[17676]: (cwplogin) Failed CWP-Login login for User: root from IP: 99.138.135.52 URL: http://75.4.159.85:2030/login.php?login=failed

Instructions for configuration
$2 = the offending IP address

"cwplogin" = a unique identifier for this custom rule, must be alphanumeric and have no spaces

"5" = the trigger level for blocking (Block IP after 5 failed login attempts)

"2030,2031" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp

"1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled

How to test ?
Simple, try to login 5 times with invalid password and you will be blocked by the firewall.

More detailed info for CSF/LFD configration can be found here.
CSF/LFD firewall configuration