Block Mod Security Failures With Configserver Firewall

[Bikerman]

I want to block repeated wp-login failures via configserver firewall (csf).
I have them blocked via mod_security and have csf set up to monitor failure detection of repeated Apache mod_security rule triggers.
However, It does not seem to be working.

Is there anything specific to Litespeed that needs to be done?

 

[NiteWave]

is it working under apache ?
if it works with apache but not with litespeed, we'll look into it.

 

[Bikerman]

Yes

There is a setting on the csf firewall that monitors mod_security rule triggers.

I've attached a screenshot of my settings.

 

[Pong]

Which rule do you use? How did you enable it and how to reproduce your issue?
What Apache is used, what the log lines triggered by rule?

 

[Bikerman]

The rule is similar to the one here https://community.rapid7.com/thread/4958

here is a sample log line from /usr/local/apache/logs/error_log

[modsecurity] [Tue Jul 4 17:14:05 2017] [error] [client 5.21.250.64] ModSecurity: Access denied with code 401, [Rule: 'REQUEST_URI' 'wp-login.php'] [id "4784628"] [msg "BLOCKED: wp-login.php request blocked, no referer"]

The mod security rule is working fine, but for some reason csf is not blocking the ips via the firewall as it does when I set up the rule under a server running apache.

 

[Pong]

then, seems like it has nothing to do with LiteSpeed and should be a question to configserver firewall.