all should work fine in centos 7 including firewall, you need to specify all details (errors) when asking questions about some possible issue.
In CWP6-PRO CSF / LFD + MODSEC blocks attacks through logging in "/usr/local/apache/logs/error_log"
With this setting in "/etc/csf/csf.conf"
# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "3"
LF_MODSEC_PERM = "1"
HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/usr/local/apache/logs/error_log"
MODSEC CWP6-PRO errors are mirrored in this way and blocks them perfectly in CSF + LDF
[Tue Apr 11 22:03:04 2017] [error] [client 171.5.3.224] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/wp-login.php" at REQUEST_URI. [file "/usr/local/apache/userdata/pcrcl/pcready.cl/modsec.conf"] [line "1"] [id "17265002"] [hostname "www.pcready.cl"] [uri "/wp-login.php"] [unique_id "WO18yH8AAAEAACmefUIAAAAF"]
In CWP7-PRO I have exactly the same configuration as in CWP6-PRO in "/etc/csf/csf.conf", this is my configuration in CWP7-PRO
# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "3"
LF_MODSEC_PERM = "1"
HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/usr/local/apache/logs/error_log"
But the CWP7-PRO errors of MODSEC are reflected in this way and do not block them
[Wed Apr 12 01:40:37.485934 2017] [:error] [pid 28383:tid 139994855077632] [client 201.214.115.114:30016] [client 201.214.115.114] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/wp-login.php" at REQUEST_URI. [file "/usr/local/apache/userdata/instruva/instruvalve.cl/modsec.conf"] [line "15"] [id "17265002"] [hostname "www.instruvalve.cl"] [uri "/wp-login.php"] [unique_id "WO2vxQW9kbkAAG7fYFsAAABA"]
There is a clear difference in how the log is reflected in "/usr/local/apache/logs/error_log" maybe that's why it is not able to detect the errors and block them
The rule in CWP6-PRO and CWP7-PRO is exactly the same, but only works in CWP6-PRO.
Look for information and some people talked about the forna in which the text was read from the log, if it did not contain a recognizable "regex" for "CSF + LFD" it would not block it, since it would not be able to interpret it correctly to extract information.
But CSF + LFD if it is working because it blocks the SSH and FTP errors, the problem is only with MODSEC.
If you need any other information do not hesitate to ask me please.
Can you help me please, thank you.