Author Topic: lfd: (WPLOGIN) WP Login Attack (false positives)  (Read 285 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
lfd: (WPLOGIN) WP Login Attack (false positives)
« on: May 11, 2022, 09:03:58 AM »
Hi, since a couple of months i have been getting this issue, probably since centos webpanel added new features or made excisting features more strict.

I use CWP pro on different servers variating from CentOS 7-8.

Whenever a user or admin for a wordpress website reauthenticate it's login or resets it's password the users ip address gets blocked with the following rule.

lfd: (WPLOGIN) WP Login Attack 123.123.123.123 (XX/Country/-): 5 in the last 3600 secs - ##Timestamp##

I tried raising the max allowed failed logins but all settings that used "5" in the config file don't affect the setting.
Changing the period of time to check from 3600 to 60 gives same result, changing it to 1 sec seems to solve the false positives but also makes the solution worthless..

So how can i raise the max failed login's for wordpress sites in CSF/LFD so these false positives will stop blocking real customers.....

If this isn't an option i allrdy have a superb block/allow list which basicly makes this whole wordpress LFD solution obsolete since the only thing it blocks now is real customers.

I rather keep this part of CSF/LFD runnning correctly as intended with let's say a higher number then "5" instead of turning it off completely.

Thanks in advance for your replies!

Offline
*
Re: lfd: (WPLOGIN) WP Login Attack (false positives)
« Reply #1 on: May 11, 2022, 02:03:46 PM »
Hi, since a couple of months i have been getting this issue, probably since centos webpanel added new features or made excisting features more strict.

I use CWP pro on different servers variating from CentOS 7-8.

Whenever a user or admin for a wordpress website reauthenticate it's login or resets it's password the users ip address gets blocked with the following rule.

lfd: (WPLOGIN) WP Login Attack 123.123.123.123 (XX/Country/-): 5 in the last 3600 secs - ##Timestamp##

I tried raising the max allowed failed logins but all settings that used "5" in the config file don't affect the setting.
Changing the period of time to check from 3600 to 60 gives same result, changing it to 1 sec seems to solve the false positives but also makes the solution worthless..

So how can i raise the max failed login's for wordpress sites in CSF/LFD so these false positives will stop blocking real customers.....

If this isn't an option i allrdy have a superb block/allow list which basicly makes this whole wordpress LFD solution obsolete since the only thing it blocks now is real customers.

I rather keep this part of CSF/LFD runnning correctly as intended with let's say a higher number then "5" instead of turning it off completely.

Thanks in advance for your replies!

https://wiki.centos-webpanel.com/csflfd-firewall-prevent-blocking-for-your-country

This could help you.
Partner de CWP

Hosting de calidad en Espaņa con soporte en Espaņol para CWP - https://www.coriaweb.hosting

Offline
*
Re: lfd: (WPLOGIN) WP Login Attack (false positives)
« Reply #2 on: May 14, 2022, 12:18:55 PM »
I have the same problem.  My wordpress has an additional security of 2fa.  Therefore, each login generates two entries.  Just log in-> log out-> log in again to be blocked.  Preventing my country from being blocked is not a good solution.

Offline
*
Re: lfd: (WPLOGIN) WP Login Attack (false positives)
« Reply #3 on: May 16, 2022, 05:39:09 AM »
edit config
Code: [Select]
/usr/local/csf/bin/regex.custom.pm
fist number in return line under quotes is limit, so if it is 5-7 you can set it to 10.
after changes restart csf
Code: [Select]
csf -r
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.