Control Web Panel

Security => CSF Firewall => Topic started by: JeroenL on May 11, 2022, 09:03:58 AM

Title: lfd: (WPLOGIN) WP Login Attack (false positives)
Post by: JeroenL on May 11, 2022, 09:03:58 AM
Hi, since a couple of months i have been getting this issue, probably since centos webpanel added new features or made excisting features more strict.

I use CWP pro on different servers variating from CentOS 7-8.

Whenever a user or admin for a wordpress website reauthenticate it's login or resets it's password the users ip address gets blocked with the following rule.

lfd: (WPLOGIN) WP Login Attack 123.123.123.123 (XX/Country/-): 5 in the last 3600 secs - ##Timestamp##

I tried raising the max allowed failed logins but all settings that used "5" in the config file don't affect the setting.
Changing the period of time to check from 3600 to 60 gives same result, changing it to 1 sec seems to solve the false positives but also makes the solution worthless..

So how can i raise the max failed login's for wordpress sites in CSF/LFD so these false positives will stop blocking real customers.....

If this isn't an option i allrdy have a superb block/allow list which basicly makes this whole wordpress LFD solution obsolete since the only thing it blocks now is real customers.

I rather keep this part of CSF/LFD runnning correctly as intended with let's say a higher number then "5" instead of turning it off completely.

Thanks in advance for your replies!
Title: Re: lfd: (WPLOGIN) WP Login Attack (false positives)
Post by: CoriaWeb Hosting on May 11, 2022, 02:03:46 PM
Hi, since a couple of months i have been getting this issue, probably since centos webpanel added new features or made excisting features more strict.

I use CWP pro on different servers variating from CentOS 7-8.

Whenever a user or admin for a wordpress website reauthenticate it's login or resets it's password the users ip address gets blocked with the following rule.

lfd: (WPLOGIN) WP Login Attack 123.123.123.123 (XX/Country/-): 5 in the last 3600 secs - ##Timestamp##

I tried raising the max allowed failed logins but all settings that used "5" in the config file don't affect the setting.
Changing the period of time to check from 3600 to 60 gives same result, changing it to 1 sec seems to solve the false positives but also makes the solution worthless..

So how can i raise the max failed login's for wordpress sites in CSF/LFD so these false positives will stop blocking real customers.....

If this isn't an option i allrdy have a superb block/allow list which basicly makes this whole wordpress LFD solution obsolete since the only thing it blocks now is real customers.

I rather keep this part of CSF/LFD runnning correctly as intended with let's say a higher number then "5" instead of turning it off completely.

Thanks in advance for your replies!

https://wiki.centos-webpanel.com/csflfd-firewall-prevent-blocking-for-your-country

This could help you.
Title: Re: lfd: (WPLOGIN) WP Login Attack (false positives)
Post by: tomkolp on May 14, 2022, 12:18:55 PM
I have the same problem.  My wordpress has an additional security of 2fa.  Therefore, each login generates two entries.  Just log in-> log out-> log in again to be blocked.  Preventing my country from being blocked is not a good solution.
Title: Re: lfd: (WPLOGIN) WP Login Attack (false positives)
Post by: studio4host on May 16, 2022, 05:39:09 AM
edit config
Code: [Select]
/usr/local/csf/bin/regex.custom.pm
fist number in return line under quotes is limit, so if it is 5-7 you can set it to 10.
after changes restart csf
Code: [Select]
csf -r