When a brute-force rule is triggered in Litespeed, it appears like this in the cPanel interface:
230000: COMODO WAF: Brute Force Attack Identified|Source %{tx.real_ip} (%{tx.brute_force_block_counter} hits since last alert)
As you can see, the IP and counter is not displayed. I hope this can be fixed in the next release.
Also, how long does the block last?
Looks like LiteSpeed doesn’t support ModSecurity variable expansion in msg field, so the most suitable solution would be to request bug fix at LiteSpeed support.
Will do, and reference this thread.
How long does the block last?
By default brute_force_block_timeout=300 seconds.
LiteSpeed just released a fix for this in version 5.1.12 and I can confirm that it’s working.
It’s a definitely good news )