Hi John,

I have followed all the steps of your BFD installation and all seems to be working great!

Do you know how to set a custom rule on BFD for the Nodeworx/SiteWorx default login page? This way we could prevent brute-force attacks on Nodeworx+SiteWorx login pages.

Or does the APF firewall already do that? Any extra advice to protect the Nodeworx/Siteworx login pages?


Hi Nqservices
I had a look, and to be honest, I could not see any unique value to use for criteria. There are no 404 or 401 shown.
I do not believe it is needed though, as repeated attempts force the user to answer a robot question, so if it is a scripted attack, then it would fail; if it was a human attack, any ban on IP would most likely make the user change IP, so again would fail.
I hope that helps
Many thanks

Coincidentally, I came across this thread after attempting a custom BFD rule for Interworx based on what I saw in the default cpanel rule.

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
# TRIG="10"

# uncomment to disable alerting for this rule 

# file must exist for rule to be active

if [ -f "$REQ" ]; then

 ## nodeworx, siteworx, webmail?
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | egrep '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/FAILED LOGIN/s/\([^ ]*\) \(.*\)- \([^ ]*\).*/\1:\3/p'`

fi

But John’s explanation and screen shot answers most questions I was about to ask. A graphical CAPTCHA is a strong feature I didn’t know Interworx offered until now.

Edit: It occurs to me the CAPTCHA is Google authentication.


Is the captcha auto-enabled by default in Interworx or do we have to manually install and set it up? I'm asking this because I did not know Interworx had this feature.

Also to @sysnop your rule seems ok. Do you confirm it works properly with InterWorx login pages?


Hi nqservices and sysnop

Many thanks, and yes, it is installed by default, which you can test on your servers by giving wrong login details 3 or 4 times.

@sysnop, yes, I believe it is Google captcha

I looked at the cPanel rule in BFD, but I do not think IW has the same logs, so I thought it may not work, and access shows no real info

I hope that helps but sorry if I’m wrong

Many thanks


No, sorry. I haven’t confirmed the rule works and like John mentioned, the log file in the rule may not be correct. For now I have removed the interworx rule but I can give it a whirl later, although CAPTCHA would be a better option I think.

The interworx rule for BFD I posted doesn’t work as it is. I set the trigger to 3 and entered bad credentials 6 times and no IP ban. The built-in CAPTCHA didn’t kick in either. Do I first need to set up two-factor auth with Google authenticator?

Hi sysnop

Many thanks

No, Google authentication is not needed

I would try 10 times as it may kick in earlier, which I think on our servers is around 6 times - sorry, I did not count the number but will try tomorrow to see

Are you running the latest IW version?

I believe the login log only holds successful logins for IW-cp and this is used for the session history but could be wrong

Many thanks


Hi sysnop

The captcha kicks in on the 3rd attempt for me

What IW version are you using and which browser?

I’ll PM you a server you can try for yourself

Many thanks


CAPTCHA didn’t work at first with Firefox but a second try worked with Chrome then third time with FF was a charm. Likewise with your test server also with Firefox. This is a cool feature that offers a little peace of mind. I’ll probably take another look at the BFD rule once I pin down the correct logs to use. But if anybody knows for a fact BFD won’t work for Nodeworx logins I’d appreciate a heads-up.

Thanks again John!

Hi sysnop

I believe BFD may not work for nodeworx failed logins

There are 2 logs, login as my thoughts above and access.

If you look at access log, you can track the failed logins by time stamp, but there is no unique value to use for grep

You can even see the additional size passed back to the PC attempting to login, which is the captcha screen, but this size keeps changing in value, so my original idea of using this as a grep value would fail

I do not think there are any other logs to use, and I always set debug to on, on all our servers

I hope that helps

Many thanks
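
Added example (not part of any post in this thread, and not BFD's or InterWorx's own code): the filter chain from the rule posted above, run over two constructed logs, to show why it only produces IP:user pairs when the log carries a literal "FAILED LOGIN" marker. The function names, both log layouts and the per-address count against a trigger are assumptions made for illustration.

```shell
#!/bin/sh
# Filter chain from the posted rule, reading log lines on stdin.
# grep -E is used in place of the older egrep spelling.
extract_failed() {
    sed -e 's/::ffff://' \
      | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
      | sed -n -e '/FAILED LOGIN/s/\([^ ]*\) \(.*\)- \([^ ]*\).*/\1:\3/p'
}

# Hypothetical stand-in for the ban decision: print every address
# that has at least $1 extracted events.
over_trigger() {
    extract_failed | cut -d: -f1 | sort | uniq -c \
      | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed log whose lines end in the marker the rule searches for.
marked_log() {
cat <<'EOF'
::ffff:203.0.113.7 - admin [10/Jan/2015:10:00:01] "POST /login/ HTTP/1.1" FAILED LOGIN
203.0.113.7 - admin [10/Jan/2015:10:00:04] "POST /login/ HTTP/1.1" FAILED LOGIN
203.0.113.7 - root [10/Jan/2015:10:00:09] "POST /login/ HTTP/1.1" FAILED LOGIN
192.0.2.44 - alice [10/Jan/2015:10:02:00] "POST /login/ HTTP/1.1" FAILED LOGIN
EOF
}

# Constructed access log as described in the thread: no 401/404 and no
# failure marker, only a response size that changes on each attempt.
unmarked_log() {
cat <<'EOF'
198.51.100.9 - - [10/Jan/2015:10:05:01] "POST /login HTTP/1.1" 200 5312
198.51.100.9 - - [10/Jan/2015:10:05:03] "POST /login HTTP/1.1" 200 5467
198.51.100.9 - - [10/Jan/2015:10:05:06] "POST /login HTTP/1.1" 200 5398
EOF
}

echo "marked log, pairs extracted:"
marked_log | extract_failed
echo "marked log, addresses at trigger 3:"
marked_log | over_trigger 3
echo "unmarked log, addresses at trigger 3 (none expected):"
unmarked_log | over_trigger 3
```

Before enabling a rule like this, run its filter by hand against the real log after a few deliberate bad logins; if nothing comes out, the rule can never reach its trigger.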