It is possible/probable the attackers are using a referring URL. If you can post some of the domlogs (you can remove identifying domains or IPs) I can take a look. Logins with no referrer should be blocked by the first rule; the 2nd rule will only work if certain IPs are hitting the server repeatedly.

I've attempted adding these to the file:
/usr/local/apache/conf/modsec2.user.conf however I am not seeing any effect. I have some earlier logs from mod_security from earlier this morning, however there is an ongoing bruteforce attack going, and adding this rule has had no effect. I have restarted the webserver (running LiteSpeed). I have confirmed that there is a huge number of login attempts on the same site from the same IP address.
The rules show up (although not as one but several) in the ModSecurity Tools rules list. I use CSF and cpHulk is disabled.
Any idea why this is not working as intended?
It's also worth noting that LiteSpeed has its own engine for processing ModSecurity rules which is not always 100% functional. Unfortunately, the documentation on LiteSpeed's implementation of ModSecurity is non-existent last I checked.
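
One way to answer the referrer question from the domlogs, as an added example that is not part of any poster's message: it counts login POSTs per IP and splits them by whether a Referer header was sent, so you can see which of the two rules could match at all. It assumes Apache "combined" log format; the login path `/login`, the threshold and the sample lines are constructed placeholders.

```python
import re
from collections import Counter

# Apache "combined" log format (assumption about how the domlogs are written).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

LOGIN_PATH = "/login"  # hypothetical placeholder: set to the site's real login URL path

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "https://example.com/login" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 512 "https://example.com/login" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "POST /login?x=1 HTTP/1.1" 200 512 "https://example.com/login" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def summarize(lines, login_path=LOGIN_PATH, threshold=3):
    """Count login POSTs per IP, split by presence of a Referer header."""
    no_ref, with_ref = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line or not a form submission
        if m["path"].split("?", 1)[0] != login_path:
            continue  # ignore the query string when comparing paths
        bucket = no_ref if m["referer"] in ("", "-") else with_ref
        bucket[m["ip"]] += 1
    totals = no_ref + with_ref
    return {
        # Only these requests can be matched by a "no referrer" rule.
        "no_referer": dict(no_ref),
        # These carry a Referer, so a "no referrer" rule never sees them.
        "with_referer": dict(with_ref),
        # IPs busy enough for a per-IP repeat rule to apply.
        "repeat_ips": sorted(ip for ip, n in totals.items() if n >= threshold),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

If the busy IPs appear under `with_referer`, the first rule cannot match them and only the per-IP rule is relevant.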