CloudFlare?

HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

CloudFlare?

Post by HostBob »

Because much of my server's traffic is coming through CloudFlare, and I've whitelisted CloudFlare's IP addresses, have I rendered CSF and LFD less effective at blocking repeat attacks from the same IP?

Is there a way around this other than by taking CloudFlare out of the equation?

TY
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: CloudFlare?

Post by ForumAdmin »

You would have to ask those questions of CloudFlare.
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: CloudFlare?

Post by HostBob »

CloudFlare say they do send the original IP address in the headers under parameter "CF-Connecting-IP".

Is there some way to modify my environment such that the REMOTE_ADDR (assuming that's what CFS and LFD look at) is modified to hold the value of CF-Connecting-IP if that latter parameter is present? Before CFS/LFD start processing?
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: CloudFlare?

Post by HostBob »

You were right, needed to ask CloudFlare. They have it covered:

https://support.cloudflare.com/hc/en-us ... he-cPanel-

TY!
nics
Junior Member
Posts: 1
Joined: 10 Aug 2015, 00:15

Re: CloudFlare?

Post by nics »

Hello,

We are using cloudflare to also serve cpanel/whm for a domain. In this case the lfd logs/emails with the cloudflare ips instead of the real user ip.

I can see that in the cpanel access logs the "X-Forwarded-For: REALIP" is correctly logged but lfd still alerts with the cloudflare IPs.

Obviously cpsrvd should write the correct IP in the logs.. Still with a few mods lfd.pl could also alert with the real IP...

Is there something else we can do about this? (please point to the right direction)
The option to csf.ignore cloudflare ips won't help since we would like to monitor the ips that use the account.

Thank you in advance
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: CloudFlare?

Post by HostBob »

See link in my last post. CloudFlare provide an Apache module to resolve this issue.

Note however that in my experience, installing the module and restarting Apache made matters worse - but a server reboot solved it.

The remote IP now is correctly reported in all places I believe.
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: CloudFlare?

Post by HostBob »

Hi nics,

in fact you were right and I was wrong. Despite having mod_cloudflare installed the problem was not resolved. It did mean LFD was seeing, reporting and blocking the true IP via CSF... but mod_cloudflare was not affecting the IP seen by CSF at the firewall. So the blocks were totally ineffective for domains fronted by CloudFlare!

Only solution was I found was to use the CloudFlare API to mirror blocked IPs from CSF to CloudFlare. I found these two articles helpful in achieving that.

Adding IP bans from CSF to CloudFlare:
http://www.aetherweb.co.uk/automaticall ... loudflare/

Expiring those IP bans in a timely manner:
http://www.aetherweb.co.uk/automaticall ... ks-by-age/

Cheers,

Bob
doken1313
Junior Member
Posts: 2
Joined: 03 Apr 2019, 22:08

Re: CloudFlare?

Post by doken1313 »

HostBob wrote: 26 Feb 2016, 09:21 Hi nics,

in fact you were right and I was wrong. Despite having mod_cloudflare installed the problem was not resolved. It did mean LFD was seeing, reporting and blocking the true IP via CSF... but mod_cloudflare was not affecting the IP seen by CSF at the firewall. So the blocks were totally ineffective for domains fronted by CloudFlare!

Only solution was I found was to use the CloudFlare API to mirror blocked IPs from CSF to CloudFlare. I found these two articles helpful in achieving that.

Adding IP bans from CSF to CloudFlare:
http://www.aetherweb.co.uk/automaticall ... loudflare/

Expiring those IP bans in a timely manner:
http://www.aetherweb.co.uk/automaticall ... ks-by-age/

Cheers,

Bob
This is definitely not working!
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: CloudFlare?

Post by HostBob »

If you're referring to the fact that mod_cloudflare does not have the end result that CSF blocks are effective then you are correct, and the linked articles may be of use (though they're now possibly out of date if the API has changed).

Or did you mean something else?
doken1313
Junior Member
Posts: 2
Joined: 03 Apr 2019, 22:08

Re: CloudFlare?

Post by doken1313 »

Hello, I meant that despite all efforts I did, there is no way to ban these IPs in cf's firewall with these scripts provided in those 2 links (1 for banning and the other for cleaning). Syntax of the curl command for calling cf's API and eventually add a "block" rule there, is correct but I think extracting real IP from header is kind of impossible in this level.
If you try manually this command from shell:
"curl -s -X POST "https://api.cloudflare.com/client/v4/us ... ules/rules" \
-H "X-Auth-Email: CloudFlare-username" \
-H "X-Auth-Key: CloudFlare-API-Key" \
-H "Content-Type: application/json" \
--data '{"mode":"block","configuration":{"target":"ip","value":"1.2.3.4"},"notes":"Test"}'"
replacing your UN and API key you will see that a rule will be successfully created in cf's firewall.
Post Reply