CloudFlare?

HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

CloudFlare?

Post by HostBob »

Because much of my server's traffic is coming through CloudFlare, and I've whitelisted CloudFlare's IP addresses, have I rendered CSF and LFD less effective at blocking repeat attacks from the same IP?

Is there a way around this other than by taking CloudFlare out of the equation?

TY
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: CloudFlare?

Post by ForumAdmin »

You would have to ask those questions of CloudFlare.
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: CloudFlare?

Post by HostBob »

CloudFlare say they do send the original IP address in the headers under parameter "CF-Connecting-IP".

Is there some way to modify my environment such that the REMOTE_ADDR (assuming that's what CSF and LFD look at) is modified to hold the value of CF-Connecting-IP if that latter parameter is present? Before CSF/LFD start processing?
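The substitution asked about above, written as an added example (not code from this thread, CloudFlare or CSF): CF-Connecting-IP is used only when the connection itself comes from a proxy address, because anyone connecting to the server directly can send that header with any value. The proxy ranges and events are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges (documentation networks). A real deployment
# would load the proxy provider's published address list here instead.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "2001:db8:cf::/48")]

def is_trusted_proxy(peer):
    """True when the socket peer lies inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in TRUSTED_PROXIES)

def real_client_ip(peer, headers):
    """Return the address that logging and blocking should be keyed on."""
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip")
    if claimed is None or not is_trusted_proxy(peer):
        return peer   # direct connection: the header is client-controlled
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        return peer   # malformed header: fall back to the socket peer

# Constructed failed-login events: (socket peer, request headers)
EVENTS = [
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.45"}),
    ("198.51.100.8", {"CF-Connecting-IP": "203.0.113.45"}),
    ("198.51.100.7", {"cf-connecting-ip": "203.0.113.45"}),
    ("192.0.2.50",   {"CF-Connecting-IP": "203.0.113.99"}),  # direct, forged header
    ("198.51.100.9", {"CF-Connecting-IP": "garbage"}),       # proxy, bad header
]

def failures_by_client(events):
    """Count events per resolved client address."""
    return Counter(real_client_ip(peer, hdrs) for peer, hdrs in events)

if __name__ == "__main__":
    for ip, count in failures_by_client(EVENTS).most_common():
        print(ip, count)
```

The three proxied events collapse onto one client address even though they arrived through two different proxy addresses, and the forged header on the direct connection is attributed to the connecting address rather than to the address it names.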
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: CloudFlare?

Post by HostBob »

You were right, needed to ask CloudFlare. They have it covered:

https://support.cloudflare.com/hc/en-us ... he-cPanel-

TY!
nics
Junior Member
Posts: 1
Joined: 10 Aug 2015, 00:15

Re: CloudFlare?

Post by nics »

Hello,

We are also using CloudFlare to serve cPanel/WHM for a domain. In this case the lfd logs/emails with the CloudFlare IPs instead of the real user IP.

I can see that in the cpanel access logs the "X-Forwarded-For: REALIP" is correctly logged but lfd still alerts with the cloudflare IPs.

Obviously cpsrvd should write the correct IP in the logs. Still, with a few mods lfd.pl could also alert with the real IP...

Is there something else we can do about this? (please point to the right direction)
The option to csf.ignore cloudflare ips won't help since we would like to monitor the ips that use the account.

Thank you in advance
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: CloudFlare?

Post by HostBob »

See link in my last post. CloudFlare provide an Apache module to resolve this issue.

Note however that in my experience, installing the module and restarting Apache made matters worse - but a server reboot solved it.

The remote IP now is correctly reported in all places I believe.
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: CloudFlare?

Post by HostBob »

Hi nics,

In fact you were right and I was wrong. Despite having mod_cloudflare installed the problem was not resolved. It did mean LFD was seeing, reporting and blocking the true IP via CSF... but mod_cloudflare was not affecting the IP seen by CSF at the firewall. So the blocks were totally ineffective for domains fronted by CloudFlare!

The only solution I found was to use the CloudFlare API to mirror blocked IPs from CSF to CloudFlare. I found these two articles helpful in achieving that.

Adding IP bans from CSF to CloudFlare:
http://www.aetherweb.co.uk/automaticall ... loudflare/

Expiring those IP bans in a timely manner:
http://www.aetherweb.co.uk/automaticall ... ks-by-age/

Cheers,

Bob
doken1313
Junior Member
Posts: 2
Joined: 03 Apr 2019, 22:08

Re: CloudFlare?

Post by doken1313 »

HostBob wrote: 26 Feb 2016, 09:21
Hi nics,

In fact you were right and I was wrong. Despite having mod_cloudflare installed the problem was not resolved. It did mean LFD was seeing, reporting and blocking the true IP via CSF... but mod_cloudflare was not affecting the IP seen by CSF at the firewall. So the blocks were totally ineffective for domains fronted by CloudFlare!

The only solution I found was to use the CloudFlare API to mirror blocked IPs from CSF to CloudFlare. I found these two articles helpful in achieving that.

Adding IP bans from CSF to CloudFlare:
http://www.aetherweb.co.uk/automaticall ... loudflare/

Expiring those IP bans in a timely manner:
http://www.aetherweb.co.uk/automaticall ... ks-by-age/

Cheers,

Bob

This is definitely not working!
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: CloudFlare?

Post by HostBob »

If you're referring to the fact that mod_cloudflare does not have the end result that CSF blocks are effective then you are correct, and the linked articles may be of use (though they're now possibly out of date if the API has changed).

Or did you mean something else?
doken1313
Junior Member
Posts: 2
Joined: 03 Apr 2019, 22:08

Re: CloudFlare?

Post by doken1313 »

Hello, I meant that despite all my efforts, there is no way to ban these IPs in CF's firewall with the scripts provided in those 2 links (1 for banning and the other for cleaning). The syntax of the curl command for calling CF's API and eventually adding a "block" rule there is correct, but I think extracting the real IP from the header is kind of impossible at this level.
If you manually try this command from the shell:

curl -s -X POST "https://api.cloudflare.com/client/v4/us ... ules/rules" \
  -H "X-Auth-Email: CloudFlare-username" \
  -H "X-Auth-Key: CloudFlare-API-Key" \
  -H "Content-Type: application/json" \
  --data '{"mode":"block","configuration":{"target":"ip","value":"1.2.3.4"},"notes":"Test"}'

replacing your UN and API key, you will see that a rule will be successfully created in CF's firewall.
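For the mirroring approach discussed in this thread, an added example (not from the posts or the linked articles) that turns deny-list entries into rule bodies of the shape used in the curl command above, skipping anything that should never be mirrored. The "IP # comment" input layout, the address ranges and the function name are assumptions, and the sample lines are constructed; sending is left out because the API URL on this page is truncated.

```python
import ipaddress
import json

# Constructed placeholders: proxy range, internal range, loopback. Entries
# inside these are never mirrored; substitute the real ranges for a deployment.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("198.51.100.0/24", "10.0.0.0/8", "127.0.0.0/8")]

# Constructed sample deny list in an assumed "IP # comment" layout.
DENY_LINES = """\
# constructed sample
203.0.113.45 # lfd: failed logins
198.51.100.7 # lfd: failed logins (proxy address, not a client)
10.0.0.5 # internal host
203.0.113.0/24 # range entry
not-an-ip # garbage
""".splitlines()

def block_payloads(lines, note="Mirrored from CSF"):
    """Return one JSON rule body per mirrorable single address."""
    payloads = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue                      # blank or comment-only line
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue                      # ranges and malformed entries
        if any(addr in net for net in NEVER_BLOCK):
            continue                      # blocking these would hit proxies or own hosts
        payloads.append(json.dumps({
            "mode": "block",
            "configuration": {"target": "ip", "value": str(addr)},
            "notes": note,
        }))
    return payloads

if __name__ == "__main__":
    for body in block_payloads(DENY_LINES):
        print(body)
```

Parsing each entry with `ipaddress` before it reaches the JSON body also keeps log-derived text out of the request.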