CSF banning cloudflare ip
Hello,
I'm experiencing a bug using CSF on cpanel CENTOS 7.7 [srv] v86.0.18 that is banning cloudflare ips.
I have enabled mod_cloudflare and it's working because I can see the real ip address of requests on Apache Status, but CSF is always banning cloudflare ip.
I also have enabled for the website that is getting flood and ddos attack cloudflare ban ip but I can't see that any ip address was added from the firewall.
How can I fix this issue because it's making me crazy, cloudflare doesn't block the attackers.
-
It does not good to ban the attacker, the network level will never see the origin IP and as such, blocking them would do not good. If you want to block based on origin IP you have to do that at the cloudflare level. 0 -
Csf takes action by reading netstat data. mod_cloudflare/mod_remoteip is a webserver module, csf cannot process IP addresses read by mod_cloudflare/mod_remoteip. Also, since the traffic in to your server comes via cloudflare, it is useless to banning your real ip addresses from the server, you should ban these ip addresses via cloudflare. 0 -
You also may want to look at switching from mod_cloudflare since it's no longer supported or maintained by CloudFlare [QUOTE=https://support.cloudflare.com/hc/en-us/articles/200170916-Restoring-original-visitor-IPs-Option-1-Installing-mod-cloudflare]Cloudflare no longer updates and supports mod_cloudflare, starting with versions Debian 9 *and *Ubuntu 18.04 LTS of the Linux operating system. We now support from GitHub.
mod_remoteip is the recommended method for this now and I wrote a pretty detailed how-to on this not very long ago which you can find here: https://download.configserver.com/csf/readme.txt] 27. CloudFlare ############## This features provides interaction with the CloudFlare Firewall. As CloudFlare is a reverse proxy, any attacking IP addresses (so far as iptables is concerned) come from the CloudFlare IP's. To counter this, an Apache module (mod_cloudflare) is available that obtains the true attackers IP from a custom HTTP header record (similar functionality is available for other HTTP daemons. However, despite now knowing the true attacking IP address, iptables cannot be used to block that IP as the traffic is still coming from the CloudFlare servers. CloudFlare have provided a Firewall feature within the user account where rules can be added to block, challenge or whitelist IP addresses. Using the CloudFlare API, this feature adds and removes attacking IPs from that firewall and provides CLI (and via the UI) additional commands. There are several restrictions to using this feature: 1. All lfd blocks will be temporary blocks so that csf/lfd can keep blocks in sync with CloudFlare 2. Automatic blocks via lfd are limited to LF_MODSEC and LF_CXS triggers as only through these can the domain name be determined. Any users that own domains that are involved in the trigger will get a block in their CloudFlare Firewall. Additionally, any users with the special case "any" will also get blocks 3. The temporary/permanent config of the lfd settings are ignored and CF_TEMP is used instead 4. LF_TRIGGER must not be used, the feature will not work with it enabled 5. mod_cloudflare or similar must be used to report real IP in the Apache logs 6. URLGET must be set to 2 (i.e. LWP) must be used 7. If PERMBLOCK is used, the last tempblock will remain and never be cleared. So any CloudFlare Firewall entries must be manually cleared in CloudFlare or via CLI 8. There are restrictions imposed by CloudFlare to the number of rules that can be created depending on the type of account used. See All CloudFlare users for the domains that are involved in LF_MODSEC and LF_CXS triggers will have a CloudFlare rule added. Any CloudFlare account configured to use the special case "any" field value in csf.cloudflare will have a CloudFlare rule added regardless of domain. NOTE: You should always list the CloudFlare IP addresses in /etc/csf/csf.ignore to prevent them from being blocked by lfd from0 -
Csf takes action by reading netstat data. mod_cloudflare/mod_remoteip is a webserver module, csf cannot process IP addresses read by mod_cloudflare/mod_remoteip. Also, since the traffic in to your server comes via cloudflare, it is useless to banning your real ip addresses from the server, you should ban these ip addresses via cloudflare.
I wanted to configure it automaticaly with the cloudflare api. I just need the CSF to get the real ip address so it will send it to the cloudflare firewall. I couldn't figure it out because it was always reading only cloudflare ips. Is there any way for the csf to get the real attacker ip address so I can ban him through the cloudflare firewall using their API?0 -
I am facing the exact same issue, Was pulling my hair and my host too as well since the server was down for 2 days. Only thing i could figure out at the end was it that it was CSF blocking the Cloudflare IPS when its enabled. Can you guys suggest me solution.Except whitelisting the IPS. 0 -
@khnaz35 - cPanel doesn't provide support for the CSF software, so the only idea I would have would be to whitelist those IP addresses. If you think this is an issue with CSF in general, it would be best to reach out to their team at Support " ConfigServer Services to make them aware of this issue. 0 -
Thanks will do that. 0
Please sign in to leave a comment.
Comments
10 comments