Cloudflare blocked in firewall alerts
Hello
I've added CloudFlare ip ranges to my white list in the firewall. I recently ran an update on apache and now I'm getting a lot of alerts from what are actually CloudFlare IPs.
How can I get the server to ignore these?
Log entries:
Thanks Clare
IP: 173.245.56.178 (US/United States/cf-173-245-56-178.cloudflare.com)
Failures: 3 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block (IP match in csf.allow, block may not work)
Log entries:
[Sat Jan 16 15:04:32.948415 2016] [:error] [pid 14108] [client 173.245.56.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"> [line "20"> [id "950107"> [msg "URL Encoding Abuse Attack Attempt"> [severity "WARNING"> [hostname "domain.com"> [uri "/xmlrpc.php"> [unique_id "VppcANWv0bMAADccxcQAAAAB">
[Sat Jan 16 15:04:37.501020 2016] [:error] [pid 14899] [client 173.245.56.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"> [line "20"> [id "950107"> [msg "URL Encoding Abuse Attack Attempt"> [severity "WARNING"> [hostname "domain.com"> [uri "/xmlrpc.php"> [unique_id "VppcBdWv0bMAADoz8voAAAAD">
[Sat Jan 16 15:04:40.912824 2016] [:error] [pid 14899] [client 173.245.56.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"> [line "20"> [id "950107"> [msg "URL Encoding Abuse Attack Attempt"> [severity "WARNING"> [hostname "domain.com"> [uri "/xmlrpc.php"> [unique_id "VppcCNWv0bMAADoz8vsAAAAD">
Thanks Clare
-
Cloudflare and ModSecurity is an interesting situation. Beacuse ModSecurity looks at request headers before the logging phase, the CF IP is the "real" IP despite the presence of the header from CloudFlare indicating who they are forwarding the request for. Do not "Allow" cloudflare ranges. This only opens ports to them and is unnecessary. You need to add their ranges to /etc/csf/csf.ignore (NOT csf.allow) and fully restart both csf and lfd via WHM. This will stop CSF from blocking those IPs while still allowing ModSecurity to block individual bad requests. Obviously once that is done, audit csf.deny and remove any cloudflare IP addresses (or just remove any addresses which you did not add manually, and allow the blocks to repopulate). 0 -
Quizknows - thank you so much! Appreciate your time :) 0 -
Hello :) Note that for others visiting this thread, you can find a list of CloudFlare IP addresses at: CloudFlare IP Ranges | CloudFlare | The web performance & security company Thank you. 0
Please sign in to leave a comment.
Comments
3 comments