Cloudflare blocked in firewall alerts

Discussion in 'Security' started by scullydion, Jan 16, 2016.

  1. scullydion

    Hello

    I've added CloudFlare IP ranges to my white list in the firewall. I recently ran an update on Apache and now I'm getting a lot of alerts from what are actually CloudFlare IPs.

    How can I get the server to ignore these?
    Code:
    IP: 173.245.56.178 (US/United States/cf-173-245-56-178.cloudflare.com)
    Failures: 3 (mod_security)
    Interval: 3600 seconds
    Blocked: Permanent Block (IP match in csf.allow, block may not work)
    
    Log entries:
    Code:
    [Sat Jan 16 15:04:32.948415 2016] [:error] [pid 14108] [client 173.245.56.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "domain.com"] [uri "/xmlrpc.php"] [unique_id "VppcANWv0bMAADccxcQAAAAB"]
    [Sat Jan 16 15:04:37.501020 2016] [:error] [pid 14899] [client 173.245.56.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "domain.com"] [uri "/xmlrpc.php"] [unique_id "VppcBdWv0bMAADoz8voAAAAD"]
    [Sat Jan 16 15:04:40.912824 2016] [:error] [pid 14899] [client 173.245.56.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "domain.com"] [uri "/xmlrpc.php"] [unique_id "VppcCNWv0bMAADoz8vsAAAAD"]
    
    Thanks

    Clare
     
    #1 scullydion, Jan 16, 2016
    Last edited by a moderator: Jan 16, 2016
  2. quizknows

    Cloudflare and ModSecurity is an interesting situation. Because ModSecurity looks at request headers before the logging phase, the CF IP is the "real" IP despite the presence of the header from CloudFlare indicating who they are forwarding the request for.

    Do not "Allow" cloudflare ranges. This only opens ports to them and is unnecessary. You need to add their ranges to /etc/csf/csf.ignore (NOT csf.allow) and fully restart both csf and lfd via WHM. This will stop CSF from blocking those IPs while still allowing ModSecurity to block individual bad requests.

    Obviously once that is done, audit csf.deny and remove any cloudflare IP addresses (or just remove any addresses which you did not add manually, and allow the blocks to repopulate).
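
An added example, not part of the original post: a Python check for the csf.deny audit step described above, listing the entries that fall inside Cloudflare address space. The function names are hypothetical, the sample file content is constructed, and only one Cloudflare range is embedded for illustration (the current list is published at https://www.cloudflare.com/ips-v4); the assumed file format is one entry per line with `#` comments and optional `proto|dir|d=...|s=...` advanced rules.

```python
import ipaddress

# Assumption: a single Cloudflare range for illustration. In real use, load
# the full current list published at https://www.cloudflare.com/ips-v4.
CLOUDFLARE_RANGES = ["173.245.48.0/20"]

# Constructed sample csf.deny content (not taken from the thread).
SAMPLE_DENY = """\
# csf.deny sample
173.245.56.178 # lfd: (mod_security) triggered by 173.245.56.178 - Sat Jan 16 15:04:41 2016
203.0.113.9 # lfd: (sshd) Failed SSH login from 203.0.113.9
tcp|in|d=80|s=173.245.58.0/24 # manual rule
198.51.100.0/24 # do not delete
"""

def source_network(entry):
    """Return the network a csf entry refers to, or None if it has none."""
    candidates = [entry]
    if "|" in entry:  # advanced rule: take the s=/d= field that is an address
        candidates = [f[2:] for f in entry.split("|") if f[:2] in ("s=", "d=")]
    for value in candidates:
        try:
            return ipaddress.ip_network(value, strict=False)
        except ValueError:
            continue  # a port number or other non-address field
    return None

def cloudflare_entries(deny_text, cf_ranges=CLOUDFLARE_RANGES):
    """Return (line number, entry) for deny entries overlapping cf_ranges."""
    cf_nets = [ipaddress.ip_network(r) for r in cf_ranges]
    hits = []
    for lineno, line in enumerate(deny_text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()  # drop the trailing comment
        if not entry or entry.lower().startswith("include"):
            continue
        net = source_network(entry)
        if net is not None and any(
            net.version == cf.version and net.overlaps(cf) for cf in cf_nets
        ):
            hits.append((lineno, entry))
    return hits

if __name__ == "__main__":
    # On a server, read /etc/csf/csf.deny instead of the constructed sample.
    for lineno, entry in cloudflare_entries(SAMPLE_DENY):
        print(f"line {lineno}: {entry} is inside a Cloudflare range")
```

The same function can be pointed at csf.allow to find the Cloudflare entries that the post says to move to /etc/csf/csf.ignore.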
     
  3. scullydion

    Quizknows - thank you so much! Appreciate your time :)
     