Cloudflare blocked in firewall alerts

scullydion

Member
Nov 7, 2015
UK
cPanel Access Level
Root Administrator
Hello

I've added CloudFlare IP ranges to my whitelist in the firewall. I recently ran an update on Apache and now I'm getting a lot of alerts from what are actually CloudFlare IPs.

How can I get the server to ignore these?
Code:
IP: 173.245.56.178 (US/United States/cf-173-245-56-178.cloudflare.com)
Failures: 3 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block (IP match in csf.allow, block may not work)
Log entries:
Code:
[Sat Jan 16 15:04:32.948415 2016] [:error] [pid 14108] [client 173.245.56.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "domain.com"] [uri "/xmlrpc.php"] [unique_id "VppcANWv0bMAADccxcQAAAAB"]
[Sat Jan 16 15:04:37.501020 2016] [:error] [pid 14899] [client 173.245.56.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "domain.com"] [uri "/xmlrpc.php"] [unique_id "VppcBdWv0bMAADoz8voAAAAD"]
[Sat Jan 16 15:04:40.912824 2016] [:error] [pid 14899] [client 173.245.56.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "domain.com"] [uri "/xmlrpc.php"] [unique_id "VppcCNWv0bMAADoz8vsAAAAD"]
Thanks

Clare

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Cloudflare and ModSecurity is an interesting situation. Because ModSecurity looks at request headers before the logging phase, the CF IP is the "real" IP despite the presence of the header from CloudFlare indicating who they are forwarding the request for.

Do not "Allow" cloudflare ranges. This only opens ports to them and is unnecessary. You need to add their ranges to /etc/csf/csf.ignore (NOT csf.allow) and fully restart both csf and lfd via WHM. This will stop CSF from blocking those IPs while still allowing ModSecurity to block individual bad requests.

Obviously once that is done, audit csf.deny and remove any cloudflare IP addresses (or just remove any addresses which you did not add manually, and allow the blocks to repopulate).
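To make the advice above concrete, here is an added example (not code from the thread or from the CSF or Cloudflare projects). It pulls the `[client ...]` address out of a ModSecurity error-log line of the shape quoted in the question, checks whether it belongs to a Cloudflare edge range, audits a constructed csf.deny for entries that fall inside those ranges, and prints the lines to append to /etc/csf/csf.ignore. The Cloudflare range list is an assumed snapshot of the published IPv4 ranges; refresh it from https://www.cloudflare.com/ips/ before relying on it, and the csf.deny and log content are constructed for the example.

```python
"""Audit CSF blocks against Cloudflare edge ranges (added example).

Assumptions: CF_RANGES is an illustrative snapshot of Cloudflare's published
IPv4 ranges, not an authoritative list; the csf.deny text and the
ModSecurity log line are constructed to match the thread's output.
"""
import ipaddress
import re

# Assumed snapshot of Cloudflare IPv4 ranges; replace with the current
# list from https://www.cloudflare.com/ips/ before use.
CF_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed csf.deny content in CSF's "ip # comment" line format.
SAMPLE_CSF_DENY = """\
173.245.56.178 # lfd: (mod_security) mod_security (id:950107) triggered by 173.245.56.178: 3 in the last 3600 secs
203.0.113.45 # lfd: (sshd) Failed SSH login from 203.0.113.45: 5 in the last 3600 secs
198.51.100.7 # Manually blocked by admin
"""

# Constructed ModSecurity error-log line with the same layout as the thread.
SAMPLE_MODSEC_LINE = (
    '[Sat Jan 16 15:04:32.948415 2016] [:error] [pid 14108] '
    '[client 173.245.56.178] ModSecurity: Access denied with code 406 '
    '(phase 2). Pattern match "..." at ARGS:token. [id "950107"] '
    '[msg "URL Encoding Abuse Attack Attempt"] [uri "/xmlrpc.php"]'
)

# Apache logs "[client IP]" (2.2) or "[client IP:port]" (2.4); accept both.
CLIENT_RE = re.compile(r"\[client (\S+?)(?::\d+)?\]")


def is_cloudflare(ip):
    """True if ip falls inside one of the Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_RANGES)


def modsec_client_ip(line):
    """Return the address ModSecurity logged as the client.

    Behind Cloudflare this is the edge IP, not the visitor: ModSecurity
    records the TCP peer, not the forwarded-for header Cloudflare adds.
    """
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


def parse_csf_deny(text):
    """Return (ip, comment) tuples for each non-comment csf.deny line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip, _, comment = line.partition("#")
        entries.append((ip.strip(), comment.strip()))
    return entries


def audit_csf_deny(text):
    """Split csf.deny into Cloudflare entries (to remove) and everything else."""
    cloudflare, keep = [], []
    for ip, comment in parse_csf_deny(text):
        (cloudflare if is_cloudflare(ip) else keep).append((ip, comment))
    return cloudflare, keep


def csf_ignore_lines():
    """CIDR lines to append to /etc/csf/csf.ignore so lfd ignores CF edges."""
    return [str(net) for net in CF_RANGES]


if __name__ == "__main__":
    ip = modsec_client_ip(SAMPLE_MODSEC_LINE)
    print(f"ModSecurity client {ip}: cloudflare={is_cloudflare(ip)}")
    bad, ok = audit_csf_deny(SAMPLE_CSF_DENY)
    print("Remove from csf.deny:", [e[0] for e in bad])
    print("Keep in csf.deny:", [e[0] for e in ok])
    print("Append to /etc/csf/csf.ignore:")
    print("\n".join(csf_ignore_lines()))
```

After appending the printed ranges to csf.ignore and dropping the flagged entries from csf.deny, restart both csf and lfd (from the shell, `csf -ra` does both) so the new ignore list takes effect. ModSecurity keeps blocking the individual bad requests; only lfd's IP-level block on the Cloudflare edge is suppressed.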