MajorLancelot

We often use mod_evasive as part of our sec. measures and also have customers running through Cloudflare (Full DNS).

We have noticed that once mod_evasive is installed, customers on Cloudflare will start having issues.

Has anyone else encountered this?

Thanks!
 

Jcats

Are you using mod_cloudflare and/or have the CloudFlare plugin installed? If not, all the traffic will look to come from only several IPs, being the CloudFlare IPs which proxy the traffic, so it will look like only those few IPs are making tons and tons of requests when in fact they are requests from many different sources. With mod_cloudflare, it will allow Apache to see the actual IPs of the traffic, which should allow mod_evasive to chill and act as normal.

One easy way to test to ensure it's working is to look at the access logs of a domain behind CloudFlare, look at the IPs and whois them. If they are owned by CloudFlare, then mod_cloudflare isn't installed / working.
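The access-log check described in the post above, as an added example that is not part of the original thread: it counts how many requests arrive from Cloudflare edge addresses, which is what mod_evasive sees when the real client IP is not restored. The range list is a snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4) and should be refreshed before use; the log lines are constructed, and the function names are this example's own.

```python
import ipaddress
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges; IPv6 ranges are not covered here.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare(ip):
    """True if ip is an IPv4 address inside one of the Cloudflare ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP address (e.g. a malformed log line)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)

def audit(lines):
    """Tally the client field (first column of Apache common/combined logs)."""
    proxy, direct = Counter(), Counter()
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        (proxy if is_cloudflare(fields[0]) else direct)[fields[0]] += 1
    total = sum(proxy.values()) + sum(direct.values())
    return {
        "total": total,
        "from_cloudflare": sum(proxy.values()),
        # Edge IPs with the most hits are the ones mod_evasive will block first.
        "top_proxy_ips": proxy.most_common(3),
    }

# Constructed sample: four requests logged with edge IPs, one with a client IP.
SAMPLE_LOG = """\
162.158.90.14 - - [12/Mar/2015:10:01:02 +0900] "GET / HTTP/1.1" 200 5120
162.158.90.14 - - [12/Mar/2015:10:01:02 +0900] "GET /style.css HTTP/1.1" 200 900
172.68.10.5 - - [12/Mar/2015:10:01:03 +0900] "GET /logo.png HTTP/1.1" 200 3100
162.158.90.14 - - [12/Mar/2015:10:01:03 +0900] "GET /app.js HTTP/1.1" 200 7200
203.0.113.7 - - [12/Mar/2015:10:01:04 +0900] "GET / HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    print(audit(SAMPLE_LOG.splitlines()))
```

If nearly all requests for a Cloudflare-proxied domain are counted under `from_cloudflare`, Apache is logging the proxy address rather than the visitor's, and mod_evasive's per-IP counters are being applied to the edge servers.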

 

MajorLancelot

Hello, Jcats!

The response below is in no particular order.

mod_evasive is installed at the root level.

And because of the mod_remoteip vs mod_cloudflare conflict, mod_cloudflare is not installed as we opt for the former.

They essentially do the same thing.

The Cloudflare cPanel/Plesk plugin though is installed and that is what customers use.

On your suggestion, I took a look at the /var/log/apache2/mod_evasive dir and noticed that there are tons of blocked Cloudflare IPs there.

Most often these abusers hide behind services like CF and that may account for this.

Whitelisting the entire Cloudflare IP range in mod_evasive.conf may not even be the best approach.

Any ideas would be much welcome.

Thanks for pitching in.
 

Jcats

> Most often these abusers hide behind services like CF and that may account for this.

I don't think that's it at all honestly. I think that Apache can just only see the CloudFlare IPs; being that mod_evasive is an Apache module, it sees what Apache sees. When you look in the access logs for these sites, what IPs do you see?
 

cPanelMichael

Administrator
Staff member
> We have noticed that once mod_evasive is installed, customers on Cloudflare will start having issues.

Hello :)

Can you provide more information about the specific issues your customers experience? Are there any specific errors logged to the Apache error log when an issue is reproduced?

Note the following document is a good place to start when understanding and configuring Mod_Evasive:


Thank you.