Mod_Evasive + Cloudflare Issue

[MajorLancelot]

We often use mod_evasive as part of our sec. measures and also have customers running through Cloudflare (Full DNS).

We have noticed that once mod_evasive installed, customers on Cloudflare will start having issues.

Has anyone else encountered this?

Thanks!

 

[Jcats]

Are you using mod_cloudflare and/or have the CloudFlare plugin installed? If not, all the traffic will look to come from only several IP's being the CloudFlare IP's which proxy the traffic so it will look like only those few IP's are making tons and tons of requests when in fact they are requests from many different sources. With mod_cloudflare, it will allow Apache to see the actual IP's of the traffic which should allow mod_evasive to chill and act as normal.

One easy way to test to ensure its working is look at the access logs of a domain behind CloudFlare, look at the IP's and whois them, if they are owned by CloudFlare then mod_cloudflare isn't installed / working.

Getting Started with Cloudflare Partners

Learn how to partner with Cloudflare and get started with the Partner platform. Overview Become a partner Get started with the provisioning API Related resources OverviewCloudflare’s partner netwo...

www.cloudflare.com

 

[MajorLancelot]

Hello, Jcats!

The response below is in no particular order.

mod_evasive is installed at the root level.

And because of the mod_remoteip vs mod_cloudflare conflict, mod_cloudflare is not installed as we opt for the former.

They essentially do the same thing.

The Cloudflare cPanel/Plesk plugin though is installed and that is what customers use.

On your suggestion, I took a look at the /var/log/apache2/mod_evasive dir and noticed that there are tons of blocked Cloudflare IPs there.

Most often these abusers hide behind services like CF and that may account for this.

Whitelisting the entire Cloudflare IP range in mod_evasive.conf may not even be the best approach.

Any ideas would be much welcome.

Thanks for pitching in.

 

[Jcats]

Most often these abusers hide behind services like CF and that may account for this.

I don't think thats it at all honestly, I think that Apache can just only see the CloudFlare IP's, being that mod_evasive is an Apache module, it see's what Apache see's. When you look in the access logs for these sites, what IP's do you see?

 

[cPanelMichael]

We have noticed that once mod_evasive installed, customers on Cloudflare will start having issues.

Hello

Can you provide more information about the specific issues your customers experience? Are there any specific errors logged to the Apache error log when an issue is reproduced?

Note the following document is a good place to start when understanding and configuring Mod_Evasive:

Apache Module: Evasive - EasyApache 4 - cPanel Documentation

documentation.cpanel.net

Thank you.