mlex

Got it. Perhaps there's any additional info. I could provide to CF support about the attack, so they will have a better chance to neutralize it?

So why not just remove the cpanel.* functionality from the domains/subdomains? Is that possible? Or perhaps there's indeed people(Helio's members) who use it?

CloudFlare support: Is it https://tommy.heliohost.org:2083/ or I'm getting it wrong?

OMG... Thanks for sharing that log, Krydos. Isn't it's just a matter of time till Ricky will get the same? You obviously can't unblock IPs of the bruteforce like that, so I'll need to think what to do with that if there's no other options. I wonder if the tools CF support mentioned could make any difference:

Have no idea(do you know how to check it?). I basically experience a 522 error for some files on a server - that's how I can tell that IP/IPs are blocked. I asked CF support yesterday to check what IPs are blocked and if they can tell if it's blocked for HTTP/s, and received an answer that they can't run checks like that.

That would be great if you could filter it like that, I probably need only HTTP and HTTPs, but it didn't solve it. I still have it blocked for some reason - any ideas why?

What info should I provide them? Last time I was talking to them about it, it was a long-long conversation resulting in a fact the IP's are blocked at origin server and they can't do nothing. I honestly felt today was something special - I usually don't experience anything like that - I couldn't enter a single webpage without something to fall off.

It's blacklisted once again :/

I feel the irony, but could you suggest what should I do next time this happens(instead of giving up on CF)? I can think of two main solutions from my perspective: Increase a bit the amount of attempts needed for the above regions(UK, France, and Poland). Remove banned IPs after some period of time (day-two/week - depend on frequency) automatically.

Didn't get it: If I(for example - can be anyone) access your cPanel, I access it directly, avoiding CF: user - origin. When I connect to Tommy(my website), I do go around CF, but that's another story - no cPanel here. I do can think of that someone hiding behind CF and hitting the cPanel - is that what it is about? - if not, how actually CF involved in this process?

Thanks once again, Wolstech! It solved it. Is there any data on this attempts? Are they try to brute force it or anything alike? If they're harmless, perhaps there's a way to increase the amount of attempts needed till IP gets blocked. As for the Tommy - it's awesome But CloudFlare is a must for me. For many reasons. BTW: CF does improve performance and security.

space2018, try to check the following: Go to: cPanel => SSL/TLS => Generate, view, upload, or delete SSL certificates => Click "Install" on your active certificate (the one you're talking about) => Scroll to the "Manage Installed SSL Websites" => Check if all FQDNs have green lock icon => Check if your problematic domain with "www" is listed too.

Is there anyway to white-list CloudFlare's IPs, perhaps? I'm getting problems with it again . Recently related topic about it https://www.cloudflare.com/ips/

Alright then. Thanks for quick response, Wolstech.

Hey folks, Is there a way to install CloudFlare's Authenticated Origin Pulls? Info: 1) About Authenticated Origin Pulls 2) Setting up Apache to use TLS Authenticated Origin Pulls