mlex

Got it.

Perhaps there's any additional info. I could provide to CF support about the attack, so they will have a better chance to neutralize it?

So why not just remove the cpanel.* functionality from the domains/subdomains? Is that possible?

Or perhaps there's indeed people(Helio's members) who use it?

CloudFlare support:

 

Can you confirm what the full URL is for this attack? If you can provide us with more information we may be able to come up with a solution here.

Is it https://tommy.heliohost.org:2083/ or I'm getting it wrong?

OMG... Thanks for sharing that log, Krydos.

Isn't it's just a matter of time till Ricky will get the same?

You obviously can't unblock IPs of the bruteforce like that, so I'll need to think what to do with that if there's no other options.

I wonder if the tools CF support mentioned could make any difference:

 

Cloudflare IPs are going to show in your server logs until you install something on your server to restore original visitor IP, such as mod_cloudflare for Apache servers

Have no idea(do you know how to check it?).

I basically experience a 522 error for some files on a server - that's how I can tell that IP/IPs are blocked.

I asked CF support yesterday to check what IPs are blocked and if they can tell if it's blocked for HTTP/s, and received an answer that they can't run checks like that.

 

Could you please tell me what are exact IPs (CloudFlare IPs) that my origin server is blocking?

 

I am afraid we do not have the data on that. However if you wish to know what you are blocking through Cloudflare, you may visit Firewall tab under our dashboard: How do I control IP access to my site?

 

 

 

My Origin server is attacked(bruteforced) daily from your servers(IPs), mostly from Poland, UK and France regions. Is there anything you can do about it, please? I'm in a contact with admins of the server and they're willing to solve this issue as well, as they're bombarded by it daily and users like me are suffering from it.

 

Cloudflare helps protect sites, and accelerate them. We do not attack sites, and our network can't be used to generate attack traffic.

There are two circumstances where it might appear that Cloudflare is attacking your site.

1. You're a Cloudflare customer for your website(s). Since Cloudflare is a reverse proxy for our customers' sites, Cloudflare IPs are going to show in your server logs until you install something on your server to restore original visitor IP, such as mod_cloudflare for Apache servers. Solutions for seeing original visitor IP for Apache, nginx and other servers and applications are listed here: https://support.cloudflare.com/hc/en-us/sections/200038166-How-do-I-restore-original-visitor-IP-to-my-server-logs-
2. You're getting attacks from Cloudflare's IPs because they are being spoofed. Cloudflare does not send traffic over anything other than http:// (ports 80 and 443), so getting attacked by UDP requests means you are likely seeing a DNS amplification attack, see this article for more information.

 

 

That would be great if you could filter it like that, I probably need only HTTP and HTTPs,  but it didn't solve it. I still have it blocked for some reason - any ideas why?

What info should I provide them?

Last time I was talking to them about it, it was a long-long conversation resulting in a fact the IP's are blocked at origin server and they can't do nothing.

I honestly felt today was something special - I usually don't experience anything like that - I couldn't enter a single webpage without something to fall off.

It's blacklisted once again :/ 

I feel the irony, but could you suggest what should I do next time this happens(instead of giving up on CF)? 

I can think of two main solutions from my perspective:

Increase a bit the amount of attempts needed for the above regions(UK, France, and Poland).

Remove banned IPs after some period of time (day-two/week - depend on frequency) automatically.

Didn't get it:

If I(for example - can be anyone) access your cPanel, I access it directly, avoiding CF: user - origin. When I connect to Tommy(my website), I do go around CF, but that's another story - no cPanel here.

I do can think of that someone hiding behind CF and hitting the cPanel - is that what it is about? - if not, how actually CF involved in this process?

Thanks once again, Wolstech! 

It solved it.

Is there any data on this attempts?

Are they try to brute force it or anything alike?

If they're harmless, perhaps there's a way to increase the amount of attempts needed till IP gets blocked.

As for the Tommy - it's awesome  

But CloudFlare is a must for me. For many reasons. 

BTW: CF does improve performance and security. 

space2018, try to check the following:

Go to:

cPanel => SSL/TLS => Generate, view, upload, or delete SSL certificates => Click "Install" on your active certificate (the one you're talking about) => Scroll to the "Manage Installed SSL Websites" => Check if all FQDNs have green lock icon => Check if your problematic domain with "www" is listed too.

Is there anyway to white-list CloudFlare's IPs, perhaps? I'm getting problems with it again .

Recently related topic about it

https://www.cloudflare.com/ips/

Alright then.

Thanks for quick response, Wolstech.

Hey folks,

Is there a way to install CloudFlare's Authenticated Origin Pulls?

Info:

1) About Authenticated Origin Pulls

2) Setting up Apache to use TLS Authenticated Origin Pulls

Thanks for clarifying this.

Everything works great now.

I've noticed I'm getting "error_log" with the following message, and I think it's related to the above subject:

PHP Warning:  Module 'apcu' already loaded in Unknown on line 0

Did it by modifying the .htaccess :

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php56” package as the default “PHP” programming language.
<IfModule mime_module>
  AddType application/x-httpd-ea-php72 .php .php5 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

Tried to edit the .htaccess from:

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php56” package as the default “PHP” programming language.
<IfModule mime_module>
  AddType application/x-httpd-ea-php56 .php .php5 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

to

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php56” package as the default “PHP” programming language.
<IfModule mime_module>
  AddType application/x-httpd-php72 .php .php5 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

For some weird reason, I can't change PHP version on Tommy. 

Tried with different browsers, etc - all the same.

Oh, it went to the spam dir. 

Thanks a lot once again, wolstech. Everything works great.

Any updates?

Thank a lot, wolstech, I appreciate it.

I've just deleted it.

Can I PM you with my new email, so you could send me a link?

Take a look at Sublime. My favorite one. Extremely awesome

I wish it would be true, but unfortunately registrations are closed even when the reset is in place(the Ricky and Johnny are open).

However,  could any of the admin/moderator/relevant staff confirm that there is indeed an extra open slots when you delete an account?