mlex Posted June 2, 2018 Is there any way to white-list CloudFlare's IPs, perhaps? I'm getting problems with it again. Recently related topic about it. https://www.cloudflare.com/ips/
wolstech Posted June 2, 2018 I unblocked the UK, France, and Poland data centers again (same ones that were blocked last time). They're getting blocked for bad passwords against cPanel. I'm not sure why, but it's always these 3 data centers. Most blocks are from the 162.158.0.0/15 range. You're on Tommy anyway; is there a reason you need CF? The performance should be just fine without it. Johnny and Ricky users are the ones who really benefit most from using CF...
mlex (Author) Posted June 2, 2018 Thanks once again, Wolstech! It solved it. Is there any data on these attempts? Are they trying to brute force it or anything alike? If they're harmless, perhaps there's a way to increase the amount of attempts needed till the IP gets blocked. As for Tommy - it's awesome. But CloudFlare is a must for me. For many reasons. BTW: CF does improve performance and security.
wolstech Posted June 2, 2018 It just shows them as Failed cPanel Login, which means someone connected to a site through CF is entering bad usernames and passwords. It could be anybody in that region of the world, accessing any site that has CF on it. Doesn't even need to be your account being hit, since all the traffic comes from the same source in our eyes. At the end of the day, CF basically amounts to a really large distributed caching reverse proxy... the firewall is so basic that it has no understanding of such things and thinks it's just seeing a user from the internet at large, not a network with hundreds of thousands of users that ultimately share an IP address when it comes to visiting your site.
mlex (Author) Posted June 2, 2018 Didn't get it: If I (for example - can be anyone) access your cPanel, I access it directly, avoiding CF: user - origin. When I connect to Tommy (my website), I do go around CF, but that's another story - no cPanel here. I can think of someone hiding behind CF and hitting the cPanel - is that what it is about? If not, how actually is CF involved in this process?
wolstech Posted June 2, 2018 Yep, someone hiding behind CF is hammering away at cPanel. It's worth noting that CF offers app hosting too, so it could be malware that someone made and is using CF to run. Similarly, it could be someone beating on cPanel through a domain that's protected by CF. Every domain hosted on a server can access cPanel via port 2083, so it's a matter of flooding such a domain with POST requests (actually trying to view cP through such a domain should redirect to the server domain). TL;DR: someone is causing CF's servers to send us bad login attempts. It could even be multiple people considering the limit is only 5 tries in an hour...
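The two posts above describe the core problem: a per-IP failed-login counter (5 tries in an hour) sees every client behind a CloudFlare edge as one offender, so one abusive client gets a whole data center blocked. The script below is an added example (not from this thread, nor HelioHost's or cPanel's own tooling) that runs the same threshold over a small constructed log twice, once keyed on the address the server saw and once keyed on the real client behind the proxy. Assumptions: the log format is invented, the only CloudFlare range is the 162.158.0.0/15 named above (a real deployment loads the full list from https://www.cloudflare.com/ips/), and the `cf_connecting_ip` field is something the server would have to record itself from the `CF-Connecting-IP` request header, since cPanel's login log does not carry it.

```python
"""Added example: how a shared reverse proxy collapses many clients into one
source address for a per-IP brute-force threshold, and how keying on the
proxied client address (only when the hop is really the proxy) avoids that.
Not code from the thread, HelioHost, cPanel or CloudFlare."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only the range named in the thread; a real deployment loads the complete
# published list from https://www.cloudflare.com/ips/ instead.
CLOUDFLARE_RANGES = [ipaddress.ip_network("162.158.0.0/15")]

# Threshold stated in the thread: five failed attempts within an hour.
MAX_FAILURES = 5
WINDOW = timedelta(hours=1)

# Constructed sample log (invented format, not real cPanel output). The
# cf_connecting_ip field assumes the server captured the CF-Connecting-IP
# header; "-" means the request did not carry one (a direct connection).
SAMPLE_LOG = """\
2018-06-02T10:00:01 FAILED LOGIN cpanel src=162.158.12.34 cf_connecting_ip=203.0.113.7 user=mlex
2018-06-02T10:05:10 FAILED LOGIN cpanel src=162.158.12.34 cf_connecting_ip=198.51.100.9 user=admin
2018-06-02T10:10:22 FAILED LOGIN cpanel src=162.158.99.1 cf_connecting_ip=203.0.113.7 user=root
2018-06-02T10:20:45 FAILED LOGIN cpanel src=162.158.12.34 cf_connecting_ip=192.0.2.55 user=test
2018-06-02T10:30:00 FAILED LOGIN cpanel src=162.158.12.34 cf_connecting_ip=203.0.113.7 user=mlex
2018-06-02T10:40:00 FAILED LOGIN cpanel src=162.158.12.34 cf_connecting_ip=203.0.113.7 user=mlex
2018-06-02T10:41:00 FAILED LOGIN cpanel src=198.51.100.200 cf_connecting_ip=- user=admin
2018-06-02T10:50:00 FAILED LOGIN cpanel src=162.158.99.1 cf_connecting_ip=203.0.113.7 user=root
2018-06-02T12:00:00 FAILED LOGIN cpanel src=162.158.12.34 cf_connecting_ip=192.0.2.55 user=test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) FAILED LOGIN cpanel src=(?P<src>\S+) "
    r"cf_connecting_ip=(?P<client>\S+) user=(?P<user>\S+)$"
)


def is_cloudflare(ip):
    """True if the address the server saw is inside a known CloudFlare range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def parse(log):
    """Turn the constructed log into a list of event dicts; skips unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "client": m["client"],
            "user": m["user"],
        })
    return events


def effective_client(ev):
    """Use the forwarded client address only when the hop really is CloudFlare.
    Trusting CF-Connecting-IP from an arbitrary source would let anyone forge
    it and shift blame onto any address they like."""
    if is_cloudflare(ev["src"]) and ev["client"] != "-":
        return ev["client"]
    return ev["src"]


def blocked_keys(events, key_func):
    """Sliding-window counter: a key is blocked once MAX_FAILURES failures fall
    inside any span shorter than WINDOW. Returns the set of blocked keys."""
    recent = defaultdict(list)
    blocked = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        k = key_func(ev)
        window = [t for t in recent[k] if ev["ts"] - t < WINDOW]
        window.append(ev["ts"])
        recent[k] = window
        if len(window) >= MAX_FAILURES:
            blocked.add(k)
    return blocked


def compare(log=SAMPLE_LOG):
    """Run the same threshold keyed on the observed source and on the real client."""
    events = parse(log)
    return {
        "per_source": blocked_keys(events, lambda e: e["src"]),
        "per_client": blocked_keys(events, effective_client),
    }


if __name__ == "__main__":
    result = compare()
    print("blocked by observed source IP:", sorted(result["per_source"]))
    print("blocked by real client IP    :", sorted(result["per_client"]))
```

On the sample data the source-keyed pass blocks the CloudFlare edge 162.158.12.34, which is exactly the collateral damage the thread describes (every site visitor routed through that edge is locked out), while the client-keyed pass blocks only 203.0.113.7, the one address actually making repeated attempts. The `effective_client` guard matters: the forwarded header is only meaningful when the immediate peer is a published CloudFlare address, so the range list has to be kept current.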
Krydos Posted June 3, 2018
> But CloudFlare is a must for me. For many reasons. BTW: CF does improve performance and security.
The benefit for HelioHost of accounts using Cloudflare is if mlex or someone manages to upset a hacker who owns a botnet, Cloudflare protects our servers from taking the inevitable DDoS.
wolstech Posted June 3, 2018 Forgot about that. Yeah, it definitely helps in that scenario. CF will stand there and take abuse all day long... our servers just fall over. I personally use it since I have domains that need some of the more advanced DNS types than what cP offers.
mlex (Author) Posted June 3, 2018 I feel the irony, but could you suggest what I should do next time this happens (instead of giving up on CF)? I can think of two main solutions from my perspective:
1. Increase a bit the amount of attempts needed for the above regions (UK, France, and Poland).
2. Remove banned IPs after some period of time (day-two/week - depending on frequency) automatically.
wolstech Posted June 3, 2018 The block does expire on its own already when the IP falls off the bottom of the block list. Right now that takes just over a week. The next one to expire is from 5/25, so 9 days. Whether we could make these expire sooner is a good question.
wolstech Posted June 4, 2018 Unsolved. Let's see if Krydos can do something about this.
Krydos Posted June 4, 2018 What does Cloudflare say about blocking the source of this bruteforce?
mlex (Author) Posted June 4, 2018 What info should I provide them? Last time I was talking to them about it, it was a long, long conversation resulting in the fact that the IPs are blocked at the origin server and they can't do anything. I honestly felt today was something special - I usually don't experience anything like that - I couldn't enter a single webpage without something falling over.