Krydos (posted June 4, 2018): Well, which IP(s) are blocked? I'll check the logs for you.
wolstech (posted June 4, 2018): @Krydos: These ranges are the ones I've been seeing a lot over and over again. All of the blocked IPs in these ranges just say failed cPanel login.

141.101.64.0/18 - UK
162.158.0.0/15 - Germany
172.64.0.0/13 - Country of origin varies (I see US and Hong Kong in the list now)

The ranges shown in bold in the original post are the ones that most often end up blocked. He's posting from Israel according to his forum posts, but I think I've seen him post with a UK IP as well. Note that when he's blocked, it still works fine for the USA. (Seen here: https://www.cloudflare.com/ips/)
Krydos (posted June 4, 2018): Since they all appear to be cpanel/whm bruteforces I've whitelisted those IPs for http/https only. They will still get blocked for cpanel, whm, imap, pop3, ftp, etc. abuse. Let us know if that helps at all.
mlex (thread author, posted June 5, 2018): That would be great if you could filter it like that. I probably need only HTTP and HTTPS, but it didn't solve it. I still have it blocked for some reason - any ideas why?
mlex (thread author, posted June 5, 2018): Have no idea (do you know how to check it?). I basically experience a 522 error for some files on a server - that's how I can tell that IP/IPs are blocked. I asked CF support yesterday to check what IPs are blocked and if they can tell if it's blocked for HTTP/s, and received an answer that they can't run checks like that.

> Could you please tell me what are the exact IPs (CloudFlare IPs) that my origin server is blocking?

> I am afraid we do not have the data on that. However, if you wish to know what you are blocking through Cloudflare, you may visit the Firewall tab under our dashboard: How do I control IP access to my site?

> My origin server is attacked (bruteforced) daily from your servers (IPs), mostly from Poland, UK and France regions. Is there anything you can do about it, please? I'm in contact with the admins of the server and they're willing to solve this issue as well, as they're bombarded by it daily and users like me are suffering from it.

> Cloudflare helps protect sites, and accelerate them. We do not attack sites, and our network can't be used to generate attack traffic. There are two circumstances where it might appear that Cloudflare is attacking your site.
>
> You're a Cloudflare customer for your website(s). Since Cloudflare is a reverse proxy for our customers' sites, Cloudflare IPs are going to show in your server logs until you install something on your server to restore original visitor IP, such as mod_cloudflare for Apache servers. Solutions for seeing original visitor IP for Apache, nginx and other servers and applications are listed here: https://support.cloudflare.com/hc/en-us/sections/200038166-How-do-I-restore-original-visitor-IP-to-my-server-logs-
>
> You're getting attacks from Cloudflare's IPs because they are being spoofed. Cloudflare does not send traffic over anything other than http:// (ports 80 and 443), so getting attacked by UDP requests means you are likely seeing a DNS amplification attack; see this article for more information.

Edited June 5, 2018 by mlex
wolstech (posted June 5, 2018): I've been checking them manually by CTRL+F-ing through the listed IPs in the Admin->IPs->Tommy list. I'm still seeing blocks for these ranges in the IP tab for Tommy, and the past two times I've fixed this for mlex, unblocking everything I can find in these two ranges for Tommy restores the access until they get blocked again. Did the whitelist not work (or did you forget to unblock him after whitelisting)?

141.101.64.0/18
162.158.0.0/15
Krydos (posted June 5, 2018): I intentionally didn't unblock anything. I was testing it to see if the whitelist for ports 80/443 would override the block on the rest of the ports. Example:

[2018-06-04 22:18:54 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)
[2018-06-04 22:18:54 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)
[2018-06-04 22:18:55 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)
[2018-06-04 22:18:56 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)
[2018-06-04 22:18:57 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)
[2018-06-04 22:18:57 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)
[2018-06-04 22:18:58 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)
[2018-06-04 22:18:59 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)
[2018-06-04 22:19:00 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)
[2018-06-04 22:19:01 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)
[2018-06-04 22:19:01 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)

Perhaps if you insist on using cloudflare you should move to Ricky where the cloudflare ips aren't blocked?
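The cpaneld log above, the Cloudflare ranges wolstech listed and Krydos's finding that an 80/443-only whitelist does not stop a block on the cPanel port can be tied together in a small triage script. The following is an added example written for this thread, not code from HelioHost, cPanel or Cloudflare. It parses cpaneld FAILED LOGIN lines, counts failures per source IP, flags IPs that fall inside the three Cloudflare ranges from the thread, and reports whether a port-80/443 allow entry would even apply to the service that was hit. The sample log is constructed (two lines copied from the post, one with another username as Krydos describes, one from a non-Cloudflare documentation address), the service-to-port mapping and the failure threshold are assumptions, and the range list is the thread's subset rather than the full list at https://www.cloudflare.com/ips/.

```python
import ipaddress
import re

# Cloudflare ranges named earlier in the thread. This is a constructed subset
# for the example; the authoritative list lives at https://www.cloudflare.com/ips/.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13")]

# Log tags for services that sit outside the user web host, so an allow entry
# limited to ports 80/443 does not cover them. The tag -> port mapping is an
# assumption made for this example.
NON_HTTP_SERVICES = {"cpaneld": "cPanel (2083)", "whostmgrd": "WHM (2087)"}

# Matches the cpaneld failed-login format shown in the thread.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] info \[(?P<svc>\w+)\] (?P<ip>[\d.]+) - (?P<user>\S+) "
    r'"(?P<req>[^"]*)" FAILED LOGIN'
)

# Constructed sample log: first two lines copied from the post, the third uses
# a different username as Krydos reports, the fourth a non-Cloudflare
# documentation address (203.0.113.0/24), the last is noise that must be skipped.
SAMPLE_LOG = [
    '[2018-06-04 22:18:54 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)',
    '[2018-06-04 22:18:55 +0000] info [cpaneld] 141.101.107.89 - predents "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user predents (loadcpdata failed)',
    '[2018-06-04 22:19:03 +0000] info [cpaneld] 141.101.107.89 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user admin (loadcpdata failed)',
    '[2018-06-04 22:20:10 +0000] info [cpaneld] 203.0.113.5 - mlex "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password incorrect',
    "some unrelated line that does not parse",
]


def parse_line(line):
    """Return a dict (ts, svc, ip, user, req) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ip"] = ipaddress.ip_address(event["ip"])
    return event


def is_cloudflare(ip):
    """True if the address falls inside one of the listed Cloudflare ranges."""
    return any(ip in net for net in CLOUDFLARE_RANGES)


def http_whitelist_covers(event):
    """True only if the hit was on the user web host, where an 80/443 allow applies."""
    return event["svc"] not in NON_HTTP_SERVICES


def summarize(lines):
    """Aggregate failed logins per source IP: count, usernames tried, services hit."""
    summary = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # ignore lines that are not failed logins
        key = str(event["ip"])
        rec = summary.setdefault(key, {
            "failures": 0, "users": set(), "services": set(),
            "via_cloudflare": is_cloudflare(event["ip"]),
        })
        rec["failures"] += 1
        rec["users"].add(event["user"])
        rec["services"].add(event["svc"])
    return summary


def triage(summary, threshold=3):
    """One-line finding per IP at or above the failure threshold (threshold is assumed)."""
    notes = {}
    for ip, rec in summary.items():
        if rec["failures"] < threshold:
            continue
        hit_non_http = bool(rec["services"] & set(NON_HTTP_SERVICES))
        if rec["via_cloudflare"] and hit_non_http:
            notes[ip] = ("Cloudflare edge IP hitting a non-HTTP service: the real client IP "
                         "is not recoverable here (mod_cloudflare is not on the cPanel/WHM "
                         "host) and an 80/443-only allow entry will not prevent this block.")
        elif rec["via_cloudflare"]:
            notes[ip] = "Cloudflare edge IP on HTTP: use the restored visitor IP before blocking."
        else:
            notes[ip] = "Direct source IP: normal brute-force handling applies."
    return notes


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, rec in result.items():
        print(ip, rec["failures"], sorted(rec["users"]), rec["via_cloudflare"])
    for ip, note in triage(result).items():
        print(ip, "->", note)
```

Running it on the constructed sample shows 141.101.107.89 with three failures across two usernames, inside 141.101.64.0/18, and a triage note that the 80/443 allow entry does not reach cpaneld, which is exactly why Krydos's test left the block in place. The second address is below the threshold and produces no note.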
wolstech (posted June 5, 2018): Are most/all of the hits for user predents or is that just a small portion of the list? Asking because that particular user still hosts here... he recreated his account a while back and changed the username though.
Krydos (posted June 5, 2018): No, that was just one section. That same IP has other username failed logins too.
mlex (thread author, posted June 6, 2018): OMG... Thanks for sharing that log, Krydos. Isn't it just a matter of time till Ricky gets the same? You obviously can't unblock IPs of the bruteforce like that, so I'll need to think what to do with that if there are no other options. I wonder if the tools CF support mentioned could make any difference:

> Cloudflare IPs are going to show in your server logs until you install something on your server to restore original visitor IP, such as mod_cloudflare for Apache servers
Krydos (posted June 6, 2018): That module is already installed. The problem is cpanel/whm is hosted separately from websites on its own version of apache. This is so you can still access cpanel/whm if there is a problem with the apache that hosts users' sites. Unfortunately you can't install modules on this internal webhost like you can on the user webhost. It's the internal webhost for cpanel/whm that is being bruteforced. If it was the user webhost, mod_cloudflare would do its job and report the proper IP.
mlex (thread author, posted June 15, 2018): CloudFlare support:

> Can you confirm what the full URL is for this attack? If you can provide us with more information we may be able to come up with a solution here.

Is it https://tommy.heliohost.org:2083/ or am I getting it wrong?
Krydos (posted June 15, 2018): No, cloudflare only operates on port 80 and port 443. It's more likely that it is something like cpanel.yourdomain.com where yourdomain.com uses cloudflare.
mlex (thread author, posted June 16, 2018): So why not just remove the cpanel.* functionality from the domains/subdomains? Is that possible? Or perhaps there are indeed people (Helio's members) who use it?