• Resolved A&C

    (@syedc)


    Sorry if this is a repeat question – didn’t find anything on this topic…surprisingly!

    Wondering how to configure Defender with reverse-proxies like Cloudflare. Currently, Defender is just picking up (and trying to block) Cloudflare’s IP ranges (on brute force attacks for example).

    This is because traffic via Cloudflare comes from Cloudflare’s IPs. Cloudflare does however pass on the visitor’s IP via custom headers (think “X-forwarded-for” or something similar).

    Wondering how to get Defender to use those IPs for blocks.

    FYI, the server is configured with mod_cloudflare – so the server logs read and record the visitor IP addresses just fine. This is a case of getting Defender’s PHP scripts to work with remote IPs.
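
As an added example (not part of the original post and not Defender's own code): one way a PHP script behind a reverse proxy can resolve the visitor IP, trusting the forwarded header only when the connection itself comes from a known proxy range, so a direct client cannot spoof its address. The function names and the proxy ranges (documentation networks used as placeholders) are assumptions; `CF-Connecting-IP` is the header Cloudflare uses for the visitor address.

```php
<?php
// Added example, not Defender's code. Placeholder proxy ranges (documentation
// networks); replace them with the reverse proxy's published IP ranges.
const TRUSTED_PROXIES = ['198.51.100.0/24', '2001:db8::/32'];

/** True when $ip falls inside $cidr (IPv4 or IPv6). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or address families differ
    }
    $max   = strlen($ipBin) * 8;
    $bits  = $bits === null ? $max : min(max((int) $bits, 0), $max);
    $bytes = intdiv($bits, 8); // whole bytes covered by the prefix
    $rem   = $bits % 8;        // leftover prefix bits in the next byte
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return $rem === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** Resolve the visitor IP: honour the header only when the peer is a trusted proxy. */
function resolve_client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            $claimed = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
            // Accept the header only if it holds a syntactically valid IP.
            if (filter_var($claimed, FILTER_VALIDATE_IP) !== false) {
                return $claimed;
            }
            break;
        }
    }
    return $peer; // direct connection, or header missing/invalid
}

// Constructed sample requests; a live script would pass $_SERVER instead.
$viaProxy = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '203.0.113.9'];
$spoofed  = ['REMOTE_ADDR' => '192.0.2.44',   'HTTP_CF_CONNECTING_IP' => '203.0.113.9'];
echo resolve_client_ip($viaProxy), "\n"; // header honoured: peer is a trusted proxy
echo resolve_client_ip($spoofed), "\n";  // header ignored: peer is not a proxy
```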

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Patrick – WPMU DEV Support

    (@wpmudevsupport12)

    Hi @syedc

    I hope you are doing well.

    Could you check if I’m missing anything?

    I enabled the Cloudflare proxies,
    Configured the Defender to protect the login,
    Locked me out of the website
    Using the VPN I accessed and checked the logs; the blocked IP matches my ISP, not the Cloudflare IPs.

    Best Regards
    Patrick Freitas

    Thread Starter A&C

    (@syedc)

    Hmm, I’m not really sure what’s going on.

    So we’ve got Cloudflare Railgun running, could this be a reason? AND we have Jetpack’s Brute force enabled (it was our security solution before Defender. Left it on till we’re sure about Defender) – could this be causing a conflict?

    I attempted to lock myself out, but was unsuccessful (attempted 7 failed logins – when the threshold is set to 5 fails – and logged in correctly from that same IP on the 8th attempt).

    These unsuccessful attempts weren’t even logged by Defender (let alone blocked), but Jetpack’s activity log did record these. So I’m thinking a Jetpack – Defender conflict?

    Defender is however logging failed logins and blocks against IPs using banned usernames (but not any other username. Though in my test with a banned username, I didn’t get banned).

    Also to add to this mix, I just tried a new test – trigger the 404 lockout.

    The test:
    – On my phone, connected to mobile network (so different IP to my PC), tried to load the page domain.com/include.php and domain.com/include5.php
    – /include.php was recorded in the Defender logs, but not the /include5.php
    – What’s interesting is the IP. My phone’s current IP address is 82.xxx (UK, where I’m based). Defender logs show the hit as coming from 209.85.238.86 – a Google bot IP.
    – On my phone, I used Chrome (on Android) to load the site. But I’m sure Google isn’t supposed to proxy my traffic…are they?!

    Maybe I’m just an edge case? :/

    [to clarify, the site doesn’t use Google Cloud or Google CDN or anything…so really not sure why a Google IP came up]

    p.s. I know I’m not a paying customer yet, so understand that you guys have limited time to try and debug this for me. So no rush.

    Plugin Support Amin – WPMU DEV Support

    (@wpmudev-support2)

    Hello @syedc ,

    Can you check if your IP is not added to the Allowlist in IP banning? Defender, when it can, adds the IP of the user that activated the plugin, so the admin user is not locked out.

    I’ve checked if we had any reports about Defender and Cloudflare Railgun, but so far nothing, so it should work fine.
    Can you disable Jetpack’s Brute force and see if there will be any difference?

    Also, would it be possible to share a link to your site so we could see this issue live?

    kind regards,
    Kasia

    Plugin Support Amin – WPMU DEV Support

    (@wpmudev-support2)

    Hello @syedc ,

    We haven’t heard from you for a while now, so it seems that this issue is resolved.

    If not, please feel free to re-open this ticket.

  • The topic ‘IP blocks & Cloudflare’ is closed to new replies.