
I'm using fail2ban to block web vulnerability scanners. It works correctly when the site is visited with CloudFlare bypassed, but a user can still access it when going through CloudFlare. I have mod_cloudflare installed.

Is it possible to block users with IPtables when using Cloudflare?

Ubuntu Server 12.04 32-bit

access.log:

112.64.89.231 - - [29/Aug/2012:19:16:01 -0500] "GET /muieblackcat HTTP/1.1" 404 469 "-" "-"

jail.conf:

[apache-probe]

enabled  = true
port     = http,https
filter   = apache-probe
logpath  = /var/log/apache2/access.log
action   = iptables-multiport[name=apache-probe, port="http,https", protocol=tcp]
maxretry = 1
bantime  = 30 # Test

apache-probe.conf:

[Definition]

failregex   = ^<HOST>.*"GET \/muieblackcat HTTP\/1\.1".*
ignoreregex =

2 Answers


We actually should be honoring whatever you have in iptables.

Did you try blocking that IP in your CloudFlare threat control panel? It actually might be easier blocking IPs in our Threat Control panel than on your server.

damoncloudflare
  • The issue is, that the IP changes frequently, most likely from compromised machines. I started out with blocking IPs in the CloudFlare control panel, but they always change. – Blake Renton Aug 30 '12 at 19:26

The reason this isn't working (and isn't going to work) is that iptables operates on the IP address of the machine that directly connected to yours. If you're using CloudFlare, this means you are receiving connections from CloudFlare, not directly from the end users.

Here's an example, taken from one of my sites on CloudFlare:

::ffff:108.162.221.19 www.yes-www.org - [05/Sep/2012:21:50:50 +0000] "GET / HTTP/1.1" 200 9585 "http://no-www.org/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.8 (KHTML, like Gecko) Chrome/23.0.1251.2 Safari/537.8" "64.244.153.130"

Here we see that the connection was received from 108.162.221.19, one of CloudFlare's servers. If this were blocked in iptables, then CloudFlare would not be able to reach us (from that address; fortunately they have many others). The connection to CloudFlare actually came from 64.244.153.130, which is what appeared in the X-Forwarded-For and CF-Connecting-IP headers.

Unfortunately in this sort of setup, this means you can't really use iptables to block visitors. You do have a couple of options, though:

  • Use CloudFlare's Threat Control panel, as Damon mentioned. This gets painful if you have a lot of IP addresses you want to block, or they change frequently.
  • Block the requests at the application level. Tools such as my own Bad Behavior can accomplish this sort of thing.
Michael Hampton
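An added example (not code from either answer or from fail2ban) that demonstrates the two points above: what the question's filter actually hands to the ban action when the log looks like the one in this answer, and how an application-level block has to key on CF-Connecting-IP instead. The log lines are constructed in the LogFormat shown above (peer address first, CF-Connecting-IP as the last quoted field), the `<HOST>` expansion is the one fail2ban 0.8 used and is an assumption to check against your installed version, and `TRUSTED_PROXIES` is a placeholder holding only the edge address that appears on this page; in production it must be CloudFlare's published ranges, or any client can forge the header.

```python
import ipaddress
import re

# Constructed sample access-log lines (not from any real server), in the
# LogFormat shown in the answer: the first field is the TCP peer (a CloudFlare
# edge, with the ::ffff: prefix Apache logs on dual-stack hosts) and the last
# quoted field is the value of the CF-Connecting-IP request header.
SAMPLE_LOG = [
    '::ffff:108.162.221.19 www.example.org - [05/Sep/2012:21:50:50 +0000] '
    '"GET / HTTP/1.1" 200 9585 "-" "Mozilla/5.0" "64.244.153.130"',
    '::ffff:108.162.221.19 www.example.org - [05/Sep/2012:21:50:51 +0000] '
    '"GET /muieblackcat HTTP/1.1" 404 469 "-" "-" "203.0.113.7"',
    '::ffff:108.162.221.19 www.example.org - [05/Sep/2012:21:50:52 +0000] '
    '"GET /muieblackcat HTTP/1.1" 404 469 "-" "-" "203.0.113.7"',
]

# What fail2ban 0.8 substituted for <HOST> (assumption; compare with the
# filter.py of your version). Anchored with ^ as in the question's filter, it
# can only ever capture the first field, i.e. whoever opened the TCP connection.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
ORIGINAL_FAILREGEX = re.compile(r"^" + HOST + r'.*"GET /muieblackcat HTTP/1\.1".*')

# Same probe, but the host is taken from the last quoted field on the line,
# which in this LogFormat is CF-Connecting-IP, i.e. the end user.
FORWARDED_FAILREGEX = re.compile(r'"GET /muieblackcat HTTP/1\.1".*"(?P<host>[^"]+)"$')


def banned_by(regex, lines):
    """Return the host strings a fail2ban-style filter would pass to its action."""
    hosts = []
    for line in lines:
        match = regex.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


# Peers whose CF-Connecting-IP header may be believed. Placeholder: only the edge
# address shown on this page. Use CloudFlare's published ranges in production.
TRUSTED_PROXIES = [ipaddress.ip_network("108.162.221.19/32")]


def real_client_ip(peer_ip, headers):
    """Address to apply a block to: CF-Connecting-IP when the TCP peer is a
    trusted proxy, otherwise the peer itself (the header is untrusted input)."""
    peer = ipaddress.ip_address(peer_ip)
    # Apache may log the peer as an IPv4-mapped IPv6 address; unwrap it.
    if isinstance(peer, ipaddress.IPv6Address) and peer.ipv4_mapped is not None:
        peer = peer.ipv4_mapped
    if any(peer in net for net in TRUSTED_PROXIES):
        forwarded = headers.get("CF-Connecting-IP")
        if forwarded:
            return str(ipaddress.ip_address(forwarded))
    return str(peer)


def should_block(peer_ip, headers, banned):
    """Application-level decision: deny when the real client is on the ban list."""
    return real_client_ip(peer_ip, headers) in banned


if __name__ == "__main__":
    # The original filter bans the CloudFlare edge, not the scanner.
    print("original filter bans:", banned_by(ORIGINAL_FAILREGEX, SAMPLE_LOG))
    # The rewritten filter finds the scanner's address...
    banned = set(banned_by(FORWARDED_FAILREGEX, SAMPLE_LOG))
    print("forwarded filter bans:", banned)
    # ...but an iptables rule on that address still never sees a packet; the
    # check has to run where the header is visible, i.e. in the application.
    print("block proxied request:",
          should_block("::ffff:108.162.221.19", {"CF-Connecting-IP": "203.0.113.7"}, banned))
    print("forged header from untrusted peer ignored:",
          real_client_ip("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}))
```

Whichever field the filter captures, the ban only works where it is enforced: a netfilter rule on 203.0.113.7 matches nothing because every packet arrives from a CloudFlare edge, while blocking the edge address cuts off every user behind it. The `real_client_ip` check is the piece an application-level blocker (the answer's second option) has to get right, and trusting the header only from known proxy addresses is what stops a scanner from simply sending a CF-Connecting-IP of its own choosing.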