Attacks still getting through

I enabled WAF on my domain, and last night, we got some bot attacks.
In the server logs I see stuff like this:

/_conf/?action=delsettings&group=…%252F…%252F…%252F…%252F…%252F…%252F…%252F…%252F…%252F…%252Fetc/passwd%2500.jpg&picdir=Sample_Gallery&what=descriptions
/phpmygallery/_conf/?action=delsettings&group=…%252F…%252F…%252F…%252F…%252F…%252F…%252F…%252F…%252F…%252Fetc/passwd%2500.jpg&picdir=Sample_Gallery&what=descriptions

Now if I go to the same URL with my browser, I get blocked, and no entry in the log was made.

How is it possible that I get blocked, but the user trying this is not? I’m confused :S

Edit: I did some more testing… I tried to add a firewall rule to block all requests to /cgi-bin/, but it seems not to work. Requests don’t get blocked…
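For triaging server-log entries like the two quoted in the post above, here is an added example (not part of the original thread) that percent-decodes a logged request repeatedly until it stops changing, then flags traversal sequences and null bytes, since `%252F` and `%2500` only become `/` and a NUL after a second decoding pass. The sample lines are constructed, modeled on the logged requests with `..` assumed as the traversal sequence; the function names and the five-pass limit are assumptions.

```python
import re
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: cap on decoding passes to bound the work

# ".." used as a path segment, after a separator or a parameter "="
TRAVERSAL = re.compile(r"(^|[\\/=])\.\.([\\/]|$)")

def fully_decode(value, max_rounds=MAX_ROUNDS):
    """Percent-decode until the string is stable; return (decoded, passes)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect(request_line):
    """Return a list of findings for one logged request path and query."""
    decoded, rounds = fully_decode(request_line)
    findings = []
    if rounds > 1:
        findings.append("multi-encoded")   # e.g. %252F -> %2F -> /
    if TRAVERSAL.search(decoded):
        findings.append("path-traversal")
    if "\x00" in decoded:
        findings.append("null-byte")       # e.g. %2500 -> %00 -> NUL
    return findings

# Constructed sample lines, not taken from any real log.
SAMPLE_LINES = [
    "/_conf/?action=delsettings&group=..%252F..%252Fetc/passwd%2500.jpg&picdir=Sample_Gallery",
    "/gallery/?picdir=Sample_Gallery&what=descriptions",
    "/files/report%20v1..2.pdf",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(inspect(line) or ["clean"], line)
```
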

The requests you posted do not contain cgi.

That’s true, but I tested it by going to www.mydomain.com/cgi-bin/test.cgi, which is not blocking my request.
It was just to point out that for some reason, the firewall is not working for some requests.

A lot can depend on other firewall rules and on your access rules. Can you post a screenshot of both rulesets?

Thanks to your comment, I found the issue. In the access rules, there was an entry to whitelist all traffic from Belgium. I removed this entry, and now it works as expected.

It doesn’t explain why those entries in my server logs got through as they originated from Switzerland.

I also don’t remember adding the whitelist rule for Belgium. There are also around 30 other IP rules that I did not add.

Is Cloudflare sometimes adding access rules automatically? As nobody else has access to my Cloudflare account.

No, that should not be the case. In case of doubt I’d open a support ticket.
