Being attacked from CloudFlare whitelisted IP Range

I am getting brute force attacks but Config Server Security and Firewall cannot permanently block because the IP is part of the Cloudflare whitelisted IP Ranges.

162.158.0.0/15

[Sat Jul 06 09:08:38.729155 2019] [:error] [pid 32363:tid 47513237976832] [client 162.158.103.146:18616] [client 162.158.103.146] ModSecurity: Access denied with code 406 (phase 2). Operator GE matched 1 at TX:brute. [file "/etc/apache2/conf.d/imh-modsec/40_wordpress.conf"] [line "27"] [id "13052"] [msg "POST to wp-login.php without redirect_to"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "www.snaggolf.com"] [uri "/wp-login.php"] [unique_id "XSCdVkHC7f8Cn@l6NjIVawAAAQI"]
Blocked: Permanent Block [LF_MODSEC] (IP match in csf.allow, block may not work)

You are not being attacked by that IP address but by somebody else. That other IP address does not show up because you do not seem to be rewriting IP addresses.

https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs

2 Likes

Okay, I will work on updating the stack with mod_Cloudflare. Thanks.

Better mod_remoteip.

1 Like
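As an added illustration (not code from any poster in this thread), the sketch below models the trust decision that visitor-IP restoration relies on: the CF-Connecting-IP header is honoured only when the connecting peer is inside a trusted proxy range, and a logged client inside that range is flagged as not worth a firewall block. The function names and sample log lines are constructed for the example, and only the range quoted in the thread is listed.

```python
import ipaddress
import re

# Only the range quoted in the thread. The complete set of proxy ranges
# must come from Cloudflare's published list (not reproduced here).
TRUSTED_PROXIES = [ipaddress.ip_network("162.158.0.0/15")]

# Matches the first "[client a.b.c.d]" or "[client a.b.c.d:port]" field.
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")


def is_trusted_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, headers):
    """Return the address that logging and blocking should act on."""
    if not is_trusted_proxy(peer_ip):
        # Direct connection: the header is sender-controlled, so ignore it.
        return peer_ip
    claimed = headers.get("CF-Connecting-IP", "").strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return peer_ip  # header missing or malformed: fall back to the peer


def logged_client(line):
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


def blockable(line):
    """False when the logged client is only the proxy, not the visitor."""
    ip = logged_client(line)
    return ip is not None and not is_trusted_proxy(ip)


# Constructed sample lines (the first is shortened from the log in the thread).
SAMPLE_PROXY_LINE = ("[client 162.158.103.146:18616] [client 162.158.103.146] "
                     "ModSecurity: Access denied with code 406 (phase 2).")
SAMPLE_DIRECT_LINE = ("[client 203.0.113.7:40112] "
                      "ModSecurity: Access denied with code 406 (phase 2).")

if __name__ == "__main__":
    for line in (SAMPLE_PROXY_LINE, SAMPLE_DIRECT_LINE):
        print(logged_client(line), "blockable" if blockable(line) else "proxy address")
```

In Apache, mod_remoteip expresses the same rule with its `RemoteIPHeader` and `RemoteIPTrustedProxy` directives; once the visitor address is restored, the ModSecurity log and the CSF block refer to the real source instead of the whitelisted proxy.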

Great. Thank you for your help.
