Brute Force logs report all Cloudflare IPs

My security software is reporting brute force attempts and blocking the IPs. I did a WHOIS on these IPs today and realized 100% of them are Cloudflare. Why is Cloudflare brute forcing my Exchange server? If its a third party using Cloudflare as a proxy, how can I stop them? Because Cloudflare keeps giving them more IPs via proxy to use, the attacks continue from a new IP and so my IP blocking is much less effective and Cloudflare is helping the attackers more than they are helping me.

See if you can set your security software to use the HTTP header X-Forwarded-For or Cf-Connecting-Ip for the actual IP address of the user. As a proxy, CF will show up unless your server software or application software specifically gets the IP from one of those headers.

1 Like

is it a web form based bruteforce? you can have reCaptcha on the login page with less difficulty so existing users wont have any problem with new captcha thing.

My security software does not support X-Forwarded-For or Cf-Connecting-Ip.

It’s an exchange server, so it is likely they are using Exchange Active Sync. CAPTCHA won’t help.

I disabled the Cloudflare proxy. It’s just nutty that Cloudflare proxy is supposed to make things more secure, but instead it amplifies the attackers ability to brute force.

are you using Cloudflare? and when you disable Cloudflare the requests stopped coming?

1 Like

That’s not accurate. Those hits are routing to your server using a domain name, presumably yours. That’s how normal traffic works. Having it show Cloudflare IP addresses is also normal, as Cloudflare is a reverse proxy. But the headers mentioned before are how your server should track the source of these requests. What security software are you using?

If it’s an IIS server, there is a module that does this:

This topic was automatically closed after 30 days. New replies are no longer allowed.