Firewall Rules are not applied

Hello there,
I configured CloudFlare some time ago with firewall rules as follows:

(http.host contains "secureserver.net") or (http.host contains "cloudwaysapps.com") or (http.host contains "googleusercontent.com") or (http.host contains "vps.ovh.net") or (http.host contains "bluehost.com")

These are the most common hostnames that appear in the logs of login attempts to my WP website. They all usually hit the /wp-admin/admin.php page. I had a really peaceful time for a long time thanks to CloudFlare. However, those rules suddenly stopped working for whatever reason and I am not able to identify why. I started to receive logs (on my server, NOT CloudFlare) about login attempts using those hosts, especially the ones coming from ‘secureserver.net’ (the full host name is p3nlhg1262.shr.prod.phx3.secureserver.net but it differs with time, as I believe those are different VPS instances from secureserver.net).

EDIT:
I must mention that I have another domain using the Cloudflare firewall with the same settings for hostnames and it's all good there. Login attempts get blocked. I can see those blocked requests on the Cloudflare Firewall Dashboard. I see no logs on my server whatsoever, so it means it works properly. I tried comparing those rules with the domain I am having the problem with and I can spot no differences.

Is there something wrong with those rules? Does anybody have any idea how to approach this problem?

Thank you.

The hostname in your rules refers to the requested hostname, which will always be your domain name. So this rule can’t work in the first place.

You are probably rather after the referrer field instead.


@sandro Thank you for your reply.

I am not sure if this is the case here? These are the logs from the WordFence I receive:

A user with IP addr 184.168.152.201 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
The duration of the lockout is 2 months.
User IP: 184.168.152.201
User hostname: p3nlhg627.shr.prod.phx3.secureserver.net
User location: United States

That's why I concluded I can use the hostname to create firewall rules.

EDIT:

OR maybe I misunderstood the Hostname option in the CloudFlare page rules.

That’s the resolved hostname of the client IP address in question in this case. Neither the referrer nor the host field will help you in this case.

You best block by IP address or by full IP ranges and/or AS numbers, depending on how many requests you get and where they come from. Can you post a few examples here?

For example, for 184.168.152.201 you could block 184.168.0.0/16 or the ASN 26496.
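To illustrate sandro's point in runnable form (an added Python example, not code from anyone in the thread): it parses the quoted Wordfence notices, models the request fields a Cloudflare rule actually evaluates, and shows that the original http.host rule never fires while the IP-range and ASN rules do. The IP-to-ASN table and the example.com site name are assumptions made for the demo.

```python
import ipaddress
import re

# Constructed sample: two of the Wordfence lockout notices quoted in the thread.
WORDFENCE_LOG = """\
User IP: 184.168.152.201
User hostname: p3nlhg627.shr.prod.phx3.secureserver.net
User location: United States

User IP: 50.62.208.165
User hostname: p3nlwpweb173.shr.prod.phx3.secureserver.net
User location: United States
"""

# Assumed IP-to-ASN mapping for this demo only; in production Cloudflare
# fills the ip.geoip.asnum field itself.
ASSUMED_ASN = {"184.168.152.201": 26496, "50.62.208.165": 26496}

RDNS_NAMES = ("secureserver.net", "cloudwaysapps.com", "googleusercontent.com",
              "vps.ovh.net", "bluehost.com")

def parse_wordfence(text):
    """Extract (client_ip, reverse_dns_name) pairs from the lockout notices."""
    return re.findall(r"User IP: (\S+)\nUser hostname: (\S+)", text)

def request_fields(client_ip, site="example.com"):
    """Fields a firewall rule sees for one request to the protected site. http.host
    is the Host header the client sent (the site's own name); the client's
    reverse-DNS name is not a request field at all."""
    return {"http.host": site, "ip.src": client_ip,
            "ip.geoip.asnum": ASSUMED_ASN.get(client_ip)}

def original_rule(req):
    """The thread's rule: (http.host contains "secureserver.net") or ..."""
    return any(name in req["http.host"] for name in RDNS_NAMES)

def cidr_rule(req, cidr="184.168.0.0/16"):
    """ip.src in {184.168.0.0/16}: catches a single provider range."""
    return ipaddress.ip_address(req["ip.src"]) in ipaddress.ip_network(cidr)

def asn_rule(req, asn=26496):
    """ip.geoip.asnum eq 26496: covers every range the provider announces."""
    return req["ip.geoip.asnum"] == asn

def evaluate(text):
    """Per logged IP: (ip, original_rule, cidr_rule, asn_rule) verdicts."""
    out = []
    for ip, _rdns in parse_wordfence(text):
        req = request_fields(ip)
        out.append((ip, original_rule(req), cidr_rule(req), asn_rule(req)))
    return out
```

Note that the second sample IP escapes the /16 rule but not the ASN rule, which is why the thread ends up recommending the ASN.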

OK, you are right. It makes sense now that you mention it.

They happen at most 3 req/min, in intervals ranging from 1 min to 10 min.

Here are some examples:
User IP: 50.62.208.165
User hostname: p3nlwpweb173.shr.prod.phx3.secureserver.net
User location: United States

User IP: 50.63.196.149
User hostname: p3nlhg1262.shr.prod.phx3.secureserver.net
User location: United States

User IP: 184.168.152.163
User hostname: p3nlhg592.shr.prod.phx3.secureserver.net
User location: United States

User IP: 184.168.152.201
User hostname: p3nlhg627.shr.prod.phx3.secureserver.net
User location: United States

User IP: 132.148.106.7
User hostname: p3nlhg2148.shr.prod.phx3.secureserver.net
User location: United States

So it looks like different network IDs. I am afraid that I will block normal users with IP-range firewalls.

With these examples you best block the ASN 26496 altogether.


I did not know about ASN before. But it looks like a solution. Thank you @sandro . I will give it a try!

Is there anything I should watch out for when using ASN firewall rules in order not to block normal users? I think there should be no harm in blocking the AS numbers of the cloud providers from which I get most of the attempted login failures.

You could try challenging them instead of outright blocking them. These address blocks are not from regular ISPs, so you wouldn’t block normal visitors. You might block people using VPNs, for that reason a challenge might be a better approach.

Good advice. Thank you once again for such a prompt response!

My pleasure :slight_smile:
