Firewall Rule Seems to Not Work On Some Requests

Sorry, I’m getting frustrated.

And I did show you proof that they are not requests via two methods.

Htaccess and PHP

I’ll post here later when I do the firewall. It’s not something that is easy with my configs. It’s going to take a few hours

I don’t know what that sentence is supposed to mean.

Anyhow, post the most recent log entry of a request with that user agent.

It just means that I showed you two ways that are easiest for me to implement.

With .htaccess and with PHP.

I will post later with firewall rules added.

It will be whole different IPs now to post an example for you. I just woke up, please give me a little while.

And neither way is the correct way I am afraid and you will still run into the issue.

But again, make sure your server does not accept any other connections than the mentioned ones (and that has to be implemented via a firewall, not the web server configuration) and the issue should most likely be fixed.

In a DDoS attack, one could still connect to the IP without a firewall… yes. But they can’t request pages. They receive a default cPanel page and never even get to PHP. I tested myself. I don’t want to argue and I will do the firewall later.

I am not sure what a denial of service has to do with any of that.

The point is (and what we’ve been discussing for close to twelve hours at this point) is that your server is open for direct requests. As long as that is the case you can never have a guarantee that requests will be handled by Cloudflare.

Hence, make sure only Cloudflare can connect and your issue should be fixed. Should you still receive requests, that will be a different issue.

Also, if you challenge requests they can always reach your server. You need to block them if you don’t want that.

Do you work for Cloudflare? If these are direct requests, won’t they show in my Apache logs? There is nothing there either. I’m just trying to avoid the firewall, it’s something I may not be able to do.

Yes, really badly LOL ;/

All requests will show in your server log. This is what you have been talking about all along.

Again, you first need to make sure you are not getting direct requests. Once that is verified, we can take a look at anything else.

No, it should show that request that bypassed Cloudflare in my logs. It should have a NON-CLOUDFLARE IP, aka the IP that got past the Cloudflare detection should be in my Apache logs.

It just happened again, IP address 73.245.61.x

I check my apache logs. Nothing.

Yes, my apache logs normally save Cloudflare ips and I can’t determine much from logs.

Are you saying you are not rewriting IP address and all requests in your log files contain Cloudflare addresses?

And again, challenged requests will still show in your logs anyhow.

Post the log entry of that request.

I still have not setup a firewall (it’s going to be hard for me), but I am still investigating and was able to find the requests in my apache logs:

The only way that I can find them is by searching for the old user agents.

Here are a few:

172.70.254.161 - - [11/Jul/2023:08:13:00 -0700] "GET /sweepstakes/children/ HTTP/1.1" 200 14072 "-" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.1992.1136 Mobile Safari/537.36"
172.70.254.161 - - [11/Jul/2023:08:13:00 -0700] "GET /sweepstake/144766-Melissa-Doug-Star-Diner.html HTTP/1.1" 301 803 "-" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.1992.1136 Mobile Safari/537.36"
172.70.54.233 - - [11/Jul/2023:05:58:29 -0700] "GET /sweepstakes/?page=13 HTTP/1.1" 200 15087 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.3982.1011 Mobile Safari/537.36"
162.158.142.213 - - [11/Jul/2023:06:52:42 -0700] "GET /sweepstake/132384-Pleasant-Hearth-Mothers-Day-Giveaway.html HTTP/1.1" 301 816 "-" "Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.7683.1339 Mobile Safari/537.36"
162.158.142.200 - - [11/Jul/2023:07:24:46 -0700] "GET /sweepstake/143404-Cohens-Fashion-Optical-End-Of.html HTTP/1.1" 301 834 "-" "Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.1267.1791 Mobile Safari/537.36"

The firewall rule I have set up in Cloudflare has issued 303 JavaScript challenges and 3 have passed, yet there are 48 requests in the past 24 hours with user agent Chrome/40 - Chrome/50 accessing the website through a Cloudflare IP address (see Apache logs above).

The .ca version in another cloudflare account has issued 155 Challenges for old user agents and 0 have solved it.

Yet, in my Apache logs doing a search for chrome/4 or chrome/5 shows 47 requests that ALL have a Cloudflare IP address attached to them (see above).

I will keep investigating and setup firewall if all else fails. It’s going to be difficult for me to firewall, as there are other websites on that IP address (but I will do it temporarily to see if it works and if so figure something out).

Basically the Apache logs should confirm something is happening. The 47 requests that bypassed the Cloudflare challenge, yet requested a page with Cloudflare’s IP address, are from only the past 8 hours (not 24 hours).

The only thing I can think of that is happening here is requests are coming from a Cloudflare Worker and spoofing a CF_CLIENT_IP header.
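An added example, not code from this thread or from Cloudflare: a Python script that parses Apache combined-format log lines and checks whether the connecting address falls inside Cloudflare's published IPv4 ranges, which is the check the discussion keeps coming back to. A logged source address outside those ranges means the request reached Apache directly; one inside them means it was proxied, whatever the user agent says, so the two cases need to be counted separately before anything can be concluded about the challenge rule. It assumes the range list embedded below is a current copy of https://www.cloudflare.com/ips-v4 (it is a snapshot; re-fetch it before relying on it), that the log uses the default combined LogFormat, and that the origin is not rewriting client addresses with mod_remoteip. Three of the sample lines are the ones posted above with the quotes straightened; the fourth, with the 203.0.113.7 address, is constructed.

```python
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 proxy ranges (https://www.cloudflare.com/ips-v4).
# Assumption: a point-in-time copy; re-fetch the list before relying on it, and add the
# IPv6 list (https://www.cloudflare.com/ips-v6) if the origin listens on IPv6.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")


def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of the Cloudflare ranges above."""
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never "in" an IPv4 network, so this is simply False for v6.
    return any(addr in net for net in CLOUDFLARE_V4)


def chrome_major(user_agent: str):
    """Chrome major version from a User-Agent string, or None if it is not Chrome."""
    m = CHROME_RE.search(user_agent)
    return int(m.group(1)) if m else None


def classify(line: str, old_max: int = 50):
    """Parse one combined-format log line and say whether it came via Cloudflare.

    Returns None for lines that do not parse. 'old_chrome' mirrors the rule the
    thread is about (Chrome/40 .. Chrome/50 user agents) as major <= old_max.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    major = chrome_major(m["ua"])
    return {
        "ip": m["ip"],
        "request": m["request"],
        "via_cloudflare": is_cloudflare(m["ip"]),
        "chrome_major": major,
        "old_chrome": major is not None and major <= old_max,
    }


def summarize(lines):
    """Count proxied vs direct requests, and how many of each carry an old Chrome UA."""
    counts = {"proxied": 0, "direct": 0, "proxied_old_chrome": 0, "direct_old_chrome": 0}
    for line in lines:
        info = classify(line)
        if info is None:
            continue
        kind = "proxied" if info["via_cloudflare"] else "direct"
        counts[kind] += 1
        if info["old_chrome"]:
            counts[kind + "_old_chrome"] += 1
    return counts


# Three lines copied from the post above (quotes straightened) plus one constructed line
# using a TEST-NET-3 address to stand in for a source outside Cloudflare's ranges.
SAMPLE_LINES = [
    '172.70.254.161 - - [11/Jul/2023:08:13:00 -0700] "GET /sweepstakes/children/ HTTP/1.1" 200 14072 "-" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.1992.1136 Mobile Safari/537.36"',
    '172.70.54.233 - - [11/Jul/2023:05:58:29 -0700] "GET /sweepstakes/?page=13 HTTP/1.1" 200 15087 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.3982.1011 Mobile Safari/537.36"',
    '162.158.142.213 - - [11/Jul/2023:06:52:42 -0700] "GET /sweepstake/132384-Pleasant-Hearth-Mothers-Day-Giveaway.html HTTP/1.1" 301 816 "-" "Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.7683.1339 Mobile Safari/537.36"',
    # constructed: a request that reached Apache without passing through Cloudflare
    '203.0.113.7 - - [11/Jul/2023:09:01:12 -0700] "GET /sweepstakes/ HTTP/1.1" 200 14000 "-" "Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.1267.1791 Mobile Safari/537.36"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = classify(line)
        origin = "via Cloudflare" if info["via_cloudflare"] else "DIRECT (bypassed Cloudflare)"
        print(f'{info["ip"]:16} {origin:30} Chrome/{info["chrome_major"]}  {info["request"]}')
    print(summarize(SAMPLE_LINES))
```

Run it as-is to see the sample lines classified, or call summarize() on the lines of a real access log. One caveat: if mod_remoteip (or the cPanel equivalent) is restoring the real client address from CF-Connecting-IP, the logged address is the end client rather than the TCP peer, and this check has to be made against the peer instead (Apache 2.4 can log the underlying peer with %{c}a next to %a).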

Well, as you just confirmed that you usually have Cloudflare IP addresses in your logs (which suggests you are not rewriting addresses) but get the actual client addresses here, that essentially confirms that these are direct requests. As mentioned, with direct requests Cloudflare is not involved at all.

I suggest you follow through with what we discussed originally and properly secure your server. Once it only accepts Cloudflare requests, the issue should be fixed.

These will be follow-up requests using the already passed challenge.

The requests you posted here presumably did go via the proxies and will have been challenged according to your firewall rule. They either passed the challenge or were challenged before and re-used that.

Then where’s the Cloudflare Firewall Event Logs?

Then how’s it still requesting the pages and not passing a challenge? That essentially makes a JavaScript challenge pointless, if Cloudflare is still requesting the page even if they failed.

I have my passage time on 4 hours, it was on 2.

It’s like they are using Cloudflare Workers and spoofing a CF_CLIENT_IP header, or passing the Cloudflare challenge on 1 IP address, leaving the browser open and using a bad IP address with the headers to bypass. But that scenario should still log because the user agent is still bad.

Are you saying you do not have any challenge events?

Yes, that’s what I’ve been saying…

There are many requests that are coming through Cloudflare (cloudflare’s ip address) with a bad user agent that I have a firewall rule setup for and still getting through.

The strange part is these requests don’t show the actual request that was made in the logs. So it’s like there are TWO GET /page/ parameters or something. Some header buffer exploit. I don’t know.

Something’s not right. The logs are through Cloudflare.

Post a screenshot of https://dash.cloudflare.com/?to=/:account/infinitesweeps.com/security/events

There are 5,000 challenges, I am not sure why you are saying there are none.