Firewall rule to block IP not working

Answer these questions to help the Community help you with Security questions.

What is the domain name?
*** the goofy automated thing says I’m not allowed to post a URL in this area that’s asking for a URL. Can’t make this stuff up.

Have you searched for an answer?
Yes

Please share your search results url:
*** the goofy automated thing says I’m not allowed to post a URL in this area that’s asking for a URL. Can’t make this stuff up.

When you tested your domain, what were the results?
I added a rule to block IP 37.46.113.212 - but they’ve continued to submit contact forms even though the rule says it’s active

Describe the issue you are having:
I added a rule to block IP 37.46.113.212 - but they’ve continued to submit contact forms even though the rule says it’s active

What error message or number are you receiving?
none

What steps have you taken to resolve the issue?

  1. added a WAF firewall rule to block 37.46.113.212
  2. activated the rule (which shows active)
  3. searched online to see why the firewall rule isn’t working.

Was the site working with SSL prior to adding it to Cloudflare?
don’t remember - the site has been on Cloudflare for 5+ years

What are the steps to reproduce the error:

  1. nothing you can do - unless you send me your IP address and I add it to the firewall.

Have you tried from another browser and/or incognito mode?
N/A

Please attach a screenshot of the error:
there isn’t an error.

It’s very unlikely the requests are somehow bypassing the firewall rule, my bets are on your backend allowing direct requests or another firewall rule is allowing the requests before the block rule is executed.

Well, I wrote a manual block into the php header and the nonstop contact forms have finally ceased.

I take it back. They’re still getting through. Wth?

This is because new users don’t have a trust level. You get around this by putting URLs in as pre-formatted text (inside ``.)

Is your domain proxied @michaellunsford?

Yes, root and www

Can you screenshot the rule?

What do you see in Security → Events?

Are they possibly accessing your server directly?

Nothing with that IP address. If they are bypassing Cloudflare, they’re also somehow bypassing the php script, which is also looking for that specific IP.

It’s very odd. All of the emails are very similar - like they’re fishing for exploits. Several fields are filled with “123456” so I added in a bunch of “if this field contains that” language to the form (it’s all custom PHP), to not send the email. I tested it from my browser, and it tells me that the email was not sent for the reason I told it to say… However, the forms continue to come through with the same field content I told it to block!

I’ve now also added an apache IP block to the .htaccess file. Now waiting to see if another batch of 20 contact forms comes in.
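
One way to test the "accessing your server directly" hypothesis raised in this thread, as an added example that is not from any of the posters: it scans origin access-log lines and counts contact-form POSTs whose peer address lies outside the proxy's ranges. The proxy ranges, the `/contact.php` path and the log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Placeholder proxy ranges (RFC 5737 documentation space); substitute the
# address ranges your CDN/WAF provider publishes for its edge servers.
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Apache "combined" format: peer address, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Mar/2024:12:00:01 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /contact.php HTTP/1.1" 200 498 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /contact.php HTTP/1.1" 200 498 "-" "curl/8.0"
198.51.100.40 - - [10/Mar/2024:12:01:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
not a log line
"""

def via_proxy(peer, ranges=PROXY_RANGES):
    """True if the TCP peer address belongs to one of the proxy ranges."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # hostname or garbage in the peer field: treat as direct
    return any(addr in net for net in ranges)

def direct_form_posts(log_text, form_path="/contact.php", ranges=PROXY_RANGES):
    """Count form POSTs per peer that reached the origin without the proxy."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore the query string when comparing the path.
        if m["path"].split("?", 1)[0] != form_path:
            continue
        if not via_proxy(m["peer"], ranges):
            hits[m["peer"]] += 1
    return hits

if __name__ == "__main__":
    for peer, n in direct_form_posts(SAMPLE_LOG).most_common():
        print(f"{peer}: {n} direct POST(s) bypassing the proxy")
```

Any peer this reports reached the origin without passing the proxy, so no edge firewall rule was ever evaluated for it. If instead every form POST comes from a proxy range, an origin-side block that compares the peer address to the visitor's IP will not match unless the origin restores the visitor address from the proxy's header (Cloudflare sends `CF-Connecting-IP`).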
