(Help understand) Nefarious activity from Cloudflare IPs

Hello.

I should start by saying I am not a Cloudflare customer - dabbled, but wasn’t right for me. So my nameservers are not with Cloudflare.

My issue and reason for posting is that I am noticing a significant amount of nefarious activity on my site in the last 48 hours or so. A large number of scans, brute force attempts and other such activity all supposedly coming from Cloudflare IPs. Now I am not suggesting Cloudflare themselves are to blame, but I am becoming more and more confused as time goes on, as to why it’s all coming from Cloudflare IPs, or appears to be?

Below are just three entries from my web server logs. There are significantly more, but I didn’t see much value in dumping the entire lot.

162.158.159.94 - - [03/Aug/2020:09:32:41 +0000] "GET /wp-login.php HTTP/1.1" 301 601 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
162.158.158.183 - - [03/Aug/2020:10:07:10 +0000] "GET /wp-login.php HTTP/1.1" 301 601 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
162.158.158.227 - - [03/Aug/2020:15:13:34 +0000] "GET /admin/ HTTP/1.1" 301 589 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

I have set up mod_remoteip as per https://support.cloudflare.com/hc/en-us/articles/360029696071 - but this doesn’t appear to be working, as I’m still only seeing Cloudflare IPs. Do I need to be actively using Cloudflare for this to show the remote IP?

It’s getting to the point where I’m considering adding the Cloudflare IPs to my firewall and just dropping them. But I am open to any suggestions people have on how best to deal with it.

Thank you,
Lewys

Two options. Either someone has set up your IP address on his Cloudflare account or these are regular client requests via Cloudflare’s VPN service.

Based on the IP address I’d say it should be the former, as that is an official proxy address; however, the fact that seemingly no client IP address is forwarded would rather point to the latter.

A couple of questions:

  • What’s your domain?
  • Are you running WordPress?
  • Are you sure you configured mod_remoteip correctly? If not, it won’t replace the IP address and the actual address will stay.
  • Can you also log the host header? What does it say there?

Hey,

Thanks for responding!

That is interesting, as there are at least two domains also appearing in my logs, very very infrequently, but when I visit them, I am taken to my own website, despite having no association with the two domains. I hadn’t put two and two together until your post.

Sure enough, if I check the nameservers for both domains, they’re Cloudflare NSs. DiG and ping only reveal more Cloudflare IPs, but I think it’s looking quite likely someone has my (now) IP in their Cloudflare account.

So would it be fair to say that the likely cause of the Cloudflare IPs appearing in my logs would be that someone is going to one of these other domains, and then Cloudflare is doing what it does and connecting to the IP address?

I’m double checking my mod_remoteip config; there’s a very real chance I did something incorrectly.

In that case someone probably pointed his site to your IP address, or possibly still has it pointed from before. Check your mod_remoteip configuration; once properly configured, it should show the real IP addresses. However, they are not even that relevant. At this point you are probably best off blocking either requests from Cloudflare or just requests for the hostnames in question.
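As an added example (not from this thread or from Cloudflare's documentation), here is an Apache 2.4 configuration that puts the replies above into practice: restore the real client IP via mod_remoteip, log the Host header next to both the rewritten and the underlying peer address so the proxied requests can be attributed to a hostname, and send requests for hostnames you do not serve to a catch-all vhost that denies them. The file path /etc/apache2/cloudflare-ips.txt, the hostname example.com, and the log and document root locations are assumptions to replace with your own.

```apacheconf
# Added example, not the thread's own configuration.
# Assumed: /etc/apache2/cloudflare-ips.txt holds Cloudflare's published
# IP ranges, one per line (refresh it when the list changes).

# (1) mod_remoteip: replace the peer address with CF-Connecting-IP, but only
# when the peer is a Cloudflare edge. Cloudflare adds that header on every
# proxied request regardless of whose account the zone belongs to, so this
# works even if you are not a customer. Trusting the header from any other
# peer would let a client choose the IP that ends up in your logs.
# (Debian/Ubuntu: "a2enmod remoteip" instead of LoadModule.)
LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxyList /etc/apache2/cloudflare-ips.txt

# (2) Log format: %a is the client IP after mod_remoteip, %{c}a is the TCP
# peer (the Cloudflare edge), %{Host}i is the hostname the visitor asked for.
# If %a still equals %{c}a for a 162.158.x.x peer, the proxy list or the
# header name is wrong and the substitution is not happening.
LogFormat "%a %{c}a %l %u %t \"%{Host}i\" \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied

# (3) Catch-all vhost: the first <VirtualHost> for an address:port is used
# for any Host header that matches no other vhost. Requests arriving through
# someone else's Cloudflare zone pointed at this IP land here, are logged
# separately, and get a 403 instead of your site. Repeat for *:443 if you
# serve TLS (the stranger's zone may connect on 443 as well).
<VirtualHost *:80>
    ServerName catchall.invalid
    CustomLog ${APACHE_LOG_DIR}/unknown-host.log proxied
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Your real site: only requests whose Host header names it reach this vhost.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example
    CustomLog ${APACHE_LOG_DIR}/access.log proxied
</VirtualHost>
```

Note that once mod_remoteip is active, any `Require ip` rule or fail2ban filter keyed on the client address sees the restored visitor IP, not the Cloudflare edge, which is the behaviour you want for brute-force blocking.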
