IP Access Rules Not Blocking Brute Force Attacker

What is the name of the domain?

example.com

What is the issue you’re encountering?

We recently experienced a brute force attack on our website, and in response, we blocked the attacker’s IP address using Cloudflare’s IP Access Rules.

However, despite the block, the attacker still appears to have access to our website, and the brute force attack hasn’t stopped. This is perplexing because I expected the IP block to prevent any further access to our site from that IP address.

Here are a few details:

The IP was added to the “Block” list in Cloudflare’s IP Access Rules.
The attack continued even after the IP was blocked.
We’ve confirmed that the IP in question is still actively hitting our server.

Has anyone else encountered a similar issue? Is there something I might be missing in the configuration? Any advice or troubleshooting tips would be greatly appreciated.

What is the current SSL/TLS setting?

Full

Make sure the DNS records are proxied, so requests are actually passing through Cloudflare first.

Make sure your origin only allows connections to your webserver from Cloudflare IP addresses or they may be going to your server IP address directly.

Useful guides…

Use “Full (strict)” or “Strict” modes only to ensure connections are fully secured.

2 Likes

Hi,
Thanks for your reply. DNS records are already proxied and Attack Mode is active,
but the IP is still accessing my website and actively attacking.

Is your origin configured to only allow traffic from Cloudflare?

Can you find the IP address in your Cloudflare security event log?
https://dash.cloudflare.com/?to=/:account/:zone/security/events

1 Like

Is your origin configured to only allow traffic from Cloudflare?
No, my server is hosting multiple websites but just one domain is getting attacked.
Can you find the IP address in your Cloudflare security event log?
No, the security event log is empty.
I’m using Fail2Ban that successfully detected the attack and added the IP to Blocked in IP Access Rules.

To be safe, ensure your firewall only allows Cloudflare IP addresses to ports 80 and 443.

What is the domain? Are you sure it is proxied? A security event log should never be empty for an active site, especially if you have UAM enabled.

1 Like

Yes, my domain is fully proxied, and the security event log is empty for that day.
The IP should be blocked once it’s in IP Access Rules.

What is the domain?

I can’t share the domain of my client in the forum.

You can enter the domain here. If you post the first 8 digits of the code for the test, I can find the domain.
https://cf.sjr.org.uk/tools/check

If proxied, the test will make 2 connections to your domain (one from my server and one from a Cloudflare Worker) so if UAM is enabled you should see them in the security event log as they won’t pass the challenge.

1 Like

I did the test.
This is the result:
https://cf.sjr.org.uk/tools/check?cba37429****************************

If you have UAM enabled then I should be receiving a challenge accessing your site, but I am not.

Also http does not redirect to https, so your login page to which the domain redirects is insecure.

securitytrails.com indicates that your site was unproxied 7 days ago and hasn’t yet picked up that the site is proxied again, so you only enabled the proxy in the past few hours which is why your security event log is empty.

Now the site is proxied, you should see requests blocked if you have set IP access rules correctly.

I am able to connect directly to your origin IP address, so you should do as I suggested and allow only Cloudflare IP addresses through your firewall.

1 Like

Yes, we were forced to disable Cloudflare and switched to a local firewall to stop the attack.
The first attack was approximately 7 days ago; that’s when we switched. I already turned it on today.

If the webserver doesn’t restrict requests to just Cloudflare IPs there’s nothing to stop the attacker from hitting the origin server directly and that is likely what is going on here. If it were going through Cloudflare and a block rule matched… the request would be blocked.

1 Like

The problem is persisting on multiple servers; the requests are coming from Cloudflare.
IPs can’t be blocked using CSF because they’re coming from Cloudflare.
Any ideas why Cloudflare isn’t blocking the IP?

  1. The requests aren’t coming through Cloudflare.
  2. The rule is incorrect.
  3. The rule conflicts with a higher priority rule which allows the request.
  4. The hostname is managed by a service provider, not the account you have.

If you’re just using under attack, it’s entirely possible to pass a challenge. If you want to block an IP use a block rule.

1 Like
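
An added example (not code from any poster in this thread) for separating the first cause in the list above from the others: it classifies origin access-log entries by connection peer, so direct-to-origin hits that Cloudflare rules never see are distinguished from proxied requests, where the client address is only available in `CF-Connecting-IP`. The log format and sample lines are constructed, and the range list is a partial snapshot of Cloudflare's published IPv4 ranges; load the current list from https://www.cloudflare.com/ips/ in real use.

```python
import ipaddress

# Partial snapshot of Cloudflare's published IPv4 ranges (assumption: replace
# with the complete, current list from https://www.cloudflare.com/ips/).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed sample log. Assumed format per line:
#   <connection peer> <logged CF-Connecting-IP header or "-"> <request>
SAMPLE_LOG = """\
162.158.10.7 203.0.113.50 "POST /login HTTP/1.1"
198.51.100.23 - "POST /login HTTP/1.1"
172.68.1.9 203.0.113.50 "POST /login HTTP/1.1"
198.51.100.23 203.0.113.99 "POST /login HTTP/1.1"
not-an-ip - "GET / HTTP/1.1"
"""

def is_cloudflare(addr):
    """True if the connection peer lies inside a listed Cloudflare range."""
    return any(addr in net for net in CLOUDFLARE_NETS)

def classify(line):
    """Return (path, client_ip); path is 'via-cloudflare', 'direct' or 'invalid'."""
    parts = line.split(maxsplit=2)
    try:
        peer = ipaddress.ip_address(parts[0])
    except (IndexError, ValueError):
        return ("invalid", None)
    if not is_cloudflare(peer):
        # Direct hit on the origin: Cloudflare rules never saw this request.
        # The header is client-supplied here, so ignore it and use the peer.
        return ("direct", str(peer))
    # Proxied request: a local firewall only sees the Cloudflare peer, so the
    # client address must come from the header and be blocked at Cloudflare.
    try:
        return ("via-cloudflare", str(ipaddress.ip_address(parts[1])))
    except (IndexError, ValueError):
        return ("via-cloudflare", None)

def summarize(log_text):
    """Count requests per (path, client_ip) pair."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            key = classify(line)
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (path, client), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"{path:15} {client} x{n}")
```

Entries reported as `direct` call for the origin firewall restriction recommended earlier in the thread; entries reported as `via-cloudflare` are the ones an IP Access Rule can match.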

I already tried with my IP and the block rule is working. This problem is happening from time to time,
so we can’t pinpoint the exact steps.
IPs directly on the server are blocked already.
