We recently experienced a brute force attack on our website, and in response, we blocked the attacker’s IP address using Cloudflare’s IP Access Rules.
However, despite the block, the attacker still appears to have access to our website, and the brute force attack hasn’t stopped. This is perplexing because I expected the IP block to prevent any further access to our site from that IP address.
Here are a few details:
The IP was added to the “Block” list in Cloudflare’s IP Access Rules.
The attack continued even after the IP was blocked.
We’ve confirmed that the IP in question is still actively hitting our server.
Has anyone else encountered a similar issue? Is there something I might be missing in the configuration? Any advice or troubleshooting tips would be greatly appreciated.
What is the current SSL/TLS setting?
Full
What are the steps to reproduce the issue?
We recently experienced a brute force attack on our website, and in response, we blocked the attacker’s IP address using Cloudflare’s IP Access Rules.
However, despite the block, the attacker still appears to have access to our website, and the brute force attack hasn’t stopped. This is perplexing because I expected the IP block to prevent any further access to our site from that IP address.
Here are a few details:
The IP was added to the “Block” list in Cloudflare’s IP Access Rules.
The attack continued even after the IP was blocked.
We’ve confirmed that the IP in question is still actively hitting our server.
Has anyone else encountered a similar issue? Is there something I might be missing in the configuration? Any advice or troubleshooting tips would be greatly appreciated.
Is your origin configured to only allow traffic from Cloudflare?
No, my server is hosting multiple websites, but just one domain is getting attacked.
Can you find the IP address in your Cloudflare security event log?
No, the security event log is empty.
I’m using Fail2Ban, which successfully detected the attack and added the IP to Blocked in IP Access Rules.
You can enter the domain here. If you post the first 8 digits of the code for the test, I can find the domain. https://cf.sjr.org.uk/tools/check
If proxied, the test will make 2 connections to your domain (one from my server and one from a Cloudflare Worker) so if UAM is enabled you should see them in the security event log as they won’t pass the challenge.
If you have UAM enabled then I should be receiving a challenge accessing your site, but I am not.
Also, HTTP does not redirect to HTTPS, so your login page to which the domain redirects is insecure.
securitytrails.com indicates that your site was unproxied 7 days ago and hasn’t yet picked up that the site is proxied again, so you only enabled the proxy in the past few hours which is why your security event log is empty.
Now the site is proxied, you should see requests blocked if you have set IP access rules correctly.
I am able to connect directly to your origin IP address, so you should do as I suggested and allow only Cloudflare IP addresses through your firewall.
Yes, we were forced to disable Cloudflare and switch to a local firewall to stop the attack.
The first attack was approximately 7 days ago; that’s when we switched. I already turned it on today.
If the webserver doesn’t restrict requests to just Cloudflare IPs there’s nothing to stop the attacker from hitting the origin server directly and that is likely what is going on here. If it were going through Cloudflare and a block rule matched… the request would be blocked.
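To tell the two cases in the reply above apart, the origin's access log can be split by where each request actually came from. The following is an added example, not code from any poster in this thread: the log layout (peer address, then the logged CF-Connecting-IP header value), the function names and the sample lines are all constructed, and the range list is a partial snapshot that should be refreshed from https://www.cloudflare.com/ips/.

```python
import ipaddress
from collections import Counter

# Partial snapshot of Cloudflare's published IPv4 ranges (assumption: refresh
# from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13",
    "162.158.0.0/15", "198.41.128.0/17",
)]

# Constructed sample log: "<peer address> <CF-Connecting-IP or -> <request>".
# The field layout is hypothetical; adapt parse_line() to your own log format.
SAMPLE_LOG = """\
203.0.113.50 - POST /login
162.158.10.7 203.0.113.50 POST /login
162.158.10.7 198.51.100.9 GET /
203.0.113.50 - POST /login
198.51.100.77 203.0.113.50 POST /login
"""

def is_cloudflare(addr):
    """True if addr falls inside one of the listed Cloudflare ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_NETS)

def parse_line(line):
    """Split one log line into (peer, CF-Connecting-IP or None, request)."""
    peer, header, rest = line.split(" ", 2)
    return peer, (None if header == "-" else header), rest

def classify(log_text, blocked_ip):
    """Count how requests attributed to blocked_ip reached the origin."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer, cf_ip, _ = parse_line(line)
        if peer == blocked_ip:
            counts["direct_to_origin"] += 1   # never passed through Cloudflare
        elif cf_ip == blocked_ip and is_cloudflare(peer):
            counts["via_cloudflare"] += 1     # proxied, so an edge rule should apply
        elif cf_ip == blocked_ip:
            counts["spoofed_header"] += 1     # header set by a non-Cloudflare peer
    return dict(counts)

if __name__ == "__main__":
    print(classify(SAMPLE_LOG, "203.0.113.50"))
```

A non-zero `direct_to_origin` count means the origin firewall, not the Cloudflare rule, is the control that has to stop those requests.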
The problem is persisting on multiple servers; the requests are coming from Cloudflare.
IPs can’t be blocked using CSF because they’re coming from Cloudflare.
Any ideas why Cloudflare isn’t blocking the IP?
I already tried with my IP and the block rule is working. This problem is happening from time to time,
so we can’t pinpoint the exact steps.
IPs directly on the server are blocked already.