Need help understanding how a Cloudflare IP is getting blocked

I have several web sites set up with…
Apache2.4 w/mod_cloudflare
fail2ban w/cloudflare ban action enabled, ignoreip is configured with Cloudflare IP address ranges.
fail2ban also bans IPs on the origin server in iptables.

Everything has been working fine. But then a couple of days ago, I received an alert from fail2ban that it banned 104.28.222.43, which is a Cloudflare IP. So I updated the ignoreip setting in fail2ban with the latest list of Cloudflare IP ranges.

Then after I thought about it, because mod_cloudflare is swapping out Cloudflare’s IP with the true client IP before any else happens, I should never be seeing a Cloudflare IP address, and shouldn’t need to add Cloudflare’s IPs to the ignoreip setting in fail2ban.

So my question is this: is it possible for someone to bypass fail2ban filtering and actions by using Cloudflare Workers so the client IP is coming from Cloudflare? I’m not familiar with what Workers are capable of. But if a request originates from Cloudflare’s address ranges, say from a Worker, so that the client IP my web server sees is a Cloudflare IP, and mod_cloudflare doesn’t modify it, then fail2ban would ignore it. Is that possible?

Or is there some other reason that mod_cloudflare would show the client IP as a Cloudflare IP?

I obviously have other security systems in place; fail2ban is just banning IPs on the origin server in iptables, and on Cloudflare, after they were already caught by some other security tool, such as mod_security. But since the banning happens for a period of time, couldn’t something like this be used for a DoS if Cloudflare is temporarily blocked from connecting to my origin server?

This IP address is outside the published Cloudflare IP address list, so it won’t be “swapped out” when using the list.

It is a Cloudflare IP address, so it is likely WARP traffic and therefore can be treated like any visitor IP address (although banning it may block multiple WARP users from your site).

Requests from a Cloudflare worker to another Cloudflare zone will appear from 2a06:98c0:3600::103.

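The point made in the answer above, that 104.28.222.43 sits outside 104.24.0.0/14 and therefore outside the trusted-proxy list, is easy to misjudge by eye. The script below is an added example, not code from the thread, from Cloudflare or from the fail2ban project. It parses a CIDR list in the same whitespace-separated form fail2ban's `ignoreip` accepts, prints the address range a block actually covers, and reports for a connecting IP whether the trusted-proxy module (mod_remoteip or mod_cloudflare) would have replaced it with the CF-Connecting-IP value and whether `ignoreip` would exempt it. The embedded range list is a constructed subset for illustration (only 104.24.0.0/14 appears in the thread); the function names and the rule "anything outside the trusted list is treated as the real client" are assumptions of this example.

```python
"""Diagnose what the origin sees for a given connecting IP.

Added example, not code from the thread. It models two lists that a
Cloudflare-fronted origin keeps: the proxy ranges the trusted-proxy module
rewrites, and fail2ban's ignoreip exemptions.
"""
import ipaddress

# Constructed subset of Cloudflare's published proxy ranges (the live files are
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6).
# Only 104.24.0.0/14 comes from the thread; always load the current published list.
CLOUDFLARE_RANGES = """
104.16.0.0/13
104.24.0.0/14
2a06:98c0::/29
"""

# Constructed fail2ban ignoreip value: loopback plus the same Cloudflare subset.
IGNOREIP = "127.0.0.1/8 ::1 " + " ".join(CLOUDFLARE_RANGES.split())


def parse_networks(text):
    """Parse whitespace-separated CIDR blocks or bare hosts into network objects.

    fail2ban's ignoreip accepts the same mix; strict=False lets a host address
    with a prefix (e.g. 127.0.0.1/8) be read as the block it belongs to.
    """
    return [ipaddress.ip_network(token, strict=False) for token in text.split()]


def range_bounds(cidr):
    """Return (first, last) address of a CIDR block as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (str(net.network_address), str(net.broadcast_address))


def covering_entry(ip, networks):
    """Return the first network containing ip, or None if no entry covers it."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def classify(connecting_ip, trusted_text, ignoreip_text):
    """Explain how the origin treats a TCP connection from connecting_ip.

    If the connecting address is in the trusted-proxy list, the module replaces
    REMOTE_ADDR with CF-Connecting-IP and fail2ban judges the real visitor.
    Otherwise the connecting address itself is the client, and only ignoreip
    decides whether fail2ban may ever ban it.
    """
    proxy = covering_entry(connecting_ip, parse_networks(trusted_text))
    exempt = covering_entry(connecting_ip, parse_networks(ignoreip_text))
    return {
        "connecting_ip": connecting_ip,
        "rewritten_from_cf_connecting_ip": proxy is not None,
        "trusted_by": str(proxy) if proxy is not None else None,
        "ignored_by": str(exempt) if exempt is not None else None,
    }


if __name__ == "__main__":
    first, last = range_bounds("104.24.0.0/14")
    print(f"104.24.0.0/14 covers {first} .. {last}")
    for ip in ("104.28.222.43", "104.26.10.20", "2a06:98c0:3600::103"):
        print(classify(ip, CLOUDFLARE_RANGES, IGNOREIP))
```

Run against the thread's address, the block 104.24.0.0/14 is reported as covering 104.24.0.0 through 104.27.255.255, so 104.28.222.43 matches neither the trusted-proxy list nor `ignoreip`: the origin saw it as an ordinary client address, which is exactly why fail2ban banned it. The same check on the Worker source address quoted above shows it falling inside 2a06:98c0::/29, so a trusted-proxy module would rewrite it and fail2ban would judge the CF-Connecting-IP value instead.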
Oh, oops, you are right. I looked at 104.24.0.0/14 from the IPv4 list and thought it was part of it. But it is not.

So WARP doesn’t send a CF-Connecting-IP because of its privacy features? If true, I’m not sure what to do about blocking bad actors using WARP then.

This connection attempt was definitely hacking activity attempted against a WordPress site’s REST API. That’s not something an ordinary browser would do, especially since I have the REST API disabled on the site, and no REST API meta data/headers in the site’s HTML.

I guess I would rather block it and inconvenience other WARP users for a while rather than let it all through.

P.S. I see now that mod_cloudflare is no longer supported. CloudFlare recommends using mod_remoteip that comes with Apache.

The proxy sends CF-Connecting-IP headers. WARP is just a VPN so 104.28.222.43 is, as far as you (and the Cloudflare proxy) are concerned, the client IP address.

The same would apply for any IP address with multiple users, such as VPNs and other proxies, corporate egress points and so on, so it’s up to you how to treat it. WARP IPs change often as well, so a block will have a short-term effect to stop the immediate cruft, but it’s easy to move to another IP.