Obvious hacking attempts not blocked

We’ve been on CF for a couple weeks now, and have basic firewall + WAF enabled, yet we’re still seeing requests like this on our server logs:

AH00126: Invalid URI in request POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
AH00126: Invalid URI in request GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1

I would have expected these to be easily filtered out.

Is there a setting I’m missing that would have blocked these?

Additionally, I’m still getting warnings from Wordfence (WordPress security plugin) that it’s locking many users out due to consecutive failed login attempts. I was hoping to see these decrease as a result of enabling Cloudflare, but not yet. I do have the WordPress-specific WAF collection enabled.

Top of my list is making sure nobody can bypass Cloudflare and directly try anything malicious by connecting to my server’s IP address. I drop any connection that doesn’t come from the list at cloudflare.com/ips

I also Normalize URLs:

For the logins, you can rate limit the login page from Firewall → Tools.

You can also use Firewall Rules to block any access to wp-login from any country not allowed.

In my case, I use Access to protect wp-login because I have an extremely limited number of people who are allowed to log in to my sites:
https://developers.cloudflare.com/cloudflare-one/applications

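Added example, not written by anyone in this thread: a log triage sketch that separates the two cases discussed above, requests that reached the origin through the edge versus directly by IP, and flags paths that climb above the web root once percent-encoding is undone. It assumes each line starts with the TCP peer address (with mod_remoteip, Apache logs that with `%{c}a`); the ranges and peer addresses are constructed placeholders, and the real ranges come from cloudflare.com/ips.

```python
import ipaddress
import re
from urllib.parse import unquote

# Placeholder edge ranges (RFC 5737 documentation nets, NOT Cloudflare's);
# load the real list from cloudflare.com/ips.
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample: "<peer-ip> <request line>". The first two request lines
# are the ones quoted in the question; the peer addresses are made up.
SAMPLE_LOG = """\
198.51.100.7 POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
192.0.2.44 GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1
198.51.100.9 GET /wp-content/themes/site/style.css HTTP/1.1
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) HTTP/\d\.\d$")

def from_edge(peer):
    # True if the TCP peer address falls inside an allowed edge range.
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in EDGE_RANGES)

def escapes_root(raw_path, max_rounds=3):
    # True if the path climbs above / once percent-encoding is undone.
    path = raw_path
    for _ in range(max_rounds):  # repeat to undo double encoding (%252e)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def triage(log_text):
    # One (peer, came_via_edge, traversal) tuple per parsed request line.
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            peer, _method, target = m.groups()
            findings.append((peer, from_edge(peer), escapes_root(target.split("?", 1)[0])))
    return findings
```

A traversal hit with `came_via_edge` false points at the origin firewall allowlist; one with it true points at the WAF and URL normalization settings.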

Thank you! I will implement custom firewall rules on wp-admin - makes sense.

The ‘at the edge’ option is already enabled, but I do have ‘to origin’ disabled. However I’m unsure how that would help in this case, as I’d expect Cloudflare to be blocking these nefarious requests at the edge before even reaching our server.

Have you selected CF-Connecting-IP to get the visitor IP when using Cloudflare and proxied (orange cloud) mode for your hostname?

No, but we’re using mod_cloudflare/mod_remoteip - that should give the same result, right?

Correct. You’d know for sure if you check your server logs.

But if you’re using Wordfence, it’s nice to let it know as well. That Wordfence option is pretty good at showing you what it thinks your IP address is when you select the different options.
