We’ve been on CF for a couple weeks now, and have basic firewall + WAF enabled, yet we’re still seeing requests like this on our server logs:
AH00126: Invalid URI in request POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
AH00126: Invalid URI in request GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1
I would have expected these would have been easily filtered out.
Is there a setting I’m missing that would have blocked these?
Additionally, I’m still getting warnings from Wordfence (WordPress security plugin) that it’s locking many users out due to consecutive failed login attempts. I was hoping to see these decrease as a result of enabling Cloudflare, but not yet. I do have the WordPress-specific WAF collection enabled.
Top of my list is making sure nobody can bypass Cloudflare and directly try anything malicious by connecting to my server’s IP address. I drop any connection that doesn’t come from the list at IP Ranges
Thank you! I will implement custom firewall rules on wp-admin - makes sense.
The ‘at the edge’ option is already enabled, but I do have ‘to origin’ disabled. However I’m unsure how that would help in this case, as I’d expect Cloudflare to be blocking these nefarious requests at the edge before even reaching our server.
Correct. You’d know for sure if you check your server logs.
But if you’re using Wordfence, it’s nice to let it know as well. That Wordfence option is pretty good at showing you what it thinks your IP address is when you select the different options.
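The server-log check suggested in the replies above, as an added example that is not part of the original thread: it reads Apache AH00126 error-log lines and labels each connecting peer as coming through the proxy ("edge") or straight to the origin ("direct"). The `EDGE_RANGES` values are placeholder documentation networks to be replaced with the published list, the sample lines are constructed around the two requests from the question, and it assumes the `[client …]` field holds the connecting peer address (not rewritten by something like mod_remoteip).

```python
import ipaddress
import re

# Placeholder edge networks (documentation ranges, NOT real Cloudflare ranges).
# Replace with the networks published on Cloudflare's IP Ranges page.
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]

# Apache 2.4 error-log shape: "[client ADDR:PORT] AH00126: Invalid URI in request METHOD URI ..."
# The greedy address group backtracks to the last ":PORT]", so unbracketed IPv6 peers parse too.
LINE_RE = re.compile(
    r"\[client (?P<addr>[^\]\s]+):\d+\] "
    r"AH00126: Invalid URI in request (?P<method>\S+) (?P<uri>\S+)"
)

# Constructed sample lines; the request parts are the two quoted in the question.
SAMPLE = [
    "[Tue Jan 04 10:15:01.000001 2022] [core:error] [pid 101] [client 198.51.100.7:41234] "
    "AH00126: Invalid URI in request POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1",
    "[Tue Jan 04 10:15:09.000002 2022] [core:error] [pid 102] [client 203.0.113.50:50522] "
    "AH00126: Invalid URI in request GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e"
    "/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1",
    "[Tue Jan 04 10:16:30.000003 2022] [core:error] [pid 103] [client 2001:db8:cf::1:40000] "
    "AH00126: Invalid URI in request POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1",
    "[Tue Jan 04 10:17:00.000004 2022] [mpm_prefork:notice] [pid 1] AH00163: resuming normal operations",
]

def classify(log_lines):
    """Return (peer, 'edge' | 'direct', uri) for every AH00126 line."""
    results = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an invalid-URI rejection
        peer = ipaddress.ip_address(m.group("addr"))
        via_edge = any(peer.version == net.version and peer in net for net in EDGE_RANGES)
        results.append((str(peer), "edge" if via_edge else "direct", m.group("uri")))
    return results

def direct_peers(results):
    """Peers that reached the origin without passing through the edge networks."""
    return sorted({peer for peer, origin, _ in results if origin == "direct"})

if __name__ == "__main__":
    for peer, origin, uri in classify(SAMPLE):
        print(f"{origin:6} {peer:20} {uri}")
    print("direct-to-origin peers:", direct_peers(classify(SAMPLE)))
```

Any "direct" entries mean the origin is still reachable around the proxy, which the IP-range filtering described in the replies addresses; "edge" entries passed through the proxy and were rejected by Apache itself.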