Repeated login attempts to my site from Cloudflare-owned IPs

Could someone be using a bot on Cloudflare’s network to do this?

I’ve been seeing a massive amount of login attempts to my site from Cloudflare owned IP addresses.
Multiple requests from IP addresses in the 172.64.0.0 - 172.71.255.255 range have been trying to guess user passwords and accounts on my site.
The report abuse form doesn’t have an option for this type of event.

Fortunately that username doesn’t actually exist.
Wordfence is set to lock out any failed login attempt and block the IP address for 2 months.

Sample of the log output…

|Lockout|172.68.34.59|January 21, 2020 7:56 am|Used an invalid username ‘lovefromtheoven’ to try to sign in|March 21, 2020 7:56 am|1|January 21, 2020 7:56 am|
|Lockout|172.68.34.65|January 21, 2020 7:52 am|Used an invalid username ‘lovefromtheoven’ to try to sign in|March 21, 2020 7:52 am|1|January 21, 2020 7:52 am|
|Lockout|172.68.34.95|January 21, 2020 6:34 am|Used an invalid username ‘lovefromtheoven’ to try to sign in|March 21, 2020 6:34 am|2|January 21, 2020 7:59 am|
|Lockout|172.68.102.119|January 21, 2020 6:15 am|Used an invalid username ‘lovefromtheoven’ to try to sign in|March 21, 2020 6:15 am|1|January 21, 2020 6:15 am|
|Lockout|172.68.34.35|January 21, 2020 6:01 am|Used an invalid username ‘lovefromtheoven’ to try to sign in|March 21, 2020 6:01 am|1|January 21, 2020 6:01 am|


Can you let Support know? I’ve seen instances like this where the IP is that of your nameserver or a DNS record on the DNS tab. In this case, I cannot match IP to either of those and would appreciate a second set of eyes on it.

To contact Cloudflare Customer Support, log in & go to https://dash.cloudflare.com/?account=support and select get more help at the bottom of the screen. Please share your ticket number here and I’ll track progress.

I think I figured it out.
Since all traffic is routed through Cloudflare proxy, Wordfence requires a security change to reveal actual IP addresses of visitors instead of the masked addresses sent by the CF proxy.

If you use Wordfence, you have to change the method it uses to get IP addresses from visitors.
The default option is:
“Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites. (Recommended)”

Change the default selection and choose the option below to retrieve actual IP addresses of visitors.
“Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.”

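The behaviour described in the last post, as an added example that is not part of the thread and is not Wordfence's code: an origin behind the proxy keys lockouts on the `CF-Connecting-IP` value only when the connecting peer is itself a Cloudflare address, so a request sent straight to the origin cannot forge the header. The function names and visitor addresses are assumptions, and the trusted range is only the one quoted in the first post.

```python
import ipaddress

# Assumption: only the range quoted in the original post (172.64.0.0 - 172.71.255.255).
# A real deployment loads the full list Cloudflare publishes at https://www.cloudflare.com/ips/.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("172.64.0.0/13")]


def is_trusted_proxy(peer_ip):
    """True when the TCP peer is inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def resolve_client_ip(peer_ip, headers):
    """Return the address to log and lock out for one request."""
    if not is_trusted_proxy(peer_ip):
        # Direct connection to the origin: the header is client-controlled, ignore it.
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip", "").strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        # Missing or malformed header: fall back to the proxy address.
        return peer_ip


def failed_logins_by_client(requests):
    """Count failed logins per resolved client address."""
    counts = {}
    for peer_ip, headers in requests:
        client = resolve_client_ip(peer_ip, headers)
        counts[client] = counts.get(client, 0) + 1
    return counts


# Constructed sample: peer addresses are the edge IPs from the lockout log above;
# visitor addresses are documentation-range placeholders.
SAMPLE_REQUESTS = [
    ("172.68.34.59", {"CF-Connecting-IP": "203.0.113.7"}),
    ("172.68.34.65", {"CF-Connecting-IP": "203.0.113.7"}),
    ("172.68.34.95", {"CF-Connecting-IP": "203.0.113.7"}),
    ("172.68.102.119", {"CF-Connecting-IP": "203.0.113.7"}),
    ("172.68.34.35", {"CF-Connecting-IP": "not-an-ip"}),
    ("198.51.100.20", {"CF-Connecting-IP": "172.68.34.59"}),  # direct hit, forged header
]

if __name__ == "__main__":
    for client, n in failed_logins_by_client(SAMPLE_REQUESTS).items():
        print(client, n)
```

Four of the five edge addresses collapse to a single visitor, which is the address a lockout should target; blocking the edge addresses instead would affect every visitor routed through them.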