We are often scanned/checked for vulnerabilities and from log we can see requests look like this:
2020-01-28 14:19:59 Content type: application/x-www-form-urlencoded
2020-01-28 14:19:59 Request content: <?=md5("phpunit")?>
2020-01-28 14:19:59 HTTP referer:
2020-01-28 14:19:59 User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
2020-01-28 14:19:59 HTTP_CF_CONNECTING_IP:
2020-01-28 14:19:59 HTTP_CF_IPCOUNTRY:
2020-01-28 14:19:59 Query: path=vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
2020-01-28 14:19:59 REMOTE_ADDR: 220.127.116.11
2020-01-28 14:19:59 REMOTE_HOST:
I have added address 18.104.22.168 to firewall in CloudFalre but requests are still coming through (somehow).
I have following questions
- How can requests come via CloudFlare but variable HTTP_CF_CONNECTING_IP is empty?
- How would you recommend to defend against such scanning?
- Why CloudFlare firewall does not block such request, what could be the reasons?