Should I be worried about IPs getting through to server despite page rules?

user7471 · March 23, 2021, 9:30pm

Hi there,

I’m pretty fresh at this so sorry if this is a common question. Not exactly sure what search terms to whittle down such a broad question.

I have page rules set up so that it geoblocks every country other than Canada/US with a JS Challenge and I also have straight up blocked Russia, China, and Ukraine (cause I was getting a lot of traffic from them I didn’t want).

I’m still seeing from my apache logs that every other day I get a block of about 100 requests to access my phpadmin which is disabled from external access. These IPs are coming from the Asia Pacific network (APNIC) and RIPE (Europe based?), but don’t have any identifiable information about them.

Q1: How are they bypassing the page rules on Cloudflare?
Q2: If they’re able to make requests directly with the server, should I be concerned about other vulnerabilities?
Q3: Should I even worry about this considering the server is already denying the requests?

Thanks

sandro · March 23, 2021, 11:07pm

You mean firewall rules, right?

Can you post a screenshot of your rule as well as the list of rules? The order of rules is important too.

If you have them properly configured such requests should not get to your server, if they still do you either have an incorrect rule setup or they connect directly to your server. In the latter case you’d need to make sure only Cloudflare can connect to it, by configuring your server firewall accordingly. cloudflare.com/ips has all the addresses.

sandro · March 23, 2021, 9:34pm

Also, a JavaScript challenge won’t block them, but only present a challenge which they can solve.

user7471 · March 23, 2021, 11:20pm

Sorry yes, I meant firewall rules.

Rule 1 is:
(ip.geoip.country ne “CA” and ip.geoip.country ne “US”)
Do a JS Challenge

Rule 2 is:
(ip.geoip.country eq “CN”) or (ip.geoip.country eq “RU”) or (ip.geoip.country eq “UA”) or (ip.geoip.country eq “IE”)
Completely Block

So far I’ve only had 1 person solve the JS challenge out of 460 in the last 24 hours. To me it seems these IPs are bots, not people because they’re able to make all 100 requests in only the span of 1 second.

sandro · March 25, 2021, 4:17pm

You need to switch the rules, also, I would recommend “is in”

(ip.geoip.country in {"CN" "IE" "RU" "UA"}) -> Block
(not ip.geoip.country in {"CA" "US"}) -> JS challenge

Right now rule #2 will never fire because of rule #1.

system · March 26, 2021, 11:31pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.