Someone's bypass Cloudflare Firewall

firewall

#1

Hello everyone. I have small problem with cloudflare firewall. I am using cloudflare firewall to project website comments without captcha.

. But 2 days ago 1 bot bypassed cloudflare image
I am using Authenticated Origin Pulls and I am blocked all ip except cloudflare
no one access directly server but i cannot see 109.184.176.191 ip adress on cloudflare firewall. Ok, this bot how to send spam comment to my website ?.


#2

That first match should do it. Is anything showing up in the Firewall Events Log?

It’s possible there’s some low-paid human spammer hitting your website.


#3

This ip address does not appear on firewall log.


#4

If you run a full fledged browser you’ll be able to bypass, respectively rather solve, a JavaScript challenge also in an automated fashion. There is/was even a Python library which approached that issue for non-browser instances using a Node.js instance to execute the JavaScript challenge.

That sort of challenge generally is quite effective but still does not provide you a 100% bot-exclusion rate.


#5

But if the validation, the firewall should show the IP address, the problem is that the IP address does not appear.


#6

I dont know what the screenshot you posted is. Can you get the request specific lines from your log file? That should show whether the request should have been challenged to begin with.

If you say it went via Cloudflare but there is no log in the firewall events, that would most likely mean it did not get challenged.


#7

Those firewall rules look odd. If they’re followed in order, I’m not sure if that first entry is supposed to block all TCP ports, or let everything through. Then the second entry looks like it’s allowing only Cloudflare access to Port 443.

Can you post the domain name so we can test it out?


#8

These ara normal firewall rules. Block all tcp and udp incoming except cloudflare ip and port 443. Please be careful. first post i say Authenticated Origin Pulls is active and i dont forget configure on server side.


#9

If you can rule out a direct connect there simply was no challenge.


#10

i block all non cloudflare trafic. First protection vps firewall , second protection cloudflare client certificate. No one can reach without Cloudflare.


#11

Well I addressed that already twice.


#12

Use “Block” instead of “JS Challenge”.

So no one will be able to bypass.

What JS Challenge does is it checks for IP reputation of visitor and if its good, it allows.


#13

A JavaScript challenge will always challenge, regardless of any “reputation”.

The problem here is not whether to block or to challenge but the OP claims the request came via Cloudflare, was challenged, but does not show up in the event list, and this part has been addressed several times by now.


#14

start from your server logs find that request and check if it really came from cloudflare


#15

Nobody can access from the outside of Cloudflare


#16

challenge is not ip based. i dont need a block comments. if i need i can modify php file or i will create new nginx rule. I am using for blocking bots.


#17

Sorry, not going to address it for a fourth time :wink:

Please re-read what has been already mentioned three days ago.


#18

How many comment was submitted from that IP?


#19

1 but we get 3 more comment like this from other ips.


closed #20

This topic was automatically closed after 30 days. New replies are no longer allowed.