Spammer's IP address bypassing Cloudflare's Firewall?

My website has been getting plagued with fake account signups lately, some of which have managed to bypass Cloudflare.

For example, I had a fake account created yesterday evening (20:14) from someone apparently in Ukraine with an IP of 91.237.27.64 (I don’t care about sharing spammer IPs). I know it’s a fake account as the fields were filled with spam messages.

I checked the logs on the host and can confirm the date and IP on the server's own logs, but when I go into Cloudflare’s Firewall Events page neither the IP address nor anyone from the Ukraine shows up in the filters!? FYI I checked Cloudflare a few hours later, so it should still be in the 24-hour log, and events are listed before and after that time period.

So, am I missing some setting that’s allowing some nefarious visitors to bypass Cloudflare’s firewall and not get logged? Or are these hackers now bypassing the firewall completely?

The easiest way to bypass Cloudflare’s firewall is to bypass Cloudflare altogether by connecting directly to your server. Have you configured a firewall at your server to block all traffic that doesn’t come through cloudflare.com/ips?

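To check whether signups like the one in the question reached the origin without passing through Cloudflare, the server's access log can be compared against Cloudflare's published ranges. The following is an added example, not part of the original posts. It assumes the log is in common/combined format and records the connecting peer address (no real-IP restoration such as mod_remoteip), that the embedded IPv4 list is a snapshot to be refreshed from cloudflare.com/ips, and that the sample log lines, their date and the `/signup` path are constructed.

```python
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 ranges (assumption: refresh from
# cloudflare.com/ips before use). IPv6 ranges are omitted, so any IPv6 peer
# is reported as direct until those ranges are added.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Common/combined log format: peer address, identity, user, [time], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def via_cloudflare(peer):
    """True if the connecting address belongs to a Cloudflare range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # not an IP address at all
    return any(addr in net for net in CLOUDFLARE_V4)

def direct_hits(lines):
    """Return (peer, time, method, path) for requests that skipped Cloudflare."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and not via_cloudflare(m.group(1)):
            hits.append(m.groups())
    return hits

# Constructed sample log lines (date and /signup path are hypothetical).
SAMPLE_LOG = [
    '172.68.10.5 - - [01/Jan/2020:20:10:02 +0000] "GET / HTTP/1.1" 200 5120',
    '91.237.27.64 - - [01/Jan/2020:20:14:31 +0000] "POST /signup HTTP/1.1" 302 0',
    '162.158.90.12 - - [01/Jan/2020:20:15:40 +0000] "GET /stock HTTP/1.1" 200 734',
    'unparseable line',
]

if __name__ == "__main__":
    for peer, when, method, path in direct_hits(SAMPLE_LOG):
        print(f"direct-to-origin: {peer} [{when}] {method} {path}")
```

If the host restores visitor addresses from Cloudflare's `CF-Connecting-IP` header, every logged address looks like a visitor address and this check cannot tell the two paths apart; the log then needs a field that records the actual peer.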

Ah I didn’t think of that.

Though in my DNS settings I had issues with FTP and mail having Cloudflare proxy those, so I’ve got both of those set to “DNS only” and not proxied…

So I have a feeling setting a firewall as you suggested may cause issues with FTP access?

FYI it’s a B2B website and our customers access our stock list over FTP - changing that would cause massive problems with our customers all having to update things their end!

Unfortunately, I’m on a shared host which doesn’t offer any firewall options (they only do so on dedicated servers), so it looks like I can’t set up a firewall then?

My cheater method is to use .htaccess: