Unknown IP addresses are being whitelisted


#1

Yesterday I blocked ALL Chinese IP addresses from accessing our server due to an ongoing brute-force attempt. Today on the firewall, pretty much every non-Chinese address has been whitelisted.

How has this happened? Was it something I have done?


#2

I find that Cloudflare auto-whitelists the IP addresses of my web servers. This helps for when they make an internal call to their own domain that will get routed through Cloudflare.


#3

This is different. All IP addresses (apart from China!) are being whitelisted with the rule:
“Disable WAF for wp-admin”

I’m getting a bit worried about this. Do I have to remove the IP block for China to get this to work again?


#4

I’d be interested to hear if anyone else has had to block an entire country’s IP range. When you did that, did Cloudflare whitelist all other IPs automatically?

My firewall still has every non-Chinese IP address on the whitelist… it’s very worrying that CF thinks that they are the WordPress Admin, and I need some advice please.


#5

I’ve been seeing similar results lately @anthony1. I had previously added a challenge for some countries I’d been seeing a lot of odd behaviour from, however that particular rule has fallen off my WAF log.

I ended up disabling that rule WP0003 (so, don’t disable WAF for wp-admin – if I understand it correctly) and adding a page rule to set the security level to “I’m under attack”, bypass cache, cache deception armor on, disable apps, and disable performance. You can also add a rate limiting option using the Protect Your Login button on the Firewall tab that will assist in preventing brute-force attacks.


#6

I appreciate your reply Stuart, but it doesn’t really make sense to me. I’m struggling to grasp why Cloudflare would bypass the firewall for all IP addresses that aren’t Chinese, if I block Chinese IPs. It’s not really what I expected nor requested.

Is there some method to this madness that I’m missing here?


#7

I’m not sure @anthony1; it might be worth reaching out to Cloudflare support to see what they can advise.