Waf/firewall/i'm not a robot etc

dash-dns
#1

This post was flagged by the community and is temporarily hidden.

#2

There are firewall events logged under the Firewall tab of the dashboard for your domain. It shows block/JS challenge etc. as well as the source, host and the filter ID of the triggered rule.

#3

Indeed, however it does not tell you which service in the Cloudflare dashboard has initiated the robots check etc.

#4

Sorry, could you clarify what you mean by ‘which service’. It’s not a Cloudflare term I know of so just want to double-check I understand what it is you need so I can hopefully point you in the right direction.

#5

Say your site users complain about “having to complete a challenge or have to prove they’re not robots a lot”

I go into the dashboard and check the IP, it does not show up.
I then check all the rules and can’t understand which rule triggers the CHALLENGE for the user?
I turn off WAF so users don’t get abused by the challenge…

#6

Can I ask if you’re using a filter to find the IP in question in the Firewall Events? Because I’ve just seen another user raise the point that the Firewall Events filtering isn’t working other than on Ray ID and on checking it I see that it does indeed appear to have problems at the moment.

I think the events tab is probably still what you’re after but the filtering issue is impeding your use of it presently. ‘Normally’ I’d hope that tab gives you the info you need.

#7

What should “I’m under attack mode” be set to if I have constant people trying to ssh/ftp/kerberos/telnet/111/139 my server?

#8

Unless you’re using ‘Spectrum’ in order to let Cloudflare proxy non-HTTP(s) traffic, nothing like that should ever hit your backend through Cloudflare as long as you have the DNS entry set to ‘orange’ (proxied by Cloudflare). The only traffic that would get through Cloudflare and therefore be affected by the ‘Under Attack’ level would be on ports defined here:

If you have Cloudflare proxying all web traffic then you could look into dropping traffic that doesn’t come from the Cloudflare proxy IP ranges:

Obviously you need to add exceptions to that (i.e. expand where you allow traffic from) if you have other traffic coming in (like SSH from some locations etc.).

If you check on GitHub there are also a lot of people that have rolled their own security by using fail2ban in conjunction with the Cloudflare API, so that if you start getting a lot of access attempts you can blacklist IPs at Cloudflare too.

EDIT: To clarify - there’s nothing Cloudflare can do to stop traffic hitting your backend if the attackers are going off your host IP and hitting your SSH etc. ports directly. But if you’re using Cloudflare you can drop massive amounts of the source address space at your firewall, because legit traffic will all come through them and you can leverage their DDoS mitigation etc.
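Added example (not from the thread or from Cloudflare): a small POSIX shell script that turns the advice above into an nftables ruleset, accepting 80/443 only from the Cloudflare proxy ranges, SSH only from an admin range, and dropping everything else. The CIDR list and the admin range are constructed placeholders; in practice the list would be refreshed from Cloudflare's published ranges (https://www.cloudflare.com/ips-v4), and the script only prints the ruleset so you can review it before `nft -f`.

```shell
#!/bin/sh
# Generate an nftables ruleset that only accepts web traffic arriving via the
# Cloudflare proxy ranges. Assumptions: CIDR_FILE holds one IPv4 CIDR per line
# (comments with '#' allowed); ADMIN_CIDR is where SSH is still allowed from.
# The ruleset is printed, not applied.

# gen_ruleset CIDR_FILE ADMIN_CIDR -> prints the ruleset to stdout, returns 1 on empty input
gen_ruleset() {
    cidr_file="$1"
    admin_cidr="$2"
    # Join the non-empty, non-comment lines into "a, b, c" for the nft set.
    elements=$(grep -Ev '^[[:space:]]*(#|$)' "$cidr_file" | paste -s -d ',' - | sed 's/,/, /g')
    [ -n "$elements" ] || { echo "no CIDRs found in $cidr_file" >&2; return 1; }
    cat <<EOF
table inet cf_only {
    set cloudflare_v4 {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        ip saddr $admin_cidr tcp dport 22 accept
        ip saddr @cloudflare_v4 tcp dport { 80, 443 } accept
        tcp dport { 80, 443 } counter drop comment "web traffic not via Cloudflare"
    }
}
EOF
}

# Constructed sample input (documentation ranges, NOT Cloudflare's real ones).
SAMPLE_CIDRS=$(mktemp)
printf '%s\n' '# sample proxy ranges' '198.51.100.0/24' '203.0.113.0/24' > "$SAMPLE_CIDRS"
gen_ruleset "$SAMPLE_CIDRS" 192.0.2.10/32
rm -f "$SAMPLE_CIDRS"
```

Everything not in the allow rules falls through to `policy drop`, so add further `accept` rules for any other legitimate traffic before applying it.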

#9

Cloudflare keeps telling my users to complete one more step, this is really annoying, how do I turn this off?

WAF IS TURNED OFF?! I don’t get why users would get this when it’s not even enabled?

#10

I assume we’re back talking about normal users accessing via HTTP(s) now?

If so, then under Firewall - Settings, set Security Level to ‘Essentially Off’ to reduce these prompts.

#11

This post was flagged by the community and is temporarily hidden.

#12

That’s the lowest generic level, yes. With that turned off, WAF turned off and no Firewall Rules you’re at the most permissive level you can be. Make sure no Page rules are altering that base state.

You can try whitelisting at an IP/ASN/country level, but really if people are getting challenged at that level then Cloudflare is just wary of their actions for some reason.
