WAF not blocking non-UK IPs

I have a WAF rule to block all non-UK IPs. However, the site reports a number of attempted admin logins (unsuccessful) from IPs which IP-Lookup identifies as originating in the US (by far the largest source of attacks). Why is the WAF rule not blocking them?

What are your firewall rules?

That looks right. Do you have any other rules that would allow the requests?

Only one other rule:

Sorry, there is another:

Where are you seeing the login attempts? Is it from your server or from Cloudflare? If it is from your server, then it could be people bypassing Cloudflare by using direct IP connection.

Thanks, that is very helpful, I will check that in the morning!

I am not sure how to check if they are using the server IP address to access the site; it's at the limits of my understanding.

It's a shared server, doesn’t that mean that a number of sites use the same server IP address?

Whois tells me: 104.21.95.234 - 838 other sites hosted on this server

If I try that IP address I get:

Error 1003 Ray ID: 79cdd4da0c3888b5 • 2023-02-21 07:40:00 UTC
Direct IP access not allowed.

That’s the Cloudflare proxy address, not the end user address.

Make sure you have secured your Origin, and look at restoring the Original Client IP.

1 Like

Thanks… that is useful but I need some time to get my head around that!

Well, I have read those and could spend much more time trying to understand them! My origin server is an IONOS shared one, so there is a limit to what I can do with it.

Admin Tools (I am using Joomla) logs the IP address of suspected attacks (attempted logins to the admin, mostly). From my reading so far, if those IPs are anything other than Cloudflare’s, then the attacker must be avoiding Cloudflare. But again I don’t understand: as my origin server is shared and has hundreds of sites, how does accessing the IP address directly get to a specific website out of the hundreds on that IP address? Sorry if this is dumb.

Am in meetings the rest of the day

Host headers. It’s the same way visitors get to your specific site when connecting through Cloudflare.
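An added example, not part of the thread and not Cloudflare's or Admin Tools' own code: one way to tell, from what the origin sees, whether a request came through the Cloudflare proxy (where the WAF rule can act) or connected to the origin directly. The function names and the log tuples are constructed for illustration, and the CIDR list is a snapshot of Cloudflare's published IPv4 ranges that should be refreshed from https://www.cloudflare.com/ips-v4 before use.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (assumption: may be out of date;
# refresh from https://www.cloudflare.com/ips-v4). IPv6 is not covered here.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip):
    """True if the address falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(peer_ip, cf_connecting_ip=None):
    """Return (route, client_ip) for one request as seen at the origin."""
    if is_cloudflare(peer_ip):
        # Proxied: the TCP peer is Cloudflare; the visitor is in CF-Connecting-IP.
        return ("via-cloudflare", cf_connecting_ip or "unknown")
    # Direct: Cloudflare and its WAF never saw this request. Any CF-Connecting-IP
    # header was supplied by the sender, so only the peer address is trusted.
    return ("direct-to-origin", peer_ip)


# Constructed sample: (TCP peer address, CF-Connecting-IP header or None, path).
# 104.21.95.234 is the proxy address quoted in the thread; the rest are
# documentation-range addresses.
SAMPLE_LOG = [
    ("104.21.95.234", "203.0.113.7", "/administrator/index.php"),
    ("198.51.100.23", None, "/administrator/index.php"),
    ("192.0.2.44", "203.0.113.9", "/administrator/index.php"),
]


def summarize(log):
    """Classify every entry, keeping the requested path alongside the result."""
    return [classify(peer, hdr) + (path,) for peer, hdr, path in log]


if __name__ == "__main__":
    for route, client, path in summarize(SAMPLE_LOG):
        print(f"{route:17} {client:15} {path}")
```

The check has to run on the TCP peer address, so it only works on logs taken before any original-client-IP restoration rewrites that field.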

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.