Whitelisted Country Code Doesn't Block International Traffic


#1

Hello,

My current firewall setup is set to a medium security level with the US being whitelisted.

However, when I check my Wordpress logs, I notice several among the many international IP addresses trying to repeatedly gain access to my web server. Here is a sample list:

  1. 217.147.169.231 from the Ukraine under the ISP name LLC TC Interzvyazok and a usage type of Data center/Web hosting/transit (go here for more details: https://www.abuseipdb.com/check/217.147.169.231).

  2. 188.166.60.209 from Digital Ocean Data Center Web Hosting in the Netherlands (go here for more info: https://www.abuseipdb.com/check/188.166.60.209).

  3. 188.138.105.63 from Host Europe GmbH Data Center/Web Hosting/Transit in Germany (go here for more info: https://www.abuseipdb.com/check/188.138.105.63).

Based on the report, I know these are bots or malicious spammers.

Given my current firewall setup, why am I still getting international requests when the US is the only country whitelisted?

And why are these requests coming from data centers or prominent companies like Digital Ocean?

Any help or support will be graciously appreciated!

Thank you, by the way, for designing a stupendous, user-friendly CDN! :grinning:

All my best,

Joe


#2

The CF firewall doesn’t follow the “classic” firewall behavior like

Allow, 1, 2, 3
Deny all other

You may need to block all unwanted IPs, networks, ASNs or countries, or challenge them with a (JavaScript) captcha.


#3

I understand.

So what benefit does it do me if I have US code whitelisted?

Can I have both a whitelist of US and a blacklist for unwanted IPs/ASNs simultaneously?

Thanks Mark for getting back so quickly.

I really appreciate it!


#4

I wouldn’t whitelist the US, as many attacks come from the US as well. I’d start limiting other countries as needed.

Or…(I’m a big fan of Wordfence), install Wordfence. It does a really good job of blocking malicious traffic. Their paid plan, if you want to be even more strict, will let you blacklist most of the world.


#5

I am trying to block all international traffic before it reaches Apache. From my understanding, there’s no software/plugin, even the paid ones, that will accomplish this task. The only other way is to insert iptables rules via my firewall.

I am not about to insert more than 1 billion IP addresses on my one small-to-mid-size VPS. Even though there’s still a risk in whitelisting the US, I can blacklist on an individual basis at the firewall level if and when an attack happens. Currently, I haven’t gotten any attacks from the US. Mainly China, Croatia, Russia, Germany, Netherlands, and Ukraine.

In the meantime, can I just leave US whitelisted and block specific international country ASNs such as the aforementioned foreign countries?

Also, if my logs are still picking up international traffic even though the US is the only country whitelisted, what benefit does it do me for whitelisting US?

I appreciate your feedback and help.


#6

The Whitelist/Blacklist function isn’t just for countries. It also works on IP addresses and ranges. In more granular cases, it helps to Whitelist IP addresses of your own that may look suspicious due to some specific ways you use your own website. So go ahead and whitelist the US, as you do want to give US users the benefit of the doubt.

But that isn’t going to raise the defenses against the rest of the world. What might help is to set the security level to High. Read on…

What I just now tried: I have a Page Rule that sets Security Level to “Under Attack” for wp-admin and wp-login. I added my home IP address to the Firewall Access Rules as a Whitelist. I can confirm I don’t get the Under Attack interstitial when I whitelisted my address.

So…Set your Security Level to Under Attack, and whitelist the US. I hope that works/helps.


#7

Ok. Will give it a shot.

Thanks for your valuable input. It means a lot!

Since I get a plethora of the LLC TC Interzvyazok Ukraine attacks a day, I am going to blacklist its ASN and monitor my logs to see if the actual requests are blocked.


#8

There’s not a way in which I can block more than one ASN on the same line in one shot rather than having to individually add them?


#9

Nope. I’m sure there’s some sort of technical reason for this, but you can’t combine multiple targets in one entry.


#10

You can script it against the API.

https://api.cloudflare.com/#user-level-firewall-access-rule-create-access-rule


#11

Hi cschariff,

My technical expertise is rudimentary. How would I be able to do that?

Thanks!


#12

Well you’d have to script it. I haven’t really seen any with ASNs, but there are a few around blocking IPs which is similar: https://gist.github.com/pjv/926ece8549cd45bac4821945f6ad253c

Also some automation using tools like fail2ban https://guides.wp-bullet.com/integrate-fail2ban-cloudflare-api-v4-guide/

Blocking countries is also available on the Business plan, but for non-biz you could also captcha non-US countries. Not quite the same as a block, but effective for blocking lots of malicious traffic.
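The scripting approach suggested in #10 and #12, written out as an added example (this is not code from the thread, from the linked gist, or from Cloudflare). It creates one IP Access Rule per target through the v4 API endpoint the thread links to, so a list of ASNs can be blocked in one run instead of one entry at a time as #9 describes. Assumptions: an API token with permission to edit firewall rules in the `CLOUDFLARE_API_TOKEN` environment variable, an optional zone ID in `CLOUDFLARE_ZONE_ID` (without it the rules are created at the user level, as in the linked API page), and the `POST .../firewall/access_rules/rules` request shape with `mode`, `configuration.target` and `configuration.value` fields. The ASNs in the placeholder list are documentation-reserved numbers (RFC 5398), not the ASNs of the ISPs named in #1.

```python
"""
Bulk-create Cloudflare IP Access Rules with the v4 API.

Added example, not code from the thread or from Cloudflare. It assumes:
  - an API token that may edit firewall rules, in CLOUDFLARE_API_TOKEN
  - a zone ID in CLOUDFLARE_ZONE_ID (omit it to create user-level rules instead)
The ASNs used below are documentation-reserved placeholders (RFC 5398),
not the ISPs discussed in the thread.
"""
import ipaddress
import json
import os
import re
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
VALID_MODES = {"block", "challenge", "js_challenge", "whitelist"}
# Cloudflare only accepts these prefix lengths for the ip_range target.
ALLOWED_PREFIXES = {4: {16, 24}, 6: {32, 48, 64}}


def classify_target(value):
    """Map a user-supplied value to an access-rule target type and a normalised value.

    Accepts ASNs ("AS12345"), ISO country codes ("UA"), single IPs and CIDR ranges.
    Raises ValueError for anything else so a typo never becomes a bogus rule.
    """
    v = value.strip()
    if re.fullmatch(r"(?i)as\d+", v):
        return "asn", v.upper()
    if re.fullmatch(r"[A-Za-z]{2}", v):
        return "country", v.upper()
    try:
        net = ipaddress.ip_network(v, strict=False)
    except ValueError:
        raise ValueError(f"unrecognised target: {value!r}") from None
    if net.num_addresses == 1:
        return "ip", str(net.network_address)
    if net.prefixlen not in ALLOWED_PREFIXES[net.version]:
        raise ValueError(f"Cloudflare does not accept a /{net.prefixlen} range: {value!r}")
    return "ip_range", str(net)


def build_rule(value, mode="block", notes=""):
    """Build the JSON body for POST .../firewall/access_rules/rules (one target per rule)."""
    if mode not in VALID_MODES:
        raise ValueError(f"unsupported mode: {mode!r}")
    target, normalised = classify_target(value)
    return {"mode": mode, "configuration": {"target": target, "value": normalised}, "notes": notes}


def _post_json(url, token, body):
    """Real HTTP sender: one POST per rule, bearer-token auth."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_rules(targets, token, zone_id=None, mode="block", notes="", send=_post_json):
    """Create one access rule per target; returns [(normalised value, API response), ...].

    `send` is injectable so the loop can be dry-run or tested without network access.
    """
    path = (f"/zones/{zone_id}/firewall/access_rules/rules" if zone_id
            else "/user/firewall/access_rules/rules")
    url = API_BASE + path
    results = []
    for target in targets:
        body = build_rule(target, mode, notes)
        results.append((body["configuration"]["value"], send(url, token, body)))
    return results


if __name__ == "__main__":
    # Placeholder targets (RFC 5398 ASNs, RFC 5737 range); replace with values from your own logs.
    targets = ["AS64496", "AS64497", "203.0.113.0/24"]
    token = os.environ.get("CLOUDFLARE_API_TOKEN")
    zone_id = os.environ.get("CLOUDFLARE_ZONE_ID")
    if not token:
        # Dry run: show the payloads that would be sent.
        for t in targets:
            print(json.dumps(build_rule(t, notes="bulk block from script")))
    else:
        for value, resp in create_rules(targets, token, zone_id, notes="bulk block from script"):
            print(value, "ok" if resp.get("success") else resp.get("errors"))
```

Each rule still carries exactly one target, matching what #9 says about the dashboard; the script only removes the manual repetition. Passing `mode="challenge"` with country codes gives the captcha-non-US-countries approach from #12, and calling `build_rule` with a single IP is the same request a fail2ban action would make per banned address.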


#13

Hi cschariff,

Thanks for the tips. I will look into this when time permits.


#14

This topic was automatically closed after 14 days. New replies are no longer allowed.