
Cloudflare proxy ip ban

Hans Kloppenborg
Reply

Hello,

For a short while now we have had a customer who has added the Cloudflare proxy for security and IPv6 support.

Today we had the strange situation that our solution was no longer available under the www subdomain, only under the main domain.

After some heavy searching it appeared that the IP block file contained the proxy IP addresses of Cloudflare. Clearing the block file solved our problems.

Should the IP blocker not get the original IP address of the visitor rather than the proxy IP? I would like to hear how we can prevent one random hacking visitor from blocking everyone from visiting a Cloudflare-proxied website.

Greets Hans


Replies

 
Nicolai Pedersen
Reply

Yes it should... Will look into it.

 
Nicolai Pedersen
Reply

It seems to do that, at least in recent versions - see dump.

What version are you on, and do you have some log info on this, or a link to the solution?

Capture.PNG
 
Hans Kloppenborg
Reply

Hi Nicolai,

The solution is https://gbtwente.nl/ (DW 9.5.1). 

The IP ban log is as follows, where the 141.101 range seems to be Cloudflare (for example https://db-ip.com/all/141.101.105):

2019-10-24 21:46:59.7555|INFO|IpBanner|Banned ip: 141.101.105.239; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:00.0142|INFO|IpBanner|Banned ip: 172.69.55.153; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:00.2329|INFO|IpBanner|Banned ip: 141.101.77.157; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:00.4547|INFO|IpBanner|Banned ip: 172.69.55.99; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:00.9418|INFO|IpBanner|Banned ip: 141.101.76.189; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:01.1570|INFO|IpBanner|Banned ip: 141.101.105.35; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:01.3602|INFO|IpBanner|Banned ip: 141.101.77.145; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:01.5714|INFO|IpBanner|Banned ip: 141.101.104.150; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:02.3055|INFO|IpBanner|Banned ip: 162.158.111.132; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:03.6782|INFO|IpBanner|Banned ip: 141.101.104.136; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:03.9776|INFO|IpBanner|Banned ip: 172.69.55.81; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:15.3619|INFO|IpBanner|Banned ip: 141.101.76.33; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:16.2169|INFO|IpBanner|Banned ip: 141.101.104.170; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:20.0721|INFO|IpBanner|Banned ip: 141.101.104.198; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:20.6660|INFO|IpBanner|Banned ip: 141.101.104.64; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
2019-10-24 21:47:37.6362|INFO|IpBanner|Banned ip: 141.101.105.23; REASON: Injection ban: Match on 404;http://www.gbtwente.nl:443/admin/public/404.aspx?404;https://GBTwente:80/index.php?page ((?:\%27|\'|\%3B|\;|\%3D|%23|\-\-|UNION( +ALL){0,1})(?:[\W\s]+|$)*(?:union|select|update|delete|drop|insert|shutdown|exec|declare|cast|set|truncate|create|alter|grant|use|deny|waitfor|benchmark|having)(?:[\W\s]+|$))
 

 

Greets Hans

 
Nicolai Pedersen
Reply
This post has been marked as an answer

It was fixed in 9.5.6

Votes for this answer: 1
 
Hans Kloppenborg
Reply

Okay Nicolai,

Will plan an update then.

 
Hans Kloppenborg
Reply

Good morning Nicolai,

Sadly it seems the update does not help. We created an acceptance version on https://acceptance.gbtwente.nl/ and replaced the DW version with the latest 9.5.8 version (we did not want to upgrade to higher major versions since we are not sure of compatibility with our Rapido version). We coupled this to Cloudflare and did some "bad" things in URLs and forms. The result in the IP ban file looks like this (there is a lot more):


2019-10-30 09:01:16.0511|INFO|IpBanner|Banned ip:  141.101.104.196; REASON: Injection ban: Match on Search (\w*(?:\%27|\')[\W\s]*(?:\%6F|o|\%4F)(?:\%72|r|(?:\%52))[\W\s]|'[\W\s]*--|'[\W\s]*#)
2019-10-30 09:01:16.0998|INFO|IpBanner|Banned ip:  141.101.104.196; REASON: Injection ban: Match on Search (\w*(?:\%27|\')[\W\s]*(?:\%6F|o|\%4F)(?:\%72|r|(?:\%52))[\W\s]|'[\W\s]*--|'[\W\s]*#)
2019-10-30 09:01:32.7638|INFO|IpBanner|Banned ip:  162.158.111.132; REASON: Injection ban: Match on ID (\w*(?:\%27|\')[\W\s]*(?:\%6F|o|\%4F)(?:\%72|r|(?:\%52))[\W\s]|'[\W\s]*--|'[\W\s]*#)
2019-10-30 09:01:32.8151|INFO|IpBanner|Banned ip:  162.158.111.132; REASON: Injection ban: Match on 404;http://acceptance.gbtwente.nl:80/admin/public/404.aspx?404;http://gbtwente-acceptance:80/Default.aspx?ID (\w*(?:\%27|\')[\W\s]*(?:\%6F|o|\%4F)(?:\%72|r|(?:\%52))[\W\s]|'[\W\s]*--|'[\W\s]*#)
2019-10-30 09:05:23.7776|INFO|IpBanner|Banned ip:  141.101.104.180; REASON: Injection ban: Match on Search (((\%3C)|<|\[)((\%2F)|\/)*(?:script|url|a\W|img|svg|iframe)+.*?((\%3E)|>|\]))
2019-10-30 09:05:24.0901|INFO|IpBanner|Banned ip:  141.101.104.180; REASON: Injection ban: Match on Search (((\%3C)|<|\[)((\%2F)|\/)*(?:script|url|a\W|img|svg|iframe)+.*?((\%3E)|>|\]))
 

All the IP addresses banned are either Cloudflare France or Cloudflare Netherlands.

 

N.B. It almost seems as if Cloudflare automatically switches to another IP address after one gets blocked, since we ourselves never noticed that we were blocked. We were thinking we were too amateurish in our attempts to get a block, since we always got the website after our attempts. Only after checking the IP ban logs did we see what had happened.

Greets Hans

 

 
Lars Larsen
Reply

Hi

Is this issue fixed in v9.6.9?

 
Nicolai Pedersen
Reply

Yes, I believe so.

But if you use a proxy and all visitors come through the proxy IP, then just disable IP banning. Cloudflare should take care of the rest. You can also whitelist the Cloudflare IPs, at least in later versions of DW.

I would need to see all headers of a request in order to see if that particular setup is handled.
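The whitelist approach above amounts to keying the ban on the real client instead of the Cloudflare edge, and only trusting the forwarded headers when the peer really is a Cloudflare address. The following is an added Python example, not DynamicWeb's own code: the proxy ranges are an illustrative subset of Cloudflare's published list and the sample requests are constructed.

```python
import ipaddress

# Illustrative subset of Cloudflare's published IPv4 ranges; the 141.101.x,
# 162.158.x and 172.69.x addresses in the thread's log fall inside them.
# Assumption: production refreshes this from Cloudflare's official list.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13")]

def _parse(addr):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None

def is_trusted_proxy(addr):
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, headers):
    """Address an IP banner should key on: remote_addr is the TCP peer (a
    Cloudflare edge when proxied); forwarded headers are honoured only when
    that peer is a known proxy, otherwise a direct client could forge them
    to get someone else banned or to dodge its own ban."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    h = {k.lower(): v for k, v in headers.items()}
    if _parse(h.get("cf-connecting-ip", "")):
        return h["cf-connecting-ip"].strip()
    # X-Forwarded-For is "client, proxy1, proxy2": walk from the right,
    # skipping trusted hops; the first untrusted hop is the client.
    for hop in reversed(h.get("x-forwarded-for", "").split(",")):
        if _parse(hop) and not is_trusted_proxy(hop):
            return hop.strip()
    return remote_addr

def ban_keys(requests):
    """Distinct addresses the banner would block for these matches."""
    return {client_ip(peer, hdrs) for peer, hdrs in requests}

# Constructed requests: one scanner seen through three Cloudflare edges (as
# in the thread's log) and a direct client forging the Cloudflare header.
SAMPLE = [
    ("141.101.104.196", {"CF-Connecting-IP": "203.0.113.7"}),
    ("162.158.111.132", {"CF-Connecting-IP": "203.0.113.7"}),
    ("141.101.104.180", {"X-Forwarded-For": "203.0.113.7, 141.101.104.180"}),
    ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}),
]

if __name__ == "__main__":
    print(ban_keys(SAMPLE))  # {'203.0.113.7', '198.51.100.9'}
```

Keyed on the peer address alone, the same four matches would have banned three Cloudflare edges and left the scanner untouched, which is exactly the outage the thread describes.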

 
Lars Larsen
Reply

Hi Nicolai

Here are the two request headers logged by DW

Capture1.JPG Capture2.JPG
 
Nicolai Pedersen
Reply

And what IP gets banned when running that? And is that ALL your request headers?

 
