I’m using fail2ban to block web vulnerability scanners. It is working correctly when visiting the site if CloudFlare is bypassed, but a user can still access it if going through it. I have mod_cloudflare installed.
Is it possible to block users with IPtables when using Cloudflare?
Ubuntu Server 12.04 32-bit
22.214.171.124 - - [29/Aug/2012:19:16:01 -0500] "GET /muieblackcat HTTP/1.1" 404 469 "-" "-"
[apache-probe] enabled = true port = http,https filter = apache-probe logpath = /var/log/apache2/access.log action = iptables-multiport[name=apache-probe, port="http,https", protocol=tcp] maxretry = 1 bantime = 30 # Test
[Definition] failregex = ^<HOST>.*"GET /muieblackcat HTTP/1.1".* ignoreregex =
The reason this isn’t working (and isn’t going to work) is that iptables operates on the IP address of the machine that directly connected to yours. If you’re using CloudFlare, this means you are receiving connections from CloudFlare, not directly from the end users.
Here’s an example, taken from one of my sites on CloudFlare:
::ffff:126.96.36.199 www.yes-www.org - [05/Sep/2012:21:50:50 +0000] "GET / HTTP/1.1" 200 9585 "http://no-www.org/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.8 (KHTML, like Gecko) Chrome/23.0.1251.2 Safari/537.8" "188.8.131.52"
Here we see that the connection was received from 184.108.40.206, one of CloudFlare’s servers. If this were blocked in iptables, then CloudFlare would not be able to reach us (from that address; fortunately they have many others). The connection to CloudFlare actually came from 220.127.116.11, which is what appeared in the X-Forwarded-For and CF-Connecting-IP headers.
Unfortunately in this sort of setup, this means you can’t really use iptables to block visitors. You do have a couple of options, though:
- Use CloudFlare’s Threat Control panel, as Damon mentioned. This gets painful if you have a lot of IP addresses you want to block, or they change frequently.
- Block the requests at the application level. Tools such as my own Bad Behavior can accomplish this sort of thing.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.