Question CloudFlare and Fail2ban

MuddyMoe

New Pleskian
Server operating system version
AlmaLinux 9.4
Plesk version and microupdate number
Plesk Obsidian Version 18.0.62 #2
What is the best/most current approach to working with CloudFlare and Fail2Ban such that Fail2Ban doesn't ban CloudFlare IPs and Fail2Ban bans are passed on to CloudFlare?

Thank you!
 
Technically, you can exclude Cloudflare IPs from Fail2Ban in the /etc/fail2ban/jail.local file. To exclude them, simply add them to the [DEFAULT] section's ignoreip directive. Example:

[DEFAULT]
ignoreip = 34.147.110.144/28 ... and so on ... 127.0.0.1/8 ::1

The subnets that Cloudflare uses are listed here: IP Ranges

But: I recommend NOT to do this, because it will allow attackers to brute-force your server, as they also come through Cloudflare for domains that have their DNS with Cloudflare. When you list a CF subnet in ignoreip, requests coming from that IP range will be excluded from F2B, so attackers will have all the time they need to break into your server.

What I do recommend though is to exclude Google IP ranges from your server. Those can be found here: https://developers.google.com/search/apis/ipranges/googlebot.json
 
Thank you!! I have a follow up question. Does CloudFlare use Google IP ranges or do we have a separate set that we would need to exclude?
 
Cloudflare does not use Google IP ranges, but Google does. If you want your website indexed in Google, do not block the Google IP ranges.
 
It's worth noting that for many of us, Fail2Ban will end up blocking normal Cloudflare traffic and thus Fail2Ban is routinely deactivated. Therefore whitelisting Cloudflare IPs and reactivating Fail2Ban will actually increase protection, not decrease it.

Cloudflare is not typically an outbound service - unless users are using Zero Trust for general internet access, or possibly using applications. Using Cloudflare as DNS does not place Cloudflare between outbound requests from a server - so malicious traffic from a server where DNS is behind Cloudflare will use its original IP (unless some other spoofing is taking place).
 
@Bitpalast is right.

When you whitelist all Cloudflare IP ranges in Fail2Ban, you create a potential security vulnerability because any attacker using a Cloudflare-proxied connection would be exempt from Fail2Ban's protection mechanisms.

The reason this problem occurs is your proxied DNS record.

When a domain is proxied through Cloudflare, all traffic goes through Cloudflare's servers before reaching your origin server.

The solution (A) is to properly configure your web server to use the real visitor IP (CF-Connecting-IP header).

# mod_remoteip: make Apache report the real visitor address carried in the
# CF-Connecting-IP header instead of the Cloudflare edge address, so that
# Fail2Ban sees (and bans) the real client in the access log.
# RemoteIPHeader is only valid in server or virtual-host context, not in
# .htaccess, so put this in the vhost configuration (in Plesk: the domain's
# Apache & nginx Settings, additional directives).
<IfModule mod_remoteip.c>
    RemoteIPHeader CF-Connecting-IP
    # Only honour the header when the connection comes from Cloudflare's own
    # edge ranges; otherwise a client connecting straight to the origin can
    # forge it. Fill in the IPv4/IPv6 ranges from Cloudflare's IP Ranges page.
    # RemoteIPTrustedProxy <Cloudflare ranges from the IP Ranges page>
</IfModule>

# Fallback if mod_remoteip is not available. Note that this only exposes the
# header value as environment variables (for the application, or for a custom
# LogFormat using %{PROXY_REMOTE_ADDR}e); it does not change the client address
# Apache itself records.
<IfModule mod_setenvif.c>
    SetEnvIf CF-Connecting-IP ^(.*)$ REMOTE_ADDR=$1
    SetEnvIf CF-Connecting-IP ^(.*)$ PROXY_REMOTE_ADDR=$1
</IfModule>

OR quick and dirty solution (B): just disable the proxy in your A record, with all the downsides that this means
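To make the trade-offs discussed in this thread concrete (Cloudflare getting banned in a stock setup, the "ignoreip" approach letting proxied attackers through, and the real-IP approach fixing both), here is an added Python simulation. It is not code from the thread, from Plesk or from Fail2Ban: RFC 5737 documentation ranges stand in for the Cloudflare edge ranges, the log lines are constructed, and the extra trailing field carrying the CF-Connecting-IP header assumes an Apache LogFormat ending in "%{CF-Connecting-IP}i". The jail logic (count attempts per address, skip ignoreip, ban at maxretry) is a deliberately simplified model of Fail2Ban, and effective_source models mod_remoteip's RemoteIPHeader plus RemoteIPTrustedProxy. It goes one step beyond the thread: the last scenario shows why the header must only be trusted from Cloudflare's own ranges.

```python
"""Fail2Ban-style ban simulation for a Cloudflare-proxied origin (added illustration)."""
import ipaddress
import re
from collections import Counter

# Constructed placeholder networks (RFC 5737 documentation ranges), NOT real Cloudflare
# ranges. In production the trusted-proxy list is Cloudflare's published IP Ranges.
CF_EDGE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
LOCAL_IGNOREIP = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
MAXRETRY = 3  # ban after this many login attempts, like Fail2Ban's maxretry

# Combined-log-style line with one extra quoted field at the end holding the
# CF-Connecting-IP request header ("-" when absent), as an Apache LogFormat ending in
# "%{CF-Connecting-IP}i" would produce. The attempt rule is deliberately simple:
# every POST to /wp-login.php counts as one attempt.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cf_ip>[^"]*)"$'
)

# Constructed sample log: an attacker (203.0.113.77) and a legitimate visitor (192.0.2.5)
# both reach the origin through the Cloudflare edge 198.51.100.10; a third host
# (203.0.113.200) connects to the origin directly and sets CF-Connecting-IP to an
# innocent address (192.0.2.9).
SAMPLE_LOG = """\
198.51.100.10 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "203.0.113.77"
198.51.100.10 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "203.0.113.77"
198.51.100.10 - - [10/Oct/2024:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "203.0.113.77"
198.51.100.10 - - [10/Oct/2024:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "192.0.2.5"
198.51.100.10 - - [10/Oct/2024:13:55:41 +0000] "GET /index.php HTTP/1.1" 200 5678 "192.0.2.5"
203.0.113.200 - - [10/Oct/2024:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "192.0.2.9"
203.0.113.200 - - [10/Oct/2024:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "192.0.2.9"
203.0.113.200 - - [10/Oct/2024:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "192.0.2.9"
"""


def in_any(ip: str, networks) -> bool:
    """True if ip falls inside any of the given networks (mixed v4/v6 is fine)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def effective_source(peer: str, cf_ip: str, restore: bool, trusted) -> str:
    """Mimic mod_remoteip: replace the TCP peer with the CF-Connecting-IP value only when
    restore is on, the header holds a valid address and the peer is a trusted proxy.
    trusted=None means 'trust every peer', i.e. RemoteIPHeader without RemoteIPTrustedProxy."""
    if not restore or cf_ip in ("", "-"):
        return peer
    try:
        ipaddress.ip_address(cf_ip)
    except ValueError:
        return peer
    if trusted is None or in_any(peer, trusted):
        return cf_ip
    return peer


def simulate(log_text: str, ignoreip, restore: bool = False, trusted=None,
             maxretry: int = MAXRETRY) -> set:
    """Return the set of addresses a jail with these settings would ban."""
    attempts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/wp-login.php":
            continue
        source = effective_source(m["peer"], m["cf_ip"], restore, trusted)
        if in_any(source, ignoreip):  # ignoreip applies to the address the filter sees
            continue
        attempts[source] += 1
    return {ip for ip, n in attempts.items() if n >= maxretry}


def scenario_default() -> set:
    """Stock setup: the edge address is logged, so Cloudflare itself gets banned."""
    return simulate(SAMPLE_LOG, LOCAL_IGNOREIP)


def scenario_ignore_cloudflare() -> set:
    """Cloudflare ranges in ignoreip: the proxied attacker is never counted."""
    return simulate(SAMPLE_LOG, LOCAL_IGNOREIP + CF_EDGE_RANGES)


def scenario_remoteip_trusted() -> set:
    """Real IP restored, header trusted only from the edge ranges: the attacker is banned
    and the header sent by the direct client is ignored."""
    return simulate(SAMPLE_LOG, LOCAL_IGNOREIP, restore=True, trusted=CF_EDGE_RANGES)


def scenario_remoteip_untrusted() -> set:
    """Real IP restored but header trusted from anyone: a direct client can get an
    innocent address banned instead of its own."""
    return simulate(SAMPLE_LOG, LOCAL_IGNOREIP, restore=True, trusted=None)


if __name__ == "__main__":
    for fn in (scenario_default, scenario_ignore_cloudflare,
               scenario_remoteip_trusted, scenario_remoteip_untrusted):
        print(f"{fn.__name__:28s} bans {sorted(fn()) or 'nobody'}")
```

Run it as a script to see the four outcomes side by side. The two scenarios that matter for this thread are scenario_ignore_cloudflare, where the proxied attacker never accumulates a single counted attempt, and scenario_remoteip_trusted, where the same log bans the attacker's real address while the edge address and the legitimate visitor stay untouched.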
 