CD
Cloudflare Developers15mo ago
goodboygoodenergies

CloudFlare Proxy address blocked after implementing IPBAN?

Hi, yesterday we implemented IPBAN (https://github.com/DigitalRuby/IPBan/) on some of our Windows servers to automatically block dodgy IPs from hitting our servers. Today, some of our customers were complaining that they couldn't access their portal, served by IIS. When we turned off the firewall rules created by IPBAN, customers could immediately access their portals again. The only thing I can imagine is that somehow a CloudFlare proxy address was blocked? But none of the addresses recored by IPBAN, correspond to the addresses listed on the CloudFlare IP page (https://www.cloudflare.com/ips/). Does anyone have any advice on where we can look to narrow down the cause of the problem? Thanks
GitHub
GitHub - DigitalRuby/IPBan: Since 2011, IPBan is the worlds most tr...
Since 2011, IPBan is the worlds most trusted, free security software to block hackers and botnets. With both Windows and Linux support, IPBan has your dedicated or cloud server protected. Upgrade t...
2 Replies
DarkDeviL
DarkDeviL15mo ago
The Cloudflare IP page, as you mention, does not list individual IP addresses, but subnets / network ranges, containing many addresses at once. 162.158.0.0/15 covers for example 162.158.0.0 - 162.159.255.255, or, wildcard-like, both 162.158.* and 162.159.*, in total 131'072 individual IPv4 addresses.. Similarly, 172.64.0.0/13 covers for example 172.64.0.0 - 172.71.255.255, or, wildcard-like, 172.64.*, 172.65.*, 172.66.*, ... and so on, up to, and including 172.71.*, in total 524'288 individual IPv4 addresses. From looking at e.g. IPBan, their claims, such as for example on https://github.com/DigitalRuby/IPBan/wiki/Force+Ban+or+Unban, it sounds like IPBan is only working around with individual IP addresses, and not network ranges. I find it hard to believe that anyone (including, but not limited to IPBan) would limit their thing to operate only on individual IP addresses (and not subnets/ranges), especially in 2023, but it does sound that way. And, that would, if understood well, mean that in order to use IPBan, you would need to create a such unban.txt file, with well over 1 million lines, simply to account for (and ignore) Cloudflare IP addresses. If your website (served by ISS) is being run behind Cloudflare, using Proxied cloudflare records, then it is likely that your logs are showing the IP addresses of the Cloudflare Proxy, and as such, banning the Proxy when people try things on your website. Depending on how IPBan does it's tricks, something like e.g. https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/ could MAYBE be enough to solve the issue. If the Restoring original visitor IPs link above doesn't provide any success, and given that you have indicated that it works fine, when you disable IPBan again, the conflict is within IPBan to be found, and would be something you need to take up with the IPBan team.
goodboygoodenergies
goodboygoodenergiesOP15mo ago
Thanks for the response. To be clear, I have checked each of the individual IPs blocked by IPBan, against the ranges specified in the CloudFlare page - none of the blocked IPs, are inside the ranges specified. The app config for IPBan indicates it supports CIDR blocks for whitelisting: <!-- Comma separated list of ip addresses, cidr masks, urls or dns names that are never banned. Whitelist takes precedence over blacklist. If you use a url, the response should be text and newline delimited, example: https://uptimerobot.com/inc/files/ips/IPv4andIPv6.txt. For urls, ? char is not allowed, so if you need a query string, you must create a non ? url and have it 302 redirect to the new url with a ? in it. Ips in this list are added to a whitelist firewall rule and will always be allowed. --> <add key="Whitelist" value=""/>

Did you find this page helpful?