Possible IP address conflict with Sucuri Proxy IPs

1 month 1 day ago #7970 by azurelinksc
I've been having a problem with visitors being blocked (they see the "webmaster has forbidden" message) upon first visit to the site.

I have CPHulk rules set up in WHM, and there is also a Sucuri firewall installed by my hosting provider. I don't know if it is possible, but it appears that visitors, including myself, are being assigned what may be the same Sucuri Proxy IP address when they visit. If one of those visitors is an attacker, e.g., a bot, and triggers a log entry in SCP and eventually gets blacklisted in SCP, then everybody else who tries to access the site from the same proxy IP is automatically blocked.

Does that sound possible? Maybe the Sucuri firewall functions as a CDN and provides IP addresses?

I'm planning to disable the Sucuri firewall and see if the problem stops. I thought I would post this here and see what your thoughts are on the matter.

Thanks!

1 month 23 hours ago #7971 by Jose
Hi azurelinksc,

To avoid cases like yours I created the "Avoid proxies" option in the Global Configuration -> Tuning tab. If it's set to 'Yes' then the firewall will use the "remote_addr" header to determine the offensive IP. This could ban all users if, as is your case, you're behind a proxy or a CDN.

If the "Avoid proxies" option is set to "No" then the firewall will examine several headers (among others Cloudflare and Incapsula headers) to determine the real IP of the attacker. This is the most reliable way to determine the IP and should be used if possible.

Can you check what your setting is for the "Avoid proxies" option?

Regards,
Jose
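
An added example, not code from this thread or from the extension discussed: one way to choose the address a ban applies to, reading forwarding headers only when the direct peer is a known proxy, so that a proxy IP shared by all visitors is never the ban target. The proxy range is a constructed placeholder, and the header names and function names are assumptions to check against your proxy provider's documentation.

```python
import ipaddress

# Constructed placeholder (RFC 5737 documentation range); replace with the
# address ranges your proxy/CDN provider publishes.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed header names. List only headers your proxy sets or overwrites itself;
# any other header arrives unchanged from the visitor and can be forged.
CLIENT_IP_HEADERS = ["X-Sucuri-ClientIP", "X-Forwarded-For"]

def is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def _parse(value):
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def client_ip(remote_addr, headers):
    """Return the address that blocking decisions should apply to."""
    peer = ipaddress.ip_address(remote_addr)
    # A direct visitor controls every header, so ignore them all.
    if not is_trusted_proxy(peer):
        return str(peer)
    hdrs = {k.lower(): v for k, v in headers.items()}
    for name in CLIENT_IP_HEADERS:
        value = hdrs.get(name.lower())
        if not value:
            continue
        # Read right to left: the right-most entry was appended by our proxy,
        # entries further left may have been supplied by the visitor.
        for hop in reversed(value.split(",")):
            ip = _parse(hop)
            if ip is None:
                break  # malformed entry, stop trusting this header
            if not is_trusted_proxy(ip):
                return str(ip)
    # Nothing usable: the result is the proxy itself, which must not be banned.
    return str(peer)

def bannable(ip_str):
    """Banning a proxy address would lock out every visitor behind it."""
    return not is_trusted_proxy(ipaddress.ip_address(ip_str))
```
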
