I've been having a problem with visitors being blocked (they see the "webmaster has forbidden" message) upon first visit to the site.
I have CPHulk rules set up in WHM, and there is also a Sucuri firewall installed by my hosting provider. I don't know if it is possible, but it appears that visitors — including myself — are being assigned what may be the same Sucuri Proxy IP address when they visit. If one of those visitors is an attacker, e.g., a bot, and triggers a log entry in SCP and eventually gets blacklisted in SCP, then everybody else who tries to access the site from the same proxy IP is automatically blocked.
Does that sound possible? Maybe the Sucuri firewall functions as a CDN and provides IP addresses?
I'm planning to disable the Sucuri firewall and see if the problem stops. I thought I would post this here and see what your thoughts are on the matter.
To avoid cases like yours I created the "Avoid proxies" option in the Global Configuration -> Tuning tab. If it's set to 'Yes' then the firewall will use the "remote_addr" header to determine the offensive IP. This could ban all users if, as is your case, you're behind a proxy or a CDN.
If the "Avoid proxies" option is set to "No" then the firewall will examine several headers (among others Cloudflare and Incapsula headers) to determine the real IP of the attacker. This is the most reliable way to determine the IP and should be used if possible.
Can you check what your setting for the "Avoid proxies" option is?
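
The difference between the two settings, as an added example that is not part of the thread and not the firewall's own code: `use_headers=False` keys bans on the connecting address (the behaviour described for "Avoid proxies" = Yes), `use_headers=True` reads forwarding headers. The header list, the `TRUSTED_PROXIES` range and the rule that headers are honoured only when the connection comes from that range are assumptions of this sketch; all addresses are constructed documentation values.

```python
import ipaddress

# Constructed placeholder for the proxy/CDN egress range (RFC 5737 block).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed header list; the firewall's real list is not given in the thread.
CLIENT_IP_HEADERS = ("CF-Connecting-IP", "X-Forwarded-For")


def _is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers, use_headers=True):
    """Return the address a ban should be keyed on."""
    if not use_headers or not _is_trusted_proxy(remote_addr):
        # Headers from an unknown peer are client-controlled: ignore them.
        return remote_addr
    for name in CLIENT_IP_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        # A forwarding chain is read right to left, skipping our own proxies,
        # so a forged leftmost entry cannot shift the ban onto someone else.
        for hop in reversed([h.strip() for h in value.split(",")]):
            try:
                if not _is_trusted_proxy(hop):
                    return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed entry: stop trusting this header
    return remote_addr


# Constructed sample traffic: (connecting address, request headers).
REQUESTS = [
    ("192.0.2.10", {"X-Forwarded-For": "198.51.100.7"}),    # bot via proxy
    ("192.0.2.10", {"X-Forwarded-For": "203.0.113.20"}),    # visitor via proxy
    ("192.0.2.10", {"X-Forwarded-For": "10.0.0.1, 203.0.113.99"}),  # forged hop
    ("203.0.113.50", {"X-Forwarded-For": "198.51.100.7"}),  # direct, spoofed
]


def ban_keys(use_headers):
    """Address each sample request would be logged and banned under."""
    return [client_ip(addr, hdrs, use_headers) for addr, hdrs in REQUESTS]
```

With `ban_keys(False)` the first three requests all map to the proxy address, so banning the bot bans every visitor behind that proxy; with `ban_keys(True)` each visitor gets a distinct key and the spoofed header on the direct connection is ignored.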