Cloudflare and Sucuri for security, DDOS and CDN

    I recently suffered massive and targeted DDOS attacks on my servers, rendering them useless.
    This is when I really discovered Cloudflare and Sucuri for security.
    In the past I had tried Cloudflare on both VB4 and VB5, but it was very hard to control the caching and security, and I was finding people couldn't log in or register in some cases and stuff wasn't updating right. So I ended up moving off Cloudflare, but I had never had any real issues with attacks.

    So along came the attacks, and the first thing I tried was moving my sites behind Cloudflare.
    My VB5 forum was not being attacked, so it was fine, and I was able to get it working well behind Cloudflare.

    The VB4 forum was under attack, so I moved the site under Sucuri.
    I found the forum worked better under Sucuri since they are not a CDN but only a security provider, and you can easily turn off their caching.
    Sucuri does not offer a free option, so you always have to pay at least $20 a month for service.
    I wasn't able to control the attacks under Sucuri, but I believe it was because I had their solution for attacks misconfigured.

    Cloudflare does offer free service to any site and allows you to register unlimited sites.
    They allow this to attract new customers, but also so they can advertise to enterprise customers about their data throughput capabilities.
    In the end I had about 20 interdependent sites on one server, so I ended up moving everything under Cloudflare since it was free.
    I do pay for some of my busier sites as it offers more options and rules.

    Cloudflare also makes it easier to block countries.
    You can create many rules, but for vBulletin the most useful is turning off all caching and security, at least to start with.
    The only way I can stop my forums from acting strangely is to turn most of the Cloudflare functionality off.
    You still benefit from the basic firewall functionality hiding your IP address and filtering out known attackers and attacks.
    My VB4 forums had a lot of spammers and bots, but Cloudflare significantly reduced that with no configuration.
    On VB5 there are basically no spammers or bots at all under Cloudflare, although there were not many before.

    #2
    So now I wanted to talk specifically about how a firewall will stop DDOS attacks.
    During my attacks I found that pretty much all solutions work in the same manner to block attacks, including Cloudflare, Sucuri and most others.

    You can use any firewall to do this, but a remote firewall is by far the best option.
    Using an on-server firewall can work, but then your server is still working hard to process all the blocks, so it is not as effective.

    The basic fix for DDOS using a firewall is:

    Rule 1: Deny all traffic.
    Rule 2: Allow only from specific IP addresses.

    It is that simple but maybe not easy to realize when you are suddenly under attack.

    I also found there is more documentation about Cloudflare than Sucuri, so it is better that way.

    It is possible to block everything and allow only Cloudflare IPs (for example) using CSF or Mod_security.
    My first solution for stopping the attacks was having my site behind Cloudflare, then blocking all access to my server in Mod_security, then allowing only Cloudflare IPs.
    This worked to stop the attacks, but I also blocked access to all other services on other ports, not just ports 80 and 443.

    After this I ended up just using the .htaccess file to filter traffic as the attacks were only on http, but directly on my ip address.

    So my .htaccess file is like so.

    Code:
    # Apache 2.2-style access control (mod_access_compat on Apache 2.4):
    # refuse every client except the Cloudflare edge ranges listed below,
    # so requests sent straight to the origin IP never reach the forum.
    order deny,allow
    deny from all
    Allow from 173.245.48.0/20
    Allow from 103.21.244.0/22
    Allow from 103.22.200.0/22
    Allow from 103.31.4.0/22
    Allow from 141.101.64.0/18
    Allow from 108.162.192.0/18
    Allow from 190.93.240.0/20
    Allow from 188.114.96.0/20
    Allow from 197.234.240.0/22
    Allow from 198.41.128.0/17
    Allow from 162.158.0.0/15
    Allow from 104.16.0.0/12
    Allow from 172.64.0.0/13
    Allow from 2400:cb00::/32
    Allow from 2405:8100::/32
    Allow from 2405:b500::/32
    Allow from 2606:4700::/32
    Allow from 2803:f800::/32
    Allow from 2c0f:f248::/32
    Allow from 2a06:98c0::/29

    Using Cloudflare to block your entire server is problematic, since you cannot block IPs anymore because you are only seeing Cloudflare IPs (or Sucuri or whatever).
    So it is hard to block anything when this happens, because you don't know the origin IP.
    Cloudflare does not offer a way anymore to get the real client IPs at the server level. They used to have a server plugin, but now that appears to be deprecated and not available anymore.

    They do however offer a way for web applications to get the proper IP addresses, which is beneficial to vBulletin users so they can block and manage real IP addresses.


      #3
      So specific to vBulletin, I found that in version 4.25 they had added support for reverse proxies to obtain the real client IP address.
      In the config file there is a section at the bottom, only in VB 4.25:

      Code:
      /* #### REVERSE PROXY IP ####
      If your use a system where the main IP address passed to vBulletin is the address of a proxy server
      and the actual 'real' ip address is passed in another http header then you enter the details here
      Enter your known proxy servers here. You can list multiple trusted IPs separated by a comma.
      You can also use the * wildcard (at the end of a definition only) or use the keyword 'all' to represent any ip address.*/
      $config['Misc']['proxyiplist'] = 'all';
      /* If the real IP is passed in a http header variable you can set the name here; */
      $config['Misc']['proxyipheader'] = 'HTTP_X_FORWARDED_FOR';
      So here you can set the header variable that holds the real client ip address.

      Sucuri and other similar types of services will have a different or similar header, but 'HTTP_X_FORWARDED_FOR' is the universal internet default and works for Cloudflare.
      However, Cloudflare also offers another header which may be more correct: 'CF-Connecting-IP'.
      'HTTP_X_FORWARDED_FOR' may not account for multiple proxy layers.

      I will also mention that Cloudflare offers an even better header variable for their Enterprise customers that is more accurate, apparently.
      What is True-Client-IP?
      If True-Client-IP is enabled, Cloudflare will add a True-Client-IP header in the request sent to the origin with the IP address of the end user.

      Connections from Cloudflare to origin servers come from Cloudflare IPs. True-Client-IP is a solution that allows Cloudflare users to see the end user’s IP address, even when the traffic to the origin is sent directly from Cloudflare.

      This feature supplements our current CF-Connecting-IP and X-Forwarded-For headers.
      There are also other header variables you cannot get as normal behind Cloudflare; you can get them through similar alternate header variables.

      If you're interested in the actual client (visitor) IP address, we recommend relying on the CF-Connecting-IP (or True-Client-IP) instead of X-Forwarded-For.
      As of VB 5.1.10 the /core/includes/config.php included this for reverse proxies,
      which also allows you to enter the trusted IPs for the proxies, allowing additional or primary security in your forum.

      Code:
      /* #### Reverse Proxy IP ####
      If your use a system where the main IP address passed to vBulletin is the address of a proxy server
      and the actual 'real' ip address is passed in another http header then you enter the details here */
      
      /* Enter your known proxy servers here. You can list multiple trusted IPs separated by a comma.
      You can also use the * wildcard (at the end of a definition only) or use the keyword 'all' to represent any ip address.*/
      $config['Misc']['proxyiplist'] = 'all';
      
      /* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */
      $config['Misc']['proxyipheader'] = 'HTTP_X_FORWARDED_FOR';
      Now, as I am upgrading to vBulletin 5.5.3, I see they have updated the config file to include specific support for Cloudflare and Sucuri, including known IP address ranges.
      So you have built-in security using Sucuri or Cloudflare right in the vBulletin config, offering excellent basic protection.
      In the release notes for vBulletin 5.5.3 I see:

      Proxy Support
      We have added support for Cloudflare and Sucuri proxies in the /core/includes/config.php file. These directives are commented out in the default file. Uncomment the block that you wish to use. Uncommenting will make them active. Only one can be active at a time.
      4418489-vbulletin-connect-5-5-3-is-now-available-for-download

      Here is what the VB 5.5.3 /core/includes/config.php file looks like now:

      Code:
      /* #### Reverse Proxy IP ####
      If your use a system where the main IP address passed to vBulletin is the address of a proxy server
      and the actual 'real' ip address is passed in another http header then you enter the details here */
      
      /*
          Enter your known proxy servers here. You can list multiple trusted IPs separated by a comma.
          You can also use the * wildcard (at the end of a definition only) or use the keyword 'all' to represent any ip address.
          Using all is generally not recommended for security reasons.
      */
      //$config['Misc']['proxyiplist'] = '127.0.0.1, 192.168.*, all';
      
      /* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */
      //$config['Misc']['proxyipheader'] = 'HTTP_X_FORWARDED_FOR';
      
      //Default proxy settings for common proxy providers.  Uncommenting this will override any previous proxy
      //configuration (and thus only one of them can be used).
      /*
      //default configuration for Cloudflare proxy.
      $config['Misc']['proxyiplist'] = '103.21.*, 103.22.*, 103.31.*, 104.16.*, 108.162.*, 131.0.*, ' .
          '141.101.*, 162.158.*, 172.64.*, 173.245.*, 188.114.*, 190.93.*, 197.234.*, 198.41.*, ' .
          '2400:cb00:*, 2405:b500:*, 2606:4700:*, 2803:f800:*, 2c0f:f248:*, 2a06:98c0:*';
      
      $config['Misc']['proxyipheader'] = 'HTTP_CF_CONNECTING_IP';
      */
      
      /*
      //default configuration for Sucuri Firewall
      $config['Misc']['proxyiplist'] = '192.88.134.2, 192.88.134.3, 192.88.134.4, 192.88.134.5, 192.88.134.6, ' .
          '192.88.134.7, 192.88.134.8, 192.88.134.9, 192.88.134.10, 192.88.134.11, 192.88.134.12, 192.88.134.13, ' .
          '192.88.134.14, 192.88.134.15, 192.88.134.16, 192.88.134.17, 192.88.134.18, 192.88.134.19, 192.88.134.20, ' .
          '192.88.134.21, 192.88.135.2, 192.88.135.3, 192.88.135.4, 192.88.135.5, 192.88.135.6, 192.88.135.7, ' .
          '192.88.135.8, 192.88.135.9, 192.88.135.10, 192.88.135.11, 192.88.135.12, 192.88.135.13, 192.88.135.14, ' .
          '192.88.135.15, 192.88.135.16, 192.88.135.17, 192.88.135.18, 192.88.135.19, 192.88.135.20, 192.88.135.21, ' .
          '185.93.228.2, 185.93.228.3, 185.93.228.4, 185.93.228.5, 185.93.228.6, 185.93.228.7, 185.93.228.8, 185.93.228.9, ' .
          '185.93.228.10, 185.93.228.11, 185.93.228.12, 185.93.228.13, 185.93.228.14, 185.93.228.15, 185.93.228.16, ' .
          '185.93.228.17, 185.93.228.18, 185.93.228.19, 185.93.228.20, 185.93.228.21, 185.93.229.2, 185.93.229.3, ' .
          '185.93.229.4, 185.93.229.5, 185.93.229.6, 185.93.229.7, 185.93.229.8, 185.93.229.9, 185.93.229.10, ' .
          '185.93.229.11, 185.93.229.12, 185.93.229.13, 185.93.229.14, 185.93.229.15, 185.93.229.16, 185.93.229.17, ' .
          '185.93.229.18, 185.93.229.19, 185.93.229.20, 185.93.229.21, 185.93.230.2, 185.93.230.3, 185.93.230.4, ' .
          '185.93.230.5, 185.93.230.6, 185.93.230.7, 185.93.230.8, 185.93.230.9, 185.93.230.10, 185.93.230.11, ' .
          '185.93.230.12, 185.93.230.13, 185.93.230.14, 185.93.230.15, 185.93.230.16, 185.93.230.17, 185.93.230.18, ' .
          '185.93.230.19, 185.93.230.20, 185.93.230.21';
      
      // Support Sucuri Firewall
      $config['Misc']['proxyipheader'] = 'HTTP_X_SUCURI_CLIENTIP';
      */

      Hopefully this is a good second post that helps someone.

      Sucks that you can't post external links here; my posts are not well supported without it.
      Plus I am committing high plagiarism without supporting links.
      It should be allowed!
      thanks
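As an added illustration (my own code, not vBulletin's and not the poster's), the Python below models the two decisions discussed in posts #2 and #3: the origin allow-list that "deny from all / Allow from <Cloudflare range>" expresses in .htaccess, and the proxyiplist / proxyipheader lookup that decides which address the forum logs and bans. It goes one step beyond the config text by walking an X-Forwarded-For chain from the right past trusted hops, which is why CF-Connecting-IP is the safer header and why 'all' is risky. All addresses, the subset of ranges, and the function names are constructed for this example.

```python
"""Model of the two access decisions described in posts #2 and #3.

Not vBulletin's code: it re-implements the semantics of the .htaccess
allow-list and of the proxyiplist / proxyipheader settings so they can be
tested offline. All addresses below are constructed samples.
"""
import ipaddress

# A few of the Cloudflare edge ranges quoted in post #2 (constructed subset,
# not an authoritative list; use the provider's published ranges in production).
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/12", "172.64.0.0/13",
    "2606:4700::/32", "2a06:98c0::/29",
)]


def origin_allows(peer_ip: str) -> bool:
    """Emulates 'order deny,allow / deny from all / Allow from <range>':
    the connection is accepted only if the TCP peer is inside a listed range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CDN_RANGES)


def peer_is_trusted_proxy(peer_ip: str, proxyiplist: str) -> bool:
    """vBulletin-style proxyiplist: comma-separated entries, each an exact
    address, a prefix with '*' at the end only, or the keyword 'all'."""
    for entry in (e.strip() for e in proxyiplist.split(",")):
        if entry == "all":
            return True
        if entry.endswith("*") and peer_ip.startswith(entry[:-1]):
            return True
        if entry == peer_ip:
            return True
    return False


def _valid_ip_or(candidate: str, fallback: str) -> str:
    """Accept a header value only if it parses as an IP; otherwise fall back."""
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return fallback


def real_client_ip(peer_ip: str, headers: dict, proxyiplist: str,
                   proxyipheader: str = "HTTP_X_FORWARDED_FOR") -> str:
    """Address the application should log or ban.

    The forwarded header is consulted only when the TCP peer is a trusted
    proxy; a direct client keeps its own address whatever headers it sends.
    """
    if not peer_is_trusted_proxy(peer_ip, proxyiplist):
        return peer_ip
    raw = headers.get(proxyipheader, "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if not hops:
        return peer_ip
    # X-Forwarded-For can be a chain "client, proxy1, proxy2", and a client may
    # pre-populate it before reaching the CDN. Walk from the right, skipping hops
    # that are themselves trusted proxies; the first non-proxy hop is the client.
    # CF-Connecting-IP / X-Sucuri-ClientIP carry a single value, so the loop
    # simply returns it. If every hop is "trusted" (the 'all' setting), the
    # leftmost, client-controlled value is all that is left to return.
    for hop in reversed(hops):
        if not peer_is_trusted_proxy(hop, proxyiplist):
            return _valid_ip_or(hop, peer_ip)
    return _valid_ip_or(hops[0], peer_ip)


def demo() -> dict:
    """Scenarios from the thread, with constructed addresses (TEST-NET ranges)."""
    cf_edge = "104.16.1.1"        # inside 104.16.0.0/12, a quoted Cloudflare range
    direct = "198.51.100.7"       # a client connecting straight to the origin
    visitor = "203.0.113.9"       # the real visitor behind the CDN
    cf_list = "103.21.*, 104.16.*, 172.64.*, 2606:4700:*"
    cf_hdr = "HTTP_CF_CONNECTING_IP"
    # Chain as a CDN would produce it when the visitor injected a fake first hop.
    chain = {"HTTP_X_FORWARDED_FOR": "192.0.2.5, " + visitor}
    return {
        # Post #2: the allow-list lets the CDN edge in and drops direct traffic.
        "edge_allowed": origin_allows(cf_edge),
        "direct_blocked": not origin_allows(direct),
        # Post #3: with proxyiplist='all' a direct client chooses what gets logged.
        "spoofed_with_all": real_client_ip(direct, {cf_hdr: visitor}, "all", cf_hdr),
        # Same request against a list limited to Cloudflare: header ignored.
        "ignored_with_list": real_client_ip(direct, {cf_hdr: visitor}, cf_list, cf_hdr),
        # Genuine CDN hop: the header is honoured.
        "via_cdn": real_client_ip(cf_edge, {cf_hdr: visitor}, cf_list, cf_hdr),
        # Walking the chain from the right returns the real visitor, not the fake.
        "xff_chain": real_client_ip(cf_edge, chain, cf_list),
        # The same chain under 'all' believes the forged first value.
        "xff_chain_all": real_client_ip(cf_edge, chain, "all"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway matches the comment vBulletin added in 5.5.3 ("Using all is generally not recommended"): whichever header you pick, the list of trusted proxies is what makes it safe to believe, so keep it to the provider's ranges and keep those ranges current.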
