
cPHulkd: Trust X-Forwarded-For as the origin IP address when the request originates from CloudFlare

Keith Poole (Agilis IT) shared this idea 3 years ago
Open Discussion

The current issue is that brute force attacks can occur on https://customerdomain.tld, which may be (always in our case) behind a reverse-proxy such as CloudFlare.


When these get brute force attacked, cpsrvd reports the logins to cphulkd via a Unix socket, but cphulkd only actions on the REMOTE_ADDR, ignoring X-Forwarded-For.


This then means that when the IP address is blocked, being the IP of the reverse-proxy provider, MANY services are interrupted until the temporary ban is lifted.

Comments (4)

1

I would like to add to this and request that cpHulk also include the X-Forwarded-For header in the notice emails that it generates. Even if cpHulk doesn't take actions on the X-Forwarded-For IP it should be included in notices so admins can have a clearer record that the request might have come from a proxy service.

2

Performing actions based on the X-Forwarded-For header would be very dangerous because it is trivial to forge the header with any IP address that an attacker desires to use, including the white-listed IP address of an administrator, allowing unlimited brute-force attacks on the server, or using the IP address of another user on the server, resulting in a Denial of Service to that user. To prevent this problem you would need to be sure that all requests made to a service port come only from the reverse proxy and that it would not pass a forged X-Forwarded-For header to the back-end server.

1

X-Forwarded-For can be easily spoofed - a workaround would be to ONLY believe the X-Forwarded-For header value IF the originating IP is in the known CloudFlare IP ranges.
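The check discussed in the two comments above, sketched as an added example (not cPanel or cPHulk code, and not part of any comment): the header is honoured only when the socket peer is inside a trusted proxy range, and the header is read from the right so a forged leading entry is never used. The function name and the proxy range (RFC 5737 documentation space) are assumptions; it also assumes the proxy appends the address it saw to any header the client sent.

```python
import ipaddress

# Constructed proxy range (RFC 5737 documentation space), standing in for
# the ranges the reverse-proxy provider publishes.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",)]


def _parse(value):
    """Return an ip_address object, or None if the text is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(addr, proxies):
    return any(addr in net for net in proxies)


def effective_client_ip(remote_addr, xff, proxies=TRUSTED_PROXIES):
    """Pick the address a brute-force counter should be keyed on."""
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("invalid REMOTE_ADDR: %r" % remote_addr)
    # Direct connection: the header is attacker-controlled, so ignore it.
    if not xff or not _is_trusted(peer, proxies):
        return str(peer)
    # Walk right to left: each proxy appends the peer it saw, so the
    # rightmost entries were written by infrastructure we trust.
    for hop in reversed(xff.split(",")):
        addr = _parse(hop)
        if addr is None:
            return str(peer)  # malformed entry: fall back to the socket peer
        if not _is_trusted(addr, proxies):
            return str(addr)
    return str(peer)  # every hop was a trusted proxy
```
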

1

Here's a potential workaround for the time being until cPanel do something more official...

https://www.aetherweb.co.uk/solved-cpanels-cphulk-cloudflare-and-x-forwarded-for/