cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

cPHulkd: Trust X-Forwarded-For as the origin ip address when the request originates from CloudFlare

Keith Poole (Agilis IT) shared this idea 4 years ago
Open Discussion

The current issue is that brute force attacks can occur on https://customerdomain.tld, which may be (always in our case) behind a reverse-proxy such as CloudFlare.


When these get brute force attacked, cpsrvd reports the logins to cphulkd via a Unix socket, but cphulkd only actions on the REMOTE_ADDR, ignoring X-Forwarded-For.


This then means that when the IP address is blocked, being the IP of the reverse-proxy provider, MANY services are interrupted until the temporary ban is lifted.

Comments (4)

photo
1

I would like to add to this and request that cpHulk also include the X-Forwarded-For header in the notice emails that it generates. Even if cpHulk doesn't take actions on the X-Forwarded-For IP it should be included in notices so admins can have a clearer record that the request might have come from a proxy service.

photo
2

Performing actions based on the X-Forwarded-For header would be very dangerous because it is trivial to forge the header with any IP address that an attacker desires to use, including the white-listed IP address of an administrator allowing unlimited brute-force attacks on the server, or using the IP address of another user on the server resulting in a Denial of Service to that user. To prevent this problem you would need to be sure that all requests made to a service port come only from the reverse proxy and that it would not pass a forged X-Forwarded-For header to the back-end server.

photo
1

I think most of us well understand the implications of HTTP Headers. The fact remains that these headers are commonly used to expose and exchange information that can indeed be validated against other data that has some level of trust.


I for one would much rather see the "dangerous" information all in one place. As opposed to having to dig through the access log or build secondary automation to do it for me after the fact.


We already have a "whitelist" in cPHulk. That whitelist implies a certain level of trust, but that's an aside here. Why wouldn't an admin want to see this information in one place? Why wouldn't we want automation by which we could set "Trusted" networks to extract header information from?


Be it CloudFlare or a local install of nginx running proxy duty, or even just that old WHM option for Apache to run "Proxy sub-domains" for your cpanel account services... Another look at cPHulk and this feature request would be a reasonable request, I think.


Speaking to any security implications - these hypothetical options are only as dangerous as their default values make them. The safest defaults are always "disabled" until someone who knows what they're for comes along to configure them. And for anyone else a note warning them of this security implication should suffice.

photo
photo
1

X-Forwarded-For can be easily spoofed - a workaround would be to ONLY believe the X-Forwarded-For header value IF the originating IP is in the known CloudFlare IP ranges.

photo
1

Here's a potential workaround for the time being until cPanel do something more official...

https://www.aetherweb.co.uk/solved-cpanels-cphulk-cloudflare-and-x-forwarded-for/

Leave a Comment
 
Attach a file