Hello,
Over the past 2 or 3 years, we've seen a dramatic increase in distributed brute force attacks towards WordPress websites and DoS attacks towards xmlrpc.php files. As you may know, these attacks send several requests per second and last for a few hours and sometimes even days. This often causes the server to overload, especially when multiple websites are targeted.
We've been able to mitigate/block these attacks using ModSecurity and CSF. ModSecurity would count the number of requests and CSF would block the attacker's IP after triggering ModSecurity a few times in a row.
The problem is when an attacked website is behind CloudFlare. In this case, ModSecurity and CSF block the attacker's IP by getting it from the X-Forwarded-For header, but the attackers are still able to access the web server and sites because their requests come through CloudFlare's IPs, which must be whitelisted and can bypass CSF.
I've asked CloudFlare for a solution, but unfortunately, they haven't found one.
The solution that I can think of would be to have LSWS get the IPs from csf.deny and apply them to LSWS's deny list. I'm not sure how, but I hope you can consider this as a feature request. I'm sure we're not the only ones affected by this.
Another solution would be to have LSWS watch the error_log and deny IPs that trigger ModSecurity multiple times; the same way CSF does.
I hope you understand the idea. Thank you in advance for your consideration.
Regards,
Stefan
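The two mechanisms the post asks for (apply csf.deny at the web-server layer, and count ModSecurity triggers from the error_log), as an added example in Python. This is not code from the post, from LiteSpeed, CSF or Cloudflare; it only illustrates the idea. Everything in it is an assumption: the csf.deny layout (one `IP[/prefix] # comment` per line), the Apache-style `[client IP[:port]] ModSecurity: Access denied` error_log line, the constructed sample data, the trusted-proxy range (a documentation prefix standing in for Cloudflare's published edge list), that the server honours Apache-style `Deny from` directives, and all function names.

```python
"""Hypothetical helper, added as an example; not code from LiteSpeed, CSF or
Cloudflare.  Builds an HTTP-layer deny list keyed on the real client IP from
(a) csf.deny and (b) ModSecurity "Access denied" lines in error_log, because
behind Cloudflare a packet-filter block on the attacker's IP never fires."""
import ipaddress
import re
from collections import Counter

# Constructed csf.deny sample.  Assumed layout: "IP[/prefix] # comment";
# comment lines and CSF's advanced "tcp|in|..." syntax are skipped.
CSF_DENY = """\
# csf.deny - constructed sample, not a real file
198.51.100.7 # lfd: (mod_security) triggered by 198.51.100.7
203.0.113.0/24 # manually added
tcp|in|d=22|s=203.0.113.77 # advanced entry, deliberately ignored here
"""

# Constructed error_log lines in the Apache-style layout ModSecurity 2.x writes;
# Apache 2.4 appends ":port" to the client address, older builds do not.
ERROR_LOG = """\
[Tue Mar 10 12:00:01 2015] [error] [client 203.0.113.9:51234] ModSecurity: Access denied with code 403 (phase 2). [id "1000"] [uri "/wp-login.php"]
[Tue Mar 10 12:00:02 2015] [error] [client 203.0.113.9:51240] ModSecurity: Access denied with code 403 (phase 2). [id "1000"] [uri "/wp-login.php"]
[Tue Mar 10 12:00:02 2015] [error] [client 203.0.113.9:51255] ModSecurity: Access denied with code 403 (phase 2). [id "1000"] [uri "/xmlrpc.php"]
[Tue Mar 10 12:00:03 2015] [error] [client 198.51.100.200] ModSecurity: Access denied with code 403 (phase 2). [id "1000"] [uri "/xmlrpc.php"]
[Tue Mar 10 12:00:04 2015] [error] [client 198.51.100.200] File does not exist: /var/www/html/favicon.ico
"""

# IPv4 with an optional ":port" suffix; IPv6 would need a different parse.
MODSEC_DENIED = re.compile(
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] ModSecurity: Access denied"
)

# Stand-in for Cloudflare's published edge ranges (constructed; load the real
# list at runtime).  Forwarded-IP headers are believed only from these peers.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_csf_deny(text):
    """Networks listed in csf.deny; comments and unparsable entries are dropped."""
    nets = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # not a plain IP/CIDR entry
    return nets


def count_modsec_hits(text):
    """Number of ModSecurity 'Access denied' events per client IP."""
    hits = Counter()
    for line in text.splitlines():
        m = MODSEC_DENIED.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def build_deny_list(csf_text, log_text, threshold=3):
    """csf.deny entries plus clients with >= threshold denials, collapsed
    into the smallest set of CIDRs (per IP version), as strings."""
    nets = parse_csf_deny(csf_text)
    for ip, n in count_modsec_hits(log_text).items():
        if n >= threshold:
            nets.add(ipaddress.ip_network(ip))
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out += [str(n) for n in ipaddress.collapse_addresses(same)]
    return out


def real_client_ip(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Address to check against the deny list.  The forwarded header counts only
    when the TCP peer is a trusted proxy; otherwise a client that reaches the
    origin directly could spoof X-Forwarded-For to dodge (or cause) a block."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in trusted_proxies):
        fwd = headers.get("CF-Connecting-IP") or headers.get("X-Forwarded-For", "")
        try:
            return str(ipaddress.ip_address(fwd.split(",")[0].strip()))
        except ValueError:
            pass  # missing or malformed header: fall back to the peer
    return str(peer)


def is_denied(client_ip, deny_cidrs):
    """True when client_ip falls inside any CIDR of the generated deny list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c) for c in deny_cidrs)


if __name__ == "__main__":
    for cidr in build_deny_list(CSF_DENY, ERROR_LOG):
        print("Deny from", cidr)  # Apache-style directive, assumed .htaccess-compatible
```

The point of `real_client_ip` is the part the firewall-level approach cannot do: the deny decision has to be made where the forwarded client address is known, and that header is only safe to trust when the TCP peer really is one of the proxy's addresses; otherwise a direct request to the origin with a forged X-Forwarded-For would sidestep the block. In a real deployment, the output would be refreshed on a timer (or on each lfd block), and the Cloudflare range list would be loaded from the published source rather than the constructed stand-in.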