So I recently made a change to this blog in an attempt to try a new service I heard about named Cloudflare. I’m still putting together my full thoughts on the service, but I think it’s something more and more people should look at using, and it has a high recommendation from me at the moment.
One major thing I didn’t at first realize was that it would break the brute force defense method I talked about in a previous post. I noticed this when I couldn’t log into my own admin section for this blog.
I put it off for a bit because I wasn’t sure how I wanted to fix this issue (and have been busy with a million other things), but then I saw a tweet from Cloudflare that linked to some useful information, which gave me the inspiration I needed to get to work.
So here is an update to the .htaccess file that I am now using for this blog to stop any attempted brute force attacks.
I’m using the originating IP information passed on by Cloudflare (the CF-Connecting-IP header) to control access, instead of just the IP address of whoever is connecting to Apache (which is now one of Cloudflare’s servers).
So if you switch over to Cloudflare (which I hope you will after my next posts) and still want to keep your admin safe from attacks, you now have a proper solution.
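One way to write such a rule, added here as an illustration rather than the post’s own .htaccess: 203.0.113.10 is a placeholder for the admin’s real address, and the environment variable name admin_ok and the Apache 2.2/2.4 split are my assumptions. It relies on the origin accepting connections only from Cloudflare’s network, because CF-Connecting-IP is just a request header on a direct connection.

```apache
# Added example: restrict the admin directory to one originating address as reported
# by Cloudflare. Goes in the .htaccess of the admin directory (or a <Directory> block).
# 203.0.113.10 is a placeholder; replace it with your own public IP.
#
# The header is only trustworthy if Apache accepts connections from Cloudflare's
# published address ranges alone; firewall the origin accordingly, otherwise the
# value carries no guarantee.
#
# .htaccess use needs AllowOverride FileInfo (SetEnvIf) plus Limit (2.2) or
# AuthConfig (2.4) on the directory.

# Flag requests whose CF-Connecting-IP matches the permitted address exactly.
# The regex is anchored so that 203.0.113.100 does not also match.
SetEnvIf CF-Connecting-IP "^203\.0\.113\.10$" admin_ok=1

# Apache 2.2 (mod_authz_host): deny everyone except flagged requests.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from env=admin_ok
</IfModule>

# Apache 2.4 (mod_authz_core): the same policy in the newer syntax.
<IfModule mod_authz_core.c>
    Require env admin_ok
</IfModule>
```

Requests from any other originating address receive a 403 from Apache before the login form is ever served, which is the same effect the original REMOTE_ADDR-based rule had.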
*** UPDATE ***
As mentioned by @eastdakota, you can still use the previous method if you install mod_cloudflare, which makes the Remote Address the same as the CF-Connecting-IP header. This also fixes log issues where everything looks like it came from Cloudflare, and can fix a few apps that use the remote address for other things.
Personally, I didn’t go this way because I’m not a huge fan of installing anything that’s not a managed package (in my case, on Debian) on a server. For me, it’s very easy to forget that I need to look for updates for things I can’t easily get through apt, and I don’t want to leave a security vulnerability or other issue because of it. I’m not saying mod_cloudflare would do that, as it’s not super complex, but when I have other options, that’s what I prefer to use. Also, not everyone has the access with their host, or the knowledge, to do that.