New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Cloudflare WAF, random IP with access
So I was on Cloudflare, locking down a site in the WAF section, when I noticed in the Tools tab an IP address that is nothing to do with me with the statement "All websites in account" = allow.
I have 2FA on my account with a huge random password. Not sure what this is, or how it got there. Does anyone else have something similar?
Comments
Can you share the IP? (if it isn't yours)
Hmmm, maybe later. Until I figure out why it was there, for now I'll keep it quiet.
But when I lookup the IP it says it's administered by IOMART Group PLC
"No IP Access Rules" here.
https://developers.cloudflare.com/fundamentals/account-and-billing/account-security/review-audit-logs/
Probably a good place to start.
Thanks, that was sound advice. I checked and downloaded the CSV, searched it and the only record of it is from today when I deleted it.
The audit logs go back 18 months, which is good enough for most things I suppose, but whatever happened, it's no longer in the logs.
The account is only 19 months old, so I suspect whatever happened, it happened when I first signed up.
I think I’ve seen something similar when I managed CF from a host’s cPanel/DA (to allow updates of records between the two) ages ago though.
A while ago it used to be the case that adding a DNS record for an IP would also add that same IP as an IP Access Rule under Allow. Unsure why, but that's what it was.
See e.g. https://community.cloudflare.com/t/ip-access-rules-defaults/252990
Testing it now, however, I can't confirm that the same behaviour happens anymore. I would say if the IP is one of a server you control, don't worry about it because it was probably that. But if you've never done business with any company affiliated with the IP, go through the steps here just to be safe: https://developers.cloudflare.com/fundamentals/account-and-billing/account-security/securing-a-compromised-account/
Thanks, did most of the steps anyway, but there were a couple that I didn't think about.
The IP address is nothing to do with me. Do you think it's worth contacting IOMART to say the IP address might have been used for abuse? Or should I just assume it's a 14 yo hacker with a laptop, and put it down to bad luck and move on?
If your account is secured now, I'd just leave it. If there's nothing in audit logs then it would be so long ago I doubt IOMART cares anymore.
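The check discussed in this thread, as an added example that is not part of any post above: it goes through a list of IP Access Rules, flags every Allow rule whose address is not one you operate, and notes whether the rule's creation date is older than the audit-log window. The field names (`mode`, `configuration`, `scope`, `created_on`) and the `whitelist` mode value are assumed to match the JSON returned by Cloudflare's IP Access Rules list API; the sample rules, `KNOWN_NETWORKS` and the 548-day window are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "result" array of the IP Access Rules
# list API (assumed shape); addresses are documentation ranges, not real hosts.
SAMPLE_RULES = [
    {"id": "r1", "mode": "whitelist",
     "configuration": {"target": "ip", "value": "203.0.113.10"},
     "scope": {"type": "account"}, "created_on": "2024-06-01T10:00:00Z"},
    {"id": "r2", "mode": "whitelist",
     "configuration": {"target": "ip", "value": "198.51.100.77"},
     "scope": {"type": "account"}, "created_on": "2023-01-05T08:30:00Z"},
    {"id": "r3", "mode": "block",
     "configuration": {"target": "ip_range", "value": "192.0.2.0/24"},
     "scope": {"type": "zone"}, "created_on": "2024-07-01T00:00:00Z"},
]
KNOWN_NETWORKS = ["203.0.113.0/24"]    # assumption: networks you actually operate
AUDIT_RETENTION = timedelta(days=548)  # roughly the 18 months mentioned in the thread


def audit_allow_rules(rules, known_networks, now):
    """Return Allow rules whose target is not inside any known network."""
    known = [ipaddress.ip_network(n) for n in known_networks]
    findings = []
    for rule in rules:
        if rule["mode"] != "whitelist":  # assumed API name for "Allow"
            continue
        cfg = rule["configuration"]
        expected = False
        if cfg["target"] in ("ip", "ip6", "ip_range"):
            net = ipaddress.ip_network(cfg["value"], strict=False)
            expected = any(net.version == k.version and net.subnet_of(k)
                           for k in known)
        if expected:
            continue
        created = datetime.fromisoformat(rule["created_on"].replace("Z", "+00:00"))
        findings.append({
            "id": rule["id"],
            "value": cfg["value"],
            "account_wide": rule["scope"]["type"] != "zone",
            "created_on": rule["created_on"],
            # True means the audit log can no longer show who added the rule
            "predates_audit_log": now - created > AUDIT_RETENTION,
        })
    return findings


if __name__ == "__main__":
    for f in audit_allow_rules(SAMPLE_RULES, KNOWN_NETWORKS, datetime.now(timezone.utc)):
        print(f)
```

Allow rules that target an ASN or country are always reported, since they cannot be matched against a list of known networks.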