Hello Everyone,
Do you know what workers.dev is? https://workers.cloudflare.com/
It seems that someone (or more than one person) is using workers.dev to issue malicious HTTPS requests to our servers.
Our servers have IPv6 disabled in NetworkManager.
The "very" source IP is an IPv6 address, and it is listed inside /etc/httpd/conf/extra/httpd-cloudflare.conf under RemoteIPTrustedProxy.
Probably the original HTTP request is IPv4, but with X-Forwarded-For.
The customer domain/website is NOT using CloudFlare CDN.
We suspect someone can use (abuse) CloudFlare workers.dev as a forward proxy to issue malicious requests.
I tried creating a custom ModSecurity rule to block it and log the details in the modsec_audit log.
In the modsec_audit log, it looks like "Cf-Worker" is different across the malicious HTTP requests.
As the source IP is IPv6 (proxied) and our servers use IPv4 only, it is meaningless to block the IPv6 address via csf/lfd ipset.
As the customer site is NOT using CloudFlare CDN, it probably cannot use the CF_ENABLE cloudflare feature (in /etc/csf/csf.cloudflare) to block them.
(We believe some were SQL injection / XSS attempts, not simply wp-admin/setup-config.php.)
We are thinking of way(s) to block them (when the rate is high) without affecting legitimate workers.dev requests.
---
Below is an example of the HTTP requests, logged in the modsec_audit log.
Code:
[root@xxx ~]# grep workers.dev modsec_audit.log
{"transaction":{"time":"20/Feb/2025:23:39:42.026897 +0800","transaction_id":"Z7dMvrLsv30AKbUM03MhwgABOxU","remote_address":"2a06:98c0:x::x","remote_port":36850,"local_address":"a.a.a.a","local_port":443},"request":{"request_line":"GET /wordpress/wp-admin/setup-config.php HTTP/2.0","headers":{"Cf-Ray":"914f973a24f3c7ef-TLL","Cf-Ew-Via":"15","Cf-Worker":"ovatubu???.workers.dev","Accept-Encoding":"gzip, br","X-Forwarded-Proto":"https","Pragma":"no-cache","Cf-Visitor":"{\"scheme\":\"https\"}","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36","Cache-Control":"no-cache","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Language":"en-us,en;q=0.8,fr;q=0.5,fr-ca;q=0.3","Cdn-Loop":"cloudflare; loops=1; subreqs=1","Cf-Connecting-Ip":"2a06:98c0:3600::103","Host":"xxxxxxxx.com"}},"response":{"protocol":"HTTP/1.1","status":406,"headers":{"Content-Length":"249","Connection":"close","Content-Type":"text/html; charset=iso-8859-1","Date":"Thu, 20 Feb 2025 15:39:42 GMT","Server":"Apache/2"},"body":""},"audit_data":{"messages":["Access denied with code 406 (phase 2). [file \"/etc/modsecurity.custom.d/my-general-rules.conf\"] [line \"144\"] [id \"49900002\"] [msg \"My Rejected Request URI\"] [data \"host\"] [severity \"CRITICAL\"] [tag \"My Rejected Request URI\"]"],"action":{"intercepted":true,"phase":2,"message":"Matched phrase \"/wordpress/wp-admin/setup-config.php\" at REQUEST_URI."},"stopwatch":{"p1":442,"p2":599,"p3":0,"p4":0,"p5":82,"sr":103,"sw":0,"l":0,"gc":0},"response_body_dechunked":true,"producer":["ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/)","OWASP_CRS/3.3.5"],"server":"Apache/2","engine_mode":"ENABLED"}}
Thank you very much for your suggestion / advice.
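An added example (my own, not from the thread): a short Python script that reads audit-log entries of the shape shown above and looks for the pattern described, many different Cf-Worker names hitting the origin within a short window. In the logged entry both remote_address and Cf-Connecting-Ip fall in Cloudflare's 2a06:98c0 space, so per-IP blocking cannot separate one Worker from another, while keying on the worker name can. The sample entries are constructed with placeholder names, and the 60-second window and threshold of three distinct names are arbitrary starting values.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

TIME_FMT = "%d/%b/%Y:%H:%M:%S.%f %z"  # as in "20/Feb/2025:23:39:42.026897 +0800"

def parse_audit_line(line):
    """Return (timestamp, worker_name, path) for a request relayed by a
    *.workers.dev Worker, or None for non-JSON lines and direct requests."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    # ModSecurity keeps the sender's header casing, so compare lower-cased names.
    headers = {k.lower(): v for k, v in entry.get("request", {}).get("headers", {}).items()}
    worker = headers.get("cf-worker", "").lower()
    if not worker.endswith(".workers.dev"):
        return None
    ts = datetime.strptime(entry["transaction"]["time"], TIME_FMT)
    path = entry["request"]["request_line"].split(" ")[1]
    return ts, worker, path

def worker_bursts(lines, window_seconds=60, min_distinct=3):
    """Bucket workers.dev requests into fixed windows and return those with at
    least `min_distinct` different worker names, as {window_start_epoch:
    (request_count, distinct_workers)}. One stable name never trips this."""
    names, hits = defaultdict(set), Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        ts, worker, _ = rec
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        names[bucket].add(worker)
        hits[bucket] += 1
    return {b: (hits[b], len(w)) for b, w in names.items() if len(w) >= min_distinct}

def _entry(time, worker, path):
    """Constructed audit entry (placeholder values), trimmed to the fields read above."""
    return json.dumps({"transaction": {"time": time}, "request": {
        "request_line": f"GET {path} HTTP/2.0", "headers": {"Cf-Worker": worker}}})

SAMPLE_LOG = [  # constructed: three throwaway names within one minute, then one steady worker
    _entry("20/Feb/2025:23:39:42.026897 +0800", "alpha-example.workers.dev", "/wordpress/wp-admin/setup-config.php"),
    _entry("20/Feb/2025:23:39:47.100000 +0800", "beta-example.workers.dev", "/wp-login.php"),
    _entry("20/Feb/2025:23:39:55.500000 +0800", "gamma-example.workers.dev", "/xmlrpc.php"),
    _entry("20/Feb/2025:23:45:01.000000 +0800", "steady-example.workers.dev", "/api/status"),
    _entry("20/Feb/2025:23:45:30.000000 +0800", "steady-example.workers.dev", "/api/status"),
    "not json at all",
]
BURSTS = worker_bursts(SAMPLE_LOG)  # {1740065940: (3, 3)}: the 23:39 minute, 3 requests, 3 workers
```

The worker names collected from a flagged window can feed a ModSecurity rule that matches the Cf-Worker header (for example via @pmFromFile), which blocks those Workers while leaving other workers.dev traffic alone.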