castris
Verified User
IPv6 Client Blocking Issue on IPv4-Only Server (DirectAdmin + Nginx + ModSecurity + CSF + Cloudflare)
1. PROBLEM SUMMARY
On a DirectAdmin server with Nginx + ModSecurity + CSF, when traffic arrives through Cloudflare from IPv6 clients, the system only logs and processes the original client's IPv6 address.
ISSUE: The server does NOT have IPv6 enabled at the network level, so CSF firewall CANNOT effectively block these IPv6 addresses, leaving the server vulnerable to repeated attacks from the same IPs.
EXPECTED BEHAVIOR: Nginx/ModSecurity should be able to obtain or generate a usable IPv4 address for firewall blocking, since:
- DirectAdmin and Nginx document Cloudflare support
- Backend server only operates with IPv4
- CSF needs IPv4 addresses for effective blocking
2. SYSTEM CONFIGURATION
Operating System: Ubuntu 24.04.3 LTS
Nginx: nginx/1.29.3 (OpenSSL 3.0.13)
ModSecurity: v3.0.14 with connector nginx v1.0.4
OWASP CRS: 4.20.0
CSF: v15.05 (DirectAdmin)
DirectAdmin: CustomBuild
Network configuration:
- Server only has IPv4: 5.135.93.85/26
- NO global IPv6 addresses configured
- CSF configured with IPV6 = "0"
Nginx configuration (/etc/nginx/nginx-cloudflare.conf):
Code:
real_ip_header X-Forwarded-For;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 104.16.0.0/13;
[... Cloudflare IPv4 ranges ...]
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2a06:98c0::/29;
[... other Cloudflare IPv6 ranges ...]
3. CURRENT BEHAVIOR (PROBLEMATIC)
Connection flow:
- Client with IPv6 (e.g., 2a06:98c0:3600::103) → Cloudflare
- Cloudflare → Server (IPv4 connection from Cloudflare range)
- Cloudflare sends headers: X-Forwarded-For: 2a06:98c0:3600::103
- Nginx processes real_ip_header and obtains: 2a06:98c0:3600::103
- ModSecurity detects attack and logs IP: 2a06:98c0:3600::103
- ModSecurity/LFD adds to CSF: 2a06:98c0:3600::103
- CSF CANNOT block (server without functional IPv6)
Evidence in logs:
Nginx access log:
Code:
2a06:98c0:3600::103 - - [22/Nov/2025:06:01:18 +0100] "GET /wordpress/wp-admin/setup-config.php HTTP/2.0" 406 558
ModSecurity error log:
Code:
[client 2a06:98c0:3600::103] ModSecurity: Access denied with code 406 (phase 2)
[id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
CSF deny list:
Code:
2a06:98c0:3600::103 # BFM: mod_security1=1211 - Sat Nov 22 04:01:32 2025
Result:
- NO effective rule for 2a06:98c0:3600::103 in ip6tables
- Server does not accept IPv6 connections
- CSF blocking is completely USELESS
Attack statistics:
- 72+ attempts blocked by ModSecurity from same IPv6
- 0 effective firewall-level blocks
- Attacker can continue indefinitely
4. EXPECTED BEHAVIOR
OPTION 1 (PREFERRED): Cloudflare Pseudo IPv4
- Cloudflare has a "Pseudo IPv4" feature that generates a consistent IPv4 address from an IPv6 address
- Nginx should be able to receive this IPv4 instead of / in addition to the IPv6
- Question: Is there an Nginx configuration to prefer IPv4 when available?
OPTION 2: ModSecurity/Nginx converts IPv6 to IPv4 identifier
- Generate consistent hash/transformation from IPv6 → IPv4
- Allow effective blocking in IPv4-only firewall
OPTION 3: Clear documentation
- If obtaining IPv4 is NOT possible, clearly document that:
- IPv4-only servers CANNOT effectively block IPv6 clients
- CSF/ModSecurity must be configured differently in these scenarios
- IPv6 on server or alternative solutions required (rate limiting)
5. SPECIFIC TECHNICAL QUESTIONS
For DirectAdmin:
- How should nginx-cloudflare.conf be configured on IPv4-only servers?
- Is there integration with Cloudflare Pseudo IPv4?
- How to handle ModSecurity blocks when CSF cannot block IPv6?
For Nginx:
- Can real_ip_header prefer IPv4 when multiple IPs are available?
- Is there a module/configuration to convert IPv6 to IPv4-blockable format?
- Is it possible to configure different real_ip_header per vhost in shared hosting?
6. CURRENT WORKAROUNDS (SUBOPTIMAL)
Temporary #1: Disable LF_MODSEC_PERM
- CSF doesn't add permanent ModSecurity blocks
- ModSecurity still blocks each attempt (406)
- Attacker can retry indefinitely
Temporary #2: Rate limiting in Nginx
- Limit requests per IP (works with IPv6)
- Not real blocking, just throttling
- More server load
Temporary #3: Disable nginx-cloudflare.conf
- Only viable if NO domain uses Cloudflare proxy
- Loses functionality for domains that do use Cloudflare
7. REQUEST
Please provide:
- Recommended solution or configuration for this scenario
- Documentation on limitations of IPv4-only servers with Cloudflare
- Roadmap if this is a pending feature to implement
I'm available to provide more information, logs, or perform tests.
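As an added illustration (not part of the post above, nor DirectAdmin/CSF code), the snippet below shows the selection logic that Option 1 asks for and an audit of the gap described under "Result". It assumes the Cloudflare header names Cf-Pseudo-IPv4 (present only when the zone's Pseudo IPv4 setting is "Add header") and Cf-Connecting-IP; the csf.deny sample is constructed from the post's own entry plus a placeholder IPv4 line.

```python
import ipaddress
from typing import Optional

# Order of preference for the client address on a Cloudflare-proxied request.
# Cf-Pseudo-IPv4 only exists when the zone uses Pseudo IPv4 = "Add header";
# with "Overwrite headers" Cloudflare rewrites Cf-Connecting-IP itself.
CANDIDATE_HEADERS = ("cf-pseudo-ipv4", "cf-connecting-ip", "x-forwarded-for")

def choose_blockable_ip(headers: dict, server_has_ipv6: bool = False) -> Optional[str]:
    """Pick the client address an IPv4-only firewall can actually enforce.

    Prefers the pseudo IPv4 header, then Cf-Connecting-IP, then the first hop
    of X-Forwarded-For. Returns None when every usable candidate is IPv6 and
    the server cannot enforce IPv6 rules (the situation in the post).
    """
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for name in CANDIDATE_HEADERS:
        raw = lowered.get(name)
        if not raw:
            continue
        first_hop = raw.split(",")[0].strip()               # XFF may carry a proxy chain
        try:
            addr = ipaddress.ip_address(first_hop)
        except ValueError:
            continue                                        # malformed value: try next header
        if addr.version == 4 or server_has_ipv6:
            return str(addr)
    return None

def audit_csf_deny(lines, csf_ipv6_enabled: bool = False) -> list:
    """Return csf.deny entries that CSF cannot enforce: IPv6 entries while IPV6 = "0"."""
    ineffective = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()               # drop the "# BFM: ..." comment
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # accepts single IPs and CIDRs
        except ValueError:
            continue
        if net.version == 6 and not csf_ipv6_enabled:
            ineffective.append(entry)
    return ineffective

# Constructed sample: the first line is the entry quoted in the post, the second is a placeholder.
SAMPLE_DENY = [
    "2a06:98c0:3600::103 # BFM: mod_security1=1211 - Sat Nov 22 04:01:32 2025",
    "203.0.113.7 # placeholder IPv4 entry (constructed)",
    "# comment-only line",
]
```

Running audit_csf_deny over the real /etc/csf/csf.deny on an IPV6 = "0" host lists exactly the entries that produce no ip6tables rule.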