I can't figure this out at all. I've tried everything I can think of. I still get bizarre IP addresses in my log files. It's making it very difficult to protect against attacks because I cannot see the real IPs of the attackers unless I screw around with tcpdump.
Although installed and enabled, mod_cloudflare is not passing the correct IP addresses to the apache2 log files at all.
I am seeing a lot of IP addresses like 18.104.22.168 which I know are not correct. My test method is to use 'curl' with long, easily identifiable URLs that no regular visitor (or attacker) would be likely to visit and then check my log files. At the same time as my tests I'm getting bizarre IP addresses that have nothing to do with the hosts I'm performing the tests from. Why is this happening?
mod_cloudflare is definitely installed on Ubuntu 14.04 running apache2. I have never seen this before.
The strange, unrecognized IP addresses are often coming from Amazon data centers - I guess CloudFlare servers are often located in Amazon data centers?
Here is what I'm getting when I verify that the cloudflare module is enabled:
[email protected]:/var/log/apache2# apache2ctl -M | grep cloud
I tried using tcpdump and looked for a packet containing an HTTP header. It looks like it works, but I am still not getting legit IPs in my logs...
User-Agent: Podcasts/1075.33 CFNetwork/758.1.6 Darwin/15.0.0 X-Middleton/1
Cookie: __cfduid=dcd6e93c799b853cb0f57c6bb3a91cd891449138442; ezouid=1146425940; l$
If-Modified-Since: Mon, 30 Nov 2015 11:28:06 GMT
X-Forwarded-For: 2602:306:8b00:64b0:6596:26d9:496b:156b, 2602:306:8b00:64b0:6596:2$
That one looks like it has an IPv6 address. I never saw IPv6 in my logs before but otherwise it looks right to me. I continued looking and I found one with a regular IP and it also looks right. But somehow I am not getting the correct IP addresses in my logs. How can this be?
Cookie: ezouid=1006370956; lp=http://www.mysite.com.com/about
X-Forwarded-For: 22.214.171.124, 126.96.36.199
In this second case it definitely appears to be correct because the user agent is Googlebot, the IP is owned by Google, and infosniper.net recognizes it as a Googlebot IP.
So what can be going on here? I just grepped my access log for the second IP, 188.8.131.52 and it's nowhere to be found.
I repeated my own test while running tcpdump. I can see my real IP in the tcpdump. I can find the exact same request in the access log, but it does NOT have my real IP attached to it. How can this be?
www.mysite.com:80 184.108.40.206 - - [03/Dec/2015:22:05:44 +0300] "GET /this_is_a_long_testing_URL_for_capturing_packets_HA4
220.127.116.11 is definitely not my IP. It doesn't appear in any of the cloudflare headers at all. It also doesn't appear anywhere in the packet capture dump either.
Can anyone describe how to further troubleshoot or fix this?
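One check worth making before anything else is which address the TCP connection to Apache actually comes from. mod_cloudflare (like mod_remoteip) only replaces the logged client address when the connecting peer is in its trusted proxy list (Cloudflare's edge ranges, plus anything added with CloudFlareRemoteIPTrustedProxy); a request that reaches Apache from any other address is logged with that address, whatever CF-Connecting-IP or X-Forwarded-For carry. The script below is an added illustration of that rule, not code from the question or from mod_cloudflare itself; the trusted ranges and the log lines in it are constructed for the demo (use the current list from https://www.cloudflare.com/ips/ for real checks), and it shows what the log records for a trusted peer, an untrusted peer, and a multi-hop X-Forwarded-For chain.

```python
#!/usr/bin/env python3
"""Model of the trusted-proxy rule an Apache RemoteIP-style module
(mod_cloudflare, mod_remoteip) applies when choosing the address to log.
Illustration only; not the module's own code."""
import ipaddress
import re

# Constructed sample of trusted proxy ranges (an assumption for the demo, not the
# live Cloudflare list). mod_cloudflare ships its own Cloudflare ranges and accepts
# extra ones through CloudFlareRemoteIPTrustedProxy.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22",
    "173.245.48.0/20",
    "2400:cb00::/32",
)]


def parse_ip(text):
    """Return an ip_address, or None when the text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    """True when ip falls inside one of the trusted proxy networks."""
    addr = parse_ip(ip)
    return addr is not None and any(addr in net for net in trusted)


def effective_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return (address_to_log, reason).

    Client-IP headers are honoured only when the TCP peer is a trusted proxy;
    a request arriving from any other address keeps that address in the log.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not is_trusted(peer_ip, trusted):
        return peer_ip, "peer is not a trusted proxy; client-IP headers ignored"

    # mod_cloudflare reads CF-Connecting-IP by default (CloudFlareRemoteIPHeader).
    cf = parse_ip(hdrs.get("cf-connecting-ip", ""))
    if cf is not None:
        return str(cf), "CF-Connecting-IP from trusted peer"

    # X-Forwarded-For is a chain: walk it right to left and stop at the first hop
    # that is not itself a trusted proxy (the mod_remoteip RemoteIPTrustedProxy rule).
    hops = [h.strip() for h in hdrs.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if parse_ip(hop) is not None and not is_trusted(hop, trusted):
            return hop, "first untrusted hop in X-Forwarded-For"
    if hops:
        return hops[0], "all hops trusted; leftmost kept"
    return peer_ip, "trusted peer but no client-IP header"


# Access-log line with an optional "vhost:port" prefix ahead of the client field,
# as in the vhost-prefixed format shown in the question.
LOG_RE = re.compile(r"^(?:(?P<vhost>[\w.-]+:\d+) )?(?P<ip>[0-9A-Fa-f.:]+) ")


def classify_log_line(line, trusted=TRUSTED_PROXIES):
    """Return (logged_ip, label). 'proxy' means the logged address belongs to a
    trusted proxy, so no rewrite happened for that request; 'other' means it is
    some other address (a real client, or a hop outside the trusted list)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    return ip, ("proxy" if is_trusted(ip, trusted) else "other")


# Constructed sample log lines (not from the question's server).
SAMPLE_LOG = [
    'www.example.com:80 173.245.48.10 - - [03/Dec/2015:22:05:44 +0300] "GET /t HTTP/1.1" 200 512',
    'www.example.com:80 198.51.100.7 - - [03/Dec/2015:22:05:45 +0300] "GET /t HTTP/1.1" 200 512',
    'www.example.com:80 2400:cb00:1::1 - - [03/Dec/2015:22:05:46 +0300] "GET /t HTTP/1.1" 200 512',
]


def demo():
    """Three cases to compare against your own tcpdump capture and access log."""
    return {
        "cloudflare_peer": effective_client_ip(
            "173.245.48.10", {"CF-Connecting-IP": "203.0.113.5"}),
        "untrusted_peer": effective_client_ip(
            "198.51.100.7", {"CF-Connecting-IP": "203.0.113.5",
                             "X-Forwarded-For": "203.0.113.5, 173.245.48.10"}),
        "xff_chain": effective_client_ip(
            "173.245.48.10", {"X-Forwarded-For": "203.0.113.5, 173.245.48.11"}),
        "log": [classify_log_line(line) for line in SAMPLE_LOG],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "untrusted_peer" case is the one to compare with a capture: if tcpdump shows the request arriving from an address outside the trusted ranges, the module leaves that address in the log even though the headers name the real client, and the log entry will match the peer address rather than anything in the headers.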