Mod Security & Amazon Cloud Front Problems

Misuse of CloudFront by hackers can get your CDN blocked by your server, this can be a problem. Unfortunately for security reasons you do not want to allow CloudFront to by pass mod security, as this can be exploited by Mod Security:

216.137.42.131 # lfd: (mod_security) mod_security (id:210410) triggered by 216.137.42.131 (US/United States/server-216-137-42-131.dfw3.r.cloudfront.net): 5 in the last 3600 secs – Thu Mar 12 22:13:57 2015
205.251.218.78 # lfd: (mod_security) mod_security (id:950103) triggered by 205.251.218.78 (US/United States/server-205-251-218-78.arn1.r.cloudfront.net): 5 in the last 3600 secs – Sun Mar 15 23:38:33 2015
54.240.145.159 # lfd: (mod_security) mod_security (id:220030) triggered by 54.240.145.159 (US/United States/server-54-240-145-159.fra6.r.cloudfront.net): 5 in the last 3600 secs – Mon Mar 16 07:07:34 2015

We are considering to make an effort to build something to allow Mod Security to block X-IP-ADDRESS header instead of the actual IP which belongs to the CDN, meanwhile the best thing you can do is to make sure while mod security blocks risky requests, it doesn’t become black listed.
Here is the full list of IP address ranges used by Amazon Cloud Front up to this date, add them to your “Firewall Allow IPs” list:

54.182.0.0/16
54.192.0.0/16
54.230.0.0/16
54.239.128.0/18
54.239.192.0/19
54.240.128.0/18
204.246.164.0/22
204.246.168.0/22
204.246.174.0/23
204.246.176.0/20
205.251.192.0/19
205.251.249.0/24
205.251.250.0/23
205.251.252.0/23
205.251.254.0/24
216.137.32.0/19

Related Post
cloudfront-diagram
Amazon CloudFront Now Support Configurable Default TTL and Max TTL

Amazon CloudFront now allows you to set two new values, a Default TTL (Time To Live) and a Max time-to-live, so that you can control how long CloudFront caches your objects in each CDN node. This dramatically increases your control over the cache duration which previously only allowed you to set the Minimum TTL. Learn more about setting cascading cache rules for […]

Read more
Comodo Web Application Firewall – Modsecurity Vendor Rules For cPanel/WHM

ColumbusSoft’s Free collection of multiple 3rd-Party and customer ModSecurity rule sets to add additional security with extra attention to WordPress, WHMCS, Joomla, Prestashop and etc. In this release we have included the Comodo Web Application Firewall, a set of Free ModSecurity Rules from Comodo that provides powerful, real-time protection for your web applications, this is while cPanel/WHM has launched […]

Read more
Amazon Route 53 Changing Health Checking IP Ranges

If you’re using Route 53 health checks, you must ensure that your router and firewall rules allow inbound traffic from the IP addresses used by Route 53’s health checkers, so that Route 53 can access the endpoints that you specify in your health checks. As we have explained earlier in our forum post [ https://forums.aws.amazon.com/ann.jspa?annID=1838 […]

Read more

Leave a Reply

Your email address will not be published. Required fields are marked *

Mobile Detected
Tablet Detected
Desktop Detected
Large Screen Detected
Retina Display Detected