Should i be worried? if so how do i fix this ( ips being banned )

DJMalachite · February 6, 2023, 1:28pm

Hello.

Ive recently started using a cloudflare domain with cloudflared so i can acces my HA instance outside my network

recently i noticed random ip addresses from other countrys trying to request /media/wp-includes/wlwmanifest.xml should i be worried? and what should i do?

Source: components/http/ban.py:82
Integration: HTTP (documentation, issues)
First occurred: 5 February 2023 at 04:00:36 (9 occurrences)
Last logged: 12:20:02

Login attempt or request with invalid authentication from 159.223.69.30 (159.223.69.30). Requested URL: '/media/wp-includes/wlwmanifest.xml'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36)
Login attempt or request with invalid authentication from 87.130.16.34.bc.googleusercontent.com (34.16.130.87). Requested URL: '/media/wp-includes/wlwmanifest.xml'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36)
Login attempt or request with invalid authentication from 204.48.25.184 (204.48.25.184). Requested URL: '/media/wp-includes/wlwmanifest.xml'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36)
Login attempt or request with invalid authentication from 146.190.87.108 (146.190.87.108). Requested URL: '/media/wp-includes/wlwmanifest.xml'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36)
Login attempt or request with invalid authentication from 20.197.59.116 (20.197.59.116). Requested URL: '/media/wp-includes/wlwmanifest.xml'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36)```

WallyR · February 6, 2023, 6:00pm

It is just bots testing for vulnerabilities.
If you do not protect your HA, the.n you will get thousands of different hits with various tests and some day there may be a flaw in HA.
I suggest you use NabuCasa or a wellrenowned VPN service in front of your HA.

Remember that HA comprise of a lot of integrations also and just one need a vulnerability to allow the hackers in.

It has already occured once ( and that needed a second fix ).

DJMalachite · February 6, 2023, 9:03pm

Alright understood i never had this issue when i used duckdns but now that i moved to cloudflare it started

i added a firewall rule in cloudflare and it caught some extra scans

Atm i cant pay for nabucasa but would enabling cloudflare sided firewall options work better?

WallyR · February 6, 2023, 10:41pm

Not sure how that works, so can’t really say
Normally with firewalls they block access to unwanted IPs and ports, but the issue with bots is that they hit everything and that means also the ports and IPs that are allowed, which is where the vulnerabilities have the greatest chance of being.

andryjohn · March 4, 2024, 11:15am

@DJMalachite can you share which Cloudflare Firewall filter rule you added? I am seeing the same type of traffic on my instance.
Thanks