Sermepa blocked by cloudflare

So we've been under attack and migrated our domain to Cloudflare, and now our application is no longer being notified by Sermepa/Redsys when a user makes a payment. (Sermepa is the Spanish way of charging credit cards, like authorize.net but Spanish...)

Checking our code our app is telling Sermepa to connect to our callback url at: https://example.com/sermepa/post

Let's check in our old logs what that connection looked like when it was working.

# zgrep 'sermepa/post' /var/log/nginx/access.log.*.gz
/var/log/nginx/access.log.10.gz:"195.76.9.222" example.com [20/Mar/2019:16:17:49 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1077 349 "-" "Java/1.7.0" 0.990 "-"
/var/log/nginx/access.log.11.gz:"195.76.9.187" example.com [10/Mar/2019:21:44:46 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1077 349 "-" "Java/1.7.0" 1.834 "-"
/var/log/nginx/access.log.11.gz:"195.76.9.222" example.com [13/Mar/2019:20:36:30 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1077 349 "-" "Java/1.7.0" 1.805 "-"
/var/log/nginx/access.log.12.gz:"195.76.9.187" example.com [07/Mar/2019:23:08:50 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1076 349 "-" "Java/1.7.0" 1.696 "-"
/var/log/nginx/access.log.13.gz:"195.76.9.187" example.com [25/Feb/2019:15:20:00 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1022 349 "-" "Java/1.7.0" 1.375 "-"
/var/log/nginx/access.log.13.gz:"195.76.9.222" example.com [25/Feb/2019:17:05:03 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1025 349 "-" "Java/1.7.0" 0.943 "-"

Here we see a couple of things: Sermepa was always connecting from 195.76.9.222 or 195.76.9.187, and it was using "Java/1.7.0" as its user agent. I'm sure that that user agent is triggering Cloudflare's Browser Integrity Check.
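The zgrep above answers the question by eye; for a callback you are about to allow-list it is worth doing the same check over the whole log history and confirming that the proposed range really covers every source you have seen. The script below is an added example, not part of the original post: it parses lines in the nginx format shown above (tolerating the file-name prefix zgrep adds), counts source IPs and user agents for the callback path, derives the /24s that cover them, and reports any source that would fall outside a candidate allow-list. The log lines embedded in it are constructed for the example, modelled on the output above.

```python
import ipaddress
import re
from collections import Counter

# Regex for the nginx access-log layout in the post: quoted client IP, vhost,
# [timestamp], "request line", status, size/timing fields, "referer",
# "user agent", upstream time, "-".
LOG_RE = re.compile(
    r'^"(?P<ip>[^"]+)"\s+(?P<host>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
    r'.*?"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)

# Constructed sample modelled on the zgrep output (file-name prefix included),
# with two unrelated requests mixed in so the path filter is exercised.
SAMPLE_LOG = """\
/var/log/nginx/access.log.10.gz:"195.76.9.222" example.com [20/Mar/2019:16:17:49 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1077 349 "-" "Java/1.7.0" 0.990 "-"
/var/log/nginx/access.log.11.gz:"195.76.9.187" example.com [10/Mar/2019:21:44:46 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1077 349 "-" "Java/1.7.0" 1.834 "-"
/var/log/nginx/access.log.11.gz:"203.0.113.5" example.com [13/Mar/2019:20:36:30 +0000] "GET /index.html HTTP/1.1" 200 5 4096 349 "-" "Mozilla/5.0" 0.012 "-"
/var/log/nginx/access.log.12.gz:"195.76.9.187" example.com [07/Mar/2019:23:08:50 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1076 349 "-" "Java/1.7.0" 1.696 "-"
/var/log/nginx/access.log.13.gz:"198.51.100.7" example.com [25/Feb/2019:15:20:00 +0000] "POST /login HTTP/1.1" 302 5 0 349 "-" "Mozilla/5.0" 0.120 "-"
/var/log/nginx/access.log.13.gz:"195.76.9.222" example.com [25/Feb/2019:17:05:03 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1025 349 "-" "Java/1.7.0" 0.943 "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    line = line.rstrip("\n")
    # zgrep prefixes each hit with "file.gz:"; drop it if present.
    if line and not line.startswith('"') and ":" in line:
        line = line.split(":", 1)[1]
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def callback_sources(log_text, path="/sermepa/post"):
    """Return (ip_counter, ua_counter, networks) for requests to `path`.

    `networks` is the set of /24 prefixes that together cover every observed
    source IP, i.e. the smallest candidate allow-list at /24 granularity."""
    ips, agents = Counter(), Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["path"] == path:
            ips[rec["ip"]] += 1
            agents[rec["ua"]] += 1
    networks = {
        str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips
    }
    return ips, agents, networks


def unlisted_sources(ips, allowed_cidrs):
    """Observed callback sources that fall outside the proposed allow-list."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return sorted(
        ip for ip in ips
        if not any(ipaddress.ip_address(ip) in n for n in nets)
    )


if __name__ == "__main__":
    ips, agents, nets = callback_sources(SAMPLE_LOG)
    print("sources:", dict(ips))
    print("user agents:", dict(agents))
    print("covering /24s:", sorted(nets))
    print("outside 195.76.9.0/24:", unlisted_sources(ips, ["195.76.9.0/24"]))
```

Run it against `zgrep 'sermepa/post' /var/log/nginx/access.log.*.gz` output (feed the text to `callback_sources`) and an empty `unlisted_sources` result for the range you are about to whitelist is the confirmation you want before changing the firewall; a non-empty one means either the gateway has another source you missed or something other than the gateway has been calling the endpoint.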

Some possible solutions:

  1. Disable Browser Integrity Check, but that check will be useful if we're under attack again.
  2. Change the callback url to a new subdomain not filtered by Cloudflare; we will need to reconfigure our webserver, domain and app.
  3. In 3 years of logs Sermepa always connected from those 2 IPs, so why not whitelist them in Cloudflare?
  4. Contact Sermepa and tell them to use another user agent. (just joking)

Let's further investigate those IPs with whois.

# whois '195.76.9.187'
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '195.76.9.0 - 195.76.9.255'

inetnum:        195.76.9.0 - 195.76.9.255
netname:        REDSYSSERVICIOSPROCESAMIENTO
descr:          REDSYS SERVICIOS DE PROCESAMIENTO SLU
descr:          Internet Public Addresses
descr:          __
country:        es
[...]

Redsys owns the whole class C and that doesn't look to be changing anytime soon. I'm sold on option 3. Let's whitelist them in Cloudflare. Connect to the Cloudflare panel, go to Firewall -> Tools and add an IP access rule:

195.76.9.0/24 Whitelist Sermepa

We're done and receiving payments again!

© 2019 Joan Pérez i Cauhé. All rights reserved.