SiteLock is expanding the network behind our web application firewall, TrueShield, and our content delivery network, TrueSpeed. To accommodate our growing customer base, we’re adding over 130,000 new unique IP addresses on May 1st, 2017. This will require some customers to make changes to their firewall or web server configuration to ensure our new servers are compatible with your website’s hosting server. If these changes are not made by May 1st, 2017, your site visitors may be restricted from accessing your website.

Do these changes apply to me?

You only need to make changes under these conditions:

  • Customers that use other firewall services in conjunction with SiteLock TrueShield (e.g. ModSecurity, cPHulk, or other network or endpoint firewall solutions) will be affected by this change.

If you have a network or endpoint firewall on your server, these new IP addresses should either be whitelisted or added as exceptions for any firewall rules that may refuse traffic based on high request frequency or bandwidth limits. This will ensure your firewall does not block communication with our servers. Specific information on the changes you need to make are detailed below.

  • Customers utilizing IP filtering rules in a web service (e.g. Apache, Nginx, IPtables, etc) will be affected by this change.

If you’ve established an IP filtering ruleset and are restricting certain IP addresses from accessing web directories, then you must add these IP addresses to the allowed IP list. This will ensure the SiteLock servers can communicate with your hosting server. Specific information on the changes you need to make are detailed below.

What are the *NEW* IP addresses?

In CIDR notation, the new ranges are:


45.60.0.0/16
45.223.0.0/16

Alternatively, in long-form the new ranges are:


45.60.0.0-45.60.255.255
45.223.0.0-45.223.255.255

If you are adding our IP addresses for the *FIRST TIME* 

SiteLock TrueShield Complete IP Range in CIDR notation:


199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
103.28.248.0/22
45.64.64.0/22
185.11.124.0/22 
192.230.64.0/18
107.154.0.0/16
45.60.0.0/16
45.223.0.0/16

If using IPv6, include:


2a02:e980::/29

SiteLock TrueShield Complete IP Range in long form:


199.83.128.1-199.83.135.254
198.143.32.1-198.143.63.254
149.126.72.1-149.126.79.254
103.28.248.1-103.28.251.254
185.11.124.1-185.11.127.254
45.64.64.0-45.64.67.255
192.230.64.1-192.230.127.254
107.154.0.0-107.154.255.254
45.60.0.0-45.60.255.255
45.223.0.0-45.223.255.255

If using IPv6, include:


2a02:e980:0:0:0:0:0:0-2a02:e987:ffff:ffff:ffff:ffff:ffff:ffff

Changes for Customers Using Other Firewall Services

In most network or endpoint firewalls, you should be able to simply whitelist or create exceptions for these new IP addresses. Typically, your website hosting provider will be able to make these changes for you upon request. Reference this article when communicating with your hosting provider to make these changes.

Changes for Customers Using IP Filtering Rules in a Web Service

We’ve written rulesets for some of the most common web services used in filtering, like Apache, Nginx, and IPtables. Remember that when setting filtering rules, rulesets are inherited recursively. They may also be applied to other websites on the same server, depending on your configuration. For example, Apache .htaccess rulesets are inherited by subdirectories lower in the file structure and would therefore also be affected by .htaccess rules in parent directories. If you manage multiple websites, be sure that these rules are applied only to websites using SiteLock TrueShield. Applying the provided rules to a website not using TrueShield will result in the website becoming unreachable to visitors.

Apache
Apache uses files named, .htaccess in individual directories for configuring rules.

CRITICAL NOTE: Remember that .htaccess rules are inherited recursively by subdirectories, so be mindful of this when changing your .htaccess.

The .htaccess file for your website’s public root to reflect the following (starting at line 1 of the file):


# BEGIN SiteLock IP Filtering
order deny,allow
deny from all
allow from 199.83.128.0/21
allow from 198.143.32.0/19
allow from 149.126.72.0/21
allow from 103.28.248.0/22
allow from 185.11.124.0/22
allow from 45.64.64.0/22
allow from 192.230.64.0/18
allow from 107.154.0.0/16
allow from 45.60.0.0/16
allow from 45.223.0.0/16
allow from 2a02:e980::/29
# END SiteLock IP Filtering

Nginx
Nginx comes with a simple module called, ngx_http_access_module, that grants you the ability to allow or deny access based on IP. Update your file to include the following:


location / {
# Allow SiteLock TrueShield IPs
allow 199.83.128.0/21;
allow 198.143.32.0/19;
allow 149.126.72.0/21;
allow 103.28.248.0/22;
allow 185.11.124.0/22;
allow 45.64.64.0/22;
allow 192.230.64.0/18;
allow 107.154.0.0/16;
allow 45.60.0.0/16
allow 45.223.0.0/16
allow 2a02:e980::/29;
 
# Deny Unfiltered Non-SiteLock Traffic
deny all;
}

IPtables
Update the IPtables module on your Linux platform to reflect the following:


#SiteLock TrueShield IP Filtering 
#Allow HTTP (port 80) from SiteLock
iptables -A INPUT -s 199.83.128.0/21 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 198.143.32.0/19 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 149.126.72.0/21 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.28.248.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 185.11.124.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.64.64.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 192.230.64.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 107.154.0.0/16 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.60.0.0/16 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.223.0.0/16 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 2a02:e980::/29 -p tcp --dport http -j ACCEPT
 
#Block unfiltered non-SiteLock HTTP traffic
iptables -A INPUT -p tcp --dport http -j DROP
 
#Allow HTTPS (port 443) from SiteLock
iptables -A INPUT -s 199.83.128.0/21 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 198.143.32.0/19 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 149.126.72.0/21 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.28.248.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 185.11.124.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.64.64.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 192.230.64.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 107.154.0.0/16 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.60.0.0/16 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.223.0.0/16 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 2a02:e980::/29 -p tcp --dport https -j ACCEPT
 
#Block unfiltered non-SiteLock HTTPS traffic
iptables -A INPUT -p tcp --dport https -j DROP

**Save your changes**

Ubuntu:

sudo /sbin/iptables-save

Red Hat / CentOS:

/sbin/service iptables save

Or

/etc/init.d/iptables save

Why do these changes need to be made?

Remember, when using cloud-based WAF/CDN technology, like TrueShield, your website visitors are served your website content from a reverse-proxy server, rather than from your original website hosting server directly.

ReverseProxy

The SiteLock servers periodically make requests for updated content from your website’s hosting server. This ensures that we are delivering the freshest content to your visitors. During periods of high traffic, we may make more frequent requests for content than during off-peak periods. Cloud technology of this kind uses a finite number of unique IP addresses to fulfill these requests, making this behavior appear as a security threat to some firewall services. This can be due to the large number of requests from a disproportionately low number of perceived unique visitors. Whitelisting or creating firewall exceptions for our servers’ IP addresses prevents your other security systems from blocking legitimate traffic relayed through our servers.

Will more changes need to be made in the future?

The short answer is probably. As we expand our network to serve additional customers and improve our services, we will likely add additional IP ranges. Rest assured that we will notify you in advance prior to the changes. Stay tuned to the SiteLock blog for more product updates.