Cloudflare's servers send junk traffic requests generating API Error (401) for unknown reason.

So I just deleted tons of junk logs with over 1000 pages of the 401 API error. I also deleted the API keys.
Because honestly we do not use the API.

The best thing would be to just disable the API, but I cannot find a way to do it.

So after deleting all the log entries they started to pop up again from these IPs so far: 172.70.246.190, 172.70.247.113, 172.70.247.162, all belonging to CloudFlare (where we host the DNS for the domain). I have checked and verified the IPs with Whois. All CloudFlare-owned IPs.

I could generate new API keys, but those were also generating the 401 API error so..

Here is the OSTicket system config:
Server: Our own locally hosted company server - no hosting company. We do use CloudFlare as mentioned above.


I have no idea how to solve this and get rid of all these junk entries + resolving the API error itself. But I imagine that there must be others on this OSticket forum who have or are experiencing the same error/issue and hopefully could kindly share a tip or two about how to handle this issue.

Thanks a bunch in advance for anything that could lead us in the right direction!

Kind regards


    AngryWarrior

    Can you post screenshots of the specific errors? We would need more information to better assist.

    Cheers.

    Well here is an example.

    The IP-addresses are all Cloudflare's servers.
    Not sure why they love our OSticket installation so much that they hit the API every few minutes or so.

      AngryWarrior

      Looks like someone (or some script) is trying to make API requests to create Tickets. That error is only logged when attempting to access the Ticket API with an API Key that's not valid. The key they are trying to use is within the [] characters.

      So either an attacker or automated system or script or something.

      Cheers.

      Not sure about that. I mean CloudFlare does not rent out VPS servers/sell private hosting, and all the IPs are CF servers.
      But sure, it could come of course from someone using CF's proxy network maybe.

      Is there a way to completely shutdown/disable the API in osTicket?
      We do not use it anyway and thus it is an unnecessary open attack vector that you might as well close, right?

      Thanks in advance.

        AngryWarrior

        You can simply set up a ticket filter to reject any tickets submitted via API. You can also make sure you don't have any API Keys configured/enabled. Other than that you'd have to modify the codebase to remove references to the URIs, etc. The API is baked in but requires a Valid API key and the requesting IP needs to match the IP tied to the API Key.

        Cheers.

        @KevinTheJedi Right, thanks.
        It would be nice if osTicket would consider building in a checkbox function or something similar where you could turn off the API.
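
Added example, not part of the original thread and not osTicket code: when a site is proxied through Cloudflare, the web server sees a Cloudflare edge address as the peer and the original client address arrives in the `CF-Connecting-IP` header, so this sketch attributes rejected API requests to the client behind the proxy. Assumptions: the domain is proxied (not DNS-only), the access log has been configured to record that header, the log layout and `SAMPLE_LOG` lines are constructed, and the API path is `/api/tickets.json`.

```python
import ipaddress
from collections import Counter

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4);
# refresh from that list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def real_client(peer_ip, cf_connecting_ip):
    """Trust CF-Connecting-IP only when the TCP peer is a Cloudflare edge."""
    if is_cloudflare(peer_ip) and cf_connecting_ip != "-":
        try:
            return str(ipaddress.ip_address(cf_connecting_ip))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return peer_ip

def rejected_api_clients(log_lines):
    """Count 401 responses on /api/ paths per real client address."""
    hits = Counter()
    for line in log_lines:
        peer, cf_ip, _method, path, status = line.split()
        if path.startswith("/api/") and status == "401":
            hits[real_client(peer, cf_ip)] += 1
    return hits

# Constructed sample lines: peer, CF-Connecting-IP, method, path, status.
# Client addresses are documentation ranges, not real observations.
SAMPLE_LOG = [
    "172.70.246.190 198.51.100.23 POST /api/tickets.json 401",
    "172.70.247.113 198.51.100.23 POST /api/tickets.json 401",
    "172.70.247.162 203.0.113.80 POST /api/tickets.json 401",
    "172.70.246.190 203.0.113.9 GET /index.php 200",
    "192.0.2.44 198.51.100.23 POST /api/tickets.json 401",  # direct hit: header ignored
]

if __name__ == "__main__":
    for ip, count in rejected_api_clients(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count}")
```

The header is ignored for the last line because its peer is not a Cloudflare address, which is the check that keeps a forged `CF-Connecting-IP` from misattributing a request.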
