Cloudflare: avoid this mistake!
In this video I describe how an attacker may be able to bypass Cloudflare's protections by finding the IP address of the origin server (for example from historical DNS records left over from before the domain was proxied) and connecting to it directly. There are two fixes:
1) Request a new IP address from your provider (VPS, Internet service), since the old one is already known.
2) Block access to ports 80 and 443 from any source other than Cloudflare's published IP ranges, either on the host firewall or on your provider's network firewall.
Fix 2 is required for the result to be permanent: a new address only helps until it leaks in turn, whereas filtering at the origin means a direct connection fails even when the address is known. However, if you feel you need assistance in resolving this or any other security issue, please contact me:
info@ljcybersolutions.uk
Update: I know I went swiftly past the solution for step 2; however, every infrastructure is different, so please reach out to me at the address above and we can discuss the details.
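The following script is an added example and is not from the video or from Cloudflare. It shows both halves of the problem described above: first, given a list of historical DNS records (the sample lines are constructed), it separates addresses that belong to Cloudflare from addresses that are candidate origins an attacker would try; second, it emits an nftables ruleset that lets only Cloudflare's ranges reach ports 80 and 443, implementing step 2. The embedded CIDR list is an illustrative snapshot of Cloudflare's published IPv4 ranges; the authoritative list is https://www.cloudflare.com/ips-v4 (and https://www.cloudflare.com/ips-v6 for IPv6, which this example does not cover) and must be refreshed when Cloudflare announces changes. The ruleset name `cf_origin` and the `classify_history` input format are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the video. Assumes bash and (for loading the
# rules) nftables on the origin host.
#
# Illustrative SNAPSHOT of Cloudflare's published IPv4 ranges; refresh from
# https://www.cloudflare.com/ips-v4 before use, this list is not authoritative.
CF_RANGES_V4="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit status 0 if IP lies inside CIDR
in_cidr() {
    local ip net bits mask
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_cloudflare IP -> exit status 0 if IP belongs to any Cloudflare range
is_cloudflare() {
    local r
    for r in $CF_RANGES_V4; do
        in_cidr "$1" "$r" && return 0
    done
    return 1
}

# classify_history: reads "date ip" lines on stdin (the shape of an export
# from a DNS-history service; format assumed for this example) and prints
# "cloudflare <ip>" or "candidate-origin <ip>". Anything in the second
# category is an address an attacker will try to reach directly.
classify_history() {
    local date ip
    while read -r date ip; do
        [ -z "$ip" ] && continue
        if is_cloudflare "$ip"; then
            echo "cloudflare $ip"
        else
            echo "candidate-origin $ip"
        fi
    done
}

# build_ruleset: prints an nftables ruleset that accepts 80/443 only from the
# Cloudflare set and drops 80/443 from everyone else. The chain policy stays
# "accept" so other services (e.g. SSH) are untouched and you cannot lock
# yourself out. Review the output, then load it with:  build_ruleset | nft -f -
build_ruleset() {
    echo "table inet cf_origin {"
    echo "  set cloudflare_v4 {"
    echo "    type ipv4_addr; flags interval;"
    echo "    elements = { $(echo $CF_RANGES_V4 | sed 's/ /, /g') }"
    echo "  }"
    echo "  chain input {"
    echo "    type filter hook input priority 0; policy accept;"
    echo "    tcp dport { 80, 443 } ip saddr @cloudflare_v4 accept"
    echo "    tcp dport { 80, 443 } drop"
    echo "  }"
    echo "}"
}

# Constructed sample history (not real records): one Cloudflare address and
# one older address that would expose the origin.
printf '2021-03-01 104.16.1.1\n2019-06-01 203.0.113.7\n' | classify_history
build_ruleset
```

Note that the ruleset only closes the direct path; if the old address was already collected by a DNS-history service, it remains known, which is why the description pairs this with rotating the address. Keep the set in sync with Cloudflare's list, otherwise new Cloudflare edge addresses will be dropped and the site will appear down through the proxy.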
Comments: 49
I never saw a content about THIS here on KZread. Thank you very much!!!! Subscribed.
Just subscribed and noticed your channel is still a small channel. Can't wait for the new content! Amazing quality.
Good stuff! Made me subscribe to your channel, looking forward to more awesome content.
Thanks, I find this very helpful. It's something I will be taking some notes on so that I can try it in my own home lab with a Debian VM I will spin up. I'm still a bit new to using this type of external connection but I'm trying to practice a bit before I go using it personally.
Thanks for sharing this. As for the solution, I thought setting up the "Authenticated Origin Pulls" in Cloudflare ensured requests to the origin server only come from the Cloudflare network and would be a cleaner solution instead of whitelisting IPs.
Thanks Laurence. I have been meaning to investigate this.
@GooseDave
A year ago
Worked a treat!
This is interesting. Thank you for sharing.
Awesome. I thought I might be the only one who knew of SecurityTrails.
One of the least confusing videos :)
Great info
Thanks Bro !!
Thanks for making this. I always wondered about this. But was never sure how to go about blocking it or doing anything.
Fantastic content - you have earned another subscriber! Thank you Laurence. I use google cloud for hosting. I have followed your approach and specified the cloudflare IP addresses to be allowed through the Google Cloud Network firewall. Hopefully this is better than updating the firewall rules within the Ubuntu instance in my case. Do the cloudflare address ranges change over time?
@iiamloz
A year ago
They can; however, Cloudflare normally announces it, after which you would have to make the modifications, like deleting outdated rules. If you use GCP or other cloud providers, you can use their firewall as an allow list. It would be more performant for your box as it wouldn't need to handle the reject/drop.
@abinalexpothen7072
A year ago
@iiamloz thank you for your reply!
Hi, thanks for this video. Is there any way to make these port restrictions on the Cloudflare side, or only on the host?
Thank you for sharing. Lol subscribing..
If the attacker knows the origin IP then you're asking for trouble; you can block all the ports you like, but if they're a hacker worth their salt they'll find a way around your port restrictions. The way I do it for all my clients is to set up the domain on Cloudflare before pointing it to my origin server (before installing the origin server / VPS). If you're moving an existing domain with old DNS records, then keep in mind that most VPS hosting companies have the option to back up a server instance, then restore that image to another instance (with a new IP, obviously), which is also an option (takes me less than 10-15 minutes to do it this way).
Would it be possible to spoof cloudflare's ip address to get to the server directly?
why dont you use the Authenticated Origin Pulls?
But that will block email traffic since Cloudflare needs to expose IPs. right?
Good stuff. On a server-side firewall (pfSense), create an alias 'cloudflare_IP_List_V4', then make a firewall rule to allow the alias 'cloudflare_IP_List_V4' and block all others.
@Darkk6969
A year ago
Yep, I do the same thing with my pfSense. An alias makes things a lot easier to manage the IPs and hosts.
Is anyone here familiar with whether Windows Server (more recent iterations) would expose the private IP in this way? (And if so, how to mask it.)
Hmm, this seems to assume the DNS before Cloudflare leaked the IP. But by then, even if you move to Cloudflare, the past IP may be leaked. You have to literally move to a new address.
@iiamloz
A year ago
Yes, that was a presumption. In most cases, people move to Cloudflare. If you start with Cloudflare and proxy enabled by default, this is not affected.
Correct me if I’m wrong, I’m still learning. But would using Cloudflare’s tunneling (not opening any ports on my network) prevent this. When I follow your steps, I’m only seeing Cloudflare IP addresses.
@iiamloz
A year ago
Yes, that would work. However, depending on your business, you may not be able to run it. Also, I don't know when, but it didn't use to be a free feature, so many businesses have it set up like this.
@50_Pence
A year ago
@iiamloz yeah, it's free with limitations. You can't do UDP etc., hence doing things your way will be best for things such as UDP. Great vid!
Thx man. Nice!
I do basically the same but on the VPS provider's firewall. Only added Cloudflare IPs to access 80/443.
@iiamloz
11 months ago
Awesome! My provider does offer that but I don't use it at that level.
@Richard-kl8wr
11 months ago
@iiamloz Is it necessary in a Cloudflare Tunnel configuration?
@iiamloz
11 months ago
Nope, as there are no open ports unless you misconfigure it.
Umm, I have a question: then what will happen with FTP, since it requires the real IP address (but with port 21, though)?
@iiamloz
A year ago
You wouldn't proxy any ports from Cloudflare other than 80 or 443. Unless you use cloudflared, then you would just use access controls to only allow certain IPs.
Hi sir, I need your help. I have a dynamic website hosted on AWS EC2, added to Cloudflare recently (CloudFront + Cloudflare DNS proxy). But I am facing some issues: some IPv6 requests (not all ISP IPv6 requests) are not allowing images to load. No problem with IPv4 requests. Please give me a suggestion.
Hey your audio sounds like -12 db and 720p video upscaled to 4k!
Or just use your own reverseproxy
@iiamloz
A year ago
Of course you can! But most people don't want to handle DDoS or learn how to handle traffic via the terminal.