    Vultr Firewall added Cloudflare

    IT Discussion
    vultr firewall cloudflare
    • DashrenderD
      Dashrender @JaredBusch
      last edited by

      @JaredBusch said in Vultr Firewall added Cloudflare:

      @Dashrender said in Vultr Firewall added Cloudflare:

      on any other ports he doesn't have locked down similarly, not that he said anything about that,

      It is a deny all, as visible in the screen shot.

      So it does - I didn't look at your picture.

      1 Reply Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch @Mario Jakovina
        last edited by JaredBusch

        @Mario-Jakovina said in Vultr Firewall added Cloudflare:

        Do you mean that your server is then only accessible by domain name (if not by IP address)?

        Yes, this does mean it is only accessible by the FQDN.
        You cannot hit a site by the IP of the proxy, Cloudflare in this case, because the proxy would have no clue what to do with the traffic.

        ML is behind Cloudflare. The IP resolves as 104.26.3.183, among others. If you go to that IP, Cloudflare has no clue WTF to send you to and says so.

        The site I protected as mentioned in the screenshots above is on Vultr and has IP on the Vultr network, obviously. But a lookup only returns the Cloudflare info.

        But even if someone scraped, or the IP was leaked (it is 173.199.114.195), the Vultr Firewall will let nothing connect to that IP except SSH from 2 specific IP addresses and http/https only from the Cloudflare network.

        M 1 Reply Last reply Reply Quote 0
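The rule set described in the post above (deny all, SSH from two addresses, http/https only from Cloudflare) can be modelled and audited offline. This is an added example, not code from the thread or from any poster; the admin addresses are documentation-range placeholders, and the Cloudflare list is a subset snapshot of the ranges published at https://www.cloudflare.com/ips-v4 that has to be refreshed before use.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges (assumption: snapshot only;
# refresh from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
WEB_PORTS = {80, 443}

# Constructed rule set mirroring the post: (port, source CIDR) accept rules.
# Anything not listed is dropped (deny all). The two SSH sources are
# placeholders, not the poster's real addresses.
RULES = [(22, "203.0.113.10/32"), (22, "198.51.100.20/32")]
RULES += [(p, str(n)) for p in sorted(WEB_PORTS) for n in CLOUDFLARE_V4]


def is_allowed(rules, src_ip, port):
    """Default deny: a connection passes only if an accept rule matches."""
    src = ipaddress.ip_address(src_ip)
    return any(port == p and src in ipaddress.ip_network(cidr)
               for p, cidr in rules)


def audit(rules):
    """Return rules that undo the design: web ports open to sources outside
    the Cloudflare ranges, or SSH open to more than a single host."""
    findings = []
    for port, cidr in rules:
        net = ipaddress.ip_network(cidr)
        inside_cf = any(net.version == cf.version and net.subnet_of(cf)
                        for cf in CLOUDFLARE_V4)
        if port in WEB_PORTS and not inside_cf:
            findings.append((port, cidr, "web port reachable without Cloudflare"))
        elif port == 22 and net.num_addresses > 1:
            findings.append((port, cidr, "SSH source wider than one host"))
    return findings


if __name__ == "__main__":
    print(is_allowed(RULES, "104.26.3.183", 443))  # Cloudflare edge to origin
    print(is_allowed(RULES, "192.0.2.77", 443))    # direct hit on the origin IP
    print(audit(RULES + [(443, "0.0.0.0/0")]))     # a leftover allow-any rule
```

Running the audit against an export of the live rules after every change catches a leftover allow-any rule on 80/443, which would make the origin reachable without going through the proxy.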
        • M
          Mario Jakovina @JaredBusch
          last edited by Mario Jakovina

          @JaredBusch OK, but why is access by FQDN safer than access by IP address?
          And how can Cloudflare distinguish legitimate user from hacker if they both try to access via FQDN?

          (We have one server on Vultr and we access it through IP address. We also have one server on other provider)

          DashrenderD JaredBuschJ 2 Replies Last reply Reply Quote 0
          • DashrenderD
            Dashrender @Mario Jakovina
            last edited by

            @Mario-Jakovina said in Vultr Firewall added Cloudflare:

            @JaredBusch OK, but why is access by FQDN safer than access by IP address?
            And how can Cloudflare distinguish legitimate user from hacker if they both try to access via FQDN?

            (We have one server on Vultr and we access it through IP address. Also one on other provider)

            It's not about the FQDN - it's about the fact that from the outside world's point of view, the website lives at CloudFlare... the legit visitors and the hackers only see the IP of CloudFlare, unless there is leakage, as JB mentioned, but even then, the firewall at Vultr prevents the hackers making a connection.

            All legit connections to JB's server in Vultr MUST come through CloudFlare, except the listed IPs that have access to SSH.

            1 Reply Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch @Mario Jakovina
              last edited by

              @Mario-Jakovina said in Vultr Firewall added Cloudflare:

              @JaredBusch OK, but why is access by FQDN safer than access by IP address?

              No one said it is safer. It was only said that it can only be accessed that way.

              1 Reply Last reply Reply Quote 0
              • M
                Mario Jakovina
                last edited by

                @JaredBusch said in Vultr Firewall added Cloudflare:

                No one said it is safer. It was only said that it can only be accessed that way.

                @Dashrender said in Vultr Firewall added Cloudflare:

                All legit connections to JB's server in Vultr MUST come through CloudFlare,

                But what is the benefit of allowing only through Cloudflare if it is not safer?
                Do you need to subscribe to some service at Cloudflare to use that or not?

                JaredBuschJ 1 Reply Last reply Reply Quote 0
                • JaredBuschJ
                  JaredBusch
                  last edited by

                  Let me use this example.

                  I have a blog on blog.jaredbusch.com (I don't) and it is run using WordPress on Vultr.

                  I do the basics and have the traffic going through Cloudflare with the orange cloud.

                  Any hacker will hit the site in the legal way through Cloudflare. The Cloudflare network has a lot of defense capabilities built in that you can use depending on your subscription level.

                  But assuming you have none of that, it still protects you by not exposing your public IP if nothing else.

                  But if I do not restrict http/https access to the live IP, botnets will quickly discover that IP 10.11.12.13 is running a WP instance. Then the WP hacking bots will attack the system directly via https://10.11.12.13/wp-login.php?WTFEVERHACKWORKSONVERSION etc.

                  The Vultr firewall settings as discussed 100% eliminate that possibility.

                  1 Reply Last reply Reply Quote 0
                  • JaredBuschJ
                    JaredBusch @Mario Jakovina
                    last edited by

                    @Mario-Jakovina said in Vultr Firewall added Cloudflare:

                    But what is the benefit of allowing only through Cloudflare if it is not safer?
                    Do you need to subscribe to some service at Cloudflare to use that or not?

                    All proxy services can provide protection. It is a matter of what the service provides for what cost and what you want to protect.

                    This thread is not a discussion of the specific uses of Cloudflare. Feel free to make a thread for that.

                    M 1 Reply Last reply Reply Quote 0
                    • M
                      Mario Jakovina @JaredBusch
                      last edited by

                      @JaredBusch Thank you.
                      I will read a little about Cloudflare and its services... I am not familiar with that.

                      JaredBuschJ 1 Reply Last reply Reply Quote 0
                      • JaredBuschJ
                        JaredBusch @Mario Jakovina
                        last edited by

                        @Mario-Jakovina said in Vultr Firewall added Cloudflare:

                        @JaredBusch Thank you.
                        I will read a little about Cloudflare and its services... I am not familiar with that.

                        Even my personal domain, with like no content or traffic, was protected from random drive-by attacks. For free.


                        M 1 Reply Last reply Reply Quote 1
                        • M
                          Mario Jakovina @JaredBusch
                          last edited by

                          @JaredBusch OK.
                          Is there any reason not to use at least Cloudflare Free plan and set up Vultr FW to allow only Cloudflare traffic, if we have FQDN for our server?

                          JaredBuschJ DashrenderD 2 Replies Last reply Reply Quote 0
                          • JaredBuschJ
                            JaredBusch @Mario Jakovina
                            last edited by

                            @Mario-Jakovina said in Vultr Firewall added Cloudflare:

                            @JaredBusch OK.
                            Is there any reason not to use at least Cloudflare Free plan and set up Vultr FW to allow only Cloudflare traffic, if we have FQDN for our server?

                            Pretty much never a reason not to do it.

                            I always use Cloudflare already to handle DNS.

                            1 Reply Last reply Reply Quote 2
                            • DashrenderD
                              Dashrender @Mario Jakovina
                              last edited by

                              @Mario-Jakovina said in Vultr Firewall added Cloudflare:

                              @JaredBusch OK.
                              Is there any reason not to use at least Cloudflare Free plan and set up Vultr FW to allow only Cloudflare traffic, if we have FQDN for our server?

                              No reason not to have FQDN for your stuff - it's completely free from CloudFlare.

                              JaredBuschJ M 2 Replies Last reply Reply Quote 0
                              • JaredBuschJ
                                JaredBusch @Dashrender
                                last edited by

                                @Dashrender said in Vultr Firewall added Cloudflare:

                                No reason not to have FQDN for your stuff - it's completely free from CloudFlare.

                                That's not how anything works.

                                You must pay for a domain name.

                                Now you can use all the subdomains you want. But that also gets into other configurations.

                                You do not just have a FQDN.

                                M 1 Reply Last reply Reply Quote 0
                                • M
                                  Mario Jakovina @Dashrender
                                  last edited by

                                  @Dashrender Really! We use DynDNS paid service for our in-house servers.
                                  If you can point me how to get free FQDN from Cloudflare, I would be grateful?

                                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                                  • M
                                    Mario Jakovina @JaredBusch
                                    last edited by

                                    @JaredBusch said in Vultr Firewall added Cloudflare:

                                    You must pay for a domain name.

                                    OK, thanks

                                    DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @Mario Jakovina
                                      last edited by

                                      @Mario-Jakovina said in Vultr Firewall added Cloudflare:

                                      @JaredBusch said in Vultr Firewall added Cloudflare:

                                      You must pay for a domain name.

                                      OK, thanks

                                      Yeah - OK, sure, you have to pay for the domain name - but damn.. it's not like that's a fortune or anything...

                                      If you're using a free DynDNS, then the free subs from CF should work as well.

                                      1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Mario Jakovina
                                        last edited by

                                        @Mario-Jakovina said in Vultr Firewall added Cloudflare:

                                        @Dashrender Really! We use DynDNS paid service for our in-house servers.
                                        If you can point me how to get free FQDN from Cloudflare, I would be grateful?

                                        FQDN are never free, there's no way for that. Someone HAS to pay for them, as they cost money. If anyone offered them for free, I'd "buy" every one in existence then sell them to everyone else for way, way more than they cost today.

                                        It's only by having them be $10 a year or whatever that people have to evaluate if they want to pay for them.

                                        1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @Mario Jakovina
                                          last edited by

                                          @Mario-Jakovina said in Vultr Firewall added Cloudflare:

                                          @JaredBusch said in Vultr Firewall added Cloudflare:

                                          You must pay for a domain name.

                                          OK, thanks

                                          But every FQDN from your domain, is free. Whether you have one, or millions.

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            Mario Jakovina
                                            last edited by Mario Jakovina

                                            As I said - we do have FQDN.
                                            I was just surprised when @Dashrender said they are free from Cloudflare.

                                            DashrenderD 1 Reply Last reply Reply Quote 0