Vultr Firewall added Cloudflare
-
I use a Cloudflare machine cert on this webserver for strict HTTPS.
So these new rules are awesome.
-
Nice!
-
@scottalanmiller said in Vultr Firewall added Cloudflare:
Nice!
Yeah, no idea how long it has been there. I don't go into those rules all that much.
But man that makes life sooooooo simple.
-
@JaredBusch care to explain why selecting cloudflare instead of just allowing port 80 and 443?
-
@black3dynamite your talking about ports - this is IP addresses... as Jared would say FFS.
-
@black3dynamite said in Vultr Firewall added Cloudflare:
@JaredBusch care to explain why selecting cloudflare instead of just allowing port 80 and 443?
I'm only allowing Cloudflare IP blocks on the HTTP/S ports.
That means nothing can possibly hit my server by IP. It is 100% safe from direct attacks.
-
@JaredBusch said in Vultr Firewall added Cloudflare:
I'm only allowing Cloudflare IP blocks on the HTTP/S ports.
That means nothing can possibly hit my server by IP. It is 100% safe from direct attacks.Can you please explain this a little more.
Do you mean that your server is then only accessible by domain name (if not by IP address)?
If so, why is it safer to be accessible by domain name, then by IP adress? -
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch said in Vultr Firewall added Cloudflare:
I'm only allowing Cloudflare IP blocks on the HTTP/S ports.
That means nothing can possibly hit my server by IP. It is 100% safe from direct attacks.Can you please explain this a little more.
Do you mean that your server is then only accessible by domain name (if not by IP address)?
If so, why is it safer to be accessible by domain name, then by IP adress?He means hackers can't attack HTTP or HTTPS on his server directly because he's only allowing CloudFlare to have access. CloudFlare is his proxy - so all the legitimate traffic goes to CloudFlare, Cloudfare cleans it up, then forwards what it needs to onto JB's server.
Of course the hackers can still attack his server on any other ports he doesn't have locked down similarly, not that he said anything about that, I'm just mentioning it in case you were wondering.
-
@Dashrender said in Vultr Firewall added Cloudflare:
on any other ports he doesn't have locked down similarly, not that he said anything about that,
It is a deny all, as visible in the screen shot.
-
@JaredBusch said in Vultr Firewall added Cloudflare:
@Dashrender said in Vultr Firewall added Cloudflare:
on any other ports he doesn't have locked down similarly, not that he said anything about that,
It is a deny all, as visible in the screen shot.
So it does - I didn't look at your picture.
-
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
Do you mean that your server is then only accessible by domain name (if not by IP address)?
Yes, this does mean it is only accessible by the FQDN.
You cannot hit a site by the IP of the proxy, Cloudflare in this case. Because the proxy would have no clue what to do with the traffic.ML is behind Cloudflare. The IP resolves as 104.26.3.183, among others. If you go to that IP, Cloudflare has no clue WTF to send you to and says so.
The site I protected as mentioned in the screenshots above is on Vultr and has IP on the Vultr network, obviously. But a lookup only returns the Cloudflare info.
But even if someone scraped, or the IP was leaked (it is
173.199.114.195
), the Vultr Firewall will let nothing connect to that IP except SSH from 2 specific IP addresses andhttp
/https
only from the Cloudflare network. -
@JaredBusch OK, but why is access by FQDN safer then access by IP adress?
And how can Cloudflare distinguish legitimate user from hacker if they both try to access via FQDN?(We have one server on Vultr and we access it through IP address. We also have one server on other provider)
-
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch OK, but why is access by FQDN safer then access by IP adress?
And how can Cloudflare distinguish legitimate user from hacker if they both try to access via FQDN?(We have one server on Vultr and we access it through IP address. Also one on other provider)
It's not about the FQDN - it's about the fact that from the outside world's point of view, the website lives at CloudFlare... the legit visitors and the hackers only the the IP of CloudFlare, unless there is leakage, as JB mentioned, but even then, the firewall at Vultr prevents the hackers making a connection.
All legit connections to JB's server in Vultr MUST come through CloudFlare, expect the listed IPs that have access to SSH.
-
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch OK, but why is access by FQDN safer then access by IP adress?
No one said it is safer. It was only said that it can only be accessed that way.
-
@JaredBusch said in Vultr Firewall added Cloudflare:
No one said it is safer. It was only said that it can only be accessed that way.
@Dashrender said in Vultr Firewall added Cloudflare:
All legit connections to JB's server in Vultr MUST come through CloudFlare,
But what is the benefit of allowing only through Cloudflare if it is not safer?
Do you need to subscribe to some service at Cloudflare to use that or not? -
Let me use this example.
I have a blog on blog.jaredbusch.com (I don't) and it is run using WordPress on Vultr.
I do the basic and have the traffic going through Cloudflare with the orange cloud.
Any hacker will hit the site in the legal way through Cloudflare. The Cloudflare network has a lot of defense capabilities built in that you can use depending on your subscription level.
But assuming you have none of that, it still protects you by not exposing your public IP if nothing else.
But If I do not restrict access
http
/https
access to the live IP, botnets will quickly discover that IP10.11.12.13
is running a WP instance. Then the WP hacking bots will attach the system directly viahttps://10.11.12.13/wp-login.php?WTFEVERHACKWORKSONVERSION
etc.The Vultr filewall settings as discussed 100% eliminate that possibility.
-
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
But what is the benefit of allowing only through Cloudflare if it is not safer?
Do you need to subscribe to some service at Cloudflare to use that or not?All proxy services can provide protection. It is a matter of what the service provides for what cost and what you want to protect.
This thread is not a discussion of the specific uses of Cloudflare. Feel free to make a thread for that.
-
@JaredBusch Thank you.
I will read a little about Cloudflare and its services... I am not familiar with that. -
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch Thank you.
I will read a little about Cloudflare and its services... I am not familiar with that.Even my personal domain, with like no content or traffic was protected from random drive by attacks. For free.
-
@JaredBusch OK.
Is there any reason not to use at least Cloudflare Free plan and setup Vultr FW to allow only Cloudflare traffic, if we have FQDN for our server?