Vultr Firewall added Cloudflare
-
@JaredBusch said in Vultr Firewall added Cloudflare:
I'm only allowing Cloudflare IP blocks on the HTTP/S ports.
That means nothing can possibly hit my server by IP. It is 100% safe from direct attacks.Can you please explain this a little more.
Do you mean that your server is then only accessible by domain name (if not by IP address)?
If so, why is it safer to be accessible by domain name, then by IP adress? -
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch said in Vultr Firewall added Cloudflare:
I'm only allowing Cloudflare IP blocks on the HTTP/S ports.
That means nothing can possibly hit my server by IP. It is 100% safe from direct attacks.Can you please explain this a little more.
Do you mean that your server is then only accessible by domain name (if not by IP address)?
If so, why is it safer to be accessible by domain name, then by IP adress?He means hackers can't attack HTTP or HTTPS on his server directly because he's only allowing CloudFlare to have access. CloudFlare is his proxy - so all the legitimate traffic goes to CloudFlare, Cloudfare cleans it up, then forwards what it needs to onto JB's server.
Of course the hackers can still attack his server on any other ports he doesn't have locked down similarly, not that he said anything about that, I'm just mentioning it in case you were wondering.
-
@Dashrender said in Vultr Firewall added Cloudflare:
on any other ports he doesn't have locked down similarly, not that he said anything about that,
It is a deny all, as visible in the screen shot.
-
@JaredBusch said in Vultr Firewall added Cloudflare:
@Dashrender said in Vultr Firewall added Cloudflare:
on any other ports he doesn't have locked down similarly, not that he said anything about that,
It is a deny all, as visible in the screen shot.
So it does - I didn't look at your picture.
-
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
Do you mean that your server is then only accessible by domain name (if not by IP address)?
Yes, this does mean it is only accessible by the FQDN.
You cannot hit a site by the IP of the proxy, Cloudflare in this case. Because the proxy would have no clue what to do with the traffic.ML is behind Cloudflare. The IP resolves as 104.26.3.183, among others. If you go to that IP, Cloudflare has no clue WTF to send you to and says so.
The site I protected as mentioned in the screenshots above is on Vultr and has IP on the Vultr network, obviously. But a lookup only returns the Cloudflare info.
But even if someone scraped, or the IP was leaked (it is
173.199.114.195
), the Vultr Firewall will let nothing connect to that IP except SSH from 2 specific IP addresses andhttp
/https
only from the Cloudflare network. -
@JaredBusch OK, but why is access by FQDN safer then access by IP adress?
And how can Cloudflare distinguish legitimate user from hacker if they both try to access via FQDN?(We have one server on Vultr and we access it through IP address. We also have one server on other provider)
-
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch OK, but why is access by FQDN safer then access by IP adress?
And how can Cloudflare distinguish legitimate user from hacker if they both try to access via FQDN?(We have one server on Vultr and we access it through IP address. Also one on other provider)
It's not about the FQDN - it's about the fact that from the outside world's point of view, the website lives at CloudFlare... the legit visitors and the hackers only the the IP of CloudFlare, unless there is leakage, as JB mentioned, but even then, the firewall at Vultr prevents the hackers making a connection.
All legit connections to JB's server in Vultr MUST come through CloudFlare, expect the listed IPs that have access to SSH.
-
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch OK, but why is access by FQDN safer then access by IP adress?
No one said it is safer. It was only said that it can only be accessed that way.
-
@JaredBusch said in Vultr Firewall added Cloudflare:
No one said it is safer. It was only said that it can only be accessed that way.
@Dashrender said in Vultr Firewall added Cloudflare:
All legit connections to JB's server in Vultr MUST come through CloudFlare,
But what is the benefit of allowing only through Cloudflare if it is not safer?
Do you need to subscribe to some service at Cloudflare to use that or not? -
Let me use this example.
I have a blog on blog.jaredbusch.com (I don't) and it is run using WordPress on Vultr.
I do the basic and have the traffic going through Cloudflare with the orange cloud.
Any hacker will hit the site in the legal way through Cloudflare. The Cloudflare network has a lot of defense capabilities built in that you can use depending on your subscription level.
But assuming you have none of that, it still protects you by not exposing your public IP if nothing else.
But If I do not restrict access
http
/https
access to the live IP, botnets will quickly discover that IP10.11.12.13
is running a WP instance. Then the WP hacking bots will attach the system directly viahttps://10.11.12.13/wp-login.php?WTFEVERHACKWORKSONVERSION
etc.The Vultr filewall settings as discussed 100% eliminate that possibility.
-
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
But what is the benefit of allowing only through Cloudflare if it is not safer?
Do you need to subscribe to some service at Cloudflare to use that or not?All proxy services can provide protection. It is a matter of what the service provides for what cost and what you want to protect.
This thread is not a discussion of the specific uses of Cloudflare. Feel free to make a thread for that.
-
@JaredBusch Thank you.
I will read a little about Cloudflare and its services... I am not familiar with that. -
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch Thank you.
I will read a little about Cloudflare and its services... I am not familiar with that.Even my personal domain, with like no content or traffic was protected from random drive by attacks. For free.
-
@JaredBusch OK.
Is there any reason not to use at least Cloudflare Free plan and setup Vultr FW to allow only Cloudflare traffic, if we have FQDN for our server? -
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch OK.
Is there any reason not to use at least Cloudflare Free plan and setup Vultr FW to allow only Cloudflare traffic, if we have FQDN for our server?Pretty much never a reason not to do it.
I always use Cloudflare already to handle DNS.
-
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch OK.
Is there any reason not to use at least Cloudflare Free plan and setup Vultr FW to allow only Cloudflare traffic, if we have FQDN for our server?No reason not to have FQDN for your stuff - it's completely free from CloudFlare.
-
@Dashrender said in Vultr Firewall added Cloudflare:
No reason not to have FQDN for your stuff - it's completely free from CloudFlare.
That's not how anything works.
You must pay for a domain name.
Now you can use all the sub domains you want. But that also gets int other configurations.
You do not just have a FQDN.
-
@Dashrender Really! We use DynDNS paid service for our in-house servers
If you can point me how to get free FQDN from Cloudflare, I would be grateful? -
-
@Mario-Jakovina said in Vultr Firewall added Cloudflare:
@JaredBusch said in Vultr Firewall added Cloudflare:
You must pay for a domain name.
OK, thanks
Yeah - OK, sure, you have to pay for the domain name - but damn.. it's not like that's a fortune or anything...
If you're using a free DynDNS, then the free subs from CF should work as well.