I posted some time ago about the benefits of using Cloudflare
See my video below if you are not familiar with Cloudflare which is a cloud CDN/WAF
Cloudflare provides a proxy between the internet and your website all traffic is intended to through the Cloudflare network where it is then filtered via the rules set up in the Cloudflare WAF (Web Application Firewall) then the traffic is based back to your servers real IP.
If you were to do a nslookup on a website that is behind Cloudflare you would see this.
Addresses: 220.127.116.11, 18.104.22.168
see below for a diagram of how this works.
Addresses: 22.214.171.124, 126.96.36.199 <<<Cloudflare address
Now the real IP will be something else, however …..
If you are relying solely on the protection from Cloudflare this is a mistake !!!! and you should stop now and secure your server.
The issue becomes if your real IP is leaked there are many ways this can happen there is also a hand script I can across
This script uses API’s to check header information and then also cross-references a database held by crimeflare of real IP addresses of servers that are behind the Cloudflare service.
The site looks at nameserver registrations to find the real IP information for the server behind the Cloudflare service.
Even if you look at my site it is listed since I have not always been on Cloudflare
see the output of my search below
A direct-connect IP address was found: seanmancini.com 188.8.131.52 CANADA
An attempt to fetch a page from this IP was unsuccessful.
Previous lockups for this domain:
- 2016-05-27: seanmancini.com 184.108.40.206 CANADA
- 2016-02-23: seanmancini.com 220.127.116.11 UNITED STATES
with this information, an attacker can now directly try to establish a connection to your server,
to combat this problem I have written a small script for the UFW firewall that will white-list all of the Cloudflare IP space and nothing else.
This would mean that any traffic that has not passed through Cloudflare is denied for web traffic
see my script below
Simply run the script on your Debian based provided you are using UFW and this script will do the rest
This can also be changed to support IPTABLES and others
If you have questions please let me know!