Enhancing your website's protection while using Cloudflare

I posted some time ago about the benefits of using Cloudflare.

See my video below if you are not familiar with Cloudflare, which is a cloud CDN/WAF.


Cloudflare provides a proxy between the internet and your website: all traffic is intended to pass through the Cloudflare network, where it is filtered by the rules set up in the Cloudflare WAF (Web Application Firewall), and only then is the traffic passed back to your server's real IP.

If you were to do an nslookup on a website that is behind Cloudflare you would see this:

Non-authoritative answer:
Name: example.com
Addresses: 104.27.138.196, 104.27.139.196


See below for a diagram of how this works.

Cloudflare layout

Non-authoritative answer:
Name: example.com
Addresses: 104.27.139.196, 104.27.138.196 <<<Cloudflare address

Now the real IP will be something else, however...

If you are relying solely on the protection from Cloudflare, this is a mistake! You should stop now and secure your server.

The issue becomes apparent if your real IP is leaked, and there are many ways this can happen. There is also a handy script I came across:

https://github.com/Anon-Exploiter/SiteBroker

This script uses APIs to check header information and also cross-references a database held by Crimeflare of the real IP addresses of servers that are behind the Cloudflare service.

The site looks at nameserver registrations to find the real IP information for the server behind the Cloudflare service.

Even my own site is listed, since I have not always been on Cloudflare;

see the output of my search below.

A direct-connect IP address was found: seanmancini.com 149.56.47.8 CANADA

An attempt to fetch a page from this IP was unsuccessful.

Previous lookups for this domain:

  • 2016-05-27: seanmancini.com 149.56.47.8 CANADA
  • 2016-02-23: seanmancini.com 69.164.192.4 UNITED STATES

With this information, an attacker can now try to establish a connection directly to your server.

To combat this problem I have written a small script for the UFW firewall that whitelists all of the Cloudflare IP space and nothing else.

This means that any web traffic that has not passed through Cloudflare is denied.

See my script below:

https://github.com/bmfmancini/UFW-CLOUDFLARE-WHITELIST

Simply run the script on your Debian-based server, provided you are using UFW, and the script will do the rest.

It can also be changed to support iptables and others.
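As an added example (not the UFW script from the post, nor Cloudflare's own tooling), here is a small Python helper that does the same job in a way you can also use for checking: it reads the Cloudflare IP ranges, prints the UFW commands that allow web traffic only from those ranges and deny it from everything else, and scans an access log for requests whose client IP is outside the Cloudflare space, which is the sign that someone reached your origin directly. Cloudflare publishes its ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the ranges and log lines embedded below are constructed for this example so it runs offline, and the function and variable names are my own.

```python
"""Build UFW rules for Cloudflare-only web access and detect origin bypass.

Example code, not the script from the post. The SAMPLE_RANGES and LOG_SAMPLE
values are constructed for illustration; use fetch_cloudflare_ranges() to
load the real published lists.
"""
import ipaddress
import re
import urllib.request

# Real published lists; fetching them is optional (see fetch_cloudflare_ranges).
CLOUDFLARE_LISTS = ("https://www.cloudflare.com/ips-v4",
                    "https://www.cloudflare.com/ips-v6")

# Constructed sample ranges so the example runs without network access.
# They are NOT Cloudflare's real ranges.
SAMPLE_RANGES = """
# one CIDR per line, comments and blank lines ignored
104.27.136.0/22
198.51.100.0/24
2001:db8:cf::/48
"""

WEB_PORTS = "80,443"


def parse_ranges(text):
    """Turn a list of CIDR lines into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def fetch_cloudflare_ranges(timeout=5):
    """Download the published v4 and v6 lists (needs network access)."""
    chunks = []
    for url in CLOUDFLARE_LISTS:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            chunks.append(resp.read().decode())
    return parse_ranges("\n".join(chunks))


def ufw_commands(nets, ports=WEB_PORTS):
    """Emit UFW commands: one allow per Cloudflare range, then a catch-all deny.

    UFW evaluates rules in order and stops at the first match, so the allow
    rules must be added before the final deny for the web ports.
    """
    cmds = [f"ufw allow proto tcp from {net} to any port {ports}" for net in nets]
    cmds.append(f"ufw deny proto tcp from any to any port {ports}")
    return cmds


def is_cloudflare_ip(ip, nets):
    """True if ip falls inside any of the given networks (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


# Constructed access-log lines in the common log format (first field = client IP).
LOG_SAMPLE = """\
104.27.138.196 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.9 - - [10/Jan/2024:10:00:09 +0000] "GET /about HTTP/1.1" 200 300
"""

_CLIENT_IP = re.compile(r"^(\S+)\s")


def direct_hits(log_text, nets):
    """Return the client IPs in the log that did not come through Cloudflare.

    On a server that only accepts web traffic from Cloudflare, any such line
    means the firewall is not in place or was bypassed.
    """
    hits = []
    for line in log_text.splitlines():
        m = _CLIENT_IP.match(line)
        if m and not is_cloudflare_ip(m.group(1), nets):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RANGES)   # swap for fetch_cloudflare_ranges()
    print("\n".join(ufw_commands(nets)))
    print("direct hits:", direct_hits(LOG_SAMPLE, nets))
```

Run it as-is to see the generated rules and the one sample log line that bypassed Cloudflare; replace `parse_ranges(SAMPLE_RANGES)` with `fetch_cloudflare_ranges()` to generate rules from the live lists, and re-run that periodically because the published ranges change over time.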

If you have questions please let me know!
