Cloudflare avoid this mistake!

  • added 10. 11. 2022
  • In this video I describe how an attacker may be able to bypass Cloudflare's protection by finding the IP address of the origin server (for example from DNS records that predate the move to Cloudflare). There are two fixes:
    1) Request a new IP address from your provider (VPS, internet service provider), so that the leaked address no longer reaches the origin.
    2) Block access to ports 80 and 443 from any source other than Cloudflare's published IP ranges.
    Number 2 must be done to make the fix permanent: a new address on its own only helps until that address leaks as well. If you feel you need assistance resolving this or any other security issue, please contact me:
    info@ljcybersolutions.uk
    Update: I know I went swiftly past the solution for step 2; however, every infrastructure is different, so please reach out to me at the address above and we can discuss the details.
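    A worked version of step 2, added here as an example and not the video author's own script: it reads Cloudflare's published range lists, emits an nftables ruleset that accepts ports 80/443 only from those ranges and drops the rest, and can also tell you whether an address (a DNS answer for your domain, or a client in your web server's access log) belongs to Cloudflare. Python is used because the CIDR checks are simpler there than in shell. Assumptions: a Linux origin running nftables, web ports 80 and 443, and the plain-text lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the table and set names are mine.

```python
#!/usr/bin/env python3
"""Lock an origin's web ports to Cloudflare's IP ranges (added example).

Assumes: Linux + nftables on the origin, web ports 80/443, and Cloudflare's
current ranges published as one CIDR per line at the two URLs below.
Table/set names (cf_origin, cf_v4, cf_v6) are arbitrary choices of this example.
"""
import ipaddress
import sys
import urllib.request

CF_V4_URL = "https://www.cloudflare.com/ips-v4"
CF_V6_URL = "https://www.cloudflare.com/ips-v6"
WEB_PORTS = (80, 443)


def parse_cidrs(text):
    """Turn one-CIDR-per-line text into ip_network objects, ignoring blanks/comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_cloudflare_ip(addr, nets):
    """True if addr (string) lies inside any of nets.

    Two uses: confirm that `dig +short yourdomain` answers with a Cloudflare
    address (i.e. the record is proxied, not leaking the origin), and audit
    access logs for clients that reached the origin directly.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


def nft_ruleset(nets, ports=WEB_PORTS):
    """Build an nftables ruleset: web ports accepted from Cloudflare, dropped otherwise.

    Only the listed TCP ports are affected; the chain keeps policy accept so
    SSH and other management traffic is untouched and you cannot lock yourself
    out by loading this. A set is only emitted for an address family that has
    at least one range, because an empty `elements = { }` is not valid nft.
    """
    v4 = sorted(str(n) for n in nets if n.version == 4)
    v6 = sorted(str(n) for n in nets if n.version == 6)
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    out = ["table inet cf_origin {"]
    rules = []
    if v4:
        out.append("  set cf_v4 { type ipv4_addr; flags interval; elements = { "
                   + ", ".join(v4) + " } }")
        rules.append(f"    ip saddr @cf_v4 tcp dport {port_set} accept")
    if v6:
        out.append("  set cf_v6 { type ipv6_addr; flags interval; elements = { "
                   + ", ".join(v6) + " } }")
        rules.append(f"    ip6 saddr @cf_v6 tcp dport {port_set} accept")
    out.append("  chain input {")
    out.append("    type filter hook input priority 0; policy accept;")
    out.extend(rules)
    out.append(f"    tcp dport {port_set} drop")
    out.append("  }")
    out.append("}")
    return "\n".join(out) + "\n"


def fetch_cloudflare_ranges():
    """Download both published lists and parse them (needs network access)."""
    text = ""
    for url in (CF_V4_URL, CF_V6_URL):
        with urllib.request.urlopen(url, timeout=10) as resp:
            text += resp.read().decode() + "\n"
    return parse_cidrs(text)


if __name__ == "__main__":
    nets = fetch_cloudflare_ranges()
    if len(sys.argv) > 1:
        # e.g. ./cf_origin_lock.py 203.0.113.5 $(dig +short example.com)
        for addr in sys.argv[1:]:
            verdict = "cloudflare" if is_cloudflare_ip(addr, nets) else "NOT cloudflare"
            print(f"{addr}: {verdict}")
    else:
        sys.stdout.write(nft_ruleset(nets))
```

    Usage: `python3 cf_origin_lock.py > cf_origin.nft`, review it, then `nft -f cf_origin.nft` and confirm with `nft list table inet cf_origin`. When reloading after Cloudflare announces a range change, delete the old table first (`nft delete table inet cf_origin`) so stale elements do not linger, and make sure you still have a management path that does not depend on ports 80/443 before you apply it. Because Cloudflare's ranges do change, run this from a scheduled job rather than once.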

Comments • 49

  • @fvgoya
    @fvgoya 1 year ago +3

    I never saw content about THIS here on YouTube. Thank you very much!!!! Subscribed.

  • @vitor000000
    @vitor000000 2 months ago

    Just subscribed and noticed your channel is still a small channel. Can't wait for the new content! Amazing quality.

  • @cneilmon
    @cneilmon 1 year ago +1

    Good stuff! Made me subscribe to your channel, looking forward to more awesome content.

  • @-ColorMehJewish-
    @-ColorMehJewish- 1 year ago +1

    Thx, I find this very helpful. It's something I will be taking some notes on so that I can try it in my own home lab with a Debian VM I will spin up.
    I'm still a bit new to using this type of external connection, but I'm trying to practice a bit before I go using it personally.

  • @jawadhfarooqui
    @jawadhfarooqui 1 year ago +1

    Thanks for sharing this. As for the solution, I thought setting up the "Authenticated Origin Pulls" in Cloudflare ensured requests to the origin server only come from the Cloudflare network and would be a cleaner solution instead of whitelisting IPs.

  • @GooseDave
    @GooseDave 1 year ago +1

    Thanks Laurence. I have been meaning to investigate this.

  • @meron6913
    @meron6913 10 months ago +1

    This is interesting. Thank you for sharing.

  • @nikolqy
    @nikolqy 1 year ago +1

    Awesome. I thought I might be the only one who knew of SecurityTrails.

  • @msmith508
    @msmith508 1 year ago +2

    One of the least confusing videos :)

  • @freeonlineserver
    @freeonlineserver 9 months ago +1

    Great info

  • @rolosaenz
    @rolosaenz 1 year ago +1

    Thanks Bro !!

  • @mendelsphotography
    @mendelsphotography 1 year ago +4

    Thanks for making this. I always wondered about this. But was never sure how to go about blocking it or doing anything.

  • @abinalexpothen7072
    @abinalexpothen7072 1 year ago +5

    Fantastic content - you have earned another subscriber! Thank you Laurence.
    I use Google Cloud for hosting. I have followed your approach and specified the Cloudflare IP addresses to be allowed through the Google Cloud network firewall. Hopefully this is better than updating the firewall rules within the Ubuntu instance in my case.
    Do the Cloudflare address ranges change over time?

    • @iiamloz
      @iiamloz  1 year ago +1

      They can; however, Cloudflare normally announces it, and you would have to make the modifications, like deleting outdated rules.
      If you use GCP or other cloud providers, you can use their firewall as an allow list. It would be more performant for your box, as it wouldn't need to handle the reject/drop.

    • @abinalexpothen7072
      @abinalexpothen7072 1 year ago

      @@iiamloz thank you for your reply!

  • @benjaminjameswaller
    @benjaminjameswaller 6 months ago

    Hi, thanks for this video. Is there any way to make these port restrictions on the Cloudflare side, or only on the host?

  • @R1D9M8B4
    @R1D9M8B4 1 year ago +1

    Thank you for sharing. Lol subscribing..

  • @haywardgg
    @haywardgg 1 year ago

    If the attacker knows the origin IP then you're asking for trouble; you can block all the ports you like, but if they're a hacker worth their salt they'll find a way around your port restrictions. The way I do it for all my clients is to set up the domain on Cloudflare before pointing it to my origin server (before installing the origin server / VPS). If you're moving an existing domain with old DNS records then keep in mind that most VPS hosting companies have the option to back up a server instance, then restore that image to another instance (with a new IP, obviously), which is also an option (takes me less than 10-15 minutes to do it this way).

  • @Dipsomaniac
    @Dipsomaniac 1 year ago +1

    Would it be possible to spoof Cloudflare's IP address to get to the server directly?

  • @yacahumax1431
    @yacahumax1431 7 months ago

    Why don't you use Authenticated Origin Pulls?

  • @maherkhalil007
    @maherkhalil007 9 months ago

    But that will block email traffic, since Cloudflare needs to expose IPs, right?

  • @propeto13
    @propeto13 1 year ago +4

    Good stuff. Server-side firewall (pfSense): create an alias 'cloudflare_IP_List_V4', then make a firewall rule to allow alias 'cloudflare_IP_List_V4' and block all others.

    • @Darkk6969
      @Darkk6969 1 year ago

      Yep, I do the same thing with my pfSense. Aliases make it a lot easier to manage the IPs and hosts.

  • @-ColorMehJewish-
    @-ColorMehJewish- 1 year ago +1

    Is anyone here familiar with whether Windows Server (more recent iterations) would expose the private IP in this way? (And if so, how to mask it?)

  • @opensourcedev22
    @opensourcedev22 1 year ago +1

    Hmm, this seems to assume the DNS before Cloudflare leaked the IP. But by then, even if you move to Cloudflare, the past IP may be leaked. You have to literally move to a new address.

    • @iiamloz
      @iiamloz  1 year ago

      Yes, that was a presumption. In most cases, people move to Cloudflare. If you start with Cloudflare and proxy enabled by default, this is not affected.

  • @CommittotheIndian
    @CommittotheIndian 1 year ago +6

    Correct me if I'm wrong, I'm still learning.
    But would using Cloudflare's tunneling (not opening any ports on my network) prevent this?
    When I follow your steps, I'm only seeing Cloudflare IP addresses.

    • @iiamloz
      @iiamloz  1 year ago +4

      Yes, that would work. However, depending on your business, you may not be able to run it.
      Also, I don't know when, but it didn't use to be a free feature, so many businesses have it set up like this.

    • @50_Pence
      @50_Pence 1 year ago +1

      @@iiamloz Yeah, it's free with limitations. You can't do UDP etc., hence doing things your way will be best for things such as UDP. Great vid!

  • @Gordack
    @Gordack 1 year ago

    Thx man. Nice!

  • @Richard-kl8wr
    @Richard-kl8wr 11 months ago +1

    I do basically the same, but on the VPS provider's firewall. Only added Cloudflare IPs to access 80, 443.

    • @iiamloz
      @iiamloz  11 months ago

      Awesome! My provider does offer that, but I don't use it at that level.

    • @Richard-kl8wr
      @Richard-kl8wr 11 months ago

      @@iiamloz Is it necessary in a Cloudflare tunnel configuration?

    • @iiamloz
      @iiamloz  11 months ago

      Nope, as there are no open ports unless you misconfigure it.

  • @enricoroselino7557
    @enricoroselino7557 1 year ago

    Ummm, I have a question: then what will happen with FTP, since it requires the real IP address (but with port 21, though)?

    • @iiamloz
      @iiamloz  1 year ago +1

      You wouldn't proxy through Cloudflare any ports that are not 80 or 443. Unless you use cloudflared; then you would just use access controls to only allow certain IPs.

  • @champfamily7508
    @champfamily7508 1 year ago

    Hi sir, I need your help. I have a dynamic website hosted on AWS EC2, added to Cloudflare recently (CloudFront + Cloudflare DNS proxy). But I am facing some issues: some IPv6 requests (not all ISP IPv6 requests) are not allowing images to load. No problem with the IPv4 requests. Please give me a suggestion.

  • @ws_stelzi79
    @ws_stelzi79 1 year ago

    Hey, your audio sounds like -12 dB and 720p video upscaled to 4K!

  • @adamschimmel4070
    @adamschimmel4070 1 year ago +1

    Or just use your own reverse proxy.

    • @iiamloz
      @iiamloz  1 year ago +1

      Of course you can! But most people don't want to handle DDoS or learn how to handle traffic via the terminal.