All Hetzner Servers Banned from Cloudflare, Why?

I have 2 hetzner servers.

These servers cannot access the sites with Cloudflare protection turned on.

Why am I encountering error code 1020?

It seems that there is no such problem with providers other than Hetzner. Is there a way I can remove the ban?

You violated a firewall rule, that’s why you got the error
For more info visit the link below

1 Like

Are you saying you’re using Hetzner servers to access sites protected by Cloudflare? Personally, I block all of Hetzner due to the ridiculous amount of malicious traffic coming from there to probe my websites. I end up doing the same to most high-profile hosts for the same reason.


Yep hetzner is terrible, it’s top 5 on my site, I hcaptcha the entire asn so everything unless the bot is a cf known bot.

1 Like

Same here. I exclude Verified Bots, and have a whitelist of other services within their ASN that I allow, but in general if I see lots of abuse like behaviour from a particular hosting provider ASN its the ban hammer.

Contact the website owner directly, explain your use case, and they might create a way to allow your service.


From the topic title, I really cannot confirm that one at least for now.
I also use Hetzner, even dedicated and cloud.
70+ Websites hosted.
All behind Cloudflare.

May I ask, are you using Hetzner as a VPN (Outline?), or at least trying to scrape/crawl the Web with them, as far as it sounds like that to me? (I doubt you’ve setup the Windows Server on the cloud one to access Website over Google Chrome as well …) :thinking:

Because owners have security measurements due to either webcrawl, webmeup and similar ones hosted at Hetzner which do daily crawl - which either I block.

I even reported them at Hetzner Abuse form, but nothing changed. The saga continues.

In terms of protection, I only allow my servers IP addresses from Hetzner ASN, while I keep blocking other IPs from their ASN that way.

Funny. Wanna bet? :smiley:
I can provide you a couple of domains to try out with any other provider, even with Hetzner too. The result would be the same :slight_smile:

I am afraid no.
Only if you figure out how to contact the Website / domain owner with a good argument/reason why so.

1 Like

OVH and Hetzner both are terrible in this aspect. Extremely spammy in general. Digital ocean isn’t too good either but at least they reply fast to abuse reports.


I set up fail2ban to auto report, on a separate server up and behind a relay throw away IP. I was curious to see what happened. China wasn’t impressed :laughing: but won’t go into what happened there.

But the digital ocean was the top with Microsoft, hetnzer, sas, m247, ovh, scala, Linode don’t care as others said, generic it is not us we forward your report on.

Aws and Google did remove some, and I got genuine replies, not generic ones like the others. I mean these IP addresses had thousands of reports most of them shrug.


No I don’t need to install windows on my server I can see the blocking text by making a request with curl.

I tried with Amazon and DigitalOcean, but it doesn’t seem to be banned on servers where hetzner is banned.

How about you ger your app on the verified cloudflare bot list and call it a day.

I mean you think curl works on those none hetnzer servers, sure but lots will block you still we don’t enjoy unwanted automated traffic thanks.

No idea what that means.

Cloudflare provide tools to website operators. They don’t automatically block anything outside of DDOS. I have explicit rules in place to block certain hosting providers, there is not even a button that I could click that says “block hosting providers". You would need to contact the relevant websites directly if your requests are being blocked.


I also have a site whose api can be used for malicious purposes, but instead of banning it directly with asn, I prefer to complicate the bot’s work.

The data I want to retrieve with curl is definitely not malicious, but I think I’d better talk to the owner.

The website owner can also block requests based on an user-agent by the string part which contains a curl.

Unfortunately it seems to be a globally asn ban.
I’m trying to reach the site owner.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.