Allow only connections from our organization


I was sealing a machine to be only accessible from WARP and I feel like something is off.

The machine is sealed from being accessed from the internet except for Cloudflare IPs.
Now, if somebody found our backend IP and used WARP, they would be able to see a login screen.

We could argue that I can obscure the port, however, it doesn’t feel right. Is there anything we can do to prevent this from happening?


Let’s say that I’m under WARP and I craft a request spoofing the Host header. If the user doesn’t make use of CAs and runs on flexible or full (not strict), they would be exposed as well, right? Allowing the attacker to bypass WAF and potentially send a DoS attack.

Maybe I’m thinking too much about it or I’m missing something (which could totally happen), hopefully somebody can clarify it for me :sweat:.

And you think Cloudflare is going to forward that spoofed host header?

Fair enough. However, if the Layer 7 firewall is disabled and no MITM is done on their side, I can’t think of a way for them to block it at all; we would need to try this to confirm :exclamation:.

The RDP and SSH (or other services) issues kind of remain though. The request crafting is something that came after I realized that somebody could get to see a login screen of our RDP/SSH services.

I’m still trying to run this through my mind.

You think that someone will run WARP, but attempt to connect directly to your IP address and your RDP or SSH will let them in…though SSH should already be pretty well-protected with key-only access. I don’t know much about RDP or what it has to prevent unauthenticated access.

I’ve not even tested to see if WARP will tunnel SSH to an IP address (or even to a hostname). Have you?

Just messed a bit with it for the last ~30 minutes. I crafted a basic script that supports both HTTP and HTTPS requests and I can confirm that Cloudflare is blocking those connections from being made, even if the Host header is spoofed.
RDP and SSH are also discarded from being accessed.

Such a relief, I’m so happy that my initial thoughts were wrong.

