Close open ports to satisfy security scans

As part of our security procedures, we regularly run security scans against our domains. We received a notification of an open port 2095 opening on the IP address assigned to one of our zones. Our security procedures require that we close all unused ports.

Please advise how we can request that only specific ports (e.g. 80, 443) be opened for a specific domain/zone when using the Cloudflare proxy.

This has come up a time or two, but here’s the best solution:

Port 2095 is supported and open via Cloudflare proxy, including the other ports listed on the article below:
https://support.cloudflare.com/hc/en-us/articles/200169156-Identifying-network-ports-compatible-with-Cloudflare-s-proxy

Therefore, if that port is not being used and is being closed at host origin/server, then I would not worry so much.

Furthermore, you can either use an easier solution via WAF Rule as @sdayman provided, or you could try to setup a Firewall rule to block request to all supported and compatible ports with Cloudflare proxy (:orange: cloud), except the 80 and 443 as you stated.

Which would result as only the port 80 and 443 would stay open for your domains when someone run scan against them, which is exactly as you want.

If I may add as an example from mine post before, I wanted to have port 80 and 443, but also only the 2083, while keeping others “closed” or rather to say “blocked” even for the hostnames being proxied via Cloudflare (:orange: cloud).

Just make sure to manually write the firewall expression in the field.

From the statement above, it should look like this in your Firewall rule (you can remove hostname and leave only the second part:

  • (http.host contains "example.com" and not cf.edge.server_port in {80 443})

  • or go with (not cf.edge.server_port in {80 443}) with action “Block”

Source:

Hope it helps a bit.

1 Like

Thank you for the feedback. Yes, I also saw that firewall rule and have implemented it. Thanks for the detail.

However, that does not CLOSE the port, it only BLOCKS the port. A port scan on any of the listed ports still shows them as OPEN, which throws a flag on our security scanners.

I’m hoping Cloudflare support can come in and give me a definitive “no”, or “Yes, but only on enterprise” response.

That response I linked to is from Cloudflare.

2 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.