Cloudflare Certificate reveals Server IP

Hi,

Someone pointed me out that my server IP is open on the internet. And I told him thats not possible since I have taken all the security measurements, but still its true that with a simple lookup you can see it on: https://censys.io (thats the site used to look up server IP)
Untitled

What to do to solve this… ?

I’m not clear what their lookup query was. If I type in the IP address of my server, it only shows that it belongs to my webhost. If I type in a:example.com (my real domain name) for an IPv4 hosts query, this is what I get:

Admittedly, I’ve gone a step farther and firewalled off all access that does not come through Cloudflare. Your server still looks like it responds to direct queries, and that’s clearly exposing domain data.

3 Likes

Thanks for the reply.
Someone else pointed out to me that indeed my server has been scanned by those scanners and I don’t have firewalled off not-cloudflare IP adresses. I want to do it but I have some trouble with it.
Im using an Windows Server 2016 and as a webserver I’m using IIS.
VPS is hosted at OVH, but I can only make 19 firewall rules there. And I need more to allow the CloudFlare IPs (14 pieces) each for port 80 and 443 so yeah.
Also I tried it in the Windows Firewall with advanced security but I didn’t got any further with that because when I add a rule to block ALL incoming connections except the ones from my IP/PC and the ones on the CF IP, it locks me completely out of RDP. So Idk…

You don’t need both ports 80 and 443, if you force all traffic to HTTPS Cloudflare won’t connect to port 80 if SSL is Full (Strict) or to port 443 if it’s Flexible (not recommended).

I have Full strict and force HTTPS.
So I need 1 rule only then for each IP range.
All for port 80 then? Or which port then? :stuck_out_tongue:

Port 443.

1 Like

Okay, going to try it in a few minutes. Will post here if I have any problems, thanks for the help in advance.

2 Likes

Well everyone thanks for the help.
I have it configured like this now:

Is this right? My site seems to work and so on. I also changed the server IP to a failover IP.
I hope this is safe and right to do so. OVH told me to change to a failover IP.

Does the server support IPv6? In that case you would need to add those as well. Otherwise seems good, don’t speak german, but from what I understand of it seems fine.

The server does support it but I have in CloudFlare assigned a Psuedo IPv4 to a IPv6 so that shouldn’t be a problem I guess? Also I don’t like ipv6 because most of them are NOT static and when I ban a user from the website their IP changes with just a simple refresh, really annoying.

The connection will still come in via IPv4 if you haven’t added AAAA records to the DNS. The pseudo IPv4 IPs will go in the CF-Connecting-IP header like all IP, but will be all IPv4. There is not really a reason to do so if the server accepts IPv6 IPs without complaining…

The ranges are static, the single IPs aren’t, most users will get a /56 or /64 to their router which will assign at will… they should stay static, but can be easily changed. IPv4 dynamic external IPs have the same problem though.

2 Likes

Since IPv6 has such a large number of possible IPs, routers will assign a different v6 IP to each device on its network (ipv4 is NAT’d because the address space is exhausted). Try https://goo.gl/search/my+ip on two different devices on the same network and you’ll see they have different IPs except for the first 4 groups/64 bits with a /64 from your ISP, although a /56 is possible and a /48 is usually given to businesses.

Support for blocking via an entire v6 subnet is sparse because v6 isn’t widely deployed (CF is helping push this), but an example of doing it in python (with something like a django website):

# get the ipv6 64 prefix
# we actually don't know if they have
# a /64, /56, or /48 but most US residential IPs assign a /64.
b = ipaddress.ip_network('2001:0db8:85a3:0000:0000:8a2e:0370:7334')
b.supernet(64)
<<< IPv6Network('2001:db8:85a3::/64')

# we now know that v6 range
# now to ban future visitors on that network
visitor_ip = '2001:0db8:85a3:0000:0000:8a2e:ffff:0001'
ipaddress.ip_address(visitor_ip) in ipaddress.IPv6Network('2001:db8:85a3::/64')
<<< True

Note that getting the above done in another language may not be as easy as it is in Python.

This topic was automatically closed after 30 days. New replies are no longer allowed.