Cloudflare IPs on Port 22?

Would Cloudflare have any reason to be accessing my server on port 22? That’s the port I use for SSH and when I look at it there are several IPs from Cloudflare trying to access that port. I’m trying to figure out what might be happening here as they all seem to be Cloudflare IPs.

[email protected]:~# netstat -tn 2>/dev/null | grep :22 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
      5 172.70.175.154
      1 172.71.94.49
      1 172.71.150.59
      1 172.71.142.151
      1 172.70.214.27
      1 162.158.78.85
      1 162.158.62.227
      1 141.101.77.62
      1 141.101.77.30

Do you use Cloudflare Spectrum for SSH?

No. That’s the thing, just the standard Cloudflare WAF stuff.

Interesting. Could you send the full output of netstat -tn 2> /dev/null | grep ':22'? Just to be sure it’s Cloudflare making the connections to your server and not the other way around.

It’s possible to create a health monitor to a specific port in Cloudflare. If you don’t proxy SSH traffic / monitor availability from Cloudflare you can safely block the Cloudflare IPs for that port/application.
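One way to run the direction check asked for above, as an added example that is not part of the original thread: it separates inbound connections to local port 22 from outbound ones and from rows that `grep ':22'` matches only because a port number starts with 22, then tests each peer against Cloudflare's published IPv4 ranges. The range list is a snapshot assumed to be current (refresh it from https://www.cloudflare.com/ips-v4), and the netstat rows and function names are constructed for illustration.

```python
import ipaddress

# Assumption: snapshot of Cloudflare's published IPv4 ranges; refresh from
# https://www.cloudflare.com/ips-v4 before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample of `netstat -tn` rows (192.0.2.10 stands in for the server).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           172.70.175.154:41822    ESTABLISHED
tcp        0      0 192.0.2.10:22           162.158.78.85:50110     SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.7:60022       ESTABLISHED
tcp        0      0 192.0.2.10:51234        198.51.100.9:22         ESTABLISHED
tcp        0      0 192.0.2.10:443          141.101.77.62:22044     TIME_WAIT
"""

def split_hostport(addr):
    host, _, port = addr.rpartition(":")   # rpartition also copes with tcp6 rows
    return host, int(port)

def classify(netstat_text, ssh_port=22):
    """Return (direction, peer_ip, is_cloudflare, state) for each TCP row."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue                       # header or non-TCP line
        (_, lport), (rhost, rport) = split_hostport(f[3]), split_hostport(f[4])
        if lport == ssh_port:
            direction = "inbound"          # peer connected to our sshd
        elif rport == ssh_port:
            direction = "outbound"         # we connected to a remote sshd
        else:
            direction = "unrelated"        # matched grep only as a ":22..." prefix
        ip = ipaddress.ip_address(rhost)
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped            # ::ffff:a.b.c.d on dual-stack sockets
        is_cf = ip.version == 4 and any(ip in n for n in CLOUDFLARE_V4)
        rows.append((direction, str(ip), is_cf, f[5]))
    return rows

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

Only rows classified as inbound are connections to the SSH daemon; the other two classes would still have been counted by the `grep :22` pipeline in the first post.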

I don’t.

That’s what I was wondering though, if it was safe to block them, seems like it is, I will try and see what happens lol

This is probably somebody using WARP to attempt to brute-force your SSH; alternatively, it could be Cloudflare’s honeypot trying to find compromised devices and giving them a higher threat score.

It was hitting me pretty hard over about 30+ IPs. I think it was some type of attack on the SSH port. I started blocking them and everything seems fine now.

I think the latter is more likely. Those IP addresses are not used for WARP egress.
