Hello - Our Cloudflare WAF listens on tons of extraneous ports such as:
2052/tcp open clearvisn
2053/tcp open knetd
2082/tcp open infowave
2083/tcp open radsec
2086/tcp open gnunet
2087/tcp open eli
2095/tcp open nbx-ser
2096/tcp open nbx-dir
8080/tcp open http-proxy
8443/tcp open https-alt
8880/tcp open cddbp-alt
It looks like Cloudflare rule 100015 replies with an error 400 when implemented:
If you are an Enterprise customer you can enable Spectrum for your application on only ports 80/443. Otherwise Cloudflare uses shared IP address spaces and the ports are open, but specific WAF rules can be implemented to protect the application. You can and should ensure the origin server is also not listening on those ports if not needed.
Pro plans can use SSH and Minecraft, Business plans add RDP, and enterprise plans can use any TCP/UDP ports.
In reality, there is no security issue here. If you have configured WAF rule 100015 only 80 and 443 are available, and the other standard Cloudflare ports will return an access denied error. (Personally, I’d prefer that only 80 and 443 were open by default, and that users had to opt-in to the other ports.)
Security scanning tools may complain, but I’ve yet to encounter a PCI or other auditing firm that, when presented with proof that a WAF rule is blocking requests to the origin and the origin is not listening on that port, didn’t pass it. It could be that an auditor wouldn’t accept that answer… anything is possible. But these types of checks tend to be to make sure unused ports aren’t exposed in a way that is a security risk (I’d be mad if an auditor docked me for running an app on port 8443 if it was done intentionally and otherwise met the security requirements. I don’t love apps on port 8443, but there’s nothing inherently less secure about them in my mind).
Just my $0.02… that and another $4 might get you a cup of
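An added audit script, not from the thread or from Cloudflare, that turns the advice above into a check: it probes the extra ports from the scan and reports which ones are blocked at the edge (a 400 from rule 100015, as reported in the thread, or a generic 403), which ones are closed, and which still return a real response and so are not covered by the rule. It assumes the hostname is given on the command line, that the even-numbered Cloudflare ports speak plain HTTP and the odd ones TLS, and that 400/403 are the only "blocked" codes.

```python
"""Check that a Cloudflare-fronted hostname only serves on 80/443 and that
the other Cloudflare ports are blocked by a WAF rule (example code, not
Cloudflare's own; host and status-code mapping are assumptions)."""
import http.client
import ssl
import sys

# Ports from the scan in the thread. Which ones use TLS is an assumption
# based on Cloudflare's convention (odd-numbered ports are HTTPS).
HTTP_PORTS = (2052, 2082, 2086, 2095, 8080, 8880)
HTTPS_PORTS = (2053, 2083, 2087, 2096, 8443)

# Assumed "blocked at the edge" codes: 400 (rule 100015 per the thread)
# and 403 (a generic WAF access-denied action).
BLOCKED = {400, 403}


def probe(host, port, tls, timeout=5.0):
    """Return the HTTP status of GET / on host:port, or None if no HTTP answer."""
    try:
        if tls:
            conn = http.client.HTTPSConnection(
                host, port, timeout=timeout, context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host})
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None


def assess(results):
    """Classify a {port: status} map into exposed / blocked / closed.
    A non-80/443 port answering with anything other than a blocked code
    (2xx/3xx, or a 5xx meaning the edge forwarded to the origin) is exposed."""
    verdict = {"exposed": [], "blocked": [], "closed": []}
    for port, status in sorted(results.items()):
        if port in (80, 443):
            continue  # the ports that are supposed to serve the app
        key = "closed" if status is None else "blocked" if status in BLOCKED else "exposed"
        verdict[key].append(port)
    return verdict


def audit(host):
    results = {p: probe(host, p, False) for p in HTTP_PORTS}
    results.update({p: probe(host, p, True) for p in HTTPS_PORTS})
    return assess(results)


if __name__ == "__main__":
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it against your own zone and treat any port in "exposed" as a gap in the WAF rule or an origin that is still listening there.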