Disable all ports except 80/443

Hello - Our Cloudflare WAF listens on tons of extraneous ports such as:

2052/tcp open  clearvisn
2053/tcp open  knetd
2082/tcp open  infowave
2083/tcp open  radsec
2086/tcp open  gnunet
2087/tcp open  eli
2095/tcp open  nbx-ser
2096/tcp open  nbx-dir
8080/tcp open  http-proxy
8443/tcp open  https-alt
8880/tcp open  cddbp-alt

It looks like Cloudflare rule 100015 replies with an error 400 when implemented:

HTTP request sent, awaiting response... 403 Forbidden
2021-01-22 07:51:06 ERROR 403: Forbidden.

But this is just not acceptable from a security perspective. Is there a way to not have a listening socket on these ports?

Thanks!
-Joe

If you are an Enterprise customer you can enable Spectrum for your application on only ports 80/443. Otherwise Cloudflare uses shared IP address spaces and the ports are open, but specific WAF rules can be implemented to protect the application. You can and should ensure the origin server is also not listening on those ports if not needed.

Thanks for the info @cs-cf! It looks like Spectrum only works for SSH, RDP and Minecraft however, at least in my plan.

Thanks though!

Cheers,
-Joe

Pro plans can use SSH and Minecraft, Business plans add RDP, and Enterprise plans can use any TCP/UDP ports.

In reality, there is no security issue here. If you have configured WAF rule 100015 only 80 and 443 are available, and the other standard Cloudflare ports will return an access denied error. (Personally, I’d prefer that only 80 and 443 were open by default, and that users had to opt-in to the other ports.)

3 Likes

Security scanning tools may complain, but I’ve yet to encounter a PCI or other auditing firm that, when presented with proof that a WAF rule is blocking requests to the origin and the origin is not listening on that port, didn’t pass it. It could be that an auditor wouldn’t accept that answer… anything is possible. But these types of checks tend to be there to make sure unused ports aren’t exposed in a way that is a security risk (I’d be mad if an auditor docked me for running an app on port 8443 if it was done intentionally and otherwise met the security requirements. I don’t love apps on port 8443, but there’s nothing inherently less secure about them in my mind).

Just my $0.02… that and another $4 might get you a cup of :coffee: :smiley:

2 Likes
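The two replies above amount to a procedure: confirm that the non-80/443 edge ports return an access-denied response once the WAF rule is in place, and keep that result as evidence for a scanner or auditor. The script below is an added example (not Cloudflare's code and not from anyone in this thread) that probes the ports listed in the original scan against a zone you operate and records a verdict per port. It assumes the zone hostname is passed on the command line (the `example.com` default is a placeholder), that the edge answers with HTTP 403 when the rule is effective (as the wget output in the first post shows), and that the listed port numbers are the complete set worth checking; `probe_fn` exists so the verdict logic can be exercised offline with constructed results.

```python
"""Audit which Cloudflare-proxied ports answer for a zone and whether the
non-standard ones are blocked.  Added example, not Cloudflare's own code."""
import http.client
import ssl
import sys

# Ports reported open in the thread's scan, grouped by the scheme the
# Cloudflare edge speaks on them, plus the two standard ports.
HTTP_PORTS = (80, 8080, 8880, 2052, 2082, 2086, 2095)
HTTPS_PORTS = (443, 8443, 2053, 2083, 2087, 2096)
ALLOWED = {80, 443}          # the only ports that should serve content
BLOCKED_STATUS = 403         # what the WAF rule returns per the thread


def probe(host, port, tls, timeout=5.0):
    """Send one GET / to host:port and return the HTTP status code, or None
    if the port refused or timed out (i.e. nothing is listening)."""
    try:
        if tls:
            conn = http.client.HTTPSConnection(
                host, port, timeout=timeout,
                context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host})
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None


def classify(port, status):
    """Turn one probe result into an audit verdict.

    allowed port:      "serving" if it answered, else "closed"
    any other port:    "closed" (no listener), "blocked" (WAF 403),
                       or "EXPOSED" (answered with something else)
    """
    if port in ALLOWED:
        return "serving" if status is not None else "closed"
    if status is None:
        return "closed"
    if status == BLOCKED_STATUS:
        return "blocked"
    return "EXPOSED"


def audit(host, probe_fn=probe):
    """Probe every port in the list and return {port: verdict}.
    probe_fn is injectable so the logic can run against constructed data."""
    results = {}
    for port in HTTP_PORTS:
        results[port] = classify(port, probe_fn(host, port, False))
    for port in HTTPS_PORTS:
        results[port] = classify(port, probe_fn(host, port, True))
    return results


def exposed_ports(results):
    """Ports that answered with real content instead of a WAF block."""
    return sorted(p for p, v in results.items() if v == "EXPOSED")


if __name__ == "__main__":
    # Placeholder hostname; pass your own zone as the first argument.
    zone = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    verdicts = audit(zone)
    for port, verdict in sorted(verdicts.items()):
        print(f"{port:5d}  {verdict}")
    bad = exposed_ports(verdicts)
    print("exposed:", bad if bad else "none")
```

Run it with the zone name as the argument; a clean result lists 80 and 443 as `serving` and every other port as `blocked` or `closed`. Any `EXPOSED` line means a request on that port reached the origin without the WAF rule stopping it, which is the case the auditor discussion above is concerned with.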
