Hide FTP / SFTP IP


#1

As I understand it, Cloudflare can only protect against DDoS attacks if the attacker is sending the traffic to the domain, not to the IP directly. So if the attacker discovers the IP, the Cloudflare orange cloud is useless.

We use the orange cloud for all our web traffic. That is good. But we also have FTP services running on the same server. But according to your own advice, we should use the grey cloud for FTP services: https://support.cloudflare.com/hc/en-us/articles/200169626-What-subdomains-are-appropriate-for-orange-gray-clouds-

This gives an attacker an opportunity to easily find the IP by looking up the FTP IP address.

I guess almost every web server needs FTP access, and I also assume it is the same IP address as the web server in >99% of the cases.

How can we effectively hide the FTP IP address?


#2

Was there not a blog post or other announcement that the proxying of other services is being worked on? Pretty sure I saw a beta signup somewhere around here. I’m sure staff will chime in, but this will almost certainly only be available on the upper paid tiers, I’d imagine due to the added complexity on the Cloudflare side. Have a search.


#3

If you’re the only one FTPing in, you can leave off the FTP DNS record completely and set up a local hosts file edit on your PC to bypass ISP DNS. So only you know of and can access via the FTP hostname.

And/or just FTP in via the real IP address and do not set up an FTP DNS record at all.


#4

@eva2000 Thanks for your suggestion!

We are several developers working from different remote locations on the same website. That’s a reason why a local solution is not practical.

Also, the hosting provider changes the IP every so often. Giving the developers the updated IP each time would be a solution, but it’s not nice.

Currently we use an FTP subdomain with a CNAME record. That works perfectly with the regular IP changes. Also, we use a different name than ‘ftp’. So it is kind of security through obscurity. But you know, security through obscurity is not the right way to try to make something safe.

Right now the decision is convenience vs. security. And with our current setup I’m still opting for convenience. But I’d really appreciate it if Cloudflare would find a way, like for the web services, to combine convenience and security for FTP / SFTP.


#5

One option, also obscurity, is to put that IP address on some other domain. So your users will FTP to secret.someotherdomain.com

But I see the dilemma. I connect directly to the IP address.

Personally, I have a firewall set up to only allow HTTP/S access from Cloudflare IPs, and only allow SSH access from my home IP address.
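The firewall policy described in this post (HTTP/S accepted only from Cloudflare’s proxy ranges, SSH accepted only from trusted admin addresses, everything else dropped) can be generated and sanity-checked before it is applied. The following is an added example, not code posted by anyone in this thread. It assumes an iptables host; the Cloudflare ranges embedded in it are a short sample excerpt, so the live list at https://www.cloudflare.com/ips-v4 (and ips-v6) should be used instead, and the admin address 203.0.113.10 is a documentation-range placeholder.

```python
"""Generate an origin allowlist for a Cloudflare-fronted host and
evaluate the same policy in Python so it can be tested before deployment.

Added example for this thread; not from the original posts. The Cloudflare
ranges below are a constructed sample: refresh them from
https://www.cloudflare.com/ips-v4 before using the output.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample excerpt of Cloudflare's published IPv4 proxy ranges.
SAMPLE_CLOUDFLARE_V4 = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "172.64.0.0/13",
]

# Placeholder admin source (TEST-NET-3 documentation range), not a real host.
SAMPLE_ADMIN_IPS = ["203.0.113.10"]

WEB_PORTS = (80, 443)
ADMIN_PORT = 22  # SSH and SFTP share this port; SFTP needs no extra rule


def build_rules(cf_ranges: Iterable[str], admin_ips: Iterable[str]) -> List[str]:
    """Return iptables commands implementing the allowlist policy.

    Default policy is DROP, so anything not matched below (including
    web requests that bypass Cloudflare and hit the origin IP directly)
    is discarded.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in cf_ranges:
        # strict=True rejects a range whose host bits are set, e.g. a typo
        cidr = ipaddress.ip_network(net, strict=True)
        for port in WEB_PORTS:
            rules.append(
                f"iptables -A INPUT -p tcp -s {cidr} --dport {port} -j ACCEPT"
            )
    for admin in admin_ips:
        host = ipaddress.ip_address(admin)  # validates the address
        rules.append(
            f"iptables -A INPUT -p tcp -s {host}/32 --dport {ADMIN_PORT} -j ACCEPT"
        )
    return rules


def is_allowed(src_ip: str, dport: int,
               cf_ranges: Iterable[str], admin_ips: Iterable[str]) -> bool:
    """Decide whether a new TCP connection would be accepted by the policy."""
    src = ipaddress.ip_address(src_ip)
    if dport in WEB_PORTS:
        # Only Cloudflare's edge may reach the web ports.
        return any(src in ipaddress.ip_network(n) for n in cf_ranges)
    if dport == ADMIN_PORT:
        # Only the listed admin addresses may reach SSH/SFTP.
        return any(src == ipaddress.ip_address(a) for a in admin_ips)
    # Every other port is covered by the DROP default.
    return False


if __name__ == "__main__":
    for line in build_rules(SAMPLE_CLOUDFLARE_V4, SAMPLE_ADMIN_IPS):
        print(line)
```

Because SFTP runs over SSH, the admin rule covers it; plain FTP, by contrast, opens extra data-channel ports and is not covered by this port-based policy, which is one more reason the thread’s preference for SFTP is sound. `is_allowed` lets you check that a web request from a non-Cloudflare source, or an SSH attempt from anywhere but the listed admin addresses, is rejected without touching the live firewall.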


#6

Woah, never heard of a web host who changes the IP for a site frequently! Why do they do that? Wouldn’t it be easier to switch to a web host who doesn’t do that?


#7

So far, it happened once or twice a year. Reasons that I know of were:

  • Switch to a machine with better performance.

  • Datacenter got DDoSed. Seamless move of the website to another datacenter.

  • Other, unknown reasons.

This is a managed WordPress provider, and especially the seamless move from one datacenter to another when they got DDoSed was fascinating. Just 15 minutes of downtime for the website. Almost two weeks of downtime for the DDoSed datacenter (Linode, Christmas 2015). Our web host takes its job very seriously and I wouldn’t switch just because the IP may change from time to time. They do a really good job.