I run a small website for our scout troop - hosted on GCP, with Cloudflare in front. I want to ensure things are as secure as possible so that I don’t have to spend much time on it, and check for odd requests every so often.
I am seeing the occasional request for a strange page in my Stackdriver logs - and it comes from a Cloudflare IP:
22.214.171.124 - - [15/Jan/2019:15:01:30 +0000] “GET /h/5735962.html HTTP/1.1” 404 507 “-” “Mozilla/5.0 (X11; CrOS x86_64 11316.66.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.49 Safari/537.36”
This /h/5735962.html doesn’t exist.
Does anyone know if this is WAI [part of Cloudflare operations] or should I be suspicious of someone doing a random “are you there” for nefarious purposes?!
That IP address is a Cloudflare one. The main question in this context is, do you rewrite IP addresses to the real client ones? But I doubt these requests originate from Cloudflare, someone is probably scanning your server.
Try following the instructions here to see the real IP address: https://support.cloudflare.com/hc/en-us/articles/201897700-Step-4-Recommended-First-Steps-for-all-Cloudflare-users#h_533849564801543957037974
It’s normal to see a lot of automated requests to nonexistent pages. There are many bots out there that are constantly scanning every website for signs of vulnerabilities. In this case, it’s also possible that the file in question used to exist but has since been deleted. In general, you don’t need to worry about these entries in your logs; as long as your site is up-to-date and secure, they’re harmless.
Thanks @sandro and @Zenexer for those helpful responses. I’m pretty well protected behind a number of captchas for classic attack pages (WordPress install on GCP) and 2FA etc. I’ll look into installing mod_Cloudflare when I have a bit of time.
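An added example, not code from anyone in this thread: a small triage script for combined-format access logs that counts how many entries still show a Cloudflare edge address (meaning real client IPs are not being restored) and tallies 404 probes per source and path. The range list is a partial snapshot of Cloudflare's published IPv4 ranges, and the sample log lines and the `triage` and `is_cloudflare` names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Partial snapshot of Cloudflare's published IPv4 ranges (assumption: may be
# out of date; refresh from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13", "198.41.128.0/17",
)]

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_cloudflare(ip):
    """True if ip parses and falls inside one of the listed Cloudflare ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)

def triage(lines):
    """Count edge-sourced entries, 404s per (ip, path), and unparseable lines."""
    edge_hits, unparsed, probes = 0, 0, Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        if is_cloudflare(m["ip"]):
            edge_hits += 1  # origin logged the proxy, not the visitor
        if m["status"] == "404":
            probes[(m["ip"], m["path"])] += 1
    return {"edge_hits": edge_hits, "probes": probes, "unparsed": unparsed}

# Constructed sample lines (addresses are illustrative, not from the thread).
SAMPLE = [
    '162.158.10.20 - - [15/Jan/2019:15:01:30 +0000] "GET /h/5735962.html HTTP/1.1" 404 507 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jan/2019:15:02:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '162.158.10.20 - - [15/Jan/2019:15:03:00 +0000] "GET /h/5735962.html HTTP/1.1" 404 507 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-zero `edge_hits` means the 404 tallies are keyed on Cloudflare's address rather than the visitor's, so per-source counts only become meaningful once the origin restores the client IP.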