SSH bruteforce attempts from behind CF IP's

I have recently noticed a large number (for us) of failed SSH attempts coming in from Cloudflare IP addresses. Our SSH service requires certificates, so I’m not stressing the approach, except for the frequency of the attempts.

> Dec  1 10:27:35 SSH sshd[21534]: Invalid user user from
> Dec  1 10:27:35 SSH sshd[21534]: input_userauth_request: invalid user user [preauth]
> Dec  1 10:27:36 SSH sshd[21534]: Received disconnect from port 10480:11: Normal Shutdown, Thank you for playing [preauth]
> Dec  1 10:27:36 SSH sshd[21534]: Disconnected from port 10480 [preauth]

Our default approach to failed attempts was to ban the IP address which resulted in Cloudflare IP addresses being blocked. This isn’t ideal as we are also a CF customer and expect legitimate traffic.

While we now have work-arounds in place, I’m interested to know if there is any mechanism to report these abuses to Cloudflare?

I believe the e-mail dedicated to this would be [email protected], by the WHOIS service.

Seems weird to see this, these are TCP? They kind of seem spoofing or some sort Spectrum tunnel. Normally IPs are used only for HTTP/S traffic.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.