SSH bruteforce attempts from behind CF IP's

simon25 · November 30, 2021, 10:21pm

Hello,
I have recently noticed a large number (for us) of failed SSH attempts coming in from Cloudflare IP addresses. Our SSH service requires certificates, so I’m not stressing the approach, except for the frequency of the attempts.

> Dec  1 10:27:35 SSH sshd[21534]: Invalid user user from 172.69.35.246
> Dec  1 10:27:35 SSH sshd[21534]: input_userauth_request: invalid user user [preauth]
> Dec  1 10:27:36 SSH sshd[21534]: Received disconnect from 172.69.35.246 port 10480:11: Normal Shutdown, Thank you for playing [preauth]
> Dec  1 10:27:36 SSH sshd[21534]: Disconnected from 172.69.35.246 port 10480 [preauth]

Our default approach to failed attempts was to ban the IP address which resulted in Cloudflare IP addresses being blocked. This isn’t ideal as we are also a CF customer and expect legitimate traffic.

While we now have work-arounds in place, I’m interested to know if there is any mechanism to report these abuses to Cloudflare?

matteo · November 30, 2021, 10:36pm

I believe the e-mail dedicated to this would be [email protected], by the WHOIS service.

Seems weird to see this, these are TCP? They kind of seem spoofing or some sort Spectrum tunnel. Normally IPs are used only for HTTP/S traffic.

system · December 15, 2021, 10:36pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.