Web Attacks on port 8443 from Cloudflare IP Addresses

What is the name of the domain?

tonymacx86

What is the error message?

kernel: Firewall: TCP_IN Blocked IN=eno1 OUT= MAC=0c:c4:7a:e0:5c:b8:ec:7c:5c:8f:fd:de:08:00 SRC=172.71.144.112 DST=107.155.116.139 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=64699 DF PROTO=TCP SPT=22590 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0

What is the issue you’re encountering?

These denies are filling up /var/log/messages and it’s not a security best practice to not log them.

What steps have you taken to resolve the issue?

None taken, since I can’t block those IP addresses or have the ability to have Cloudflare block without upgrading, which is not economically feasible.

It’s a shame that Cloudflare allows malicious activity. They are almost as bad as Proxy Servers AKA VPN servers.

What are the steps to reproduce the issue?

Visit website

Cloudflare is “just” a proxy so I suspect that the IPs you’re seeing are those of the Cloudflare Proxy and if you looked into the actual requests you’d find that they’re being forwarded for some third party (see Restoring original visitor IPs | Cloudflare Support docs).
To put that in slightly more technical terms, the IPs in your logs are misinforming you as they’re at the wrong layer in the OSI network hierarchy, probably 4 vs 7.

If you’re not using port 8443 then the simple solution is to create a WAF Custom rule to block any unnecessary ports, e.g. the below only allows port 80 & 443 (HTTP & HTTPS)
not (cf.edge.server_port in {80 443})

2 Likes
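The two posts above turn on one distinction: a blocked SYN whose SRC is a Cloudflare edge address was proxied, so the real client is behind the proxy and the `not (cf.edge.server_port in {80 443})` rule stops it at the edge, whereas a SYN that hits the origin IP directly is unaffected by any WAF rule and still has to be handled by the host firewall. The script below is an added example (not code from the thread or from Cloudflare) that triages CSF/iptables "TCP_IN Blocked" lines that way. It assumes the netfilter `KEY=VALUE` log format shown in the original post, hard-codes a snapshot of Cloudflare's published IPv4 ranges (refresh from https://www.cloudflare.com/ips-v4 in practice), and runs on constructed sample lines modelled on the one in the thread.

```python
"""Triage "TCP_IN Blocked" firewall log lines: which blocked SYNs arrived via a
Cloudflare edge address (and so fall under a WAF rule on cf.edge.server_port)
versus direct hits on the origin IP, which no edge rule can influence."""
import ipaddress
import re
from collections import Counter

# ASSUMPTION: a hard-coded snapshot of Cloudflare's published IPv4 ranges.
# In production, fetch the current list from https://www.cloudflare.com/ips-v4
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Ports the origin is meant to serve through Cloudflare; mirrors the WAF
# expression  not (cf.edge.server_port in {80 443})  quoted in the thread.
ALLOWED_EDGE_PORTS = {80, 443}

# Constructed sample log (syslog prefix added; first line mirrors the thread's).
SAMPLE_LOG = """\
Jan 1 00:00:01 host kernel: Firewall: TCP_IN Blocked IN=eno1 OUT= MAC=0c:c4:7a:e0:5c:b8:ec:7c:5c:8f:fd:de:08:00 SRC=172.71.144.112 DST=107.155.116.139 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=64699 DF PROTO=TCP SPT=22590 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 1 00:00:02 host kernel: Firewall: TCP_IN Blocked IN=eno1 OUT= MAC=0c:c4:7a:e0:5c:b8:ec:7c:5c:8f:fd:de:08:00 SRC=203.0.113.7 DST=107.155.116.139 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 1 00:00:03 host kernel: Firewall: TCP_IN Blocked IN=eno1 OUT= MAC=0c:c4:7a:e0:5c:b8:ec:7c:5c:8f:fd:de:08:00 SRC=172.71.144.112 DST=107.155.116.139 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2 DF PROTO=TCP SPT=22591 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 1 00:00:04 host sshd[123]: Accepted publickey for user from 198.51.100.9
"""

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_firewall_line(line):
    """Return the KEY=VALUE fields of a netfilter log line plus its bare flags
    (DF, SYN, ...) under 'flags'. Returns None for lines that are not firewall
    records (no IN= field)."""
    start = line.find("IN=")
    if start < 0:
        return None
    body = line[start:]
    fields = dict(FIELD_RE.findall(body))
    fields["flags"] = [tok for tok in body.split() if "=" not in tok]
    return fields


def is_cloudflare_ip(ip):
    """True when ip lies in one of the (snapshotted) Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(fields):
    """edge_port_blockable: SYN came from a Cloudflare edge on a port outside
       ALLOWED_EDGE_PORTS; the WAF rule rejects these before they reach the origin.
       edge_allowed_port:   Cloudflare edge on 80/443; if these are being blocked,
                            review the origin firewall's allow-list instead.
       direct_to_origin:    not via Cloudflare; an edge rule cannot help, so the
                            host firewall has to keep handling it."""
    port = int(fields["DPT"])
    if not is_cloudflare_ip(fields["SRC"]):
        return "direct_to_origin"
    return "edge_allowed_port" if port in ALLOWED_EDGE_PORTS else "edge_port_blockable"


def summarize(log_text):
    """Count (category, destination port) over every TCP firewall line."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_firewall_line(line)
        if fields and fields.get("PROTO") == "TCP":
            counts[(classify(fields), int(fields["DPT"]))] += 1
    return counts


if __name__ == "__main__":
    for (category, port), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:20s} DPT={port:<5d} {n}")
```

Run against a real /var/log/messages, anything that lands in `direct_to_origin` is the part the edge rule will never clean up: those SYNs reached the origin address without going through Cloudflare, which is also the volume worth watching after the origin IP has been exposed.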

I did configure my server to restore original IP and any connection on open ports, 80 and 443, is seen from the original IP and not Cloudflare.

Port 8443 is closed so any attempt to access on it is seen as coming from Cloudflare since it’s not hitting Apache.

Lately, a helpful one:

I was able to add that rule and I am no longer seeing those web attacks on port 8443.

Thank you for actually answering my question unlike others.

2 Likes

Fritex,

I’ve worked in cyber security since 1997 for multiple vendors providing firewalls, WAFs, web vulnerability scanners, vulnerability modeling, SIEM and behavior analytics. So this is the second time you posted an answer that was not useful or helpful. john.harman is a true MVP unlike you.

Dude… DBAD. @fritex spends a lot of time and effort trying to help people in these forums. If he missed the mark, given your vast experience, you know not everyone knows everything about all topics and sometimes they get on the wrong track.

What do you gain by saying that?

Also, I read through his previous response and he provided a WAF rule that did effectively the same thing.

So not only were you rude, you were wrong.

1 Like

You are wrong, john.harman provided the answer unlike fritex who answered with something that was unrelated to the actual question. He didn’t read the OP and just gave a canned answer that he also did in my previous post on this issue.

I am occasionally wrong, as @fritex and many others can attest. But in this instance your insistence that you are in the right despite clear evidence to the contrary is quite telling. If you had gone back and reread his post you would see that in fact, the answer was both on topic and on point.

Want to double down again? I’ve been doing this cyber thing longer than you and I know mistakes happen. No one bats 1000 when it comes to troubleshooting. But if you insist on being wrong, don’t let me stop you from showing your ■■■.

1 Like