5

I've heard in a conversation and read in some forum posts that Cloudflare will proxy your IP, hiding it from the public, and this mitigates the risk of an attacker finding your server in the first place, making it more secure.

Is there any truth to that? It seems like a trivial "security through obscurity" trick, which, while I'm all for them, I don't want to believe is actually increasing my server's security if it's the equivalent of rot13() as encryption.

Here's what I found on Cloudflare's site and they even mention your IP can still be found while using this service.

So does it actually provide any additional security?

Are there other reasons this is worth doing? Or is it more of a marketing talking point than a practical benefit?

TCooper
  • 336
  • 1
  • 8

2 Answers

6

Yes. The idea is that you block all HTTP and HTTPS connections to your server, except those originating from Cloudflare's network. Therefore, your server cannot be attacked directly - all HTTP and HTTPS requests must go through Cloudflare's web application firewall (WAF) first, before reaching your server; and Cloudflare's WAF will block any suspicious requests. So, it's not 'security through obscurity'.

mti2935
  • 19,868
  • 2
  • 45
  • 64
  • ah, so basically i.e. using ip tables: block all, allow [Cloudflare range] and you're done. Makes sense. Could you shed some light on common attacks over HTTP/HTTPS? I'm a bit of a noob in this space. I know how to brute force a plain text ssh login and how to prevent that... otherwise I'm pretty useless in this space. – TCooper Feb 06 '20 at 01:08
  • Also if you have any notes/links on how Cloudflare's WAF determines and blocks suspicious requests I'd appreciate it. Can the same improved security be achieved with AWS's Cloudfront CDN? Or no because it isn't a reverse proxy? – TCooper Feb 06 '20 at 01:15
  • TCooper, Common types of attacks on web application are cross-site scripting (XSS) attacks, SQL injection attacks, etc. Here is some information on how Cloudflare's WAF blocks these types of attacks: https://support.cloudflare.com/hc/en-us/articles/200172016-Understanding-the-Cloudflare-Web-Application-Firewall-WAF- – mti2935 Feb 06 '20 at 02:29
  • Here's another good reference - the 'OWASP Top 10' most critical web site security vulnerabilities (https://www.cloudflare.com/learning/security/threats/owasp-top-10/). But, while Cloudflare may be able to defend your site against some (or even many) of these types of attacks, there is no substitute for sound coding and system administration practices, to ensure that your site is not vulnerable to these types of attacks in the first place. A WAF (such as Cloudflare) should be thought of only as a second line of defense, after doing the above. – mti2935 Feb 06 '20 at 15:44
  • Thanks for the links. I guess I never thought about SQL injection being a HTTP request... or even XSS as obvious as that should've been(I do set my *http headers* to help prevent them smh). – TCooper Feb 06 '20 at 19:46
  • Right. To protect against SQL injection, you should use prepared statements. To protect against XSS, you need to sanitize all input. Also for XSS protection, you should use .textContent whenever possible, and use a strict content security policy (CSP). Finally, after you've done all of the above, use a WAF as a last line of defense. – mti2935 Feb 06 '20 at 20:48
  • Or argo tunnel, very secure. – Kind Contributor Feb 07 '20 at 14:34
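The "block all, allow [Cloudflare range]" step in the answer and comments above is what turns the proxy from obscurity into enforcement: once the origin refuses HTTP/HTTPS from anything but the proxy's published ranges, learning the origin IP no longer lets an attacker bypass the WAF. The following is an added example, not code from the answer or from Cloudflare; it models that firewall decision and renders the equivalent nftables ruleset. The CIDR ranges are constructed placeholders (documentation prefixes); the assumption is that an operator fetches Cloudflare's real list from https://www.cloudflare.com/ips/ and refreshes it on a schedule rather than hard-coding it.

```python
# Added example (not from the answer or from Cloudflare): origin-server
# allow-list that accepts HTTP/HTTPS only from a reverse proxy's published
# ranges, plus a renderer for the equivalent nftables ruleset.
import ipaddress
from typing import Iterable, List, Optional

# CONSTRUCTED sample ranges standing in for the proxy's published list
# (assumption: replace with the list fetched from https://www.cloudflare.com/ips/).
PROXY_RANGES: List[str] = [
    "203.0.113.0/24",    # TEST-NET-3, constructed
    "198.51.100.0/24",   # TEST-NET-2, constructed
    "2001:db8:1::/48",   # IPv6 documentation prefix, constructed
]

WEB_PORTS = (80, 443)


def parse_ranges(cidrs: Iterable[str]):
    """Parse CIDR strings once. strict=True makes a malformed entry such as
    '203.0.113.5/24' raise ValueError, so a typo in the allow-list fails
    loudly instead of silently widening what the origin accepts."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(src_ip: str, dst_port: int,
               allowed: Optional[Iterable[str]] = None) -> bool:
    """The decision the firewall makes for one inbound connection:
    web ports are reachable only from the proxy ranges; other ports are
    out of scope for this policy (SSH etc. need their own rules)."""
    if dst_port not in WEB_PORTS:
        return True
    nets = parse_ranges(PROXY_RANGES if allowed is None else allowed)
    ip = ipaddress.ip_address(src_ip)
    # Only compare against networks of the same address family.
    return any(ip in n for n in nets if n.version == ip.version)


def nft_ruleset(cidrs: Iterable[str]) -> str:
    """Render an nftables ruleset: web ports accepted from the proxy sets,
    everything else on those ports dropped. The chain policy stays 'accept'
    so applying this cannot lock an operator out of SSH; tighten separately."""
    nets = parse_ranges(cidrs)
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    lines = ["table inet origin_guard {"]
    if v4:
        lines.append("  set proxy_v4 { type ipv4_addr; flags interval; "
                     "elements = { %s } }" % ", ".join(v4))
    if v6:
        lines.append("  set proxy_v6 { type ipv6_addr; flags interval; "
                     "elements = { %s } }" % ", ".join(v6))
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    if v4:
        lines.append("    tcp dport { 80, 443 } ip saddr @proxy_v4 accept")
    if v6:
        lines.append("    tcp dport { 80, 443 } ip6 saddr @proxy_v6 accept")
    lines += [
        "    tcp dport { 80, 443 } counter drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Direct hit on the origin from an address outside the proxy: dropped.
    print("direct 192.0.2.1 -> :443 allowed?", is_allowed("192.0.2.1", 443))
    # Same request arriving via the proxy's range: accepted.
    print("proxied 203.0.113.7 -> :443 allowed?", is_allowed("203.0.113.7", 443))
    print(nft_ruleset(PROXY_RANGES))
```

The `counter drop` rule is worth keeping even after the allow rules: its packet count is the cheapest signal that someone has found the origin address and is trying to reach it directly, which is exactly the case Cloudflare's own page says can happen.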
2

Quite a bit of security requires obscurity. I.e., don't share your private keys. HOWEVER, the point of the near-universal hatred of "security through obscurity" is that, too often, people rely only on one layer of obscurity, and do not realize just how easy it is to guess.

Cloudflare provides some security by providing a bit of indirect obscurity. When used as one of many layers of security, it does increase your overall security, just as putting up curtains helps, in addition to locking your doors and windows, and having an alarm system in place.

Cloudflare and similar services provide no protection against people who know your server's IP address. Security is like an ogre: It has layers.

Ghedipunk
  • 5,766
  • 2
  • 23
  • 34