Ask HN: Weird SSH Probes from Cloudflare IPs
31 points by skonteam on July 11, 2022 | 18 comments
Hello, I have a honeypot listening to the ether, and these last days I have been seeing SSH probes coming from Cloudflare-assigned IPs:

  {"time":"2022-07-11T06:17:29Z","source":"8.37.43.23:58024","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.17.38.1831312192.210.190.111"}}
  {"time":"2022-07-11T06:25:22Z","source":"8.42.172.26:50945","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.47.29.8435351192.210.190.111"}}
  {"time":"2022-07-11T06:25:45Z","source":"8.39.18.128:58679","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.32.82.2852512192.210.190.111"}}
  {"time":"2022-07-11T06:41:58Z","source":"8.40.140.107:62073","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.63.46.5342522192.210.190.111"}}
  {"time":"2022-07-11T07:02:18Z","source":"8.40.140.107:52379","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.54.95.6913424192.210.190.111"}}
  {"time":"2022-07-11T07:02:30Z","source":"8.39.18.128:53547","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.39.94.9344142192.210.190.111"}}
  {"time":"2022-07-11T07:44:32Z","source":"8.37.43.23:62487","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.73.77.3531321192.210.190.111"}}
  {"time":"2022-07-11T07:52:05Z","source":"8.37.43.34:60661","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.86.72.1144123192.210.190.111"}}
  {"time":"2022-07-11T08:26:13Z","source":"8.42.172.26:56143","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.46.19.3324353192.210.190.111"}}

Is this normal behavior, and is Cloudflare known to scan the IPv4 space?

Thanks.
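An added example, not part of the original post, for triaging records like the ones above: it parses the one-JSON-object-per-line log, counts connections per /24 (which is what exposes the handful of source blocks), groups the client banners by their stable prefix (the digits after SftpStress change on every connection, so an exact match on the banner is useless), and lists the distinct sources that fall outside a published range list. The nine sample records are the ones quoted in the post; the range list is a placeholder made of RFC 5737 documentation prefixes, to be replaced with the list from https://www.cloudflare.com/ips/ before drawing any conclusion.

```python
import ipaddress
import json
from collections import Counter

# Sample input: the nine honeypot records quoted in the post, one JSON object per line.
HONEYPOT_LOG = """\
{"time":"2022-07-11T06:17:29Z","source":"8.37.43.23:58024","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.17.38.1831312192.210.190.111"}}
{"time":"2022-07-11T06:25:22Z","source":"8.42.172.26:50945","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.47.29.8435351192.210.190.111"}}
{"time":"2022-07-11T06:25:45Z","source":"8.39.18.128:58679","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.32.82.2852512192.210.190.111"}}
{"time":"2022-07-11T06:41:58Z","source":"8.40.140.107:62073","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.63.46.5342522192.210.190.111"}}
{"time":"2022-07-11T07:02:18Z","source":"8.40.140.107:52379","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.54.95.6913424192.210.190.111"}}
{"time":"2022-07-11T07:02:30Z","source":"8.39.18.128:53547","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.39.94.9344142192.210.190.111"}}
{"time":"2022-07-11T07:44:32Z","source":"8.37.43.23:62487","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.73.77.3531321192.210.190.111"}}
{"time":"2022-07-11T07:52:05Z","source":"8.37.43.34:60661","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.86.72.1144123192.210.190.111"}}
{"time":"2022-07-11T08:26:13Z","source":"8.42.172.26:56143","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.46.19.3324353192.210.190.111"}}
"""

# Placeholder for the range list published at https://www.cloudflare.com/ips/ (assumption:
# fetched separately, one prefix per line). These are RFC 5737 documentation prefixes, not
# Cloudflare ranges; substitute the real list before interpreting the result.
PUBLISHED_RANGES = """\
198.51.100.0/24
203.0.113.0/24
"""


def parse_records(log_text):
    """Parse one JSON record per line into dicts with time, source address and client banner."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        host, _, _port = rec["source"].rpartition(":")  # strip the ephemeral source port
        records.append({
            "time": rec["time"],
            "ip": ipaddress.ip_address(host),
            "banner": rec.get("event", {}).get("client_version", ""),
        })
    return records


def count_by_prefix(records, prefixlen=24):
    """Count connections per covering network (default /24) to expose the source blocks."""
    counts = Counter()
    for r in records:
        net = ipaddress.ip_network(f"{r['ip']}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def parse_ranges(text):
    """One CIDR prefix per line -> list of ip_network objects."""
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()]


def sources_outside_ranges(records, ranges):
    """Distinct source addresses that fall in none of the given ranges, sorted numerically."""
    outside = {str(r["ip"]) for r in records if not any(r["ip"] in net for net in ranges)}
    return sorted(outside, key=ipaddress.ip_address)


def banner_families(records):
    """Group client identification strings by the text before the first ':'.
    The trailing digits in these banners differ per connection, so only the prefix is stable."""
    return Counter(r["banner"].split(":", 1)[0] for r in records)


if __name__ == "__main__":
    recs = parse_records(HONEYPOT_LOG)
    print("connections per /24:", dict(count_by_prefix(recs)))
    print("banner families:", dict(banner_families(recs)))
    print("sources outside published ranges:",
          sources_outside_ranges(recs, parse_ranges(PUBLISHED_RANGES)))
```

With the placeholder list every source comes back as "outside", which is exactly the situation the thread goes on to discuss; the useful part is that the same three functions give a per-/24 count and a banner family that can be turned into a detection rule instead of a list of single addresses.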




Cloudflare WARP: https://blog.cloudflare.com/1111-warp-better-vpn/

I've noticed it (https://news.ycombinator.com/item?id=28652294) when someone quipped about SSH scans coming from Cloudflare (https://news.ycombinator.com/item?id=28651598).

It's a boon for hackers since it provides an unlimited good-quality VPN. If you want to block them (either block only for SSH or just block WARP users in retaliation), here's a list of their IPs: https://www.cloudflare.com/ips/


Yeah, you are right, probably someone behind the WARP VPN; I didn't know they allowed SSH traffic through that. What is surprising is that the IPs I am seeing do not match any of the ranges Cloudflare is publishing on that link (typically a sub-range of 8.0.0.0/8).


VPNs aren't supposed to block traffic, so there'd be no good reason to block ssh unless you suspect your clients are malicious.

As to why Cloudflare's 8.37.43.0/24, 8.39.18.0/24, 8.40.140.0/24 and 8.42.172.0/24 networks aren't on that page which purports to be the "definitive source of Cloudflare’s current IP ranges", all I can say is that Cloudflare has a long history of caring much more about the appearance of transparency than about actually being transparent. They make reporting any abuse very difficult, and they probably wouldn't care in the slightest that their customers are doing nefarious things.


That page is for the IPs that customers should whitelist as the source of traffic from our proxy services. These IPs are for Cloudflare WARP (our VPN-like app) and should not be whitelisted by customers in the same way. That's why they're not on that page.


Just checked, and you're right. Hmm, suspicious, although looking at RADB (https://www.radb.net/query?advanced_query=1&keywords=AS13335...) it seems that it routes more than that list.


That IP list does not contain WARP IP addresses. It contains IPs that are used in Cloudflare networks, such as proxying with the orange cloud or tunnels.

The point of that list is that if you are behind a Cloudflare proxy in some form and only want to allow traffic from Cloudflare.


That's nice, but that page doesn't say that at all, nor suggest anything remotely close. The URL itself implies that it's not specific to any service. They say, quite confusingly and inaccurately, "This page is intended to be the definitive source of Cloudflare’s current IP ranges."

That page really should say what it's for.


The page was created before warp and workers existed, so the description was valid at the time. They did fail to update it. If we say "cloudflare bad" 3 times, maybe jgc will appear and get someone to fix it.


By the way, unless you run a honey pot, you should probably only allow a few IP ranges for SSH in your firewall.


Yep. And paranoid folk, like myself, may consider adding a set of iptables rules to deny-list IPs originating this sort of junk traffic, wholesale:

  # set that accumulates the offending sources (hash:net stores single hosts as /32 entries)
  ipset create n hash:net

  # the custom chain has to exist before rules can be appended to it
  iptables -N n
  # anything already in the set is dropped outright
  iptables -A INPUT -m set --match-set n src -j DROP
  # a first touch of any trap port sends the packet to chain n ...
  iptables -A INPUT -p tcp -m multiport --dports 22,23,25,445,1433,3389,8080 -j n
  # ... which records the source in the set and drops the packet
  iptables -A n -j SET --add-set n src
  iptables -A n -j DROP
  # note: port 22 is a trap port here, so any ACCEPT rule for your own management sources
  # must sit above these in INPUT or you deny-list yourself on the first login


Question to you and the broader HN...

Is there a way to allowlist whole ASNs? I know you can't do it directly with iptables/ebtables/etc., but is there a daemon for that that'll watch for changes to them? I'd like to allowlist my cellular provider and my home ISP, for example, but they have a lot of ranges and sometimes introduce new prefixes.
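There is no ASN match in netfilter, but the usual approximation is a small periodic job: pull the route objects an ASN originates from an IRR such as RADB (the query `whois -h whois.radb.net -- '-i origin AS64496'` returns objects in the layout shown below), collapse the prefixes, and load them into an ipset that the SSH rule references, rebuilding the set atomically through a scratch set and `ipset swap` so the rule never sees a half-filled set. The example below is added here and is not from the thread; the whois text, the ASN (AS64496, reserved for documentation) and the prefixes (RFC 5737 / RFC 3849 documentation space) are constructed. One caveat a practitioner should keep in mind: IRR data is declared by operators and can be stale or over-broad, so the result is an allowlist of candidate ranges, not proof that a packet really came from that ASN.

```python
import ipaddress
import subprocess
import sys

# Constructed sample shaped like the output of:
#   whois -h whois.radb.net -- '-i origin AS64496'
# AS64496 (RFC 5398) and the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32
# blocks are reserved for documentation; replace with the real ASN and real query output.
SAMPLE_WHOIS = """\
route:          198.51.100.0/25
descr:          EXAMPLE-ISP home broadband
origin:         AS64496
source:         RADB

route:          198.51.100.128/25
descr:          EXAMPLE-ISP home broadband
origin:         AS64496
source:         RADB

route:          203.0.113.0/24
descr:          EXAMPLE-ISP mobile
origin:         AS64496
source:         RADB

route:          192.0.2.0/24
descr:          unrelated object that happens to be in the result set
origin:         AS64511
source:         RADB

route6:         2001:db8:100::/48
descr:          EXAMPLE-ISP v6
origin:         AS64496
source:         RADB
"""


def parse_route_objects(whois_text, asn):
    """Return the route/route6 prefixes whose origin attribute is exactly `asn`."""
    prefixes = []
    for block in whois_text.strip().split("\n\n"):  # RPSL objects are separated by blank lines
        attrs = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")  # first colon only: IPv6 values contain colons
            attrs[key.strip().lower()] = value.strip()
        if attrs.get("origin", "").upper() != asn.upper():
            continue
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix:
            prefixes.append(ipaddress.ip_network(prefix, strict=False))
    return prefixes


def collapse(prefixes):
    """Merge adjacent or overlapping prefixes, separately per address family."""
    v4 = [p for p in prefixes if p.version == 4]
    v6 = [p for p in prefixes if p.version == 6]
    return sorted(ipaddress.collapse_addresses(v4)), sorted(ipaddress.collapse_addresses(v6))


def ipset_refresh_commands(setname, prefixes, family="inet"):
    """Commands that replace the contents of `setname` atomically via a scratch set."""
    tmp = f"{setname}-tmp"
    cmds = [
        f"ipset create {setname} hash:net family {family} -exist",  # no-op after first run
        f"ipset create {tmp} hash:net family {family} -exist",
        f"ipset flush {tmp}",
    ]
    cmds += [f"ipset add {tmp} {p} -exist" for p in prefixes]
    cmds += [f"ipset swap {tmp} {setname}", f"ipset destroy {tmp}"]
    return cmds


def build_allowlist(whois_text, asn, setname):
    """Per-family command lists; the IPv6 set gets a '6' suffix so rules can reference each."""
    v4, v6 = collapse(parse_route_objects(whois_text, asn))
    return {
        "inet": ipset_refresh_commands(setname, v4, "inet"),
        "inet6": ipset_refresh_commands(setname + "6", v6, "inet6"),
    }


def apply_commands(cmds):
    """Run the generated commands (needs root and the ipset binary); not called by default."""
    for cmd in cmds:
        subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    plan = build_allowlist(SAMPLE_WHOIS, "AS64496", "isp-allow")
    for family, cmds in plan.items():
        print(f"# {family}")
        print("\n".join(cmds))
        if "--apply" in sys.argv:
            apply_commands(cmds)
    # matching rule, placed before the default drop (assumed, not from the thread):
    #   iptables -A INPUT -p tcp --dport 22 -m set --match-set isp-allow src -j ACCEPT
```

Run it from cron (or a systemd timer) with the real whois output piped in; because the live set is only ever replaced by a swap, a failed fetch leaves the previous allowlist in place rather than an empty one.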


I think it would be more convenient to use a VPN like tailscale, or a bastion like teleport.


Even better: Put the SSH port behind WireGuard/Tailscale.


That's basically what I do, nftables is configured to drop most* incoming traffic unless it's coming from wg0.

*: with the exception of wireguard's ports, transmission's non-admin ports, etc


Perhaps it's for https://radar.cloudflare.com/ or maybe a new service where they'll warn you if services like SSH are configured badly or not firewall'd off?

Also, is it possible this traffic is actually coming from a worker, i.e. https://workers.cloudflare.com/ rather than Cloudflare themselves?


What makes you think these are Cloudflare addresses? Whois suggests they belong to Level 3.



Interesting, thanks!





