Hi there everyone! I'm working with Cloudflare for the first time and I've set it up properly so that the domain routes through it and to the server. It got me thinking, though: I can still enter the IP address into the browser and reach the Apache2 default Debian page. It seems to me like that could be used for a DDoS attack as well. I've searched, but it seems very clear that you can't protect IP access through Cloudflare, so I'm wondering how I would go about disabling web access via the IP address. Could someone tell me how I would do this, or why I'm going about it incorrectly? Thanks for your time!
It actually depends on the site that you host, but I won't take the effort to block access to the IP. Only you and Cloudflare know that a specific site is hosted on your server and on that IP, so it's very unlikely that someone attacks your IP because he wants to attack your site. If you want to disallow access anyway, then you basically need the IP addresses of all Cloudflare node servers, then allow these e.g. via iptables and block all other IP addresses. Take care to also allow the IP address that you use to connect to the server by SSH, of course; otherwise you lock yourself out. But as mentioned already, I won't do this unless you really had a problem with an attack where someone got around Cloudflare.
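The allowlist described in the answer above, written out as an added example (it is not code from the thread or from Cloudflare): a small POSIX shell script that generates iptables rules so that ports 80/443 accept traffic only from the proxy's edge ranges, SSH stays reachable from the admin's own address, and everything else to those ports is dropped. The ranges and the admin address are constructed placeholders (RFC 5737 documentation prefixes); the real list comes from https://www.cloudflare.com/ips-v4. The script prints the rules instead of applying them, so they can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (does not apply) an
# iptables allowlist: web ports only from the proxy edge ranges, SSH only from
# the admin host. Review the output, then apply it as root.

# Constructed placeholder ranges (RFC 5737). Replace with the real list:
#   curl -fsS https://www.cloudflare.com/ips-v4
CF_RANGES="203.0.113.0/24
198.51.100.0/24"

# Hypothetical management address you SSH in from; it must be allowed
# before any DROP rule, or you lock yourself out.
ADMIN_IP="192.0.2.10"

# build_rules ADMIN_IP RANGES -> prints iptables commands on stdout, in order
build_rules() {
    admin="$1"
    ranges="$2"

    # Refuse to generate a lockout: the admin address must look like IPv4
    case "$admin" in
        *.*.*.*) ;;
        *) echo "error: ADMIN_IP must be an IPv4 address" >&2; return 1 ;;
    esac

    # Loopback and already-established flows keep working regardless
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # SSH only from the admin host; emitted before the DROP so it wins
    echo "iptables -A INPUT -p tcp --dport 22 -s $admin -j ACCEPT"

    # HTTP/HTTPS only from the proxy edge ranges (one rule per prefix)
    for cidr in $ranges; do
        echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -s $cidr -j ACCEPT"
    done

    # Everything else to these ports, including browsing straight to the
    # server IP and hitting the Apache default page, is dropped
    echo "iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j DROP"
}

# count_web_allows ADMIN_IP RANGES -> number of ACCEPT rules for ports 80/443
count_web_allows() {
    build_rules "$1" "$2" | grep -c -- '--dports 80,443 .* -j ACCEPT'
}

# Usage: review first, then apply with:
#   build_rules "$ADMIN_IP" "$CF_RANGES" | sudo sh
build_rules "$ADMIN_IP" "$CF_RANGES"
```

Two caveats a practitioner would want: the edge ranges change over time, so the allowlist has to be regenerated from the published list rather than hard-coded once, and the same treatment is needed for IPv6 (ip6tables and the ips-v6 list) or direct-to-IP access stays open over v6.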
There is a recent thread regarding DDoS that covers mod_evasive configuration and links to another article on iptables DDoS protection, which you could consider to improve your server's resiliency if you do leave the IP open.