
Ask HN: Weird SSH Probes from Cloudflare IPs

31 points | skonteam | 3 years ago

Hello, I have a honeypot listening to the ether, and these last few days I have been seeing SSH probes coming from Cloudflare-assigned IPs:

  {"time":"2022-07-11T06:17:29Z","source":"8.37.43.23:58024","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.17.38.1831312192.210.190.111"}}
  {"time":"2022-07-11T06:25:22Z","source":"8.42.172.26:50945","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.47.29.8435351192.210.190.111"}}
  {"time":"2022-07-11T06:25:45Z","source":"8.39.18.128:58679","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.32.82.2852512192.210.190.111"}}
  {"time":"2022-07-11T06:41:58Z","source":"8.40.140.107:62073","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.63.46.5342522192.210.190.111"}}
  {"time":"2022-07-11T07:02:18Z","source":"8.40.140.107:52379","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.54.95.6913424192.210.190.111"}}
  {"time":"2022-07-11T07:02:30Z","source":"8.39.18.128:53547","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.39.94.9344142192.210.190.111"}}
  {"time":"2022-07-11T07:44:32Z","source":"8.37.43.23:62487","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.73.77.3531321192.210.190.111"}}
  {"time":"2022-07-11T07:52:05Z","source":"8.37.43.34:60661","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.86.72.1144123192.210.190.111"}}
  {"time":"2022-07-11T08:26:13Z","source":"8.42.172.26:56143","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.46.19.3324353192.210.190.111"}}

Is this normal behavior, and is Cloudflare known to scan the IPv4 space?

Thanks.

18 comments


zinekeller | 3 years ago

Cloudflare WARP: https://blog.cloudflare.com/1111-warp-better-vpn/

I've noticed it (https://news.ycombinator.com/item?id=28652294) when someone has quipped about SSH scans coming from Cloudflare (https://news.ycombinator.com/item?id=28651598).

It's a boon for hackers since it provides an unlimited good-quality VPN. If you want to block them (either block only for SSH or just block WARP users in retaliation), here's a list of their IPs: https://www.cloudflare.com/ips/

skonteam | 3 years ago

Yeah, you are right, probably someone behind the WARP VPN; I didn't know they allowed SSH traffic through that. What is surprising is that the IPs I am seeing do not match any of the ranges Cloudflare is publishing on that link (typically a sub-range of 8.0.0.0/8).
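One way to triage events like these offline, as an added example that is not from the post or from any project mentioned here: it parses the honeypot's JSON lines, flags the FlowSsh banner, counts hits per source IP and reports which sources fall outside a supplied set of published ranges. The range list and the last sample line are constructed placeholders; the real list lives at the cloudflare.com/ips URL above.

```python
import ipaddress
import json
import re
from collections import Counter

# Constructed sample in the same shape as the honeypot output quoted in the post
# (three lines copied from it, plus one constructed benign OpenSSH connection).
SAMPLE_EVENTS = """\
{"time":"2022-07-11T06:17:29Z","source":"8.37.43.23:58024","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.17.38.1831312192.210.190.111"}}
{"time":"2022-07-11T06:25:22Z","source":"8.42.172.26:50945","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.47.29.8435351192.210.190.111"}}
{"time":"2022-07-11T07:44:32Z","source":"8.37.43.23:62487","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.73.77.3531321192.210.190.111"}}
{"time":"2022-07-11T09:00:00Z","source":"203.0.113.7:40000","event_type":"connection","event":{"client_version":"SSH-2.0-OpenSSH_8.9"}}
"""

# Placeholder standing in for the published range list (assumption: load the
# real entries from cloudflare.com/ips in practice). TEST-NET-1 is used here.
PUBLISHED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Banner fragment seen in every probe quoted in the post.
CLIENT_PATTERN = re.compile(r"FlowSshNet_SftpStress")


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def source_ip(event):
    """Extract the client address from "host:port" (also handles "[v6]:port")."""
    host, _, _port = event["source"].rpartition(":")
    return ipaddress.ip_address(host.strip("[]"))


def in_published_ranges(ip, ranges):
    return any(ip in net for net in ranges)


def summarize(text, ranges):
    """Count flagged probes per source and list sources outside the given ranges."""
    by_ip, unlisted, flagged = Counter(), set(), 0
    for ev in parse_events(text):
        if ev.get("event_type") != "connection":
            continue
        if not CLIENT_PATTERN.search(ev["event"].get("client_version", "")):
            continue
        ip = source_ip(ev)
        flagged += 1
        by_ip[str(ip)] += 1
        if not in_published_ranges(ip, ranges):
            unlisted.add(str(ip))
    return {"flagged": flagged, "by_ip": dict(by_ip), "unlisted": sorted(unlisted)}
```

Run `summarize(open("honeypot.jsonl").read(), PUBLISHED_RANGES)` on a real log; an empty "unlisted" list means every flagged source sits inside the ranges you loaded.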

onlyspaceghost | 3 years ago

That IP list does not contain WARP IP addresses. It contains IPs that are used in Cloudflare networks, such as proxying with the orange cloud or tunnels.

The point of that list is for when you are behind a Cloudflare proxy in some form and only want to allow traffic from Cloudflare.

speedgoose | 3 years ago

By the way, unless you run a honeypot, you should probably only allow a few IP ranges for SSH in your firewall.

nousermane | 3 years ago

Yep. And paranoid folk, like myself, may consider adding a set of iptables rules to deny-list IPs originating this sort of junk traffic, wholesale:

  # set of offending sources; hash:net accepts single hosts as /32 entries
  ipset create n hash:net
  # the chain must exist before rules can jump to it
  iptables -N n
  # anything already in the set is dropped outright
  iptables -A INPUT -m set --match-set n src -j DROP
  # first contact on a "junk" port sends the packet to chain n
  iptables -A INPUT -p tcp -m multiport --dports 22,23,25,445,1433,3389,8080 -j n
  # chain n records the source in the set, then drops the packet
  iptables -A n -j SET --add-set n src
  iptables -A n -j DROP

ehPReth | 3 years ago

Question to you and the broader HN...

Is there a way to allowlist whole ASNs? I know you can't do it directly with iptables/ebtables/etc., but is there a daemon for that which will watch for changes to them? I'd like to allowlist my cellular provider and my home ISP, for example, but they have a lot of ranges and sometimes introduce new prefixes.

cpach | 3 years ago

Even better: Put the SSH port behind WireGuard/Tailscale.