Ask HN: Weird SSH Probes from Cloudflare IPs

Hello, I have a honeypot listening to the ether, and these last days i have been seeing SSH probes coming from Cloudflare assigned IPs : ` {"time":"2022-07-11T06:17:29Z","source":"8.37.43.23:58024","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.17.38.1831312192.210.190.111"}} {"time":"2022-07-11T06:25:22Z","source":"8.42.172.26:50945","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.47.29.8435351192.210.190.111"}} {"time":"2022-07-11T06:25:45Z","source":"8.39.18.128:58679","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.32.82.2852512192.210.190.111"}} {"time":"2022-07-11T06:41:58Z","source":"8.40.140.107:62073","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.63.46.5342522192.210.190.111"}} {"time":"2022-07-11T07:02:18Z","source":"8.40.140.107:52379","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.54.95.6913424192.210.190.111"}} {"time":"2022-07-11T07:02:30Z","source":"8.39.18.128:53547","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.39.94.9344142192.210.190.111"}} {"time":"2022-07-11T07:44:32Z","source":"8.37.43.23:62487","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.73.77.3531321192.210.190.111"}} {"time":"2022-07-11T07:52:05Z","source":"8.37.43.34:60661","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.86.72.1144123192.210.190.111"}} {"time":"2022-07-11T08:26:13Z","source":"8.42.172.26:56143","event_type":"connection","event":{"client_version":"SSH-2.0-8.35 FlowSsh: FlowSshNet_SftpStress127.46.19.3324353192.210.190.111"}} `

Is this normal behavior and Cloudflare is known to scan the IPv4 space ?

Thanks.

Cloudflare WARP: https://blog.cloudflare.com/1111-warp-better-vpn/

I've noticed it (https://news.ycombinator.com/item?id=28652294) when someone has quipped about SSH scans coming from Cloudflare (https://news.ycombinator.com/item?id=28651598).

It's a boon for hackers since it provides an unlimited good-quality VPN. If you want to block them (either block only for SSH or just block WARP users in retaliation), here's a list of their IPs: https://www.cloudflare.com/ips/

skonteam · 3 years ago

Yeah, you are right probably someone behind the WARP vpn, i didn't know they allowed SSH trafic through that. What is surprising is that the IPs i am seeing do not match any of the ranges Cloudflare is publishing on that link (typically as sub range of 8.0.0.0/8).

johnklos · 3 years ago

VPNs aren't supposed to block traffic, so there'd be no good reason to block ssh unless you suspect your clients are malicious.

As to why Cloudflare's 8.37.43.0/24, 8.39.18.0/24, 8.40.140.0/24 and 8.42.172.0/24 networks aren't on that page which purports to be the "definitive source of Cloudflare’s current IP ranges", all I can say is that Cloudflare has a long history of caring much more about the appearance of transparency than about actually being transparent. They make reporting any abuse very difficult, and they probably wouldn't care in the slightest that their customers are doing nefarious things.

zinekeller · 3 years ago

Just checked, and you're right. Hmm, suspicious, although looking at RADB (https://www.radb.net/query?advanced_query=1&keywords=AS13335...) it seems that it routes more than that list.

onlyspaceghost · 3 years ago

That IP list does not contain warp ip addresses. It contains IPs that are used in cloudflare networks such as Proxying with the orange cloud or tunnels

The point of that list is if you are behind a cloudflare proxy in some form and only want to allow traffic from cloudflare

johnklos · 3 years ago

That's nice, but that page doesn't say that at all nor suggest anything remotely close. The URL itself implies that it's not specific to any service. They say, quite confusingly and unaccurately, "This page is intended to be the definitive source of Cloudflare’s current IP ranges."

That page really should say what it's for.

speedgoose · 3 years ago

By the way, unless you run a honey pot, you should probably only allow a few IP ranges for SSH in your firewall.

nousermane · 3 years ago

Yep. And paranoid folk, like myself, may consider adding a set of iptables rules to deny-list IPs originating this sort of junk traffic, wholesale:

  ipset create n hash:net

  -A INPUT -m set --match-set n src -j DROP
  -A INPUT -p tcp -m multiport -j n \
    --dports 22,23,25,445,1433,3389,8080
  -A n -j SET --add-set n src
  -A n -j DROP

ehPReth · 3 years ago

Question to you and the broader HN...

Is there a way to allowlist whole ASNs? I know you can't do it directly with like iptables/ebtables/etc but is there a daemon for that that'll watch for changes to them? I'd like to allowlist my cellular provider and my home ISP for example but they have a lot of ranges and sometimes introduce new prefixes

I think it would be more convenient to use a VPN like tailscale, or a bastion like teleport.

cpach · 3 years ago

Even better: Put the SSH port behind WireGuard/Tailscale.

RunningDroid · 3 years ago

That's basically what I do, nftables is configured to drop most* incoming traffic unless it's coming from wg0.

*: with the exception of wireguard's ports, transmission's non-admin ports, etc

Deleted Comment

ancarda · 3 years ago

Perhaps it's for https://radar.cloudflare.com/ or maybe a new service where they'll warn you if services like SSH are configured badly or not firewall'd off?

Also, is it possible this traffic is actually coming from a worker, i.e. https://workers.cloudflare.com/ rather than Cloudflare themselves?

garblegarble · 3 years ago

What makes you think these are Cloudflare addresses? Whois suggests they belong to Level 3

Check here : https://www.radb.net/query?advanced_query=1&keywords=AS13335...

Interesting, thanks!