CloudFlare questions

Actually Cloudflare Argo Tunnel can help with that https://blog.cloudflare.com/argo-tunnel/ but it's additional paid option

True, but I'm referring to basic Cloudflare services, and Agro is essentially doing extra security at the server level by virtually walling off the server's public IP, but still not a complete solution.


🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️

People don't just DDoS random IP addresses for no reason. 🤦‍♂️ They do try to log in to random IP addresses using brute force, but that is an easy fix with basic security. This ridiculous idea that hiding your IP address through proxies like CloudFlare doesn't fix directed malicious attacks against your property is ridiculous. Cloudflare has use case after use case proving this ridiculous blanket statement false.

Nowhere did I say they DDoS random IP addresses.
Nor did I say it didn't help with directed malicious attacks (towards a specific domain).

You are moving the goal posts, twice, and arguing against something I did not say; that is what is ridiculous.

I did say security needs to be taken care of, at a server level. Many security exploits are done via common scans against IP ranges. Putting Cloudflare's basic services in front of a server doesn't take care of this.

I am not against using Cloudflare, at all, and in fact, have recommended it to several of my clients. But basic security steps/checks are still needed, and that's why I responded as I did. If I were to tell any client that putting Cloudflare in front of their server would take care of security concerns, it would be negligent advice.

For instance:
  • Making sure firewall settings are good. Depending on the circumstances this may also include allowing only whitelisted IP address connections to some ports.
  • Making sure MySQL is only listening to 127.0.0.1 (same with any locally hosted memcache or Redis install). Though this isn't strictly necessary if the firewall is set up correctly, it provides an extra bit of protection.
  • Protection against account dictionary attacks (fail2ban, denyhosts, firewall rate limiting, etc).
  • mod_security if it's Apache
  • Validating an HTTPS connection between Cloudflare and the server
  • Scheduled scans such as clamav/rkhunter/chkrootkit
  • Turning off remote root login in ssh's settings
  • Making sure services like unsecured FTP aren't enabled.
  • Setting up a daily check for security updates to server software, and email notification if there are any.
  • Checking for world writable files
  • Turning off Apache/Nginx server signatures (this does not stop anyone who can fingerprint the server, but will discourage script kiddies).

and more.

OP, by all means, use Cloudflare. But also look up some resources on Google for basic Linux security checklists. Do the parts you can handle (many will give detailed instructions). If it's managed hosting, ask your hosting company what items they've done, and/or if they can take care of the items on the security list. Worst case, find someone who can do it for you.

(OP, thanks for bringing up the topic, it reminds me it's time to do another audit on a couple of servers :) )
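As an added, read-only illustration of how four of the checklist items above (loopback-only database listeners, remote root login over SSH, world-writable files, server signatures) can be verified on a Linux host. This is example code written for this page, not the thread's own or any hosting panel's tooling; the helper names, the config paths under `--live`, and the `ss`-style rows used in the self-test are assumptions.

```shell
#!/bin/sh
# Read-only audit helpers for four items on the checklist above (hypothetical
# helper names, not Centmin Mod's or any hosting panel's tooling). Each
# function takes its input as a file path or on stdin so it can be run against
# a live server or against captured output; exit status 0 = pass, 1 = finding.

# 1. MySQL/Redis/memcached bound to a non-loopback address.
#    Input on stdin: `ss -lnt` rows without the header
#    (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
check_local_only_listeners() {
    awk '
    {
        n = split($4, parts, ":")
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (port == "3306" || port == "6379" || port == "11211") {
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1") {
                print "FINDING: port " port " bound to " addr " (expected loopback only)"
                bad = 1
            }
        }
    }
    END { if (bad) exit 1 }'
}

# 2. Remote root login over SSH. Argument: path to sshd_config. sshd honours
#    the first PermitRootLogin it sees; commented-out lines do not count.
#    Match blocks are not evaluated here.
check_sshd_root_login() {
    value=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    case "$value" in
        no|prohibit-password|without-password|forced-commands-only)
            return 0 ;;
        "")
            echo "FINDING: PermitRootLogin not set in $1 (relying on the sshd default)"
            return 1 ;;
        *)
            echo "FINDING: PermitRootLogin $value in $1"
            return 1 ;;
    esac
}

# 3. World-writable regular files below a directory (same filesystem only).
check_world_writable() {
    count=$(find "$1" -xdev -type f -perm -0002 2>/dev/null | wc -l | tr -d ' ')
    [ "$count" -eq 0 ] && return 0
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sed 's/^/FINDING: world-writable file: /'
    return 1
}

# 4. Server signature. Arguments: config file, then "nginx" or "apache".
#    Only the named file is inspected, not files it includes.
check_server_tokens() {
    case "$2" in
        nginx)
            grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$1" && return 0
            echo "FINDING: 'server_tokens off;' not set in $1"
            return 1 ;;
        apache)
            grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$1" && return 0
            echo "FINDING: 'ServerTokens Prod' not set in $1"
            return 1 ;;
        *)
            echo "usage: check_server_tokens <config-file> nginx|apache" >&2
            return 2 ;;
    esac
}

# Run everything against the live host (assumed paths):  sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -lnt 2>/dev/null | tail -n +2 | check_local_only_listeners
    check_sshd_root_login /etc/ssh/sshd_config
    check_world_writable /
    [ -f /etc/nginx/nginx.conf ] && check_server_tokens /etc/nginx/nginx.conf nginx
    [ -f /etc/httpd/conf/httpd.conf ] && check_server_tokens /etc/httpd/conf/httpd.conf apache
fi
```

Each helper only reports; nothing is changed on the host, so it is safe to run on a production box before deciding which items the hosting company should handle. The listener check deliberately accepts captured `ss` output, which makes it easy to review a colleague's server without shell access to it.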
Could definitely be an issue somewhere. At the same time, I'm not sure how it was so good before switching. You are loading huge images on your home page and that's part of what is taking so long to load. In reality though, on a fast internet connection, you aren't really going to notice it.

Your site is very fast for me.
I'll start by saying I don't have much experience with server stuff or advanced security. I can upload files, use cPanel and FTP programs, create databases, and that's probably it.

As my site is growing, I'm feeling more vulnerable to a security attack and I feel concerned about my lack of knowledge here. I use A2 Hosting, and looking around my account there, I see I can add on CloudFlare services for $8 extra. From my understanding, this will make my site safer and faster. Sounds good to me.

That being said, is there anything I need to know? Once I purchase this, am I basically protected and I can stop worrying? Or is there a lot more to it? What about specific to a XenForo site?

Thanks!
If you are with cloudaccess.net as a host, you will be fine, because Cloudflare belongs to them, and yes, you will be protected, because the people who look after your account look after all the bits you don't want to do.
I feel like this is a weird new problem CloudFlare might have created?
Not related to Cloudflare. Google PageSpeed Insights released v5 of their test and changed the testing to use the Google Lighthouse report, which weights the scores heavily for JavaScript performance. So if you are JavaScript heavy, your Time to Interactive, Speed Index and First Contentful Paint metrics suffer and you get a lower score. The mobile test is run against a mobile device with CPU throttling to emulate slow mobile devices, which do not parse and process JavaScript as fast as high-end mobile devices.

You can read my thread and discussion on Google PageSpeed Insights v5 at https://community.centminmod.com/threads/google-pagespeed-insights-v5-update.16016/

Yes, Google PageSpeed Insights v5 is heavily weighted towards the Time to Interactive, Speed Index and First Contentful Paint metrics on 3G Moto G4/Nexus 5 device emulation. So for dynamic and JavaScript-heavy sites, the 3G mobile score will be lower. From the v5 API, this is the weighting used to determine the score:
  • interactive 5
  • speed-index 4
  • first-contentful-paint 3
  • first-cpu-idle 2
  • first-meaningful-paint 1

Also, the First Contentful Paint metric from the Chrome User Experience Report (CrUX) part of the Google PageSpeed Insights v5 API has changed: https://community.centminmod.com/threads/google-pagespeed-insights-v5-update.16016/#post-68617

For FCP, v4 looked at the 50th percentile while v5 looks at the 90th percentile. The fast/avg/slow assignment also changed from 33/33/33 to ~10/40/50. More info in the docs...

v4 About PageSpeed Insights | PageSpeed Insights | Google Developers
v5 About the PageSpeed Insights API | PageSpeed Insights | Google Developers

There are also Cloudflare Authenticated Origin Pulls: https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/ and https://support.cloudflare.com/hc/en-us/articles/204899617

Please note that once Authenticated Origin Pulls are enforced by your origin server, any HTTPS requests outside of Cloudflare to your origin will fail including those to gray clouded records on Cloudflare.

Instructions for my Centmin Mod Nginx users to deploy Cloudflare Authenticated Origin Pulls, which are already automatically set up on every new Nginx HTTP/2 HTTPS site creation (but disabled by default; just uncomment the settings to enable them): https://community.centminmod.com/th...d-origin-pulls-protecting-your-origins.13847/
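An added example of how to confirm that Authenticated Origin Pulls are really being enforced on an nginx origin, covering both the config and the behaviour the note above describes (direct HTTPS requests from outside Cloudflare failing). This is example code written for this page, not Centmin Mod's own setup; the helper names, the hostname, origin IP and config paths are placeholders, and the sample server block is constructed for the self-test.

```shell
#!/bin/sh
# Checks that Authenticated Origin Pulls are actually enforced on an nginx
# origin. Hypothetical helper names; the hostname, origin IP and config path
# are placeholders, and the sample server block below is constructed for the
# self-test, not taken from Centmin Mod.

# Constructed sample of an enforcing server block. $1 is the path to the CA
# that signs Cloudflare's origin-pull client certificate.
sample_enforced_config() {
    cat <<EOF
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com.crt;
    ssl_certificate_key /etc/ssl/example.com.key;
    ssl_client_certificate $1;
    ssl_verify_client on;
}
EOF
}

# Static check on one config file: nginx only enforces a client certificate
# when ssl_verify_client is "on" and ssl_client_certificate names a readable
# CA file. "optional" lets certificate-less requests through unless the
# config also tests $ssl_client_verify (typically to return 403).
check_origin_pull_config() {
    conf="$1"
    ca=$(awk '$1 == "ssl_client_certificate" { sub(/;$/, "", $2); print $2; exit }' "$conf")
    verify=$(awk '$1 == "ssl_verify_client" { sub(/;$/, "", $2); print $2; exit }' "$conf")
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "FINDING: ssl_client_certificate missing or unreadable in $conf (got '${ca:-unset}')"
        return 1
    fi
    case "$verify" in
        on) ;;
        optional)
            if ! grep -q 'ssl_client_verify' "$conf"; then
                echo "FINDING: ssl_verify_client optional without a \$ssl_client_verify check in $conf"
                return 1
            fi ;;
        *)
            echo "FINDING: ssl_verify_client is '${verify:-unset}' in $conf (expected on)"
            return 1 ;;
    esac
    echo "ok: $conf requires a client certificate signed by $ca"
    return 0
}

# Live check from a machine outside Cloudflare. Enforcement means a direct
# HTTPS request to the origin IP, bypassing Cloudflare and sending no client
# certificate, must be rejected: nginx answers 400 for the missing certificate
# (or the handshake fails). -k is used because the origin may present a
# Cloudflare Origin CA certificate the local trust store does not know; the
# server certificate is not what is being tested here.
probe_origin_direct() {
    host="$1"; ip="$2"
    code=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 \
               --resolve "$host:443:$ip" "https://$host/") || code=000
    case "$code" in
        200) echo "FINDING: $host at $ip served content with no client certificate"; return 1 ;;
        *)   echo "ok: direct request to $ip rejected (HTTP $code)"; return 0 ;;
    esac
}

# Usage against a real host (placeholder values):
#   check_origin_pull_config /etc/nginx/conf.d/example.com.conf
#   probe_origin_direct example.com 198.51.100.10
```

Run the static check on every HTTPS server block, not just one: a single vhost left at the default (no `ssl_verify_client`) still answers direct requests for its own hostname. The live probe is the confirmation that the caveat above now applies to you, and it should also be repeated for any gray-clouded records, which will fail for the same reason.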

Way more informative than:

No, it will not make your site more secure.

I didn't do anything. You led off with that. Thanks for expanding.