
Do I actually need CSF or fail2ban if behind CloudFlare?

Belucci

New Member
They are supposed to stop DoS attacks, right? (Or just the DDoS ones?) If the websites can't be accessed by the bare IP, do I really need to dig into protection with CSF, fail2ban or the like?
 

DomainBop

Dormant VPSB Pathogen
if the websites can't be accessed by the bare IP
CloudFlare hides the IP address the domain/website is hosted on, but it can't hide the IP address itself. The majority of the types of attacks that CSF and fail2ban protect against (like brute-force attacks, etc.) are attacks where the attacker is targeting an IP (or range of IPs) and not a specific domain, so you definitely still need CSF (or another firewall) and fail2ban. You also might want to add flarewall (which acts as a bridge between CSF and CloudFlare and keeps the blocked IP lists in sync: http://flarewall.net/).
 

Munzy

Active Member
Simple Answer: Yes

Lengthy Answer: Cloudflare can't stop people from attempting to go around Cloudflare and attacking your server directly.
 

HalfEatenPie

The Irrational One
Retired Staff
Yep.  

While it would slow down (not stop) targeted attacks, most of the time it's simply malicious connections trying to get into SOMETHING by scanning the IP range. Those are 99% of what you're going to be up against, and Cloudflare does not protect you against that.
 

MikroVPS

New Member
Verified Provider
Definitely yes, because many, many bots on the internet do not attack your site directly; they attack the IP pool directly.
 
CloudFlare doesn't protect against a whole range of attacks that could be targeted at your domain name. CSF, mod_security, etc. are all essential for your security.
 

raidz

Member
Sorry for the necropost.

Anyone know if CSF/LFD has support for nginx? My Google skills didn't seem to find anything. Would love to use CSF/LFD + Flarewall/CF on an nginx server.

Thanks
 

Amitz

New Member
CSF/LFD runs just fine on my servers with nginx installed. Why shouldn't it?
 

winnervps

New Member
Verified Provider
From my experience:

I use Cloudflare, but I still found in the iptables and lfd logs that IPs were still being banned.

So... my conclusion is: there is still a chance that the 'intrusion' is attempting to break in after Cloudflare (or... something).
 

HalfEatenPie

The Irrational One
Retired Staff
From my experience:

I use Cloudflare, but I still found in the iptables and lfd logs that IPs were still being banned.

So... my conclusion is: there is still a chance that the 'intrusion' is attempting to break in after Cloudflare (or... something).
Mostly because Cloudflare handles it from the DNS side of the thing. But there are still going to be those zombies that'll try to brute-force into your server directly by IP.
 

Serveo

Member
Verified Provider
Deffo need it, you still have an open IP/eth device to the internet. Cloudflare only hides it for DNS traffic.
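The point made throughout this thread, as an added example that is not from any of the posters: on the origin server, SSH brute-force attempts and HTTP requests sent straight to the bare IP never pass through Cloudflare, so they are only visible in local logs. The log lines are constructed, the function names are hypothetical, the Cloudflare ranges are an assumed subset of the published list, and the threshold is a simple count without fail2ban's time window.

```python
import ipaddress
import re
from collections import Counter

# Assumption: a subset of Cloudflare's published IPv4 ranges; load the full,
# current list from https://www.cloudflare.com/ips/ in real use.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed sample lines in a simplified format; the non-Cloudflare
# addresses come from the documentation ranges.
SAMPLE_LOG = """\
sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
sshd[812]: Failed password for root from 203.0.113.7 port 40023 ssh2
sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
sshd[840]: Failed password for root from 198.51.100.23 port 51810 ssh2
nginx: 162.158.10.4 "GET / HTTP/1.1" 200 host=example.com
nginx: 203.0.113.7 "GET /wp-login.php HTTP/1.1" 404 host=192.0.2.10
nginx: 198.51.100.99 "GET /phpmyadmin/ HTTP/1.1" 404 host=192.0.2.10
"""

SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)")
HTTP_REQ = re.compile(r'nginx: (\S+) "')


def via_cloudflare(ip):
    """True if the peer address belongs to a known Cloudflare range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def analyse(log_text, max_retry=3):
    """Return (SSH sources to ban, HTTP peers that bypassed the proxy)."""
    ssh_failures = Counter()
    direct_http = set()
    for line in log_text.splitlines():
        if m := SSH_FAIL.search(line):
            ssh_failures[m.group(1)] += 1    # SSH is never proxied
        elif m := HTTP_REQ.search(line):
            if not via_cloudflare(m.group(1)):
                direct_http.add(m.group(1))  # request hit the origin IP
    to_ban = sorted(ip for ip, n in ssh_failures.items() if n >= max_retry)
    return to_ban, sorted(direct_http)


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Every address the function returns reached the server without touching Cloudflare, which is the traffic a local firewall and log-based banning have to handle.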
 