Is Cloudflare and firewall enough to harden a VPS after IP exposure?
Tags: cybersecurity, vps, website management
Running a Hetzner VPS with Coolify (Docker-based PaaS). The IP appears to have been indexed by scanners - seeing constant automated probes for common PHP webshells. Current mitigation plan includes migrating DNS to Cloudflare, configuring UFW, Fail2Ban, and WAF rules. Questions about requesting a new primary IP and recommended Traefik middlewares for rate limiting.
Synthesized Answer
Based on 1 community response
Proxying through Cloudflare should be sufficient to mitigate the exposure of your VPS IP address. Cloudflare acts as a reverse proxy, shielding your origin server from direct access. Configuring UFW to allow only Cloudflare IP ranges and SSH is a good practice. For additional security, consider implementing rate limiting using Traefik middlewares.
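The "allow only Cloudflare ranges plus SSH" firewall policy above is easy to describe and easy to get subtly wrong (a typo'd CIDR, a forgotten default-deny, an IPv6 range left out). The following is an added example, not code from the question or the community answer: it validates a CIDR allowlist, emits the corresponding UFW commands in a safe order, and simulates the firewall decision for a handful of constructed probe connections so you can confirm the policy before applying it. The CIDR list and probe addresses are constructed placeholders from the documentation ranges, not Cloudflare's real ranges; in production, pull the current list from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and refresh it on a schedule, since the ranges do change.

```python
"""Build and sanity-check a Cloudflare-only UFW allowlist (added example).

Assumptions: UFW is the host firewall, Traefik terminates 80/443, and SSH
stays reachable from anywhere (protected by keys and Fail2Ban, not by the
origin allowlist). The ranges below are constructed stand-ins, NOT the real
Cloudflare proxy ranges.
"""
import ipaddress

# Constructed placeholder ranges (documentation prefixes), one IPv6 included.
CLOUDFLARE_RANGES = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:cf::/48"]
SSH_PORT = 22
WEB_PORTS = (80, 443)


def parse_ranges(cidrs):
    """Return validated network objects; a malformed CIDR raises ValueError.

    strict=True rejects entries like 198.51.100.1/24 (host bits set), which is
    the usual sign of a copy/paste mistake in an allowlist.
    """
    return [ipaddress.ip_network(cidr, strict=True) for cidr in cidrs]


def ufw_rules(cidrs, ssh_port=SSH_PORT):
    """Emit the ufw commands for the policy, default-deny first.

    Ordering matters: set the default policy before enabling so there is no
    window where the web ports are open to the whole internet.
    """
    rules = [
        "ufw default deny incoming",
        "ufw default allow outgoing",
        f"ufw allow {ssh_port}/tcp",
    ]
    for net in parse_ranges(cidrs):
        for port in WEB_PORTS:
            rules.append(f"ufw allow from {net} to any port {port} proto tcp")
    rules.append("ufw --force enable")
    return rules


def is_allowed(src_ip, dst_port, cidrs, ssh_port=SSH_PORT):
    """Simulate the firewall verdict for one inbound TCP connection."""
    addr = ipaddress.ip_address(src_ip)
    if dst_port == ssh_port:
        return True  # reachable from anywhere; Fail2Ban and keys do the rest
    if dst_port in WEB_PORTS:
        # Mixed address families compare as 'not contained', never raise.
        return any(addr in net for net in parse_ranges(cidrs))
    return False  # everything else falls through to default deny


def triage(probes, cidrs):
    """Classify a batch of (src_ip, dst_port) probes as allow/deny."""
    return {
        f"{src}:{port}": ("allow" if is_allowed(src, port, cidrs) else "deny")
        for src, port in probes
    }


if __name__ == "__main__":
    for line in ufw_rules(CLOUDFLARE_RANGES):
        print(line)
    # Constructed probes: a proxied request, a direct-to-IP webshell scan,
    # an SSH brute-force attempt, and a proxied IPv6 request.
    sample = [
        ("198.51.100.7", 443),
        ("192.0.2.9", 443),
        ("192.0.2.9", 22),
        ("2001:db8:cf::1", 80),
    ]
    for key, verdict in triage(sample, CLOUDFLARE_RANGES).items():
        print(f"{key:>22}  {verdict}")
```

One caveat that the firewall alone does not address: once the proxy is in front, every connection on 80/443 arrives from a Cloudflare address, so Fail2Ban and Traefik's rateLimit middleware must key on the real client address recovered from the proxy headers (Traefik's entrypoint `forwardedHeaders.trustedIPs`, set to the same Cloudflare ranges, and the middleware's `sourceCriterion.ipStrategy`); otherwise they treat all proxied traffic as a single source and either ban Cloudflare or rate-limit everyone at once.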
You are pretty much going to experience that no matter what. Even if you update UFW to only allow Cloudflare IP ranges, you will get scans against SSH, and if you turn on deny logging you will see that your IP is still being scanned. Changing the IP just moves your target somewhere else for it to be indexed again. Fail2Ban rules, like you mentioned, will reduce your attack surface and keep the "background" automated attacks somewhat at bay. You can do things like only allowing SNI HTTPS requests and not direct IP connections (which is what you are doing with the Cloudflare proxy). From what you are saying, you are off to a solid middle-of-the-road start. I would focus on making sure you keep the security posture up as you implement other services.
Is this just for your projects, or are you providing a service to customers? If it's just you, does the effort merit the work? If it's customers, there are more things you can do, but "do you need to" is going to be more up to you.
TL;DR - sounds like a solid starting place; don't worry about the IP address