Hardening a VPS after IP exposure – Cloudflare and firewall sufficient?
Running a Hetzner VPS with Coolify (Docker-based PaaS). The IP appears to have been indexed by scanners - seeing constant automated probes for common PHP webshells (WSO, Wolverine shell variants, etc).
Current mitigation plan:
Migrate DNS to Cloudflare (proxy all A records) UFW: deny all, allow SSH + Cloudflare IP ranges only for 80/443 Fail2Ban for SSH WAF rules to block .php, .env, wp-admin requests
Questions:
Should I request a new primary IP from Hetzner, or is proxying through Cloudflare sufficient to make the old IP irrelevant? Any recommended Traefik middlewares for rate limiting since Coolify uses Traefik?
Stack: Coolify, Docker, Traefik, Node.js apps
1 comment
[ 3.9 ms ] story [ 14.8 ms ] threadTL;DR - sounds like a solid starting place; don't worry about the IP address