
Cloudflare Spectrum — SSH & RDP Protection with DDoS Mitigation

DodaTech. Updated 2026-06-23.

In this tutorial, you'll learn about Cloudflare Spectrum. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloudflare Spectrum protects SSH and RDP services from DDoS attacks, brute force attempts, and port scans by proxying TCP traffic through Cloudflare's global network. This tutorial walks through configuring Spectrum for SSH on port 22 and RDP on port 3389 with practical security hardening.

Why SSH and RDP Protection Matters

SSH and RDP are common attack targets. Internet-wide scans constantly probe port 22 and port 3389 for open services. Once discovered, attackers launch brute force credential attacks or exploit unpatched vulnerabilities. Cloudflare Spectrum hides your origin IP address, absorbs DDoS traffic, and lets you apply firewall rules before traffic reaches your server.

Real-world use: DodaZIP's engineering team manages hundreds of Linux servers via SSH. Before Spectrum, the SSH gateway was hit by credential stuffing attacks daily. After proxying SSH through Spectrum with IP whitelisting, blocked attack traffic dropped from 12,000 requests per day to zero.

Spectrum SSH Architecture

flowchart TD
  DEV[Developer] --> EDG[Cloudflare Edge]
  EDG --> NET[Cloudflare Network]
  NET --> ORG[Origin SSH Gateway]
  subgraph DDoS Protection
    EDG
    NET
  end
  ATT[Attacker] --> EDG
  ATT -.->|Blocked| EDG
  EDG -.->|DDoS dropped| DISCARD
  style DEV fill:#09c,color:#fff
  style ORG fill:#090,color:#fff
  style ATT fill:#c00,color:#fff
  style DISCARD fill:#c00,color:#fff

Configuring Spectrum for SSH

Follow these steps to proxy SSH through Cloudflare Spectrum.

# Step 1: Create a Spectrum app for SSH
# Spectrum apps are zone-scoped, so the endpoint takes the zone ID.
# edge_ips.type is "dynamic" or "static"; "static" also needs the assigned
# addresses in an "ips" list.
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/spectrum/apps" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "protocol": "tcp/22",
    "dns": {
      "type": "CNAME",
      "name": "ssh.dodazip.com"
    },
    "origin_direct": ["tcp://10.0.0.5:2222"],
    "proxy_protocol": "v1",
    "tls": "off",
    "ip_firewall": true,
    "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
    }
  }'

# Proxy Protocol v1 prepends one text line carrying the client IP and port
# to the TCP stream (it is payload, not part of the TCP header),
# so the origin can log or filter by real visitor IP
# Step 2: Put a Proxy Protocol-aware listener in front of sshd
# sshd does not parse the Proxy Protocol line itself, so origin_direct
# above points at HAProxy on port 2222, which strips the header:
# listen ssh_proxy
#   bind :2222 accept-proxy
#   mode tcp
#   server origin 127.0.0.1:22

# HAProxy's connection log preserves the original client IP for audit logging;
# sshd itself sees the connection as coming from 127.0.0.1
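
One way an origin-side listener can consume the Proxy Protocol v1 line described above while refusing headers from peers outside the edge ranges. This is an added example, not code from the original page or from Cloudflare; `parse_proxy_v1`, `TRUSTED_EDGE_NETS` and the sample bytes are constructed for illustration, and the two trusted ranges are the ones quoted in the RDP firewall rule on this page.

```python
import ipaddress

# Edge ranges quoted on this page; its list is truncated ("..."), so this
# allowlist is partial and illustrative. Load the full published list in practice.
TRUSTED_EDGE_NETS = [ipaddress.ip_network(n)
                     for n in ("173.245.48.0/20", "103.21.244.0/22")]
MAX_V1_HEADER = 107  # longest legal v1 line, CRLF included


class ProxyHeaderError(ValueError):
    """Raised when a PROXY v1 header is absent, malformed or untrusted."""


def parse_proxy_v1(peer_ip, data):
    """Return (client_ip, client_port, payload_after_header).

    peer_ip is the TCP source address the origin actually sees. The header
    is honoured only when that peer is inside a trusted edge range, because
    any host that can reach the origin directly can send its own PROXY line.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_EDGE_NETS):
        raise ProxyHeaderError(f"untrusted peer {peer_ip}, header not honoured")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("missing or oversized PROXY v1 line")
    try:
        fields = data[:end].decode("ascii").split(" ")
        if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            raise ValueError("expected PROXY TCP4|TCP6 src dst sport dport")
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
        family = 4 if fields[1] == "TCP4" else 6
        if src.version != family or dst.version != family:
            raise ValueError("address family does not match protocol field")
        if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:]):
            raise ValueError("port out of range")
    except ValueError as exc:
        raise ProxyHeaderError(str(exc)) from None
    return str(src), int(fields[4]), data[end + 2:]


if __name__ == "__main__":
    # Constructed sample: header as the edge would send it, then the client's SSH ident.
    sample = b"PROXY TCP4 203.0.113.7 10.0.0.5 51544 22\r\nSSH-2.0-client\r\n"
    print(parse_proxy_v1("173.245.48.10", sample))
    try:  # same bytes arriving straight from a non-edge address
        parse_proxy_v1("198.51.100.9", sample)
    except ProxyHeaderError as err:
        print("rejected:", err)
```

The peer check is what makes the logged client IP usable as audit evidence: without it, the address in the header is only as trustworthy as whoever opened the connection.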

Configuring Spectrum for RDP

RDP on port 3389 is frequently targeted by ransomware groups. Spectrum hides it from internet scans.

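# Create a Spectrum app for RDP (zone-scoped endpoint, as for SSH)
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/spectrum/apps" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "protocol": "tcp/3389",
    "dns": {
      "type": "CNAME",
      "name": "rdp.dodazip.com"
    },
    "origin_direct": ["tcp://10.0.0.10:3389"],
    "proxy_protocol": "v1",
    "tls": "flexible",
    "ip_firewall": true,
    "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
    }
  }'

# "tls": "flexible" terminates TLS at the edge, which encrypts traffic between client and Cloudflare
# (the API accepts off, flexible, full and strict; there is no "on" value)
# "proxy_protocol": "v1" needs a listener at the origin that consumes the header;
# the Windows RDP service does not parse it, so use "off" when origin_direct
# points straight at RDP
# Configure Windows RDP firewall to allow only Cloudflare IPs
# PowerShell command to add firewall rule:
# New-NetFirewallRule -DisplayName "Allow Cloudflare RDP" `
#   -Direction Inbound -Protocol TCP -LocalPort 3389 `
#   -RemoteAddress 173.245.48.0/20,103.21.244.0/22,...
# This blocks RDP traffic not originating from Cloudflare IPs only if no broader
# allow rule for port 3389 (such as the built-in Remote Desktop rules) stays
# enabled and the default inbound action is Block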

IP Whitelisting with Spectrum

The most effective security measure is restricting access to known IP addresses or ranges.

# Create IP Access Rule to whitelist only your team's IPs
# Navigate to Security > WAF > IP Access Rules
# Add rule: IP is in {203.0.113.0/24, 198.51.100.0/24}
# Action: Allow
# Then add a second rule: IP is not in those ranges
# Action: Block
# Do the same via API (account-level IP Access Rules endpoint)
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/firewall/access_rules/rules" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "whitelist",
    "configuration": {
      "target": "ip_range",
      "value": "203.0.113.0/24"
    },
    "notes": "Allow engineering team IPs for SSH access"
  }'

TLS Termination for RDP

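Enabling TLS termination on Spectrum encrypts RDP traffic between the client and Cloudflare. Your origin RDP server does not need its own certificate. In this mode the leg from Cloudflare to the origin is plain TCP, so the origin firewall restriction to Cloudflare IPs shown earlier is what protects that leg.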

# Verify TLS termination for RDP
# With edge TLS termination (tls: "flexible" in the Spectrum API), Cloudflare terminates TLS at the edge
# and forwards plain TCP to the origin
# Client connects to rdp.example.com:3389 over TLS
# Cloudflare forwards to origin:3389 over plain TCP
# This offloads TLS processing from your RDP server

FAQ

Can I use Spectrum with SSH without exposing my origin IP?

Yes. Spectrum proxies all TCP traffic through Cloudflare's IP addresses. Your origin IP remains hidden. Only Cloudflare IPs appear in DNS lookups since the Spectrum DNS record uses a CNAME pointing to Cloudflare.

Does Spectrum support multi-factor authentication for SSH?

Spectrum operates at the TCP level and does not inspect SSH application data. MFA must be configured on your SSH server as usual. Spectrum protects the transport path to your server; authentication is handled by your origin.

How do I preserve the original client IP when using Spectrum?

Enable Proxy Protocol on the Spectrum app and configure your origin (or an HAProxy instance in front of it) to accept Proxy Protocol headers. This preserves the original source IP for logging and firewall purposes.

Practice Questions

  1. Why is it important to hide SSH and RDP ports from internet-wide scans?
  2. How does Proxy Protocol preserve client IPs when traffic is proxied through Spectrum?
  3. What is the benefit of enabling TLS termination on Spectrum for RDP traffic?

Summary

Cloudflare Spectrum protects SSH and RDP services by proxying TCP traffic through the global edge network, hiding origin IPs, and absorbing DDoS attacks. Combined with IP whitelisting and Proxy Protocol, it provides enterprise-grade security for remote access infrastructure. TLS termination offloads encryption overhead from RDP servers; because the edge then forwards plain TCP to the origin, the origin should accept connections only from Cloudflare IPs.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
