Cloudflare Spectrum — SSH & RDP Protection with DDoS Mitigation
This tutorial covers Cloudflare Spectrum: the key concepts, worked configuration examples for SSH and RDP, and the hardening steps that go with them.
Cloudflare Spectrum protects SSH and RDP services from DDoS attacks, brute force attempts, and port scans by proxying TCP traffic through Cloudflare's global network. This tutorial walks through configuring Spectrum for SSH on port 22 and RDP on port 3389 with practical security hardening.
Why SSH and RDP Protection Matters
SSH and RDP are common attack targets. Internet-wide scans constantly probe port 22 and port 3389 for open services. Once discovered, attackers launch brute force credential attacks or exploit unpatched vulnerabilities. Cloudflare Spectrum hides your origin IP address, absorbs DDoS traffic, and lets you apply firewall rules before traffic reaches your server.
Real-world use: DodaZIP's engineering team manages hundreds of Linux servers via SSH. Before Spectrum, the SSH gateway was hit by credential stuffing attacks daily. After proxying SSH through Spectrum with IP whitelisting, blocked attack traffic dropped from 12,000 requests per day to zero.
Spectrum SSH Architecture
flowchart TD
DEV[Developer] --> EDG[Cloudflare Edge]
EDG --> NET[Cloudflare Network]
NET --> ORG[Origin SSH Gateway]
subgraph DDoS Protection
EDG
NET
end
ATT[Attacker] --> EDG
ATT -.->|Blocked| EDG
EDG -.->|DDoS dropped| DISCARD
style DEV fill:#09c,color:#fff
style ORG fill:#090,color:#fff
style ATT fill:#c00,color:#fff
style DISCARD fill:#c00,color:#fff
Configuring Spectrum for SSH
Follow these steps to proxy SSH through Cloudflare Spectrum.
# Step 1: Create a Spectrum app for SSH
# Spectrum apps belong to a zone, so the endpoint is zones/{zone_id}/spectrum/apps.
# The origin must be reachable from Cloudflare's network; 10.0.0.5 stands in for the
# gateway's real address. It points at port 2222, where haproxy (Step 2) strips the
# PROXY header before sshd sees the connection.
curl -X POST https://api.cloudflare.com/client/v4/zones/{zone_id}/spectrum/apps \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "protocol": "tcp/22",
    "dns": {
      "type": "CNAME",
      "name": "ssh.dodazip.com"
    },
    "origin_direct": ["tcp://10.0.0.5:2222"],
    "proxy_protocol": "v1",
    "tls": "off",
    "ip_firewall": true,
    "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
    }
  }'
# "proxy_protocol": "v1" makes Cloudflare prepend a one-line PROXY header
# (e.g. "PROXY TCP4 <client ip> <edge ip> <client port> 22\r\n") to the start of
# each TCP stream, so the origin can log or filter by the real visitor IP.
# It is a line at the start of the byte stream, not a field in the TCP header.
# "ip_firewall": true applies your IP Access Rules to this app at the edge.
# "edge_ips": dynamic uses Cloudflare's shared anycast addresses; "static" with
# an "ips" list is available on plans with dedicated (BYOIP) edge addresses.
# Step 2: Strip the PROXY header in front of sshd
# OpenSSH does not parse the PROXY protocol itself, so a TCP proxy has to consume
# the header first. Install haproxy and add to /etc/haproxy/haproxy.cfg:
listen ssh_proxy
    bind :2222 accept-proxy
    mode tcp
    option tcplog
    server origin 127.0.0.1:22
# accept-proxy reads and removes the v1 (or v2) PROXY header; the connection to
# sshd carries no header. The real client IP appears in haproxy's log
# (option tcplog), which is what to use for audit; sshd itself sees 127.0.0.1.
# Restrict the origin's firewall to Cloudflare's IP ranges on port 2222, otherwise
# anyone who can reach the port directly could send a forged PROXY line.
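The PROXY line Spectrum prepends (proxy_protocol "v1") is plain text at the start of the TCP stream, so whatever sits in front of sshd must parse and validate it before passing the bytes on. The following added Python example (not Cloudflare's or the page's own code; the sample stream is constructed) does what a small origin-side wrapper or log parser would: it splits the v1 header off, validates every field, handles the UNKNOWN family, and rejects malformed lines rather than trusting them for allow-lists or audit logs.

```python
import ipaddress

# Constructed sample of the first bytes Spectrum sends to the origin when the
# app has "proxy_protocol": "v1": the PROXY line, then the normal SSH banner.
SAMPLE_STREAM = b"PROXY TCP4 203.0.113.7 172.16.0.5 54321 22\r\nSSH-2.0-OpenSSH_9.6\r\n"

MAX_V1_HEADER = 107  # a v1 header line is at most 107 bytes including CRLF


def parse_proxy_v1(data: bytes):
    """Split a PROXY protocol v1 header off the front of a TCP stream.

    Returns (info, rest): info holds the real client address as reported by
    the proxy (None for the UNKNOWN family), rest is the payload that follows.
    Raises ValueError on anything malformed so the caller can drop the
    connection instead of trusting a bogus source address.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER + 1)
    if end == -1 or not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header at start of stream")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # The proxy could not determine the client (e.g. a health check):
        # the connection is valid but no address may be taken from the line.
        return {"family": "UNKNOWN", "src": None, "dst": None}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY header: {fields!r}")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match PROXY family")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ValueError("port out of range")
    return {"family": fields[1], "src": str(src), "src_port": sport,
            "dst": str(dst), "dst_port": dport}, rest


def client_ip_or_none(data: bytes):
    """Real client IP from the stream, or None if the header is absent or invalid.

    Only meaningful when the origin accepts connections solely from Cloudflare:
    anyone who can reach the port directly could send a forged PROXY line.
    """
    try:
        return parse_proxy_v1(data)[0]["src"]
    except ValueError:
        return None
```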
Configuring Spectrum for RDP
RDP on port 3389 is frequently targeted by ransomware groups. Spectrum hides it from internet scans.
# Create a Spectrum app for RDP (same zone-level endpoint as the SSH app;
# 10.0.0.10 stands in for the RDP host's address reachable from Cloudflare)
curl -X POST https://api.cloudflare.com/client/v4/zones/{zone_id}/spectrum/apps \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "protocol": "tcp/3389",
    "dns": {
      "type": "CNAME",
      "name": "rdp.dodazip.com"
    },
    "origin_direct": ["tcp://10.0.0.10:3389"],
    "proxy_protocol": "off",
    "tls": "flexible",
    "ip_firewall": true,
    "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
    }
  }'
# "tls": "flexible" terminates TLS at the edge, encrypting the client-to-Cloudflare
# leg, and forwards plain TCP to the origin. The accepted values are off, flexible,
# full and strict; full and strict keep TLS on the Cloudflare-to-origin hop as well.
# "proxy_protocol" is "off" because the Windows Remote Desktop service does not
# understand the PROXY header; "v1" only works when a TCP proxy that strips the
# header sits in front of the RDP host.
# Configure the Windows firewall to allow RDP only from Cloudflare IPs. The current
# ranges are published at https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6; the list below is truncated.
# PowerShell command to add the firewall rule:
New-NetFirewallRule -DisplayName "Allow Cloudflare RDP" `
  -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
  -RemoteAddress 173.245.48.0/20,103.21.244.0/22,...
# This blocks RDP traffic not originating from Cloudflare IPs only if no other
# rule allows port 3389 from any address: disable the built-in "Remote Desktop"
# rule group first, since Windows Firewall permits traffic matched by any allow rule.
IP Whitelisting with Spectrum
The most effective security measure is restricting access to known IP addresses or ranges.
# Create IP Access Rules so only your team's IPs can reach the Spectrum apps.
# They take effect on Spectrum apps created with "ip_firewall": true.
# In the dashboard, navigate to Security > WAF > IP Access Rules
# Add a rule: IP is in {203.0.113.0/24, 198.51.100.0/24}, Action: Allow
# Then add a second rule: IP is not in those ranges, Action: Block
# (Allow rules take precedence over Block rules, so the allowed ranges still get through.)
# The same via the API (endpoint: accounts/{account_id}/firewall/access_rules/rules;
# "mode": "whitelist" is the Allow action, "block" the Block action):
curl -X POST https://api.cloudflare.com/client/v4/accounts/{account_id}/firewall/access_rules/rules \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "whitelist",
    "configuration": {
      "target": "ip_range",
      "value": "203.0.113.0/24"
    },
    "notes": "Allow engineering team IPs for SSH access"
  }'
TLS Termination for RDP
Enabling TLS termination on Spectrum encrypts RDP traffic between the client and Cloudflare. Your origin RDP server does not need its own certificate.
# Verify TLS termination for RDP
# When TLS termination is enabled on the app, Cloudflare terminates TLS at the edge
# and forwards plain TCP to the origin:
# Client connects to rdp.dodazip.com:3389 over TLS
# Cloudflare forwards to origin:3389 over plain TCP
# This offloads TLS processing from your RDP server; only the client-to-Cloudflare
# leg is encrypted by Spectrum, so keep the origin reachable solely from Cloudflare.
Practice Questions
- Why is it important to hide SSH and RDP ports from internet-wide scans?
- How does Proxy Protocol preserve client IPs when traffic is proxied through Spectrum?
- What is the benefit of enabling TLS termination on Spectrum for RDP traffic?
Summary
Cloudflare Spectrum protects SSH and RDP services by proxying TCP traffic through the global edge network, hiding origin IPs, and absorbing DDoS attacks. Combined with IP whitelisting and Proxy Protocol, it provides enterprise-grade security for remote access infrastructure. TLS termination offloads encryption overhead from RDP servers while maintaining end-to-end security.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.