Doing some routine firewall tinkering in Cloudflare, I happened to notice that my IP whitelist – which I have never deliberately added anything to – had grown huge. Apparently it had been growing slowly over the years, I just didn’t notice.
Delving deeper, the whitelisted IPs seemed to belong to previous webhosts that I had used. It turns out that every time I add a site to my Cloudflare account, the IP address for that site is automatically added to my IP whitelist. If I later change hosts, and thus change IPs, the new IP is added, but the old one is not deleted. If I delete the site from Cloudflare – well, I didn’t check that, but I suspect the IP stays in the whitelist.
I had added and deleted a number of sites, and changed hosts a number of times, over the last decade. Each time my IP whitelist grew incrementally. Since I didn’t notice for a very long time, it got huge. And the risk is – well, really minimal I suspect. It seems infeasible that a bud guy or gal would guess or figure out an IP address that I had used years ago, and also guess that the IP was whitelisted in my Cloudflare account and could be used to thwart my Cloudflare security.
But, a giant IP whitelist full of obsolete numbers is untidy at best. So, I cleaned it up.
