Blocking Bots with Cloudflare (Custom WAF Rule)

Reading time: < 1 minute

Your websites are constantly being probed by aggressive bots: scrapers and vulnerability scanners that request the same few hundred well-known paths on every host they find.

Today we are going to add a custom WAF rule in Cloudflare so that most of them are stopped at the edge and never reach your origin.

This expression blocks requests whose path looks like a scanner probe: WordPress paths (/wp-*), common admin panels (phpMyAdmin, Jenkins, Grafana, Kibana, cPanel, Plesk, Webmin, ...), cgi-bin directories, Swagger/OpenAPI docs, Spring Boot Actuator and similar management endpoints, framework debug toolbars (_profiler, _debugbar, _ignition), Java consoles (jmx-console, manager/html, invoker), exposed datastore endpoints (elasticsearch, couchdb, redis, mongo), Cisco WebVPN (+CSCOE+/+CSCOT+) and ColdFusion (CFIDE) paths, dotfiles at the root other than /.well-known/, phpunit, well-known webshell names, dynamic extensions a PHP site does not serve (.asp, .jsp, .cgi, .pl, ...), sensitive file extensions (.key, .pem, .sql, .bak, .zip, .log, ...), configuration and secret files (composer.json, package.json, .env, docker-compose.yml, ...), and any .php file other than /index.php. Verified bots (cf.client.bot, e.g. Googlebot) are exempted.

In short: it kills roughly 90% of basic bot scraping and vulnerability scanners.

Step 1: Log in to Cloudflare

Go to https://dash.cloudflare.com

Select your domain

Step 2: Go to the WAF

The exact menu depends on the dashboard version; in the current one it is Security > WAF > Custom rules > Create rule. Fill in:

Name: Block bot scanning paths

Click "Edit expression" and, in the Expression Editor, paste exactly this (the regex operator "matches" is only available on Business and Enterprise plans; on lower plans you would have to rewrite the branches with "starts with", "contains" and "ends with"):

( (http.request.uri.path matches "(?i)^/wp-") or (http.request.uri.path matches "(?i)^/(administrator|adminer|autodiscover|confluence|drupal|ecp|grafana|jenkins|kibana|nifi|owa|phpmyadmin|pma|solr|sites/default|user/login|wiki|webmin|plesk|cpanel|horizon|telescope|myadmin)(/|$)") or (http.request.uri.path matches "(?i)^/(cgi-bin|cgi-bin2|cgi-mod|cgi-sys|scgi-bin)(/|$)") or (http.request.uri.path matches "(?i)^/(webjars/swagger-ui|swagger|api-docs|openapi)(/|$)") or (http.request.uri.path matches "(?i)^/(actuator|management|heapdump|threaddump|jolokia|server-status|server-info|env|beans|metrics|health/*)(/|$)") or (http.request.uri.path matches "(?i)^/(_profiler|_debugbar|_ignition|debug)(/|$)") or (http.request.uri.path matches "(?i)^/(jmx-console|web-console|manager/html|invoker)(/|$)") or (http.request.uri.path matches "(?i)^/(elasticsearch|_cat|_nodes|_cluster|couchdb|redis|mongo)(/|$)") or (http.request.uri.path contains "+CSCOT+") or (http.request.uri.path contains "+CSCOE+") or (http.request.uri.path matches "(?i)^/CFIDE(/|$)") or (http.request.uri.path matches "^/\\.[^/]" and not http.request.uri.path matches "^/\\.well-known(/|$)") or (http.request.uri.path matches "(?i)phpunit") or (http.request.uri.path matches "(?i)(c99|r57|alfa|b374k|wso|indoxploit)") or (http.request.uri.path matches "(?i)\\.(aspx?|jsp|do|action|cgi|pl|cfm|shtml)($|[/?])") or (http.request.uri.path matches "(?i)\\.(key|pem|sql|sh|yml|yaml|bak|swp|swo|tar|zip|gz|log|inc|dump|old|rar)$") or (http.request.uri.path matches "(?i)(^|/)(composer\\.(json|lock)|package\\.json|docker-compose\\.yml|Dockerfile|Jenkinsfile|secrets\\.yml|\\.env(\\..*)?|database\\.yml|credentials|local_settings)($|[./])") or (http.request.uri.path matches "(?i)\\.php($|[/?])" and not http.request.uri.path matches "(?i)^/index\\.php($|[/?])") ) and not cf.client.bot

(Two small fixes compared with the usual copy of this rule: "telescope" was listed twice and is now only in the admin-panel branch, and the .env pattern is written \\.env(\\..*)? so that a bare /config/.env is caught, not only .env.<suffix>; the root /.env was already covered by the dotfile branch.)

Action: Block

Place at: First

Two caveats before you hit Deploy. First, the rule is written for a site that does not run WordPress: the "^/wp-" branch and the ".php other than /index.php" branch will also block your own /wp-admin/ and /wp-login.php, so on a WordPress site remove those branches or add an exception such as "and not ip.src in {203.0.113.5}" for your admin addresses. Second, a few branches match anywhere in the path ("wso", "alfa", "credentials", "\.zip$", "\.log$") and can hit legitimate URLs such as a download link ending in .zip. Deploy with the action set to Managed Challenge first, watch Security > Events for a day, and switch to Block once no real users are matched.
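Because the rule cannot be previewed inside Cloudflare before it is deployed, it pays to dry-run the regex branches against your own URL list (from your sitemap or access logs) and see which paths would be blocked and by which branch. The script below is an added example, not code from the original post or from Cloudflare: it transcribes every branch of the expression into Python (Cloudflare's "matches" is an unanchored search, so re.search is used), adds the "contains" branches, the dotfile and .php exceptions and the cf.client.bot exemption, and runs a constructed list of scanner probes and legitimate paths through it. The .env pattern is written \.env(\..*)? so a bare /config/.env is also caught. The sample paths and the branch labels are constructed for this example.

```python
import re

# Regex branches of the Cloudflare rule, transcribed as Python raw strings
# (Cloudflare writes "\\." inside its string literals; that is r"\." here).
# Labels are constructed for readability; Cloudflare has no such names.
PATH_REGEXES = [
    ("wordpress",      r"(?i)^/wp-"),
    ("admin-panels",   r"(?i)^/(administrator|adminer|autodiscover|confluence|drupal|ecp|grafana|jenkins|kibana|nifi|owa|phpmyadmin|pma|solr|sites/default|user/login|wiki|webmin|plesk|cpanel|horizon|telescope|myadmin)(/|$)"),
    ("cgi",            r"(?i)^/(cgi-bin|cgi-bin2|cgi-mod|cgi-sys|scgi-bin)(/|$)"),
    ("api-docs",       r"(?i)^/(webjars/swagger-ui|swagger|api-docs|openapi)(/|$)"),
    ("actuator",       r"(?i)^/(actuator|management|heapdump|threaddump|jolokia|server-status|server-info|env|beans|metrics|health/*)(/|$)"),
    ("debug",          r"(?i)^/(_profiler|_debugbar|_ignition|debug)(/|$)"),
    ("java-consoles",  r"(?i)^/(jmx-console|web-console|manager/html|invoker)(/|$)"),
    ("datastores",     r"(?i)^/(elasticsearch|_cat|_nodes|_cluster|couchdb|redis|mongo)(/|$)"),
    ("coldfusion",     r"(?i)^/CFIDE(/|$)"),
    ("phpunit",        r"(?i)phpunit"),
    ("webshell-names", r"(?i)(c99|r57|alfa|b374k|wso|indoxploit)"),
    ("dynamic-ext",    r"(?i)\.(aspx?|jsp|do|action|cgi|pl|cfm|shtml)($|[/?])"),
    ("sensitive-ext",  r"(?i)\.(key|pem|sql|sh|yml|yaml|bak|swp|swo|tar|zip|gz|log|inc|dump|old|rar)$"),
    # \.env(\..*)? catches a bare /config/.env as well as .env.local etc.
    ("config-files",   r"(?i)(^|/)(composer\.(json|lock)|package\.json|docker-compose\.yml|Dockerfile|Jenkinsfile|secrets\.yml|\.env(\..*)?|database\.yml|credentials|local_settings)($|[./])"),
]


def matched_branch(path):
    """Return the label of the first rule branch the path hits, or None if allowed.

    Cloudflare's "matches" is an unanchored regex search; the branches that carry
    their own "and not ..." exception are evaluated exactly as in the expression.
    """
    for label, rx in PATH_REGEXES:
        if re.search(rx, path):
            return label
    if "+CSCOT+" in path or "+CSCOE+" in path:          # the two "contains" branches
        return "cisco-webvpn"
    if re.search(r"^/\.[^/]", path) and not re.search(r"^/\.well-known(/|$)", path):
        return "dotfile"
    if re.search(r"(?i)\.php($|[/?])", path) and not re.search(r"(?i)^/index\.php($|[/?])", path):
        return "php"
    return None


def is_blocked(path, verified_bot=False):
    """True when the rule would block the request; verified bots bypass it ("and not cf.client.bot")."""
    if verified_bot:
        return False
    return matched_branch(path) is not None


def audit(paths):
    """Map each path to the branch that blocks it (None means the request is allowed)."""
    return {p: matched_branch(p) for p in paths}


# Constructed sample input: typical scanner probes ...
SCANNER_PROBES = [
    "/wp-login.php", "/phpmyadmin/", "/.env", "/config/.env", "/actuator/health",
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/+CSCOE+/logon.html",
    "/cgi-bin/test.cgi", "/backup.sql", "/.git/config", "/manager/html",
]
# ... and legitimate URLs a real site might serve (the last two are false positives).
LEGIT_PATHS = [
    "/", "/index.php", "/index.php/blog/post-1", "/.well-known/acme-challenge/token",
    "/blog/2024/hello-world", "/api/v1/users", "/assets/app.js",
    "/downloads/report-2024.zip", "/about/wso-workshop",
]

if __name__ == "__main__":
    # Replace LEGIT_PATHS with the paths from your own sitemap or access log
    # to find the legitimate URLs the rule would block before you deploy it.
    for p, branch in audit(SCANNER_PROBES + LEGIT_PATHS).items():
        print(f"{'BLOCK ' + branch if branch else 'allow':<22} {p}")
```

Every path in SCANNER_PROBES is blocked, while the two legitimate paths "/downloads/report-2024.zip" (sensitive-ext) and "/about/wso-workshop" (webshell-names, the bare "wso" substring) show the kind of false positive that the Managed Challenge trial period is meant to surface.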
