I have my own set of filters / rules, which I use to ban IP addresses. Some of these rules are probably handled by CF, but some of them are very targeted, and cannot be handled by CF.
For these requests, I return a specific http response. Without CF, I’d just ban the IP with for example fail2ban.
My question: How can I (temporarily) ban an IP address based on the origin response code?
Ideally this would either be after 1 request (severe threat) or after a number (5 for example) requests with that specific response code.
A ban / block could be the action, but I can imagine that something like “increase_threat_score” could be the action as a result of the response code.