Ban / block IP based on HTTP response / train WAF

I have my own set of filters / rules, which I use to ban IP addresses. Some of these rules are probably handled by CF, but some of them are very targeted, and cannot be handled by CF.

For these requests, I return a specific HTTP response. Without CF, I'd just ban the IP with, for example, fail2ban.

My question: How can I (temporarily) ban an IP address based on the origin response code?
Ideally this would either be after 1 request (severe threat) or after a number (5 for example) requests with that specific response code.

A ban / block could be the action, but I can imagine that something like “increase_threat_score” could be the action as a result of the response code.

If the response code would be a universal response code for Cloudflare, CF could investigate these responses to improve the global WAF.

The reason I don't want to use an API to block IPs manually is that I also want to unban them after a while, and I don't really want Cloudflare tokens/keys on those servers.

This is possible with Cloudflare rate limiting on certain plan types or with workers.
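As an added illustration of the Workers approach mentioned in the reply (this is example code, not Cloudflare's and not from anyone in this thread), the handler below proxies each request to the origin, counts how often the origin answers a given client IP with the "this was hostile" status code, and returns 403 for that IP for a while once a threshold is reached. The status code (418), the `x-ban-now` header for single-request bans, the thresholds and the `fetchOrigin` injection are all assumptions made for the example. The store is an in-memory Map so the logic runs offline; each Worker isolate has its own memory, so a real deployment would keep the counters in Cloudflare KV, a Durable Object or similar shared storage.

```javascript
// Added example: temporary per-IP block driven by the origin's response status.
// Assumed values (not from the thread): the origin replies 418 to requests that
// matched one of its own filters, and adds "x-ban-now: 1" for severe cases.
const TRIGGER_STATUS = 418;
const SEVERE_HEADER = "x-ban-now";
const THRESHOLD = 5;        // ban after this many trigger responses ...
const WINDOW_SECONDS = 600; // ... seen within this window
const BAN_SECONDS = 3600;   // length of the temporary ban

// In-memory store for the example only. Worker isolates do not share memory,
// so production code would use KV / Durable Objects instead of these Maps.
function createStore() {
  return { counts: new Map(), bans: new Map() };
}

// True while `ip` has an unexpired ban; expired bans are dropped on read.
function isBanned(store, ip, now) {
  const until = store.bans.get(ip);
  if (until === undefined) return false;
  if (until <= now) {
    store.bans.delete(ip);
    return false;
  }
  return true;
}

// Record one trigger response for `ip` at time `now` (seconds).
// Returns true if this hit caused a ban to be applied.
function recordHit(store, ip, now, severe) {
  if (severe) {
    store.bans.set(ip, now + BAN_SECONDS);
    store.counts.delete(ip);
    return true;
  }
  let entry = store.counts.get(ip);
  // Start a fresh window if there is none or the old one has aged out.
  if (!entry || now - entry.start > WINDOW_SECONDS) entry = { start: now, hits: 0 };
  entry.hits += 1;
  store.counts.set(ip, entry);
  if (entry.hits >= THRESHOLD) {
    store.bans.set(ip, now + BAN_SECONDS);
    store.counts.delete(ip);
    return true;
  }
  return false;
}

// Classify one origin response. Only the trigger status counts; anything else
// is ignored so normal 4xx/5xx traffic never leads to a ban.
function processOriginResponse(store, ip, status, severeHeaderValue, now) {
  if (status !== TRIGGER_STATUS) return false;
  return recordHit(store, ip, now, severeHeaderValue === "1");
}

// Worker-style handler. `fetchOrigin` is injected so the logic can be exercised
// offline; in the Worker it is the global fetch().
async function handleRequest(request, store, fetchOrigin, now = Math.floor(Date.now() / 1000)) {
  // cf-connecting-ip is set by Cloudflare; "unknown" only for local runs.
  const ip = request.headers.get("cf-connecting-ip") || "unknown";
  if (isBanned(store, ip, now)) {
    return new Response("Forbidden", { status: 403 });
  }
  const response = await fetchOrigin(request);
  processOriginResponse(store, ip, response.status, response.headers.get(SEVERE_HEADER), now);
  return response;
}

// Entry point when deployed as a Service Worker-style script; skipped elsewhere.
const globalStore = createStore();
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(handleRequest(event.request, globalStore, fetch));
  });
}
```

Because the origin never sees a Cloudflare token and the Worker reads only the status and a header, this keeps API credentials off the origin servers, which was the constraint in the question; the unban happens automatically when `BAN_SECONDS` elapses.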
