Block access by IP if client hits URL


#1

I have a website, it does not have phpMyAdmin, but I see (via access log) someone trying to access /phpMyAdmin and many other sensitive URLs. I know - it’s a bot, it scans my website.
I need to automatically BLOCK this bot by IP address instantly when it hits some URL (ex: */phpMyAdmin)
Can I do it?

Similar functionality is provided by the Rate Limit function, it works exactly as I expect if I configure (1 hit per 1 minute, then block for 1 hour) BUT it blocks access ONLY to the specified URL, and I need to block by IP for the entire website.

Could it be achieved with Cloudflare?


#2

Not that I’m aware of. Even if you could, you would need a way to eventually unblock that IP address, as you’ll end up with a very long list.

Having a website probed for vulnerabilities is normal, and if you blocked every IP address that probed every vulnerability, you’d end up with a very very long list.

Since you’ve checked your log and know it’s a bot, does it have a consistent User Agent string you can block? “User Agent Blocking” is a feature on the Cloudflare Firewall settings page.


#3

What is user agent block?
Does user agent block belong to any browser or IP?


#4

You could use the API to add a firewall block rule for the offending IP easily enough.

Google has thrown up this as an example in PHP (no idea if it works or not):

If it was something I was after I might try integrating this call with fail2ban or something instead.
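One way to automate the approach described in this post, as an added example that is not the thread's own code: scan access-log lines for hits on paths the site does not serve and build a block rule for the client IP for Cloudflare's zone-level IP Access Rules endpoint. The log format, the sensitive-path list, the zone ID and the API token are assumptions; the rule note carries a timestamp so the stale rules mentioned in #2 can be expired by a separate cleanup job.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

# Assumed list of paths this site does not serve (lowercase); a request for any of them marks a scanner.
SENSITIVE_PATHS = ("/phpmyadmin", "/wp-login.php", "/.env")
# Assumed Common Log Format: '<ip> - - [time] "METHOD /path HTTP/x" status size ...'
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

def scanner_hits(lines):
    """Map each client IP that requested a sensitive path to the first such path it asked for."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0].lower()  # drop query string, compare case-insensitively
        if any(path.startswith(p) for p in SENSITIVE_PATHS):
            hits.setdefault(m.group("ip"), path)
    return hits

def access_rule_payload(ip, probed_path):
    """Request body for a Cloudflare IP Access Rule (mode=block) that applies to the whole zone.
    The note records a UTC timestamp so a cleanup job can later delete rules older than N days."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "mode": "block",
        "configuration": {"target": "ip", "value": ip},
        "notes": f"auto-block {stamp}: probed {probed_path}",
    }

def block_ip(ip, probed_path, zone_id, api_token):
    """POST the rule to the zone-level IP Access Rules endpoint (zone_id and api_token are assumptions)."""
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules"
    body = json.dumps(access_rule_payload(ip, probed_path)).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {api_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

# Constructed sample log lines (RFC 5737 documentation addresses), not a real access log.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.68.0"',
    '192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/index.php?lang=en HTTP/1.1" 404 153 "-" "python-requests/2.25"',
]
```

Running `scanner_hits` over the sample and feeding each hit to `access_rule_payload` gives the rule bodies; `block_ip` sends one only when you pass real zone and token values, so the detection can be dry-run against a log first.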


#5

I know how to block an IP manually, it’s not a solution, I don’t want to monitor the access log every day. I asked a different question.


#6

So, scripting work is definitely required, right? No built-in functionality in Cloudflare?


#7

Nothing built-in, no. The only thing you can play with to pattern match the access of certain paths is ‘Page Rules’ but that is nowhere near sophisticated enough to be able to use on its own to provide what you want.

As already mentioned you can block by user-agent if these bots are ‘obvious’ (e.g. they use cURL, say). However user-agent blocking only matches exact user-agent strings (no pattern-matching) so you end up needing multiple rules just to block the most common versions and variants on the usual script-kiddie tools.

That being said, it might be of use if you’re being targeted in some way.