When the request from an IP address matches */etc/passwd we would like to block all subsequent requests from that IP address for a period of one day.
We are unable to accomplish this using the UI for Rate Limiting Rules. Those rules only block subsequent requests that match the URL pattern. How do others accomplish this?
For example, one Malicious IP address requests /etc/passwd. It then goes on to request /wp_admin.php. Then it requests /wp_login.php and so on. What we’d like to do is when it makes a request for any page on our list of pages that indicate malicious behavior, we would like to block all subsequent requests no matter what they request. In other words, block that IP for a period of time like 1 day.
What is the appropriate approach to take?
The tool to be used in this case is Rate Limiting, available under the Firewall > Tools.
Only Business and Enterprise plans can block for a day. Free and Pro plans can block for only 1 hour.
Alternatively, you could try to script a solution using the Cloudflare API. You may be able to find such a solution already developed on GitHub.
You may also want to consider Access to block all attempts to hit certain URLs.
Thanks for your suggestions. Yes, we are an Enterprise account so we are able to block for one day.
Yes, a Rate Limiting Rule comes close, but fails to accomplish what we are trying to accomplish.
A Rate Limiting rule will only block subsequent requests that continue to match the specified pattern. If the Rate Limiting Rule is written to match /etc/passwd and the IP address subsequently requests /wp_admin.php and subsequently requests /Login.php the rule will not block those subsequent requests because they do not match the original URL pattern "/etc/passwd".
Once the IP address requests /etc/passwd we know it is malicious. Whatever it requests subsequently should be blocked. A Rate Limiting rule won’t do that.
Further, a Rate Limiting rule cannot be written to trigger on 1 request. The smallest “count” that can be specified is “more than 1”. A small point, but another limitation.
There must be a better approach.
We would like to write a rule as follows:
If the request is http or https and matches “/etc/passwd” or “/wp_admin.php” then block all requests from this IP address for 1 day. We simply don’t see how this can be accomplished.
Thank you for the detailed explanation.
I believe (but I’m not sure) that you may be able to accomplish what you need using Workers. You may want to add to your post the category Developers > Workers, to bring this subject to the attention of developers who could help you with that.
Another alternative, though one that would also not block from the first request, would be to use some integration of Cloudflare API with Fail2ban.
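A sketch of the Workers approach suggested above, written here as an added example rather than code from the thread or from Cloudflare: the Worker sees every request for the zone, so once an IP has asked for a watchlisted path it can deny that IP whatever it requests next, with Workers KV holding the block list and its one-day expiry. The `BLOCKED_IPS` binding name and the `MemoryKV` stand-in are assumptions made for this example; `CF-Connecting-IP` is the header Cloudflare sets with the client address.

```javascript
const WATCHLIST = ["/etc/passwd", "/wp_admin.php"]; // paths that mark an IP as malicious
const BLOCK_SECONDS = 24 * 60 * 60; // one day, as the thread asks for
// Matches any path ending with a watchlisted entry (so /x/etc/passwd trips it too).
function isWatchlisted(pathname) {
  let p = pathname;
  try { p = decodeURIComponent(pathname); } catch (_) {} // malformed %-escapes: keep raw
  return WATCHLIST.some((w) => p.endsWith(w));
}

// Core decision, kept free of the Worker runtime so it can run offline. `kv` offers
// get(key) -> string|null and put(key, value, {expirationTtl}), like a KV binding.
async function decide(ip, pathname, kv) {
  const key = `block:${ip}`;
  // An IP already on the list is denied whatever it asks for.
  if ((await kv.get(key)) !== null) return "blocked";
  // First watchlisted hit: list the IP (KV drops the key after expirationTtl) and deny.
  if (isWatchlisted(pathname)) {
    await kv.put(key, "1", { expirationTtl: BLOCK_SECONDS });
    return "blocked";
  }
  return "allow";
}

// Worker entry point (in a real Worker: `export default worker`); assumes a KV
// namespace bound as BLOCKED_IPS and reads the client IP from CF-Connecting-IP.
const worker = {
  async fetch(request, env) {
    const ip = request.headers.get("CF-Connecting-IP") || "unknown";
    const pathname = new URL(request.url).pathname;
    if ((await decide(ip, pathname, env.BLOCKED_IPS)) === "blocked") {
      return new Response("Forbidden", { status: 403 });
    }
    return fetch(request); // pass through to the origin
  },
};
// Constructed in-memory stand-in for a KV namespace, honouring expirationTtl
// against an injectable clock so the one-day expiry can be exercised offline.
class MemoryKV {
  constructor(clock = () => Date.now()) { this.clock = clock; this.store = new Map(); }
  async get(key) {
    const e = this.store.get(key);
    if (!e) return null;
    if (e.expires !== null && e.expires <= this.clock()) { this.store.delete(key); return null; }
    return e.value;
  }
  async put(key, value, opts = {}) {
    const expires = opts.expirationTtl ? this.clock() + opts.expirationTtl * 1000 : null;
    this.store.set(key, { value, expires });
  }
}
```

Note that KV is eventually consistent across edge locations, so a listed IP can slip a few more requests through at other colos before the key propagates; for a hard per-request guarantee a Durable Object would be the stricter store.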