Block Tor and VPNs from accessing my website

Hi,

Is there a way to Block users that are using Tor and VPNs from accessing my domain? I have the pro plan.

Thanks

Tor, with a firewall rule

VPNs are more difficult. Cloudflare does not classify them, hence you would need to go the manual route. This was actually discussed only a few days ago -> Challenge all VPN traffic?

Hi, Thanks, please see below, did I do it right?

Right depends on what you wanted to do. This doesnt block VPNs but countries and one British network.

Most of the problem users are from those countries. I will probably have to block all of the IPs from this list because i have seen these IPs spamming my server: https://udger.com/resources/datacenter-list

Let me know if there is another method besides countries and AS. I think AS is also ASN. Right?

You mean the requests come from these countries, not the users necessarily, right? Because if it is just the users, they can easily change their location with a said VPN.

The current configuration actually wont work as you AND’ed everything (and a request cant come from two countries at the same time). You will need to use OR, respectively better simplify the whole list with one is in operator instead.

Yes, those countries, i want to keep blocked.
Last question: Can I import list of blacklistIPs.txt ?

Not via the UI. You could write a short script which uses the API and creates respective entries.

I dont know how would I write that script. Is there a guide?

On Google :slight_smile:

You just need to write a script (in whatever language you prefer) to add entries, using either https://api.cloudflare.com/#firewall-access-rule-for-a-zone-create-access-rule or https://api.cloudflare.com/#firewall-rules-create-firewall-rules

Thank you.
It seems very complicated. I think I will have to ban those IPs manually :frowning:

Thanks for the info and help.

Check if these IP addresses have anything in common. Maybe you can block more ASNs.

Also, I wouldnt necessarily block all these countries. A captcha challenge might be a better idea. Still blocks automated requests but will give legitimate users still the chance to access your site.

My users are legitimate but are the problem users that spams. I cannot find a ASN for amazon. I tried.

Amazon will have quite number of ASes, but these three might be a start

  • 14618
  • 16509
  • 38895

Thanks, I will go with the ASN blocking. Thanks a lot for the help:)

There are services dedicated to detecting VPNs, however, these come with a cost and you would have to implement them with cloudflare.
Its up to you whether if its worth the effort/price that blocking VPNs come with.

This topic was automatically closed after 30 days. New replies are no longer allowed.