Hi,
I am using CF to protect my website. The website contains various back-office software, which also sits behind CF.
I have noticed a lot of pentesting requests coming from CF IPs, for example:
172.68.27.60 - - [12/Mar/2024:01:36:51 +0000] "GET /wp-login.php HTTP/2.0" 200 1964 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.68.27.212 - - [12/Mar/2024:00:42:40 +0000] "GET //xmlrpc.php?rsd HTTP/2.0" 200 1957 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
172.68.26.225 - - [12/Mar/2024:03:48:09 +0000] "GET //wp-content/plugins/fix/up.php HTTP/2.0" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
172.68.27.70 - - [12/Mar/2024:04:23:54 +0000] "GET /.well-known/acme-challenge/iR7SzrsOUEP.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
172.68.26.63 - - [12/Mar/2024:06:16:00 +0000] "GET /wp-includes/SimplePie/about.php HTTP/2.0" 200 1976 "-" "-"
172.68.27.229 - - [12/Mar/2024:06:16:00 +0000] "GET /wp-content/banners/about.php HTTP/2.0" 301 169 "-" "-"
As well as a gazillion scraping requests masquerading as BingBot:
172.68.27.145 - - [12/Mar/2024:06:17:18 +0000] "GET /xxx HTTP/2.0" 200 5311 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
172.68.26.211 - - [12/Mar/2024:06:17:42 +0000] "GET /xxx HTTP/2.0" 200 5526 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
How do I block this traffic, considering the fact that some of my internal services also use the same IP ranges?
Thank you
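A triage sketch for log lines like the ones in the post above, added here as an example and not part of the original post: it separates the question "did this arrive through a Cloudflare edge address?" from "what was requested?", which is why an address-based block on the logged peer would also hit everything else arriving through those ranges. The sample lines are constructed from the post's excerpt, and the 172.64.0.0/13 range and the label names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: 172.64.0.0/13 is a Cloudflare edge range; refresh from
# Cloudflare's published IP list before relying on it.
CF_EDGE = [ipaddress.ip_network("172.64.0.0/13")]
# Forum software turns ASCII quotes into curly ones; undo that before parsing.
QUOTES = str.maketrans("\u201c\u201d", '""')
LINE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Request paths of the kind probed in the post's excerpt.
PROBE = re.compile(
    r"^/+(wp-login\.php|xmlrpc\.php|wp-(content|includes)/.*\.php|\.well-known/.*\.php)$"
)

def classify(line):
    """Return (peer_is_cf_edge, label) for one access log line, or None."""
    m = LINE.match(line.strip().translate(QUOTES))
    if not m:
        return None
    try:
        peer = ipaddress.ip_address(m["peer"])
    except ValueError:  # logged peer is not an IP literal
        return None
    via_cf = any(peer in net for net in CF_EDGE)
    path = m["uri"].split("?", 1)[0]
    if PROBE.match(path):
        label = "wp-probe"
    elif "bingbot" in m["ua"].lower():
        label = "claims-bingbot"  # the User-Agent string alone is unverified
    else:
        label = "other"
    return via_cf, label

def tally(lines):
    """Count lines per (peer_is_cf_edge, label), skipping unparseable ones."""
    return Counter(r for r in map(classify, lines) if r is not None)

# Constructed sample lines modelled on the post's excerpt (user agents shortened).
SAMPLE = [
    '172.68.27.60 - - [12/Mar/2024:01:36:51 +0000] "GET /wp-login.php HTTP/2.0" 200 1964 "-" "Mozilla/5.0"',
    '172.68.27.212 - - [12/Mar/2024:00:42:40 +0000] “GET //xmlrpc.php?rsd HTTP/2.0” 200 1957 “-” “Mozilla/5.0”',
    '172.68.27.145 - - [12/Mar/2024:06:17:18 +0000] "GET /xxx HTTP/2.0" 200 5311 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"',
    '203.0.113.7 - - [12/Mar/2024:06:20:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
]
```

Running `tally()` over a full access log shows how much of the probe and bot-claiming traffic shares an edge peer address with ordinary requests.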