Is there a way to timeout an IP if it fails a WAF rule? I’d find that pretty handy.
Do you mean firewall rules?
Yes, but I mean, after a firewall rule blocks a particular request, that IP would be added to a ban-by-ip list for a set period. This is similar to how rate-limiting works.
Personally, I’d set the time period to infinite for IPs that are clearly infected computers running scanners.
We need to be careful when implementing similar measures, IPs are constantly changing and permanently banning an IP seems very wrong.
Cloudflare already has a reputation IP that is more or less aggressive depending on the history of the IP, it might not be as strict as you’d like (as an individual) but this is a trade-off to avoid punishing legitimate users.
Your best bet I’d say is enabling the WAF and set it to block requests, if you are still concerned about those ips, just fetch the events using the graphql api and add the “bad” IPs to an IP list.
At this point, most IPv4 addresses are not only not static, they are shared among multiple people. That kind of rule would be a pretty bad idea as a general case. (At this point, IPv4 should mainly be in use by time travelers from 1997, but unfortunately a lot of people still insist on using it for some reason.) Also, compromised systems tend to get fixed at some point.
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.