So I am trying to set up some rules to JSChallenge anyone from outside of the United States and its minor outlying areas. My engine-building company does not ship outside the USA, so our primary focus is US-based customers. So making it slightly more challenging for those outside of our area is OK if it can possibly eliminate some spam/attacks on my website. My question is as to the best way to implement this. From poking around, it looks like I will be doing this with my 1 of 5 Firewall rules, or doing it via IP Access Rules. I am getting a little confused on which to use and whether or not one would take priority over the other and vice versa. I temporarily tried the following firewall rule which SEEMED to work, but until I get to work and re-test, connecting to it using a VPN routed through Russia, I won't know for sure if the JSChallenge part is functional. For now it is disabled until I hear back from you guys:
Country is NOT equal to United States
Country is NOT equal to United States Outlying Areas
*** BUT…I also do NOT want to block good bots. I want all good bots to be able to scan my website. How or where would I add this into the mix if using the above rule set? Would I add it inside the existing above rule or would it be a completely separate rule? If separate rule, would I place it above or below the current one, or does that order even matter? Or, can I use IP Access rules instead, for the same stuff as above, so as to not waste Firewall rules since I only have 5? Thanks!
With access rules you cannot negate, and whitelisting the US and challenging everyone else might not be a good idea, as that would literally whitelist all US requests, even those which are usually blocked.
Your best bet might be a firewall rule of this sort
I did not even realize I could add multiple values inside the value box. That's great news versus adding additional ANDs for each country. One last question. What would be the difference between what you proposed “is not in” and using “does not equal” for the operator in my scenario? Thanks for your quick response!
Does it matter what order my rules are organized? Does this one need to be before or after my country challenge one? And last, is there a more compact or cleaner way to achieve what I am doing in this particular rule, just like there was in the country block rule? Thanks!
On the topic of order, do IP Access rules override or get overridden by Firewall rules or vice versa, and does ordering matter in IP Access?
The only reason I have those in there is that somehow throughout the last year of building the site (which by the way, I have not had all this Cloudflare setup properly the whole time unfortunately), those specific domains somehow attached SPAM backlinks to my domain and Google noted these crappy backlinks in Google Search Console. I am just trying to make sure that there is not a way specifically for these domains to attach to me as SPAM backlinks. I also plan to disavow them to try to remove the links in Google’s eyes. Am I wasting my time with that?
OK excellent, so it looks like IP Access takes priority, so good to know. I will be careful in how I add these things in that regard. Let me ask this, if I have two firewall rules like I do now, with the two we have discussed, does the order of those two matter?
Also, per the comment floripare made, would adding a threat level of “15” to even my allowed countries do anything different than what is already being done via my general “Security Level” being set to “Medium”? Or are they completely different things?
Good question! I’m not so sure I can give you a definite answer, because Cloudflare itself provides slightly different answers to what Security Level means on its Firewall tab > Security Level > Help and here.
The one benefit I see in putting the cf.threat_score on a Firewall Rule is that you have a means to fine-tune this control.
So if with “greater than”, say, 14, you keep seeing bad visitors making it to your origin server, you could change that to 13, then to 12 etc, until you find the best balance between protecting your website and not scaring away your legitimate visitors.
While if you see bad actors coming to your website under Security Level = Medium, your only option would be to elevate that to High, which would jump from 14 to 0 according to the page linked above.
Actually, my recent experience would indicate that, except for the Allow action, the most stringent rule prevails.
I have a second rule with Action = Block for certain known WordPress URLs hackers like to probe, such as /author= and /installer.php etc, and they are always triggered, even when, like most guys trying this kind of stuff, they come from countries where my first rule (JS Challenge) would apply. Even this morning I had about 50 hits with sequential URLs starting with /author=1 to /author=50 coming from an authorized country and they were all beautifully blocked.
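
The rules discussed in this thread, written out in Cloudflare's firewall rule expression syntax as an added example (not posted by any participant in the thread). The grouping, the action on the threat score rule, and the use of `http.request.uri` for the URL match are assumptions; lines starting with `#` are annotations and not part of an expression.

```text
# Rule A, action: JS Challenge
# Matches visitors whose country is neither US nor UM (the ISO code for the
# US Minor Outlying Islands) and who are not on Cloudflare's known good bot list.
(not ip.geoip.country in {"US" "UM"} and not cf.client.bot)

# Same match written with "does not equal": each country needs its own
# comparison, joined with "and". Joining the two comparisons with "or" would
# match every request, because no visitor is in both countries at once.
(ip.geoip.country ne "US" and ip.geoip.country ne "UM" and not cf.client.bot)

# Rule B, assumed action: JS Challenge
# Threat score threshold from the thread; lower the number (13, 12, ...)
# to challenge more visitors, raise it to challenge fewer.
(cf.threat_score gt 14)

# Rule C, action: Block
# The WordPress probe URLs named in the last post, matched as substrings
# of the request URI.
(http.request.uri contains "/author=") or (http.request.uri contains "/installer.php")
```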