How to correctly filter this traffic? (WAF)

I would like to filter out a specific type of hit. This is “hacking” type of traffic, trying to find vulnerable WordPress sites (/wp-login.php). So it’s not legit traffic at all. The problem is that it comes from Microsoft ASN (8075). I can’t block Microsoft ASN completely because Bing will be blocked as well, and I want Bing to crawl my website. What type of filter should I implement to correctly “Block” this traffic with WAF? Here is the full request (sensitive data has been replaced):

{
  "request": {
    "cf": {
      "asOrganization": "Microsoft Azure",
      "asn": 8075,
      "city": "Tappahannock",
      "clientTcpRtt": 8,
      "colo": "IAD",
      "continent": "NA",
      "country": "US",
      "edgeRequestKeepAliveStatus": 1,
      "httpProtocol": "HTTP/1.1",
      "latitude": "37.92730",
      "longitude": "-76.85450",
      "metroCode": "556",
      "postalCode": "22560",
      "region": "Virginia",
      "regionCode": "VA",
      "timezone": "America/New_York",
      "tlsCipher": "ECDHE-ECDSA-AES128-GCM-SHA256",
      "tlsClientAuth": {
        "certPresented": "0",
        "certRevoked": "0",
        "certVerified": "NONE"
      },
      "tlsExportedAuthenticator": {
        "clientFinished": "123123123",
        "clientHandshake": "123123123",
        "serverFinished": "123123123",
        "serverHandshake": "123123123"
      },
      "tlsVersion": "TLSv1.2"
    },
    "headers": {
      "accept": "*/*",
      "accept_encoding": "gzip",
      "cf_connecting_ip": "20.102.42.104",
      "cf_ipcountry": "US",
      "cf_ray": "123123123123",
      "cf_visitor": "{\"scheme\":\"https\"}",
      "connection": "Keep-Alive",
      "content_length": "127",
      "content_type": "application/x-www-form-urlencoded",
      "cookie": "wp-settings-time-1=1390368100; wordpress_test_cookie=WP+Cookie+check; bdshare_firstime=1388392036818",
      "host": "website.com",
      "user_agent": "Mozilla/5.0",
      "x_forwarded_proto": "https",
      "x_real_ip": "20.102.42.104"
    },
    "ipData": {
      "city": "Hampden Sydney",
      "country": "US",
      "ip": "20.102.42.104",
      "loc": "37.3058,-78.5462",
      "org": "AS8075 Microsoft Corporation",
      "postal": "23960",
      "region": "Virginia",
      "timezone": "America/New_York"
    },
    "method": "POST",
    "url": "https://website.com/wp-login.php"
  },
  "response": {
    "headers": {
      "access_control_allow_origin": "*",
      "cache_control": "no-cache, must-revalidate, max-age=0",
      "cf_cache_status": "DYNAMIC",
      "cf_ray": "123123123-IAD",
      "connection": "keep-alive",
      "content_type": "text/html; charset=UTF-8",
      "date": "Wed, 31 Aug 2022 13:41:40 GMT",
      "expires": "Wed, 11 Jan 1984 05:00:00 GMT",
      "server": "cloudflare",
      "set_cookie": "wordpress_test_cookie=WP%20Cookie%20check; path=/; secure",
      "strict_transport_security": "max-age=15768000;",
      "transfer_encoding": "chunked",
      "vary": "Accept-Encoding",
      "x_frame_options": "SAMEORIGIN",
      "x_powered_by": "PHP/8.1.9"
    },
    "origin_time": 124,
    "status_code": 200
  }
}

I’d approach this by creating and using Firewall Rules in either of the following ways:

  1. Block each request except my own country for wp-login.php (1st rule)
    1.1. Challenge each request on wp-login.php (2nd rule)
    1.2. Put Google reCaptcha on the login form via WP plugin

  2. Challenge each request on wp-login.php (1st rule)
    2.1. Put Google reCaptcha on the login form via WP plugin

  3. Setup and use Cloudflare Access / Zero Trust for wp-login (no rules used):

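The rule ordering suggested in the reply above, as an added example that is not part of the thread: a small policy evaluator applied to entries in the shape the question posted. `verified_bot` is an assumed flag standing in for the WAF's own known-bot verification (the log in the question has no such field), and `home_country` is the site owner's country passed in by the caller.

```python
# Added example, not code from the thread. It models the reply's first option
# (geo-block, then challenge, on wp-login.php) as an ordered policy and applies it
# to log entries shaped like the one in the question. "verified_bot" is an assumed
# flag set by the WAF's known-bot check; nothing the client sends is trusted for it.
from dataclasses import dataclass
from urllib.parse import urlparse

LOGIN_PATH = "/wp-login.php"

@dataclass
class Request:
    path: str
    country: str
    asn: int
    verified_bot: bool = False  # assumed: decided by the WAF, never by a client header

def from_log(entry: dict, verified_bot: bool = False) -> Request:
    """Build a Request from the nested JSON the question posted (subset of fields)."""
    req = entry["request"]
    return Request(
        path=urlparse(req["url"]).path,
        country=req["cf"]["country"],
        asn=req["cf"]["asn"],
        verified_bot=verified_bot,
    )

def by_asn(req: Request) -> str:
    """The approach the question rejects: blocking AS8075 also blocks Bing."""
    return "block" if req.asn == 8075 else "allow"

def by_rules(req: Request, home_country: str) -> str:
    """Rule order matters: crawler exemption first, then geo-block, then challenge."""
    if req.verified_bot:
        return "allow"        # known-good crawler, whatever ASN it arrives from
    if req.path != LOGIN_PATH:
        return "allow"        # both rules are scoped to the login endpoint only
    if req.country != home_country:
        return "block"        # 1st rule: any foreign hit on wp-login.php
    return "challenge"        # 2nd rule: everything else must pass a challenge

# Constructed entries mirroring the question's log (only the fields used here).
SCANNER = {"request": {"url": "https://website.com/wp-login.php",
                       "cf": {"country": "US", "asn": 8075}}}
BINGBOT = {"request": {"url": "https://website.com/",
                       "cf": {"country": "US", "asn": 8075}}}

if __name__ == "__main__":
    print(by_asn(from_log(BINGBOT, verified_bot=True)))          # block: Bing lost
    print(by_rules(from_log(BINGBOT, verified_bot=True), "US"))  # allow
    print(by_rules(from_log(SCANNER), "DE"))                     # block
    print(by_rules(from_log(SCANNER), "US"))                     # challenge
```

Note that the request in the question is geolocated to the US, so for a US-hosted site the country rule alone would not catch it; only the challenge rule does.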

What about enabling “Bot Fight Mode”? Will that option filter out this type of visit?

I want to take a more holistic approach to filter out these visits, because “wp-login.php” is not the only URI Path these scripts check when trying to find website vulnerabilities.
