Is there a way to block any visitor that exceeds a number of 404s?

In our server log we see bots that send penetration probes every few seconds all day long to various known files and folders that they are looking for in our install to find vulnerabilities. They receive 404 'page not found' responses all day long.

Is there a way in Cloudflare to block any IP address after it has reached X number of 404s over a given time period? For instance, if it has received 10 404 responses within 2 minutes, block that IP address.

We didn't see this in any Cloudflare settings.

Apart from rate limiting, the WAF is stateless and evaluates requests in, not responses out.

We do what you are describing, but the 404 count is tracked across the origin servers and any IPs that exceed the rate/count limit are blocked by using the Cloudflare API to update a list that is in a WAF challenge rule.

4 Likes
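One way to implement what that reply describes, as an added example that is not code from this thread or from Cloudflare: the origin tails its own access log, keeps a per-IP sliding window of 404 responses using the question's numbers (10 within 2 minutes), and when an IP trips the limit builds the Cloudflare Lists API call that appends it to an IP List; a WAF custom rule referencing that list then challenges or blocks. Everything below the tracker is an assumption for the sake of the example: combined-format access logs whose first field is the real visitor address (for instance nginx with `real_ip_header CF-Connecting-IP`; if the field were Cloudflare's edge IP you would be listing Cloudflare itself), the `/accounts/{account_id}/rules/lists/{list_id}/items` endpoint with a Bearer API token, placeholder account and list ids, and a constructed sample log with a fast prober, a slow prober and a normal visitor.

```python
"""Origin-side 404 tracker feeding a Cloudflare IP List (added example, see lead-in).

Counts 404 responses per client IP in a sliding window (10 x 404 inside 120 s,
the numbers from the question) and builds the Lists API request that appends a
tripped IP to a list referenced by a WAF custom rule. Assumes combined-format
access logs whose first field is the real visitor IP (e.g. nginx
real_ip_header CF-Connecting-IP), not a Cloudflare edge address.
"""
import json
import re
import urllib.request
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAX_404 = 10          # threshold from the question
WINDOW_SECONDS = 120  # window from the question
CF_API = "https://api.cloudflare.com/client/v4"

# combined format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) \S+')

def parse_line(line):
    """Return (ip, timestamp, status, request) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status")), m.group("request")

class NotFoundTracker:
    """Per-IP sliding window of 404 timestamps; reports an IP once, when it crosses the limit."""

    def __init__(self, max_404=MAX_404, window=WINDOW_SECONDS):
        self.max_404, self.window = max_404, window
        self.hits = defaultdict(deque)   # ip -> timestamps of its recent 404s
        self.flagged = set()

    def observe(self, line):
        """Feed one log line (in time order); return the IP if this line tripped the limit."""
        parsed = parse_line(line)
        if parsed is None or parsed[2] != 404:
            return None
        ip, ts = parsed[0], parsed[1]
        q = self.hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:   # expire 404s outside the window
            q.popleft()
        if len(q) >= self.max_404 and ip not in self.flagged:
            self.flagged.add(ip)
            return ip
        return None

def scan(lines):
    """Run the tracker over log lines; return IPs to push, in the order they tripped."""
    tracker = NotFoundTracker()
    return [ip for ip in map(tracker.observe, lines) if ip]

def list_items_payload(ips):
    """Lists API body: a JSON array of {"ip": ..., "comment": ...} items."""
    note = f"auto: {MAX_404}+ 404s within {WINDOW_SECONDS}s"
    return [{"ip": ip, "comment": note} for ip in sorted(ips)]

def list_items_request(account_id, list_id, ips, api_token):
    """Build (not send) POST /accounts/{account_id}/rules/lists/{list_id}/items.

    POST appends to the list; PUT on the same path replaces all items. The API
    token needs the account-level Filter Lists edit permission. To actually
    apply it: urllib.request.urlopen(req).
    """
    return urllib.request.Request(
        f"{CF_API}/accounts/{account_id}/rules/lists/{list_id}/items",
        data=json.dumps(list_items_payload(ips)).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"})

# --- constructed sample traffic (not real logs) ---
_T0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
PROBE_PATHS = ["/wp-login.php", "/.env", "/phpmyadmin/", "/.git/config", "/xmlrpc.php",
               "/admin/", "/backup.zip", "/config.php", "/wp-config.php.bak",
               "/.aws/credentials", "/vendor/", "/shell.php"]

def _log_line(ip, when, path, status):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0"'

def sample_log():
    """Fast prober (a 404 every 8 s), slow prober (one every 60 s) and a normal visitor."""
    lines = []
    for i, path in enumerate(PROBE_PATHS):
        lines.append(_log_line("203.0.113.7", _T0 + timedelta(seconds=8 * i), path, 404))
        lines.append(_log_line("192.0.2.44", _T0 + timedelta(seconds=60 * i), path, 404))
    lines.append(_log_line("198.51.100.20", _T0 + timedelta(seconds=5), "/", 200))
    lines.append(_log_line("198.51.100.20", _T0 + timedelta(seconds=9), "/old-page", 404))
    lines.append(_log_line("198.51.100.20", _T0 + timedelta(seconds=30), "/favicon.ico", 404))
    return sorted(lines, key=lambda l: parse_line(l)[1])   # tracker expects time order
```

Running `scan(sample_log())` yields only `203.0.113.7`: the slow prober never has more than three 404s inside any 120 s window, and the normal visitor has two. On the Cloudflare side the list is consumed by a WAF custom rule such as `(ip.src in $blocked_404_probers)` (list name assumed) with Managed Challenge or Block as the action; because the origin decides who goes in, you also need a job that removes entries again (DELETE on the same items endpoint), otherwise the list only ever grows.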

You can configure fail2ban to use the Cloudflare API, which means that anything that you can block locally with fail2ban should be able to be blocked at your Cloudflare, too.

2 Likes
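What that fail2ban setup looks like in practice, as an added example rather than anything from this thread or from the fail2ban project: a filter that matches 404 lines in a combined-format access log and a jail whose `maxretry`/`findtime` pair is exactly the question's "10 in 2 minutes", banning through the `cloudflare` action that ships in fail2ban's `action.d`. Assumptions: nginx logs at `/var/log/nginx/access.log` with the real visitor address as the first field (via `real_ip_header CF-Connecting-IP`; banning Cloudflare's own edge addresses would be pointless), and the `cfuser`/`cftoken` parameter names of the stock action, which uses Cloudflare's IP Access Rules; check the `action.d/cloudflare.conf` installed on your system for its exact parameters.

```ini
# /etc/fail2ban/filter.d/nginx-404.conf  (added example)
[Definition]
# Combined log line: <ip> - <user> [<time>] "<request>" <status> <bytes> ...
# <HOST> is fail2ban's placeholder for the address to ban.
failregex = ^<HOST> - \S+ \[[^\]]*\] "[^"]*" 404 \d+
ignoreregex =

# /etc/fail2ban/jail.d/nginx-404.conf  (added example)
[nginx-404]
enabled  = true
filter   = nginx-404
logpath  = /var/log/nginx/access.log
# 10 matches (404s) within 120 s -> ban, i.e. the threshold from the question.
maxretry = 10
findtime = 120
bantime  = 1h
# Keep your own monitoring/uptime-check addresses out of the jail.
ignoreip = 127.0.0.1/8 ::1
# Ban at the Cloudflare edge (IP Access Rule) instead of only the local firewall.
action   = cloudflare[cfuser="admin@example.com", cftoken="<CLOUDFLARE_API_KEY>"]
```

Reload with `fail2ban-client reload nginx-404` and verify the filter against a real log with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-404.conf` before enabling the action; a genuine visitor following a page full of dead links can also produce ten 404s in two minutes, so a shorter `bantime` or an `ignoreip` for known-good addresses is worth having.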

Thanks! It sounds like we have to monitor the 404s on our origin server(s) because that is the response from the server, and Cloudflare only monitors the incoming traffic. (That makes sense).

So we would have to track on our origin server and then pass that to Cloudflare through the Cloudflare API. And Fail2Ban is a good option.

Thanks.

1 Like
