New firewall action: blacklist

Currently the actions are Challenge, JSChallenge, Block, etc.

The Block action works for blocking access to the requested URL but has no consequences for subsequent requests. If someone is requesting all sorts of WordPress ■■■■, like wp-login etc., on a non-WordPress site, that someone definitely has no good intentions and is certainly not welcome.

Adding single, specific IPs to a firewall rule is time consuming and not very efficient, so I would welcome an additional action for firewall rules: Add to blacklist.

This is highly risky for at least two reasons:

  1. A legitimate bot or user that hits an unwanted URL will be blocked permanently.
  2. A legitimate user who inherits a blacklisted IP address can no longer reach your site.

Both of these frequently result in irate Cloudflare customers upset that legitimate access to their site has been blocked and they don’t know how to track it down. Customer support is expensive and Cloudflare works hard to reduce false positives.

You can already implement this with fail2ban, and then customize it to your specific requirements.

1 Like

Just came here to suggest a similar feature - I’d love to be able to shun this traffic to my zone for a pre-defined period of time to avoid sustained brute forcing - i.e.:

So, sort of like rate limiting, but the input would be a consistent set of WAF block/challenge events, which would invoke the shun for X minutes; after the block expires they would be allowed again.

I can throw it in a new suggestion if people think it's worthwhile.

If it’s in the Firewall then it could be just a case of the administrator adding `(not cf.client.bot)` to the rule, and blocking known bots wouldn’t be a problem.

The block could be for a pre-determined period of time - up to a max of [x minutes] - something like 30 minutes.

The main problem is that, because the available IPv4 addresses are rapidly being used up, many ISPs are using CGNAT, which to a server looks like lots of people coming from the same public IP address - so one Person Doing Bad Things ™ could cause an entire area or even an entire ISP to be blocked.
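For readers who want to see the proposed "shun for X minutes after repeated WAF blocks" behaviour concretely, here is an added example written by the editor; it is not code from Cloudflare or from anyone in this thread, and Cloudflare offers no such action. It replays a constructed event log of the shape `<time> <ip> <WAF action> <path> <bot flag>` (the format, the 3-events-in-60-seconds threshold and the sample addresses are all made up for illustration): three block/challenge events from one IP inside a short window put that IP on a shun list for a capped period (30 minutes, echoing the cap suggested above), the IP is let back in once that expires, and events flagged as coming from a known bot are never counted, standing in for the `(not cf.client.bot)` exemption. The hard cap on shun length is the one mitigation this design has for the CGNAT problem described just above.

```python
"""Temporary "shun" of an IP after repeated WAF block/challenge events.

Added example by the editor, not code from Cloudflare or from anyone in
this thread.  Log format, thresholds and sample events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> <client ip> <WAF action> <path> <bot flag>"
SAMPLE_EVENTS = """\
2024-01-01T10:00:00 203.0.113.5 block /wp-login.php 0
2024-01-01T10:00:05 203.0.113.5 block /xmlrpc.php 0
2024-01-01T10:00:09 203.0.113.5 challenge /wp-admin/ 0
2024-01-01T10:00:10 198.51.100.7 block /wp-login.php 1
2024-01-01T10:00:11 198.51.100.7 block /xmlrpc.php 1
2024-01-01T10:00:12 198.51.100.7 block /wp-admin/ 1
2024-01-01T10:10:00 203.0.113.5 block /wp-login.php 0
2024-01-01T10:20:00 192.0.2.9 block /wp-login.php 0
2024-01-01T10:35:00 203.0.113.5 allow / 0
"""

# Which WAF outcomes count toward a shun (hypothetical choice).
TRIGGER_ACTIONS = {"block", "challenge"}
MAX_SHUN = timedelta(minutes=30)   # hard cap, per the "up to 30 minutes" idea


def ts(iso):
    """Parse an ISO-8601 timestamp from the constructed log format."""
    return datetime.fromisoformat(iso)


class ShunList:
    """Sliding-window trigger counter plus an expiring deny list."""

    def __init__(self, threshold=3, window=timedelta(seconds=60),
                 shun_for=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        # Never shun longer than MAX_SHUN: behind CGNAT one bad client can
        # share its public address with thousands of innocent users.
        self.shun_for = min(shun_for, MAX_SHUN)
        self._hits = defaultdict(deque)   # ip -> timestamps of recent triggers
        self._shunned = {}                # ip -> expiry time

    def is_shunned(self, ip, now):
        """True while a shun is active; expired entries are evicted lazily."""
        expiry = self._shunned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._shunned[ip]
            return False
        return True

    def record(self, ip, action, when, is_bot=False):
        """Feed one WAF event.  Returns True if this event started a shun."""
        if is_bot or action not in TRIGGER_ACTIONS:
            return False          # known bots and non-trigger actions never count
        hits = self._hits[ip]
        hits.append(when)
        while hits and when - hits[0] > self.window:
            hits.popleft()        # drop triggers that fell out of the window
        if len(hits) >= self.threshold:
            self._shunned[ip] = when + self.shun_for
            hits.clear()
            return True
        return False


def parse_event(line):
    when, ip, action, path, bot = line.split()
    return ts(when), ip, action, path, bot == "1"


def run(log_text, **kwargs):
    """Replay events; return a (ip, path, verdict) list plus the ShunList.

    verdict is "shunned" (dropped before the WAF sees it), "shun_started",
    or the WAF's own action when the shun logic does nothing.
    """
    shun = ShunList(**kwargs)
    verdicts = []
    for line in log_text.splitlines():
        when, ip, action, path, is_bot = parse_event(line)
        if shun.is_shunned(ip, when):
            verdicts.append((ip, path, "shunned"))
        elif shun.record(ip, action, when, is_bot):
            verdicts.append((ip, path, "shun_started"))
        else:
            verdicts.append((ip, path, action))
    return verdicts, shun


if __name__ == "__main__":
    for ip, path, verdict in run(SAMPLE_EVENTS)[0]:
        print(f"{ip:<14} {path:<16} {verdict}")
```

Run as a script it prints one verdict per sample event: 203.0.113.5 is shunned on its third trigger, its later request is dropped without reaching the WAF, the bot-flagged 198.51.100.7 is blocked per request but never shunned, and by 10:35 the shun has expired so 203.0.113.5 is served again. Expiry is checked lazily on lookup, so the list never grows beyond the set of addresses seen; a real deployment would also want a per-address cap on how often a shun can renew.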