We have the business pro plan. We often see malicious port and vulnerability scanning. What are the best practices when we see these in the WAF firewall logs? We’ve been blocking the Source IP addresses with Managed Firewall Rules as we see them, but that does not seem to be very affective. Any other recommendations? And is there a way to also setup alerts when these occur?
Block the ASNs of the scanners. They usually run via cloud services such as OVH & Amazon. There is no legitimate traffic that comes from cloud based “visitors”.
Actually there are legit ones, uptime and site monitoring services may leverage these cloud hosting providers too. So a blanket ban isn’t ideal. You can do targetted blocks to specific paths that you know are not legit requests i.e. your admin, login, register, contact us type pages. Though some legit uptime providers do provide a list of IPs for you to allow too.
Monitoring and going through your origin web server logs for Apache/Nginx/Litespeed, Firewall events logs and even Cloudflare Firewall GraphQL API https://developers.cloudflare.com/analytics/graphql-api and https://developers.cloudflare.com/analytics/graphql-api/tutorials/querying-firewall-events can give you insights to see what to ban.
You can further reduce the exposure, by looking at common User Agents used by scanners though they can change the User Agents but at least you’re reducing the exposure still.
Also go through Cloudflare managed WAF rules to ensure you have ones enabled specific to your web application/usage patterns that can help too. And as you’re a CF Biz plan user, contact CF support to see if there’s any custom WAF rules that can be setup for your web app which under CF Firewall Managed WAF rules would be eventually listed under the heading
Customer Requested Rules
Payload Inspection Rules which have been created on request by Cloudflare specifically for this zone.
You’re absolutely correct. Hardenize, Qualys, Mozilla, etc do so. The legit ones are fairly simple to figure out, as you stated,