I applied a rule to block user agents that contain ‘contact(’, yet the bots are still getting through
What steps have you taken to resolve the issue?
Here’s the full rule:
(http.request.uri contains "/wp-login") or (http.request.uri contains "/wp-include") or (http.request.uri contains "/wp-content") or (http.request.uri contains "/wp-admin") or (http.request.uri contains "/wp-json") or (http.request.uri contains "phpmyadmin") or (http.request.uri contains "vendor/phpunit") or (http.request.uri contains ".sql.") or (http.request.uri contains "/.ssh/") or (http.request.uri contains "/filezilla") or (http.request.uri contains "/winscp") or (http.request.uri contains "/WS_FTP") or (http.request.uri eq "*.cfg") or (http.request.uri contains "/modules/") or (http.request.uri contains "/phpunit/") or (http.request.uri contains "/vendor/") or (http.request.uri contains "eval-stdin.php") or (http.request.uri contains ".zip") or (http.request.uri contains " /administrator/") or (http.request.uri contains "/manager/") or (http.request.uri contains "/a2billing/") or (http.request.uri contains "/filemanager/") or (http.request.uri contains "/vtigercrm/") or (http.request.uri contains "/laravel/") or (http.request.uri contains "/mailchimp/") or (http.request.uri contains "/phpThumb/") or (http.request.uri contains "union+all+select") or (http.request.uri contains "CONCAT(") or (http.request.uri contains "/phpthumb/") or (http.request.uri contains "COUNT(") or (http.request.uri contains "floor(") or (http.request.uri contains "0x3a6f79753a") or (http.request.uri contains "/plugins/") or (http.request.uri eq "/themes/") or (http.request.uri contains "/.env") or (http.request.uri contains "+and+1=") or (http.request.uri contains "/administrator/") or (http.request.uri contains "/temp/") or (http.request.uri contains "wallet.dat") or (http.request.uri contains "/phpMyAdmin") or (http.request.uri contains "INFORMATION_SCHEMA") or (http.request.uri contains "CHARACTER_SETS") or (http.request.uri contains "%20AND%20") or (http.request.uri contains "wlwmanifest.xml") or (http.request.uri contains "/horde/") or (http.request.uri contains "%20ORDER") or (http.request.uri contains "%20UNION%20SELECT") or (http.request.uri contains "concat(")
What are the steps to reproduce the issue?
For some reason the “concat(” rule does not work. I’m still receiving:
Edge status codes
404 Not Found
226
When I visit the links with concat( in them, it appears to block me. I’m confused why these IPs are being served with 404 Not Found.
Something is wrong here: any of the above terms in your custom WAF rule are passed through to your origin, as I got a 403 served from the origin server instead of the Cloudflare page.
Is the rule still enabled?
Are both A www and A infinitesweeps.com (or CNAME) proxied?
Is it the only custom WAF rule on the list, or have you got some others as well?
Is it the first one from the top of the list?
Although there are some ideas for optimization and changes, it works for me:
(http.request.uri contains "/wp-login") or (http.request.uri contains "/wp-include") or (http.request.uri contains "/wp-content") or (http.request.uri contains "/wp-admin") or (http.request.uri contains "/wp-json") or (http.request.uri contains "phpmyadmin") or (http.request.uri contains "vendor/phpunit") or (http.request.uri contains ".sql.") or (http.request.uri contains "/.ssh/") or (http.request.uri contains "/filezilla") or (http.request.uri contains "/winscp") or (http.request.uri contains "/WS_FTP") or (http.request.uri eq "*.cfg") or (http.request.uri contains "/modules/") or (http.request.uri contains "/phpunit/") or (http.request.uri contains "/vendor/") or (http.request.uri contains "eval-stdin.php") or (http.request.uri contains ".zip") or (http.request.uri contains " /administrator/") or (http.request.uri contains "/manager/") or (http.request.uri contains "/a2billing/") or (http.request.uri contains "/filemanager/") or (http.request.uri contains "/vtigercrm/") or (http.request.uri contains "/laravel/") or (http.request.uri contains "/mailchimp/") or (http.request.uri contains "/phpThumb/") or (http.request.uri contains "union+all+select") or (http.request.uri contains "CONCAT(") or (http.request.uri contains "/phpthumb/") or (http.request.uri contains "COUNT(") or (http.request.uri contains "floor(") or (http.request.uri contains "0x3a6f79753a") or (http.request.uri contains "/plugins/") or (http.request.uri eq "/themes/") or (http.request.uri contains "/.env") or (http.request.uri contains "+and+1=") or (http.request.uri contains "/administrator/") or (http.request.uri contains "/temp/") or (http.request.uri contains "wallet.dat") or (http.request.uri contains "/phpMyAdmin") or (http.request.uri contains "INFORMATION_SCHEMA") or (http.request.uri contains "CHARACTER_SETS") or (http.request.uri contains "%20AND%20") or (http.request.uri contains "wlwmanifest.xml") or (http.request.uri contains "/horde/") or (http.request.uri contains "%20ORDER") or 
(http.request.uri contains "%20UNION%20SELECT") or (http.request.uri contains "concat(")
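The following is an added example, not code from either poster or from Cloudflare: a small Python model of the two operators used in the rule, for checking which clauses can actually match a given request URI. `RULE` is a constructed excerpt of the posted expression, the function names are hypothetical, and the sample URIs in `__main__` are constructed.

```python
import re

# Constructed excerpt of the rule from this thread (same syntax, fewer clauses).
RULE = ('(http.request.uri contains "/wp-login") or (http.request.uri eq "*.cfg") or '
        '(http.request.uri contains " /administrator/") or (http.request.uri eq "/themes/") or '
        '(http.request.uri contains "CONCAT(") or (http.request.uri contains "concat(") or '
        '(http.request.uri contains "/phpThumb/") or (http.request.uri contains "/phpthumb/")')

CLAUSE = re.compile(r'\(http\.request\.uri (contains|eq) "([^"]*)"\)')

def parse(rule):
    """Return [(operator, literal), ...], one tuple per clause."""
    return CLAUSE.findall(rule)

def matches(rule, uri):
    """'contains' is a case-sensitive substring test and 'eq' is exact
    equality, both against the raw path plus query string."""
    return any(lit in uri if op == "contains" else lit == uri
               for op, lit in parse(rule))

def lint(rule):
    """Flag clauses that cannot match as intended or that are redundant."""
    findings, seen = [], {}
    for op, lit in parse(rule):
        if op == "eq" and "*" in lit:
            findings.append((lit, "eq compares literally; '*' is not a wildcard"))
        elif op == "eq":
            findings.append((lit, "eq matches only this exact URI, nothing below it"))
        if lit != lit.strip():
            findings.append((lit, "whitespace in literal; a raw URI carries spaces as %20 or +"))
        key = (op, lit.lower())
        if key in seen and seen[key] != lit:
            findings.append((lit, f"case variant of {seen[key]!r}; "
                                  "one clause on lower(http.request.uri) covers both"))
        seen.setdefault(key, lit)
    return findings

if __name__ == "__main__":
    for lit, why in lint(RULE):
        print(f"{lit!r}: {why}")
    # Constructed sample URIs. The full rule also has a clause without the
    # leading space, which is what catches /administrator/ there.
    for uri in ("/index.php?id=1+and+concat(0x3a)", "/backup/site.cfg",
                "/themes/twentytwenty/style.css", "/administrator/index.php"):
        print(uri, "->", "block" if matches(RULE, uri) else "pass to origin")
```

This models only the expression itself; rule order, whether the rule is enabled, and whether the hostname is proxied (the questions asked in the reply above) are outside what it checks.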