You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I recently bought the domain name davidx.top and put it under Cloudflare. However, just a few days later, the analytics showed that there were an unusual number of visitors.
Yes, more than 400 requests from Russia and over 600 requests in a single hour. This is definitely not human.
So I set up the WAF and tried to analyze the situation.
My WAF Rules
Firstly, I blocked visitors from Tor and those with IP security score of 15+. Those have a really high risk of scam. I tested this by visiting the site through Tor and it was blocked.
In CloudFlare, Tor is a continent and also a country name, so it’s quite easy to set up a block on it.
Secondly, I set up a rule to block visitors whose UA doesn’t contain Mozilla/5.0. I tested this by using curl and python’s requests library and both were blocked. As the UA can be faked, cloudscraper can still easily bypass this.
To let search engines through, I let verified bots bypass this rule. (Although it seems like Googlebot and Bingbot all have Mozilla/5.0 in their UA.)
Thirdly, I added a CAPTCHA challenge for everyone who visits the sites that are served by my own server (flask-gpt and free-chat) because they are a demo site and a free AI service respectively. I don’t want them to be abused by bots (for example, reverse-engineering the AI to make it become a public API).
Finally, to analyze the problem of Russian visitors and other potential threats, I set up a rule to challenge visitors either from Russia, with an IP risk score of 3+, X-Forwarded-For of ., or HTTP version of 1.x. Those are all characteristics of a bot.
Results
The firewall has been unning for nearly 24 hours and here are the results.
Seems like nobody from Russia are humans. None of them passed the CAPTCHA at all. They were mostly trying to access wp-admin although my site is certainly not a WordPress site.
The Tor-blocking rule hasn’t blocked many visitors, however.
300+ visitors were blocked by the UA rule, which is about the same as the number of Russian visitors. Many were using Go-http and were accessing wp-admin.
About 30 visitors were blocked by CAPTCHA on chat sites. (Among them were Bingbot. Well, it doesn’t matter very much as I don’t want my chat site to appear on search engines anyway.)
If you have a short domain name, consider setting up a WAF, especially if you’re using WordPress. It’s a must-have for security.
The text was updated successfully, but these errors were encountered:
https://blog.davidx.top/cloudflare-waf-configuration/?
Introduction
I recently bought the domain name davidx.top and put it under Cloudflare. However, just a few days later, the analytics showed that there were an unusual number of visitors.
Yes, more than 400 requests from Russia and over 600 requests in a single hour. This is definitely not human.
So I set up the WAF and tried to analyze the situation.
My WAF Rules
Firstly, I blocked visitors from Tor and those with IP security score of 15+. Those have a really high risk of scam. I tested this by visiting the site through Tor and it was blocked.
In CloudFlare, Tor is a continent and also a country name, so it’s quite easy to set up a block on it.
Secondly, I set up a rule to block visitors whose UA doesn’t contain Mozilla/5.0. I tested this by using curl and python’s requests library and both were blocked. As the UA can be faked, cloudscraper can still easily bypass this.
To let search engines through, I let verified bots bypass this rule. (Although it seems like Googlebot and Bingbot all have Mozilla/5.0 in their UA.)
Thirdly, I added a CAPTCHA challenge for everyone who visits the sites that are served by my own server (flask-gpt and free-chat) because they are a demo site and a free AI service respectively. I don’t want them to be abused by bots (for example, reverse-engineering the AI to make it become a public API).
Finally, to analyze the problem of Russian visitors and other potential threats, I set up a rule to challenge visitors either from Russia, with an IP risk score of 3+, X-Forwarded-For of ., or HTTP version of 1.x. Those are all characteristics of a bot.
Results
The firewall has been unning for nearly 24 hours and here are the results.
Seems like nobody from Russia are humans. None of them passed the CAPTCHA at all. They were mostly trying to access wp-admin although my site is certainly not a WordPress site.
The Tor-blocking rule hasn’t blocked many visitors, however.
300+ visitors were blocked by the UA rule, which is about the same as the number of Russian visitors. Many were using Go-http and were accessing wp-admin.
About 30 visitors were blocked by CAPTCHA on chat sites. (Among them were Bingbot. Well, it doesn’t matter very much as I don’t want my chat site to appear on search engines anyway.)
If you have a short domain name, consider setting up a WAF, especially if you’re using WordPress. It’s a must-have for security.
The text was updated successfully, but these errors were encountered: