This security advisory highlights a simple yet effective method to protect web domains from bot and spam activity using Cloudflare's Web Application Firewall (WAF). By implementing a strict geographic block (Geo-block) through Cloudflare's WAF, one can significantly reduce the number of unwanted connections originating from regions not relevant to the domain's user base. This approach can effectively mitigate up to 90% of bot traffic and malicious activity targeting common paths such as .env or wp-admin. Additional customization includes blocking specific tools like ffuf and sqlmap, which are commonly used for automated directory scanning and SQL injection attempts. To ensure accessibility is not compromised, an 'Allow' rule should be set for the user's home IP address, placed ahead of the block rules, to prevent accidental lockouts.
- Cloudflare-managed domains
- Web applications behind Cloudflare
- Log in to your Cloudflare account and navigate to the WAF (Web Application Firewall) section of the dashboard.
- Create a new rule with an 'IP Geolocation' condition to block traffic from unwanted countries. Exclude countries where you or your users reside.
- Add another rule that matches on the User-Agent request header to block common scanning tools such as ffuf and sqlmap.
- Ensure there is an explicit 'Allow' rule for your home IP address at the top of the ruleset.
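The three rules above, as an added example (not Cloudflare's own code or the advisory's): a small Python simulator that evaluates an ordered ruleset the way the WAF does (first matching rule wins) so the lockout risk of placing the 'Allow' rule anywhere but first can be checked offline. The home IP, allowed countries and the Cloudflare-style expressions attached to each rule are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed values for the example; replace with your own.
HOME_IP = "203.0.113.10"            # placeholder home IP (TEST-NET-3 range)
ALLOWED_COUNTRIES = {"US", "CA"}    # assumption: where the site's users live
BLOCKED_AGENTS = ("ffuf", "sqlmap")  # tools named in the advisory


@dataclass
class Request:
    src_ip: str
    country: str     # two-letter code, what Cloudflare exposes as ip.geoip.country
    user_agent: str


# Ordered ruleset mirroring the advisory. Each entry is (action, approximate
# Cloudflare expression for reference, local predicate used by the simulator).
RULES = [
    # 1. Explicit allow for the home IP; must be first to avoid self-lockout.
    ("allow", f"ip.src eq {HOME_IP}",
     lambda r: ip_address(r.src_ip) == ip_address(HOME_IP)),
    # 2. Geo-block every country not in the allow list.
    ("block", 'not ip.geoip.country in {"US" "CA"}',
     lambda r: r.country not in ALLOWED_COUNTRIES),
    # 3. Block scanners that announce themselves in the User-Agent header.
    ("block", '(lower(http.user_agent) contains "ffuf") or '
              '(lower(http.user_agent) contains "sqlmap")',
     lambda r: any(t in r.user_agent.lower() for t in BLOCKED_AGENTS)),
]


def evaluate(req: Request, rules=RULES) -> str:
    """Return the action taken for req: first matching rule wins, default allow."""
    for action, _expr, pred in rules:
        if pred(req):
            return action
    return "allow"


if __name__ == "__main__":
    home_abroad = Request(HOME_IP, "DE", "Mozilla/5.0")
    print("allow rule first :", evaluate(home_abroad))               # allow
    print("allow rule last  :", evaluate(home_abroad, RULES[1:] + RULES[:1]))  # block
```

Rule 3 only catches tools that identify themselves; the User-Agent header is client-controlled, so treat it as noise reduction rather than an access control.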
This solution applies to any web application fronted by Cloudflare, regardless of the technology behind it (WordPress, Django, Node.js servers and so on). The impact on homelab stacks is minimal provided they are behind Cloudflare.