After putting a site behind Cloudflare: these 2+1 WAF firewall rules are enough for all-round defence against malicious traffic!


wszx01
2024-08-27 / 0 comments / 2 views

Reposted from 科技L

It is normal for your own website to get attacked; here is how to defend against it on Cloudflare.

Open the attacked domain in the Cloudflare dashboard and go to Security -> WAF -> Custom rules. Normally five rules can be created for free. The rules below were built by other users; of course rules are rigid while people are flexible, so many parts can be adapted by analogy and modified freely. [When facing a heavy attack, follow the principle of "better to block a thousand by mistake than let a single IP through" and choose Interactive Challenge or Block. The rule order is generally: allow (skip) first, then block.]

1. Skip rule that lets bot crawlers through - KJL

(cf.client.bot) or (http.user_agent contains "duckduckgo") or (http.user_agent contains "facebookexternalhit") or (http.user_agent contains "Feedfetcher-Google") or (http.user_agent contains "LinkedInBot") or (http.user_agent contains "Mediapartners-Google") or (http.user_agent contains "msnbot") or (http.user_agent contains "Slackbot") or (http.user_agent contains "TwitterBot") or (http.user_agent contains "ia_archive") or (http.user_agent contains "yahoo")

2. JS challenge for users worldwide, with access logging
Every user visit from anywhere in the world gets an IP record, making tracking easy, while the 5-second shield protects the site.

(ip.geoip.continent eq "AF") or (ip.geoip.continent eq "AN") or (ip.geoip.continent eq "AS") or (ip.geoip.continent eq "EU") or (ip.geoip.continent eq "NA") or (ip.geoip.continent eq "OC") or (ip.geoip.continent eq "SA") or (ip.geoip.continent eq "T1")

3. Managed Challenge rule for malicious traffic - KJL [the threat score value can be modified; the larger the value, the stricter. The Managed Challenge can of course also be changed to the stricter Interactive Challenge or Block]
Modified 8 August 2025

(cf.threat_score ge 15 and not cf.client.bot) or (not http.request.version in {"HTTP/1.1" "HTTP/2" "HTTP/3"}) or (not http.user_agent contains "Mozilla/")

Original rule

(cf.threat_score ge 5 and not cf.client.bot) or (not http.request.version in {"HTTP/1.2" "HTTP/2" "HTTP/3" "SPDY/3.1"}) or (not http.user_agent contains "Mozilla/")
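The point of "skip first, then block" is that Cloudflare walks custom rules in list order and a terminating action such as skip ends evaluation. The following evaluator is an added example (not code from the original post or from Cloudflare): it encodes rules 1 to 3 above, using the 2025 version of rule 3, as Python predicates over a constructed Request object whose fields mirror the expression fields, and returns the first rule a request matches. The Request class, the sample user agents, continents and threat scores are all constructed for the demo; the threshold of rule 3 is a parameter so you can see which requests a given value of `cf.threat_score ge N` covers.

```python
"""Added example, not from the original post: a first-match evaluator for
the post's WAF rules 1-3. Field names mirror the Cloudflare expression
fields used in the rules; the Request class, sample requests and threat
scores are constructed for this demo and are not Cloudflare's API."""
from dataclasses import dataclass

# Substrings from rule 1 (http.user_agent contains "..."). Cloudflare's
# `contains` is case-sensitive, so a plain `in` on a Python str mirrors it.
BOT_UA_MARKERS = ("duckduckgo", "facebookexternalhit", "Feedfetcher-Google",
                  "LinkedInBot", "Mediapartners-Google", "msnbot", "Slackbot",
                  "TwitterBot", "ia_archive", "yahoo")
CONTINENTS = {"AF", "AN", "AS", "EU", "NA", "OC", "SA", "T1"}   # rule 2 set
HTTP_VERSIONS = {"HTTP/1.1", "HTTP/2", "HTTP/3"}               # rule 3, 2025 version


@dataclass
class Request:
    user_agent: str             # http.user_agent
    http_version: str           # http.request.version
    continent: str              # ip.geoip.continent
    threat_score: int           # cf.threat_score
    verified_bot: bool = False  # cf.client.bot


def rule1_skip(r: Request) -> bool:
    return r.verified_bot or any(m in r.user_agent for m in BOT_UA_MARKERS)


def rule2_js_challenge(r: Request) -> bool:
    return r.continent in CONTINENTS


def rule3_managed_challenge(r: Request, threshold: int = 15) -> bool:
    # `cf.threat_score ge N` matches scores at or above N
    return ((r.threat_score >= threshold and not r.verified_bot)
            or r.http_version not in HTTP_VERSIONS
            or "Mozilla/" not in r.user_agent)


# (name, predicate, action) in the order the post lists the rules
RULES = [
    ("rule1", rule1_skip, "skip"),
    ("rule2", rule2_js_challenge, "js_challenge"),
    ("rule3", rule3_managed_challenge, "managed_challenge"),
]


def evaluate(r: Request, rules=RULES):
    """Return (rule name, action) of the first rule that matches, or
    (None, "allow"). Order decides the outcome: a bot caught by the skip
    rule never reaches the stricter rules listed below it."""
    for name, predicate, action in rules:
        if predicate(r):
            return name, action
    return None, "allow"


if __name__ == "__main__":
    samples = {  # constructed requests
        "slackbot": Request("Slackbot-LinkExpanding 1.0", "HTTP/1.0", "NA", 0),
        "browser":  Request("Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", "HTTP/2", "EU", 0),
        "script":   Request("python-requests/2.32", "HTTP/1.1", "AS", 3),
    }
    for label, req in samples.items():
        print(label, evaluate(req))
```

Note that the Slackbot request speaks HTTP/1.0 and has no "Mozilla/" in its user agent, so rule 3 would challenge it; because rule 1 sits above rule 3 in the list it is skipped instead. Passing a rule list without rule 2 shows rule 3 acting on a script request on its own.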

4. A rate-limiting rule can be added as appropriate
Time window (e.g. 10 seconds)
Request limit (e.g. 10 requests) [can be changed to 20, 30, etc.]
On exceeding it: Block / Challenge (block/challenge)
Applied to three site pages:
/
/login
/api/

(http.request.uri.path eq "/") or (http.request.uri.path eq "/login") or (http.request.uri.path eq "/api/")
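To see which request in a burst the suggested parameters (10 requests per 10-second window on the three paths) would stop, here is an added example that is not part of the original post and not Cloudflare's implementation: a fixed-window counter per client IP that only counts requests matching the path expression above. The RateLimiter class, the replay helper, the timestamps and the client addresses (documentation ranges) are constructed for the demo.

```python
"""Added example, not from the original post: a fixed-window rate limiter
with the post's suggested parameters (10 requests / 10 s on "/", "/login"
and "/api/"). Cloudflare's real rate limiting runs at its edge; this class,
its parameters and the replayed timestamps are constructed for the demo."""
from collections import defaultdict

RATE_LIMITED_PATHS = {"/", "/login", "/api/"}   # paths from the rule expression


class RateLimiter:
    def __init__(self, limit: int = 10, window_seconds: float = 10.0,
                 action: str = "block"):
        self.limit = limit
        self.window = window_seconds
        self.action = action          # "block" or "challenge", as the post suggests
        # client_ip -> [window start time, requests counted in that window]
        self.counters = defaultdict(lambda: [None, 0])

    def check(self, client_ip: str, path: str, now: float) -> str:
        """Return "allow", or the configured action once a client has sent
        more than `limit` matching requests inside the current window.
        Requests to paths outside the rule are never counted."""
        if path not in RATE_LIMITED_PATHS:
            return "allow"
        window_start, count = self.counters[client_ip]
        if window_start is None or now - window_start >= self.window:
            window_start, count = now, 0      # start a fresh window
        count += 1
        self.counters[client_ip] = [window_start, count]
        return self.action if count > self.limit else "allow"


def replay(limiter: RateLimiter, client_ip: str, events):
    """Feed (timestamp, path) events for one client and return the decisions."""
    return [limiter.check(client_ip, path, ts) for ts, path in events]


if __name__ == "__main__":
    rl = RateLimiter()
    # constructed burst: 11 login requests from one address within 5 seconds
    burst = [(i * 0.5, "/login") for i in range(11)]
    for (ts, path), verdict in zip(burst, replay(rl, "203.0.113.7", burst)):
        print(f"t={ts:4.1f} {path:8} -> {verdict}")
```

The first ten requests pass and the eleventh is blocked; a request after the window has elapsed starts a new count, a different client has its own counter, and a request to an uncounted path such as a static asset never touches the counter. Raising `limit` to 20 or 30, as the post suggests, moves the cut-off accordingly.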

Other rules

Block:

(
  /* --- Static IP blocklist --- */
  ip.src in {
    136.243.216.232
    43.134.171.180
    54.175.182.99
    3.85.24.248
    179.43.191.18
    92.204.239.20
  }

  /* --- User-Agent blocklist: scanners / crawlers. Common scanners, crawlers and automation tools (Censys, Expanse, HeadlessChrome, python-requests, etc.) --- */
  or http.user_agent contains "InternetMeasurement"
  or http.user_agent contains "Censys"
  or http.user_agent contains "HeadlessChrome"
  or http.user_agent contains "Expanse"
  or http.user_agent contains "OPD"
  or http.user_agent contains "fasthttp"
  or http.user_agent contains "ALittle Client"
  or http.user_agent contains "ct-git-scanner"
  or http.user_agent contains "python-requests"

  /* --- ASN blocklist: these ASNs are mostly cloud providers, IDCs and proxy/VPN nodes (e.g. AWS: 16509, DigitalOcean, Hetzner, OVH, M247, Leaseweb, etc.), common sources of attacks. --- */
  or ip.geoip.asnum in {
    14168 16509 211298 45102 63023 200593 399486 7713 135377 14061
    209854 401120 206092 36903 48693 8758 216167 14987 208161 204428
    8560 31898 137409 48090 16276 210558 198953 212238 51167 202425
    58224 60068 9009 401116 174 28573 52053 206216 396356 62240 43641
    8075 22295 62610 25369 19871 211590 197540 198605 49870
  }

  /* --- Country blocklist: if the source country is Seychelles (SC) or Ireland (IE), block outright. --- */
  or ip.src.country in {"SC" "IE"}

  /* --- Sensitive directory scanning: if the requested URL path contains /.git or /.env, block outright. --- */
  or http.request.uri.path contains "/.git"
  or http.request.uri.path contains "/.env"
)

What this rule does:

Blocks known malicious IPs
Blocks common scanning tools / crawlers
Blocks high-risk ASNs (IDC / cloud providers)
Blocks traffic from the specified countries
Blocks scan requests probing sensitive file paths
In effect it is one "all-in-one blocklist rule": a request that matches any single condition is blocked.
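Because the five conditions are combined into a single rule, a match shows up as that one rule firing, and it is not obvious which condition a given visitor tripped. The following added example (not code from the original post or from Cloudflare) splits the rule into named clauses and reports every clause a request would match, which is useful when auditing the rule for collateral blocking, for example a normal browser visit from one of the listed countries. The IP blocklist uses documentation addresses (203.0.113.0/24, 198.51.100.0/24) and is constructed for the demo; the user-agent markers, the paths and the ASNs 16509, 14061 and 16276 are a subset of the post's rule.

```python
"""Added example, not from the original post: evaluates the compound block
rule clause by clause so you can see which condition(s) a request trips.
The IP entries are documentation addresses and the lists are a constructed
subset of the post's rule; they are not a recommended blocklist."""
import ipaddress

BLOCKED_IPS = {ipaddress.ip_address("203.0.113.10"),     # constructed entries
               ipaddress.ip_address("203.0.113.11")}
BLOCKED_UA_MARKERS = ("InternetMeasurement", "Censys", "HeadlessChrome",
                      "Expanse", "fasthttp", "ct-git-scanner", "python-requests")
BLOCKED_ASNS = {16509, 14061, 16276}     # subset of the post's ASN list
BLOCKED_COUNTRIES = {"SC", "IE"}         # ip.src.country in {"SC" "IE"}
SENSITIVE_PATHS = ("/.git", "/.env")     # http.request.uri.path contains ...


def matched_clauses(ip: str, user_agent: str, asn: int, country: str, path: str):
    """Return the names of every clause of the block rule this request matches,
    in the order the clauses appear in the rule. Empty list means no match."""
    hits = []
    if ipaddress.ip_address(ip) in BLOCKED_IPS:
        hits.append("ip_blocklist")
    if any(m in user_agent for m in BLOCKED_UA_MARKERS):   # case-sensitive, like `contains`
        hits.append("ua_blocklist")
    if asn in BLOCKED_ASNS:
        hits.append("asn_blocklist")
    if country in BLOCKED_COUNTRIES:
        hits.append("country_blocklist")
    if any(p in path for p in SENSITIVE_PATHS):
        hits.append("sensitive_path")
    return hits


def decision(ip: str, user_agent: str, asn: int, country: str, path: str) -> str:
    """The rule's action: any matching clause blocks the request."""
    return "block" if matched_clauses(ip, user_agent, asn, country, path) else "allow"


if __name__ == "__main__":
    # constructed sample requests: (ip, user agent, asn, country, path)
    samples = [
        ("203.0.113.10", "Mozilla/5.0 Firefox/128.0", 64496, "DE", "/"),
        ("198.51.100.5", "python-requests/2.32", 16509, "US", "/.env"),
        ("198.51.100.7", "Mozilla/5.0 Firefox/128.0", 64496, "IE", "/"),
        ("198.51.100.6", "Mozilla/5.0 Firefox/128.0", 64496, "DE", "/blog"),
    ]
    for s in samples:
        print(s[0], decision(*s), matched_clauses(*s))
```

The second sample trips three clauses at once (scanner user agent, cloud ASN and a probe for `/.env`), which is the kind of request the rule is meant for; the third is an ordinary browser visit blocked purely by the country clause, the trade-off the post accepts with its "better to block a thousand by mistake" stance.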

Block: aimed at monitoring / probing crawlers

(
  http.user_agent contains "UptimeRobot"
  or http.user_agent contains "SemrushBot"
  or http.user_agent contains "AhrefsBot"
  or http.user_agent contains "MJ12bot"
  or http.user_agent contains "DotBot"
  or http.user_agent contains "ZoominfoBot"
  or http.user_agent contains "Python-urllib"
  or http.user_agent contains "python-requests"
  or http.user_agent contains "Go-http-client"
  or http.user_agent contains "curl"
)

Explanation

UptimeRobot → website monitoring tool
SemrushBot / AhrefsBot / MJ12bot / DotBot / ZoominfoBot → common SEO crawlers, which usually fetch pages in bulk (may hurt performance and are not necessarily beneficial)
Python-urllib / python-requests / Go-http-client / curl → User-Agents of common scripts / scanners

Allow

(cf.client.bot) or (http.user_agent contains "UptimeRobot")

Tick the components to skip: all remaining custom rules, User Agent Blocking, Browser Integrity Check
