Cloudflare WAF rules to block bots and exploits - 技术宅银魂 - 科技改变生活 - 万事屋

Cloudflare WAF rules to block bots and exploits

Usage

In the Cloudflare WAF, add a custom rule, click Edit expression, and paste the rule below as-is. After enabling each rule, watch the Security Events log for a while so that false positives show up before they cost you visitors.

1. Bot blocking (action: Block)

  • Block known bad user agents
  • Block connections that carry a port in the Host header (usually only zombie bots do this)
  • Block the outdated HTTP/1.0 protocol version
  • Block clients that Cloudflare flags as threats
  • Block requests with unwanted HTTP methods
  • Block suspicious X-Forwarded-For headers
  • Block requests from the Tor network
  • Block the most notorious proxy and scraper networks by ASN
  • Block non-standard values of the cf_use_ob cookie

The code block below is long; make sure you select all of it. V1 is the original single-line expression; V2 is the same rule pretty-printed, with the method clause inverted into an allowlist of GET, POST and HEAD, only the T1 (Tor) country code checked, and without the :80/:443 Host checks. Note that contains and eq in Cloudflare expressions are case-sensitive: "python" does not match Python-urllib and "java" does not match Java/17, and the brand exemptions for "google", "bing" and the rest only apply to lower-case matches. The real safety net for search engines is cf.client.bot, which is true only for Cloudflare's verified bots.

V1

(http.request.version in {"HTTP/1.0"} and not cf.client.bot) or (http.user_agent eq "") or (http.user_agent eq " ") or (http.user_agent eq "-") or (http.user_agent eq "'") or (http.user_agent contains "/x/") or (http.user_agent contains "'XOR(") or (http.user_agent contains "ALittle") or (http.user_agent contains "got (") or (http.user_agent contains "quic-go-HTTP") or (http.user_agent contains "Go-http-client") or (http.user_agent contains "fasthttp") or (http.user_agent contains "python") or (http.user_agent contains "java") or (http.user_agent contains "PHP") or (http.user_agent contains "Nmap") or (http.user_agent contains "scrapy" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot) or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bing" and not http.user_agent contains "google" and not http.user_agent contains "yandex" and not http.user_agent contains "duckduckgo" and not http.user_agent contains "facebook" and not http.user_agent contains "linkedIn" and not http.user_agent contains "twitter" and not http.user_agent contains "yahoo" and not cf.client.bot) or (cf.threat_score ge 20 and not cf.client.bot) or (http.request.method in {"PURGE" "PUT" "OPTIONS" "DELETE" "PATCH"}) or (http.x_forwarded_for contains "192.0.") or (http.x_forwarded_for contains ".0.0") or (ip.geoip.country in {"T1" "XX"} and not http.request.version in {"HTTP/2" "HTTP/3" "SPDY/3.1"} and not cf.client.bot) or (http.user_agent contains "lient" and http.user_agent contains "ttp") or (http.user_agent contains "libweb") or (http.user_agent contains "libwww") or (http.user_agent contains "wrk") or (http.user_agent contains "hey/") or (ip.geoip.asnum in {14061 60631 28438 60592 30823 4134 32505 27715 22773 131090 135905 55330 16629 4755 53363 34549 135330 47285 60798 207590 203087 198651 43289 14576 207319 201978 208425 201094 18978 52000 204601 199883 8220 36351 45011 8560 23969 45629 
20207 6471 8075 45899 31400 208556 12271 7552 26496 21769 6876 45102 5617 199490 35816 131293 20860 31898 131428 8881 25429 29802 4788 3326 39284 13448 46484 174 577 29286 5056 9009 63949 212708 40788 12989 11351 11426 7029 42652 18403 54538 209 62044 3269 395003 8100 4190 12874 19740 197540 45458 136258 50837 51852 4826 195 49588 57613 34248 197099 29287 29066 30083 9534 42905 35804 45012 7303 25961 61317 5610 35320 262187 263693 20552 266706 49327 47232 32098 28429 3255 28431 14117 18734 24088 263196 41096 52228 8069 398101 28725 132196 61154 58199 6877 265537 32097 62240 3329 6830 133199 12334 270110 22884 54600 213375 206092 41009 213251 36444} and not http.request.version in {"HTTP/2" "HTTP/3" "SPDY/3.1"} and not cf.client.bot) or (http.host contains ":80") or (http.host contains ":443") or (http.cookie contains "cf_use_ob=" and not http.cookie contains "0" and not http.cookie contains "80" and not http.cookie contains "443" and not cf.client.bot)

V2

(
    http.request.version in {"HTTP/1.0"} and not cf.client.bot
) or (
    http.user_agent in {"" " " "-" "'"}
) or (
    http.user_agent contains "/x/"
) or (
    http.user_agent contains "'XOR("
) or (
    http.user_agent contains "ALittle"
) or (
    http.user_agent contains "got ("
) or (
    http.user_agent contains "quic-go-HTTP"
) or (
    http.user_agent contains "Go-http-client"
) or (
    http.user_agent contains "fasthttp"
) or (
    http.user_agent contains "python"
) or (
    http.user_agent contains "java"
) or (
    http.user_agent contains "PHP"
) or (
    http.user_agent contains "Nmap"
) or (
    http.user_agent contains "scrapy" and not cf.client.bot
) or (
    http.user_agent contains "spider" and not cf.client.bot
) or (
    http.user_agent contains "crawl" and not cf.client.bot
) or (
    http.user_agent contains "bot" and 
    not (http.user_agent contains "bing" or 
         http.user_agent contains "google" or 
         http.user_agent contains "yandex" or 
         http.user_agent contains "duckduckgo" or 
         http.user_agent contains "facebook" or 
         http.user_agent contains "linkedin" or 
         http.user_agent contains "twitter" or 
         http.user_agent contains "yahoo") and 
    not cf.client.bot
) or (
    cf.threat_score ge 20 and not cf.client.bot
) or (
    not http.request.method in {"GET" "POST" "HEAD"}
) or (
    http.x_forwarded_for contains "192.0." or 
    http.x_forwarded_for contains ".0.0"
) or (
    ip.geoip.country in {"T1"} and 
    not http.request.version in {"HTTP/2" "HTTP/3" "SPDY/3.1"} and 
    not cf.client.bot
) or (
    http.user_agent contains "lient" and http.user_agent contains "ttp"
) or (
    http.user_agent contains "libweb"
) or (
    http.user_agent contains "libwww"
) or (
    http.user_agent contains "wrk"
) or (
    http.user_agent contains "hey/"
) or (
    ip.geoip.asnum in {
        14061 60631 28438 60592 30823 4134 32505 27715 22773 
        131090 135905 55330 16629 4755 53363 34549 135330 47285 
        60798 207590 203087 198651 43289 14576 207319 201978 
        208425 201094 18978 52000 204601 199883 8220 36351 45011 
        8560 23969 45629 20207 6471 8075 45899 31400 208556 
        12271 7552 26496 21769 6876 45102 5617 199490 35816 
        131293 20860 31898 131428 8881 25429 29802 4788 3326 
        39284 13448 46484 174 577 29286 5056 9009 63949 212708 
        40788 12989 11351 11426 7029 42652 18403 54538 209 
        62044 3269 395003 8100 4190 12874 19740 197540 45458 
        136258 50837 51852 4826 195 49588 57613 34248 197099 
        29287 29066 30083 9534 42905 35804 45012 7303 25961 
        61317 5610 35320 262187 263693 20552 266706 49327 
        47232 32098 28429 3255 28431 14117 18734 24088 263196 
        41096 52228 8069 398101 28725 132196 61154 58199 6877 
        265537 32097 62240 3329 6830 133199 12334 270110 
        22884 54600 213375 206092 41009 213251 36444
    } and 
    not http.request.version in {"HTTP/2" "HTTP/3" "SPDY/3.1"} and 
    not cf.client.bot
) or (
    http.cookie contains "cf_use_ob=" and 
    not (http.cookie contains "0" or 
         http.cookie contains "80" or 
         http.cookie contains "443") and 
    not cf.client.bot
)

Action to select when the rule above matches: Block
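As an added example (not code from the original post or from the cloudflare-rules project), here are the user-agent clauses of bot rule V2 re-implemented in Python so they can be dry-run against sample user agents before the rule goes live. Cloudflare's contains is case-sensitive, which Python's `in` mirrors exactly; the sample user agents are constructed, and cf.client.bot is supplied by hand because it is a field Cloudflare computes itself.

```python
"""Dry run of the user-agent clauses of bot rule V2 (added example).

Cloudflare's `contains` and `eq` are case-sensitive, which Python's `in`
and `==` mirror exactly.  cf.client.bot is a Cloudflare-computed field
(true only for verified bots), so it is passed in by hand here.
"""
from typing import Optional

# http.user_agent contains <needle>  -> blocked unconditionally
UNCONDITIONAL = ["/x/", "'XOR(", "ALittle", "got (", "quic-go-HTTP",
                 "Go-http-client", "fasthttp", "python", "java", "PHP",
                 "Nmap", "libweb", "libwww", "wrk", "hey/"]

# http.user_agent contains <needle> and not cf.client.bot
UNLESS_VERIFIED = ["scrapy", "spider", "crawl"]

# contains "bot" is exempted when any of these brand strings also appears
BOT_EXEMPT_BRANDS = ["bing", "google", "yandex", "duckduckgo",
                     "facebook", "linkedin", "twitter", "yahoo"]

EMPTY_UAS = {"", " ", "-", "'"}


def ua_clause_fires(ua: str, verified_bot: bool = False) -> Optional[str]:
    """Return the first clause of the rule that blocks `ua`, or None."""
    if ua in EMPTY_UAS:
        return 'user_agent in {"" " " "-" "\'"}'
    for needle in UNCONDITIONAL:
        if needle in ua:
            return f'contains "{needle}"'
    if not verified_bot:
        for needle in UNLESS_VERIFIED:
            if needle in ua:
                return f'contains "{needle}" and not cf.client.bot'
        if "bot" in ua and not any(b in ua for b in BOT_EXEMPT_BRANDS):
            return 'contains "bot" without an exempt brand and not cf.client.bot'
    # catches HttpClient-style libraries regardless of vendor prefix
    if "lient" in ua and "ttp" in ua:
        return 'contains "lient" and contains "ttp"'
    return None


# Constructed samples: (user agent, cf.client.bot)
SAMPLES = [
    ("python-requests/2.31.0", False),
    ("Python-urllib/3.11", False),
    ("Java/17.0.2", False),
    ("Apache-HttpClient/4.5.13 (Java/11)", False),
    ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", True),
    ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", False),
    ("Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)", False),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
     "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", False),
]


def dry_run(samples=SAMPLES):
    """Return [(ua, verified_bot, clause-or-None)] for every sample."""
    return [(ua, bot, ua_clause_fires(ua, bot)) for ua, bot in samples]


if __name__ == "__main__":
    for ua, bot, clause in dry_run():
        print(f"{'BLOCK' if clause else 'pass '}  {ua[:60]:<60}  {clause or ''}")
```

Running it shows the gaps the note above warns about: python-requests is blocked, but Python-urllib and Java/17 pass because of capitalisation; Apache-HttpClient is caught by the "lient"/"ttp" pair; an unverified client that merely puts "google" in its user agent is exempted from the "bot" clause, so that clause stops only the bots that do not bother to imitate a brand; AhrefsBot is blocked through the "bot" inside its robot URL. To close the case gap, wrap the field as lower(http.user_agent) in the expression.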

2. Exploit blocking (action: Block)

  • Block SQL injection attempts
  • Block XSS attempts
  • Block common PHP exploit probes

These are plain, case-sensitive substring matches on the raw query string, so expect false positives: "%40" fires on any percent-encoded @ (an e-mail address submitted through a GET form), "%22" on any encoded double quote, "OR" on values such as ORDER, and "WHERE", "SELECT" and "DROP" on any upper-case occurrence. Conversely, a percent-encoded or lower-cased payload slips past them. Treat this rule as a thin supplement to the Cloudflare managed rulesets, scope it to the paths that need it, and review the Security Events log for matches before switching the action from a challenge to Block.

V1

(http.request.uri.query contains ")/*") or (http.request.uri.query contains ")--") or (http.request.uri.query contains "benchmark(") or (http.request.uri.query contains "'0:0:20'") or (http.request.uri.query contains "MD5(") or (http.request.uri.query contains "%20waitfor%20delay%20") or (http.request.uri.query contains "%22") or (http.request.uri.query contains "%20/*") or (http.request.uri.query contains "%20--") or (http.request.uri.query contains "%20%23") or (http.request.uri.query contains ")%23") or (http.request.uri.query contains "script>") or (http.request.uri.query contains "%40") or (http.request.uri.query contains "%00") or (http.request.uri.query contains "<?php") or (http.request.uri.query contains "0x00") or (http.request.uri.query contains "0x08") or (http.request.uri.query contains "0x09") or (http.request.uri.query contains "0x0a") or (http.request.uri.query contains "0x0d") or (http.request.uri.query contains "0x1a") or (http.request.uri.query contains "0x22") or (http.request.uri.query contains "0x25") or (http.request.uri.query contains "0x27") or (http.request.uri.query contains "0x5c") or (http.request.uri.query contains "0x5f") or (http.request.uri.query contains "SELECT") or (http.request.uri.query contains "concat") or (http.request.uri.query contains "union") or (http.request.uri.query contains "0x50") or (http.request.uri.query contains "DROP") or (http.request.uri.query contains "WHERE") or (http.request.uri.query contains "ONION") or (http.request.uri.query contains "0x3c62723e3c62723e3c62723e") or (http.request.uri.query contains "0x3c696d67207372633d22") or (http.request.uri.query contains "OR") or (http.request.uri.query contains "0x3e") or (http.request.uri.query contains "<img") or (http.request.uri.query contains "<image") or (http.request.uri.query contains "document.cookie") or (http.request.uri.query contains "onerror()") or (http.request.uri.query contains "alert(") or (http.request.uri.query contains "window.") or 
(http.request.uri.query contains "String.fromCharCode(") or (http.request.uri.query contains "javascript:") or (http.request.uri.query contains "onmouseover=") or (http.request.uri.query contains "<BODY onload") or (http.request.uri.query contains "<style") or (http.request.uri.query contains "svg onload")

V2

(http.request.uri.query contains ")/*") or (http.request.uri.query contains ")--") or (http.request.uri.query contains "benchmark(") or (http.request.uri.query contains "'0:0:20'") or (http.request.uri.query contains "MD5(") or (http.request.uri.query contains "%20waitfor%20delay%20") or (http.request.uri.query contains "%22") or (http.request.uri.query contains "%20/*") or (http.request.uri.query contains "%20--") or (http.request.uri.query contains "%20%23") or (http.request.uri.query contains ")%23") or (http.request.uri.query contains "script>") or (http.request.uri.query contains "%40") or (http.request.uri.query contains "%00") or (http.request.uri.query contains "<?php") or (http.request.uri.query contains "0x00") or (http.request.uri.query contains "0x08") or (http.request.uri.query contains "0x09") or (http.request.uri.query contains "0x0a") or (http.request.uri.query contains "0x0d") or (http.request.uri.query contains "0x1a") or (http.request.uri.query contains "0x22") or (http.request.uri.query contains "0x25") or (http.request.uri.query contains "0x27") or (http.request.uri.query contains "0x5c") or (http.request.uri.query contains "0x5f") or (http.request.uri.query contains "SELECT") or (http.request.uri.query contains "concat") or (http.request.uri.query contains "union") or (http.request.uri.query contains "0x50") or (http.request.uri.query contains "DROP") or (http.request.uri.query contains "WHERE") or (http.request.uri.query contains "ONION") or (http.request.uri.query contains "0x3c62723e3c62723e3c62723e") or (http.request.uri.query contains "0x3c696d67207372633d22") or (http.request.uri.query contains "OR") or (http.request.uri.query contains "0x3e") or (http.request.uri.query contains "<img") or (http.request.uri.query contains "<image") or (http.request.uri.query contains "document.cookie") or (http.request.uri.query contains "onerror()") or (http.request.uri.query contains "alert(") or (http.request.uri.query contains "window.") or 
(http.request.uri.query contains "String.fromCharCode(") or (http.request.uri.query contains "javascript:") or (http.request.uri.query contains "onmouseover=") or (http.request.uri.query contains "<BODY onload") or (http.request.uri.query contains "<style") or (http.request.uri.query contains "svg onload")

Action to select when the rule above matches: Block
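As an added example (not code from the original post), here is the exploit rule run offline against sample query strings to measure its false positives and misses before it is deployed. The rule is a pure OR of http.request.uri.query contains clauses over the raw, still percent-encoded query string, so a case-sensitive substring test in Python reproduces it exactly; the literals are copied from the rule above, and the query strings are constructed.

```python
"""Offline dry run of the exploit-blocking rule (added example).

The rule is an OR of `http.request.uri.query contains <literal>` clauses on
the raw, still percent-encoded query string, so a case-sensitive substring
test reproduces it exactly.  The sample queries below are constructed.
"""

# Literals copied from the rule, in the order they appear
LITERALS = [
    ")/*", ")--", "benchmark(", "'0:0:20'", "MD5(", "%20waitfor%20delay%20",
    "%22", "%20/*", "%20--", "%20%23", ")%23", "script>", "%40", "%00", "<?php",
    "0x00", "0x08", "0x09", "0x0a", "0x0d", "0x1a", "0x22", "0x25", "0x27",
    "0x5c", "0x5f", "SELECT", "concat", "union", "0x50", "DROP", "WHERE",
    "ONION", "0x3c62723e3c62723e3c62723e", "0x3c696d67207372633d22", "OR",
    "0x3e", "<img", "<image", "document.cookie", "onerror()", "alert(",
    "window.", "String.fromCharCode(", "javascript:", "onmouseover=",
    "<BODY onload", "<style", "svg onload",
]


def fired_literals(query: str) -> list:
    """Return every literal the rule would match in a raw query string."""
    return [lit for lit in LITERALS if lit in query]


# (raw query string, is it an attack?)  -- constructed samples
SAMPLES = [
    ("id=1%20union%20select%201,2,3", True),
    ("id=1'%20OR%20'1'='1", True),
    ("q=%3Cscript%3Ealert(1)%3C/script%3E", True),
    ("q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E", True),   # fully encoded
    ("s=shoes&page=2", False),
    ("sort=ORDER&dir=desc", False),
    ("email=user%40example.com", False),
    ("q=%22exact%20phrase%22", False),
    ("title=Q3%20--%20draft", False),
]


def audit(samples=SAMPLES) -> dict:
    """Classify each sample as true/false positive, missed attack or clean."""
    tally = {"true_positive": [], "false_positive": [], "missed": [], "clean": []}
    for query, is_attack in samples:
        hits = fired_literals(query)
        if hits and is_attack:
            tally["true_positive"].append((query, hits))
        elif hits:
            tally["false_positive"].append((query, hits))
        elif is_attack:
            tally["missed"].append(query)
        else:
            tally["clean"].append(query)
    return tally


if __name__ == "__main__":
    for kind, rows in audit().items():
        print(kind)
        for row in rows:
            print("   ", row)
```

The audit shows both failure modes at once: four ordinary queries are blocked (an upper-case word containing OR, an encoded @ in an e-mail address, encoded quotes, a double dash in a title) while a fully percent-encoded XSS payload passes untouched. Literal matching on the raw query string is neither precise nor robust; Cloudflare's managed rulesets decode and normalise input before matching, so keep this custom rule as a supplement and extend the sample list with real query strings from your own logs before enabling Block.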

3. Optional: suspicious probes (force a challenge, do not block outright)

The byte-sequence literals in this rule come from non-HTTP protocol probes arriving on the HTTP port (mstshash=Administr is the cookie of an RDP connection request, SSTP_DUPLEX_POST the opening of an SSTP VPN handshake). Written with double backslashes, a literal such as "\\x03" matches the four characters \x03 rather than the control byte 0x03, so confirm in the Security Events log that the rule actually fires on the traffic you expect before relying on it.

(http.user_agent eq "109e15941c57") or (http.user_agent eq "d1b2df322c91") or (http.request.uri.query eq "--+") or (http.user_agent eq "84bd2cfee733") or (http.request.uri.query eq "d=1") or (http.user_agent eq "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)") or (http.request.uri.query eq "daksldlkdsadas=1") or (http.request.full_uri contains "\\x03\\x00\\x00/*\\xE0\\x00\\x00\\x00\\x00\\x00Cookie: mstshash=Administr") or (http.request.full_uri contains "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00") or (http.request.full_uri contains "T\\x83\\xF8\\xCCu\\x18\\xA8\\xABw*w\\xF5j\\x91\\xE4[") or (http.request.full_uri contains "-\\x11\\xBERB#:\\xE4.\\xC6\\xFFHA\\x1A\\x03\\xD7") or (http.request.full_uri contains "MGLNDD_") or (http.request.full_uri contains "\\x03\\x00\\x00\\x13\\x0E\\xE0\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x03\\x00\\x00\\x00") or (http.request.full_uri contains "fI4y") or (http.request.full_uri contains "o\\xFA\\xC0\\xBE\\xB8\\xC0\\xA4\\xC9\\x89\\xA2\\xC2\\x8F\\x83\\xAF\\x91\\x97\\xBE\\xCD\\xB9\\xCF\\xAC\\x9B\\xB0\\xAB\\xA0\\xB6\\xB1\\xAA\\x9D\\x9C\\x9F\\x96\\x8D\\x93\\xCE\\xB4\\xB3\\xB5\\x98\\xCD\\xA6\\xFA\\xFA\\xFA\\xFA\\x12\\xFD\\xD8\\xF8\\xFA\\xFA\\xC2\\xFA\\xFA\\xFA\\xFA\\x1Af\\xEC\\xF9\\xFA\\xFA\\xFA\\xFA\\xFB\\xE5q\\xF2\\xFA\\xFA\\xFA\\xFA\\xFA\\xFA\\xF9wh\\x97ui\\xBA\\xEA=E\\xF0\\x1B/\\xA7XJ\\xF11Y\\x0B\\xBF\\xB1K\\x1F\\x00\\xFA\\xF8\\xAF5Y\\xDB\\xA1\\xA2 \\xE00\\xCC\\xBAU]<\\x15\\x14\\xBA\\xC7W7c\\x02\\x98\\xC996\\x95\\x1C\\xC5\\x164yR\\xE7\\x8C\\x90\\x8E\\x06\\x92w\\xCD\\xE9\\x0E\\x14!\\x19\\x87KE\\xE1\\x86 ,)\\xEA\\x85_\\x16I(\\x86\\x8B?\\xADXx\\xD7\\xE7\\xB67\\x83\\xF1\\xFC;\\x83\\xC8\\x0F\\xAE\\xDD\\x1A\\xCA\\xBF\\xD3\\xF0\\x98\\xAA\\xD9=\\xD0\\xD0\\xD6\\xEF\\xABQZ`\\xBCrhc@[\\x9Cz\\xEA\\x8AJ|\\x8F\\xEF\\x86V\\x11\\xDC\\xBB\\x5C\\xF8T\\xF3=\\x9B\\xAF\\x11\\xBD8\\x96\\xAD\\xE7e~`ov\\xCC\\xB6\\xCA\\xDE\\xB78\\xDC\\xD88w9\\x91\\x8C\\xD1\\xDE/\\x98\\xCA\\x8D%\\xDC\\x85+sb\\xAE\\xE5&\\xCA\\x08\\x06\\xFF\\x9Ev\\xA5\\x96\\xED\\x0F\\xBC\\xEA2\\xFA\\x1F7\\x03\\xC9g\\x83)TF$H\\xA8\\xD2\\xA24\\x91\\x80\\xABg\\x0CF+\\xBFx*w\\x19\\x01\\x0E\\xFF\\xCF\\x1B\\xA8\\x9AJrF.\\x0B\\x9D\\x84\\xF2\\xEE\\x80Y\\x18\\xD4\\x12\\xFE\\x14\\x89\\x9B\\x8C\\x9AL6\\x17\\x09\\xF25\\x5C\\xEDb\\x02\\x89\\xCD\\xA7|\\xC9zL\\x97\\x81\\x92\\x96\\xA3\\xC4g\\xB4(\\xE3k\\x82Gk\\xC1\\x90B\\xE6][\\xE1\\x02\\x9B\\x86?Tua\\x1C\\xE0\\xFC\\x9F\\x8D\\xEB\\x01\\xAB\\xC0\\xE5\\xD6\\x98\\xD5\\xE0<\\x93\\xEA\\x00\\x8DT\\xE9\\x05\\x04y-G\\x0E\\xC5R\\x0E\\x18\\xF4\\xC1\\xD6\\x8E\\xBDi\\xBBf\\xBC1Z-\\xFD\\x90N\\x16\\x81\\x07C*mk\\x11\\xBCZ\\x02\\x85\\x95a\\xDE\\xAB\\xA8\\xB7\\xA3\\xA7;\\x19\\xDE\\xB3\\xD7") or (http.request.full_uri contains "\\x00\\x00\\x00") or (http.request.full_uri contains "\\x02") or (http.request.full_uri contains "v\\xF0m\\xB0b\\xAF\\x8F\\x883\\xE4U)8\\x99E\\x14") or (http.request.full_uri contains "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00") or (http.request.full_uri contains "!\\xFA\\xAC\\x8E\\x12^\\x87\\x1F9E\\xF8\\xBBT5\\x18\\xBF\\xE3\\x0Fc\\xB0\\xC3+!\\xB0y\\xA7\\xE0\\x1B\\xCF+!\\xB0\\xC2/c\\xB0\\xC3+\\x22\\xB8\\xC3+!\\xB0\\xC3+!\\xB0i+!\\xB0\\xC3+") or (http.request.full_uri contains "\\x00\\x0E8\\x89\\x99\\xDCZFS\\xEDM\\x00\\x00\\x00\\x00\\x00") or (http.request.full_uri contains "j\\x00\\xFD U\\x8De\\xC2G\\xB6\\x9A\\x83g\\xA3-\\xB6") or (http.request.full_uri contains "SSTP_DUPLEX_POST") or (http.request.full_uri contains "sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}")

Action to select when the rule above matches: Interactive Challenge

4. Optional: suspicious networks and clients (force a challenge, do not block outright)

  • Check for outdated HTTP versions (1.1, 1.2)
  • Check countries/regions that originate large amounts of malicious traffic
  • Check clients that Cloudflare flags as threats
  • Check insecure (non-SSL) requests
  • Check requests with no known origin (empty Referer)

Read the expression before enabling this. The continent set lists every continent code (AF, AS, AN, EU, NA, OC, SA), so that clause challenges every visitor who is not a verified bot or inside the excluded ASNs; "RU", "MD", "BY" and "UA" are country codes and never match ip.geoip.continent, so if specific countries are meant they belong in an ip.geoip.country clause instead. HTTP/1.1 is still what many legitimate clients send (there is no HTTP/1.2), an empty Referer is what every bookmark or typed URL sends, and the excluded ASNs 15169 (Google), 8075 (Microsoft), 13238 (Yandex) and 32934 (Facebook) are search-engine and social-network crawlers. Expect a challenge on most human traffic until these clauses are narrowed.

V1

(http.request.version in {"HTTP/1.1" "HTTP/1.2"} and not http.request.version in {"HTTP/2" "HTTP/3" "SPDY/3.1"} and not ip.geoip.asnum in {13238 15169 8075 32934} and not cf.client.bot) or (cf.threat_score ge 10 and not cf.client.bot) or (not ssl) or (ip.geoip.continent in {"AF" "AS" "AN" "EU" "NA" "OC" "SA" "RU" "MD" "BY" "UA"} and not ip.geoip.asnum in {13238 15169 8075 47541 32934} and not cf.client.bot) or (http.referer eq "" and not cf.client.bot)

V2

(
    http.request.version in {"HTTP/1.1" "HTTP/1.2"} and 
    not http.request.version in {"HTTP/2" "HTTP/3" "SPDY/3.1"} and 
    not ip.geoip.asnum in {13238 15169 8075 32934} and 
    not cf.client.bot
) or (
    cf.threat_score ge 10 and not cf.client.bot
) or (
    not ssl
) or (
    ip.geoip.continent in {"AF" "AS" "AN" "EU" "NA" "OC" "SA" "RU" "MD" "BY" "UA"} and 
    not ip.geoip.asnum in {13238 15169 8075 47541 32934} and 
    not cf.client.bot
) or (
    http.referer eq "" and not cf.client.bot
)

Action to select when the rule above matches: Interactive Challenge

These rules are built on cloudflare-rules with some improvements.

8G Firewall

Also recommended: the 8G Firewall (unrelated to the Cloudflare rules above). It is written for WordPress sites but can be used on other sites as well.

Description: https://perishablepress.com/8g-firewall
Download: https://perishablepress.com/sdc_download/20218/?key=yss7r75q6b2jddp9806qf4edn2dq8g
