Cloudflare屏蔽
Double`C 收录于 技术 和 Cloudflare
目录
Cloudflare屏蔽方法
用法
在Cloudflare WAF里添加自定义规则,点击Edit expressions,直接粘贴下面的规则。
1. 机器人屏蔽(直接block)
- 阻止流行的不良用户代理
- 按端口阻止连接(通常只有僵尸bot会这样做)
- 阻止过时版本的 HTTP (1.0)
- 阻止 cloudflare 标记的不良威胁
- 阻止不良方法请求
- 拦截可疑的 X-Forwarded-For
- 阻止来自 Tor 网络的请求
- 拦截 ASN 列表中最著名的代理搜刮网站
- 阻止非标准 cookie
下面的代码块很长,注意全选:
|
|
触发上述规则后的动作请选:block
2. 漏洞利用修复屏蔽(直接block)
- 阻止 SQL 漏洞利用
- 阻止 XSS 漏洞利用
- 阻止流行的 PHP 漏洞利用
(http.request.uri.query contains ")/*") or (http.request.uri.query contains ")--") or (http.request.uri.query contains "benchmark(") or (http.request.uri.query contains "'0:0:20'") or (http.request.uri.query contains "MD5(") or (http.request.uri.query contains "%20waitfor%20delay%20") or (http.request.uri.query contains "%22") or (http.request.uri.query contains "%20/*") or (http.request.uri.query contains "%20--") or (http.request.uri.query contains "%20%23") or (http.request.uri.query contains ")%23") or (http.request.uri.query contains "script>") or (http.request.uri.query contains "%40") or (http.request.uri.query contains "%00") or (http.request.uri.query contains "<?php") or (http.request.uri.query contains "0x00") or (http.request.uri.query contains "0x08") or (http.request.uri.query contains "0x09") or (http.request.uri.query contains "0x0a") or (http.request.uri.query contains "0x0d") or (http.request.uri.query contains "0x1a") or (http.request.uri.query contains "0x22") or (http.request.uri.query contains "0x25") or (http.request.uri.query contains "0x27") or (http.request.uri.query contains "0x5c") or (http.request.uri.query contains "0x5f") or (http.request.uri.query contains "SELECT") or (http.request.uri.query contains "concat") or (http.request.uri.query contains "union") or (http.request.uri.query contains "0x50") or (http.request.uri.query contains "DROP") or (http.request.uri.query contains "WHERE") or (http.request.uri.query contains "ONION") or (http.request.uri.query contains "0x3c62723e3c62723e3c62723e") or (http.request.uri.query contains "0x3c696d67207372633d22") or (http.request.uri.query contains "OR") or (http.request.uri.query contains "0x3e") or (http.request.uri.query contains "<img") or (http.request.uri.query contains "<image") or (http.request.uri.query contains "document.cookie") or (http.request.uri.query contains "onerror()") or (http.request.uri.query contains "alert(") or (http.request.uri.query contains "window.") or (http.request.uri.query contains "String.fromCharCode(") or (http.request.uri.query contains "javascript:") or (http.request.uri.query contains "onmouseover=") or (http.request.uri.query contains "<BODY onload") or (http.request.uri.query contains "<style") or (http.request.uri.query contains "svg onload")触发上述规则后的动作请选:block
3. 可疑的methods(强制验证码 不要直接block)
(http.user_agent eq "109e15941c57") or (http.user_agent eq "d1b2df322c91") or (http.request.uri.query eq "--+") or (http.user_agent eq "84bd2cfee733") or (http.request.uri.query eq "d=1") or (http.user_agent eq "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)") or (http.request.uri.query eq "daksldlkdsadas=1") or (http.request.full_uri contains "\\x03\\x00\\x00/*\\xE0\\x00\\x00\\x00\\x00\\x00Cookie: mstshash=Administr") or (http.request.full_uri contains "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00") or (http.request.full_uri contains "T\\x83\\xF8\\xCCu\\x18\\xA8\\xABw*w\\xF5j\\x91\\xE4[") or (http.request.full_uri contains "-\\x11\\xBERB#:\\xE4.\\xC6\\xFFHA\\x1A\\x03\\xD7") or (http.request.full_uri contains "MGLNDD_") or (http.request.full_uri contains "\\x03\\x00\\x00\\x13\\x0E\\xE0\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x03\\x00\\x00\\x00") or (http.request.full_uri contains "fI4y") or (http.request.full_uri contains "o\\xFA\\xC0\\xBE\\xB8\\xC0\\xA4\\xC9\\x89\\xA2\\xC2\\x8F\\x83\\xAF\\x91\\x97\\xBE\\xCD\\xB9\\xCF\\xAC\\x9B\\xB0\\xAB\\xA0\\xB6\\xB1\\xAA\\x9D\\x9C\\x9F\\x96\\x8D\\x93\\xCE\\xB4\\xB3\\xB5\\x98\\xCD\\xA6\\xFA\\xFA\\xFA\\xFA\\x12\\xFD\\xD8\\xF8\\xFA\\xFA\\xC2\\xFA\\xFA\\xFA\\xFA\\x1Af\\xEC\\xF9\\xFA\\xFA\\xFA\\xFA\\xFB\\xE5q\\xF2\\xFA\\xFA\\xFA\\xFA\\xFA\\xFA\\xF9wh\\x97ui\\xBA\\xEA=E\\xF0\\x1B/\\xA7XJ\\xF11Y\\x0B\\xBF\\xB1K\\x1F\\x00\\xFA\\xF8\\xAF5Y\\xDB\\xA1\\xA2 \\xE00\\xCC\\xBAU]<\\x15\\x14\\xBA\\xC7W7c\\x02\\x98\\xC996\\x95\\x1C\\xC5\\x164yR\\xE7\\x8C\\x90\\x8E\\x06\\x92w\\xCD\\xE9\\x0E\\x14!\\x19\\x87KE\\xE1\\x86 ,)\\xEA\\x85_\\x16I(\\x86\\x8B?\\xADXx\\xD7\\xE7\\xB67\\x83\\xF1\\xFC;\\x83\\xC8\\x0F\\xAE\\xDD\\x1A\\xCA\\xBF\\xD3\\xF0\\x98\\xAA\\xD9=\\xD0\\xD0\\xD6\\xEF\\xABQZ`\\xBCrhc@[\\x9Cz\\xEA\\x8AJ|\\x8F\\xEF\\x86V\\x11\\xDC\\xBB\\x5C\\xF8T\\xF3=\\x9B\\xAF\\x11\\xBD8\\x96\\xAD\\xE7e~`ov\\xCC\\xB6\\xCA\\xDE\\xB78\\xDC\\xD88w9\\x91\\x8C\\xD1\\xDE/\\x98\\xCA\\x8D%\\xDC\\x85+sb\\xAE\\xE5&\\xCA\\x08\\x06\\xFF\\x9Ev\\xA5\\x96\\xED\\x0F\\xBC\\xEA2\\xFA\\x1F7\\x03\\xC9g\\x83)TF$H\\xA8\\xD2\\xA24\\x91\\x80\\xABg\\x0CF+\\xBFx*w\\x19\\x01\\x0E\\xFF\\xCF\\x1B\\xA8\\x9AJrF.\\x0B\\x9D\\x84\\xF2\\xEE\\x80Y\\x18\\xD4\\x12\\xFE\\x14\\x89\\x9B\\x8C\\x9AL6\\x17\\x09\\xF25\\x5C\\xEDb\\x02\\x89\\xCD\\xA7|\\xC9zL\\x97\\x81\\x92\\x96\\xA3\\xC4g\\xB4(\\xE3k\\x82Gk\\xC1\\x90B\\xE6][\\xE1\\x02\\x9B\\x86?Tua\\x1C\\xE0\\xFC\\x9F\\x8D\\xEB\\x01\\xAB\\xC0\\xE5\\xD6\\x98\\xD5\\xE0<\\x93\\xEA\\x00\\x8DT\\xE9\\x05\\x04y-G\\x0E\\xC5R\\x0E\\x18\\xF4\\xC1\\xD6\\x8E\\xBDi\\xBBf\\xBC1Z-\\xFD\\x90N\\x16\\x81\\x07C*mk\\x11\\xBCZ\\x02\\x85\\x95a\\xDE\\xAB\\xA8\\xB7\\xA3\\xA7;\\x19\\xDE\\xB3\\xD7") or (http.request.full_uri contains "\\x00\\x00\\x00") or (http.request.full_uri contains "\\x02") or (http.request.full_uri contains "v\\xF0m\\xB0b\\xAF\\x8F\\x883\\xE4U)8\\x99E\\x14") or (http.request.full_uri contains "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00") or (http.request.full_uri contains "!\\xFA\\xAC\\x8E\\x12^\\x87\\x1F9E\\xF8\\xBBT5\\x18\\xBF\\xE3\\x0Fc\\xB0\\xC3+!\\xB0y\\xA7\\xE0\\x1B\\xCF+!\\xB0\\xC2/c\\xB0\\xC3+\\x22\\xB8\\xC3+!\\xB0\\xC3+!\\xB0i+!\\xB0\\xC3+") or (http.request.full_uri contains "\\x00\\x0E8\\x89\\x99\\xDCZFS\\xEDM\\x00\\x00\\x00\\x00\\x00") or (http.request.full_uri contains "j\\x00\\xFD U\\x8De\\xC2G\\xB6\\x9A\\x83g\\xA3-\\xB6") or (http.request.full_uri contains "SSTP_DUPLEX_POST") or (http.request.full_uri contains "sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}")触发上述规则后的动作请选:interactive challenge
4. 可疑的网络和客户端(强制验证码 不要直接block)
- 检查过期的 HTTP 版本(1.1、1.2)
- 检查允许大量恶意流量的国家/地区
- 检查 cloudflare 标记的不良威胁
- 检查不安全请求(非 SSL 请求)
- 检查来源不明的请求(无引用源)
(http.request.version in {"HTTP/1.1" "HTTP/1.2"} and not http.request.version in {"HTTP/2" "HTTP/3" "SPDY/3.1"} and not ip.geoip.asnum in {13238 15169 8075 32934} and not cf.client.bot) or (cf.threat_score ge 10 and not cf.client.bot) or (not ssl) or (ip.geoip.continent in {"AF" "AS" "AN" "EU" "NA" "OC" "SA" "RU" "MD" "BY" "UA"} and not ip.geoip.asnum in {13238 15169 8075 47541 32934} and not cf.client.bot) or (http.referer eq "" and not cf.client.bot)触发上述规则后的动作请选:interactive challenge
在cloudflare-rules基础上做了一些改进。
8G Firewall
另外推荐8G Firewall(和上面的CF没有关系)适合WP站,但别的站也可以用。
8G Firewall 说明
8G Firewall 下载
把这些内容添加到 .htaccess 里就行了。