CD
Cloudflare Developers3mo ago
kelbs

block malicious probing requests

my web app gets requests like these: 
get myapp.com/wp-login.php
get myapp.com/sitemap.xml
get myapp.com/.git/config
get myapp.com/wp-content/themes/sketch/404.php
get myapp.com/wp-login.php
get myapp.com/sitemap.xml
get myapp.com/.git/config
get myapp.com/wp-content/themes/sketch/404.php
which seem to be probing for vulnerabilities since none of the urls exist and e.g. my site isn't a wordpress site. Is there any way to easily block these? I could create WAF custom rules but would that turn into wack-a-mole if I need to manually specify every invalid URL being requested? I'm currently on the free plan so I could upgrade to pro to enable more managed rules, but its unclear to me if that'll solve the issue. It's not a lot of traffic so its not hurting too much. The biggest annoyance for me is it creates errors in my observability data, making it harder to find real issues amongst these phantom issues.
4 Replies
semaja2
semaja23mo ago
Do you have a paid plan? the .git one is usually blocked by default with the WAF managed rules turned on
Chaika
Chaika3mo ago
.git would be blocked by Pro or higher's CF Managed Ruleset. For the rest, if you're not using php or wordpress at all, you can use Custom Rules to blanket block them pretty easily, ex: (ends_with(http.request.uri.path, ".php")) or (http.request.uri.path contains "wp-") The sitemap xml is a legit one which is helpful to search engines so they can know all the pages to crawl/when they updated/frequency/etc
kelbs
kelbs3mo ago
I'm currently on the free plan so I could upgrade to pro to enable more managed rules, but its unclear to me if that'll solve the issue.
yeah, not on paid plan but have been considering it. Only reason I haven't pulled trigger is I wasn't sure if it would help or not. Thank you for the ideas! I'll use these and see if there are more commonalities across the requests for easy blocking is the ends_with functionality also only available on paid plans? Doesn't seem to be an option for me
az
az3mo ago
i generally block these with contains "wp" on free
Want results from more Discord servers?
Add your server
More Posts
Availability of Attack-Support in GermanyI work for a multi Billion US dollar company in Germany. We recently had a very severe cyberattack aHow to access secrets added in the dashboard locally?Hello! I added the Supabase integration in the Workers dashboard, which automatically added two secIs there a pattern that would allow me to clear a cache item for every worker in the CDN?I would like to clear the worker cache for every location. My workflow is that someone will make an Cloudflare Radar CategoryWhy can I not get the same category for the domain on Cloudflare Radar website? And are there anywayDomain Transfer questionsHow much does it cost to transfer a domain to cloudflare? and do I have to disable DNSSEC even if I'google emails result in domain could not be foundI'm having an issue where emails from gmail aren't resolving. It doesn't seem to be finding the domaAstro Hybrid output with Server Endpoints (API Routes)Has anyone managed to get Astro with `output: "hybrid"` mode working in CloudFlare pages with **ServCloudflare Sub-Domain Caching + GitBookHi there, A couple weeks ago, I set up a CNAME record for my `https://docs.website.com` subdomain foCant verify my accountHey guys, since 4 days I am trying to verify my account. But after clicking the button resend verifiHow to change nameserver in my baught domain?Hello, I baught a domain in an account in cloudflare, and I've total 2 domains. I would like to chan