Cloudflare Firewall Rules For DevOps Engineer

Cloudflare is one of the best things you can do for safety of websites you manage as a DevOps Engineer.
Here are a few rules I recommend implementing when you move your sites to Cloudflare.


Block User Agents

Website scans usually come in from certain user agents. People scanning your websites are usually lazy – they use off-the-shelf tools. This means they forget to change the user agents of their scanning tools. Blocking user agents is probably simplest way to secure your site from these mass scans. Here is what I recommend using:

Block User Agents

I also recommend adding “Ubuntu” to the list, but that is up to you.


Block URLs

Blocking vulnerable locations on your website is another way of securing your website.

For example, here are some rules for Magento:

Block Magento vulnerable locations


Block File Downloads

Just in case you forget a backup file in your /public_html folder, why not block all requests containing “zip”?

Block Zip file downloads

or .sql files:

Block SQL file downloads


Block Tor and Unknown Countries

Obviously, you should block or at least challenge any requests from Tor or Unknown Country traffic.

Block Tor or Unknown Country Traffic


Block SQL terms

You can also try blocking SQL injection attempts. It will probably work against drive-by injections, but wont help against a human trying to break your website.

There are more rules you could add, like blocking specific countries that usually send you all these bots (China, Russia, Ukraine). But these basic rules should get you started.

If you want passive firewall to ban bad incoming traffic automatically, check out my Cloudflare Passive Firewall post.

Leave a Reply