
Cloudflare Firewall Rule: Ban Country Codes from Registration

It blocked me in a private window on a normal connection in a country that should be allowed. On paper it all looks fine, so I'm not sure what went wrong.
Yer... I tend to hold a cautious approach towards firewall rules, for this exact reason. This is why I only use the captcha challenge for all the nasty countries whose traffic I do not want, whilst catering to the legitimate handful of people who may access the site from said countries, but otherwise I don't implement country rules on any country that has a significant user base for my site.

For all those, I have progressively built up a good set of blocks in the IP rules. I have nearly 150 /24 IP blocks, blocking any and all sets of IPs from servers used for spamming my site over the years. Combined with my outright country blocks, we see maybe 1 spam message per day / couple of days. That is years of slow work. We have isolated all our spam for years, not just deleted it, then looked at all the private servers used for spamming, and blocked them.
 
Do you think Cloudflare made a mistake or you did? :p
Usually I'd say it's probs user error, but it was blocking me and plenty of others in the US, UK and Germany. I doubt they were all Tor or "unknown states..." and they weren't in the blocked countries. Could using a private window trigger it?
 
Just an FYI.

I set this up exactly how it is listed with the add-on. Thought I was doing really well with spam because I hadn't had to remove any in several days.

Then, I set up the Brave browser to see how it worked. Checked the settings and it uses Tor. I was thinking about removing that in case there is an increase in people using this browser, but decided to go try to register first. Sure enough, it blocked me on the Brave browser.

Out of curiosity, I hit the register link on Chrome, Firefox, and Edge. I was blocked from registering on all those browsers as well.

After further review (been too busy to check this lately), I have had zero registrations since adding this to Cloudflare, and about 500 blocked registrations. My current IP addresses this evening are included in the blocked IPs.
 
I use Brave too (wish everyone would! F google) but I guess I'm not configured to use the Tor routing.

Yeah, just take out the conditionals for Tor and Unknown Countries.

500 blocked registrations would be a win for me, but I don't know your board.
 
I removed those but still couldn't access the registration page with the firewall rule on.
 
This is the problem with blocking something like registration via DNS. In my experience, the more tricky I have tried to be, the more consequences I have discovered. You need to be 110% sure about actions at firewalls, otherwise you need to opt for safer solutions.
 
We have been using DragonByte Security for quite some time to block countries... just put a check in the box for the country and click save. Pretty simple to do versus Cloudflare.
 
Add-ons do something at your site, instead of at DNS. Big difference. Cloudflare can do all the blocking for free vs a paid add-on.
 
I tried something new with Firewall Rules and thought you might be interested in the results.

First rule: ALLOW all US, Canada and UK traffic with a threat level of 0.
Second rule: CHALLENGE everything else.
It's caught no one in 48 hrs. Not a single challenge. Not sure if that's because no one triggered it or the Cloudflare Security setting is catching them first? Either way, it looks like it's redundant, so I'm pausing those rules and will run them again as a test in 30 days.
 
...and I'm guessing a LOT faster.
Yup... I'll put my money on Cloudflare doing it faster and better than an addon at your server, which is really where you don't want the traffic to be in the first place, using resources that you're paying for.

I have progressively implemented more at Cloudflare over the years, and I've taken my site numbers from normal 500+ online, to just 100+ online. As such, things like ElasticSearch have no more issues, I have reduced server resource allocation, things are slightly cheaper for me and faster and more stable for my users.

Honestly, I couldn't recommend Cloudflare free services enough to every website owner. Why anyone isn't using them... I just don't know. Total SSL security, CDN and amazing firewall, redirects, etc etc.
 
Heh yeah. I have to keep a list of things that would break if I dump Cloudflare some day for whatever reason. I am so dependent upon the free account. I do wish though that they offered Mirage and Polish as a pay-per-use service.
 
I totally agree but wish their billing structure was simplified. I also wish you could buy Pro licenses for blocks of sites. I would have gladly paid for Pro for years now, but I can't justify $20/month per site.
 
Wouldn't this need to be the other way round? You want the first rule to block everything, and the second to allow x with a threat level of x.

Can that fit into a single rule? Block everything that does not match x.
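The ordering question above, and the earlier two-rule setup (allow trusted countries at threat level 0, challenge everything else), can be checked offline with a small evaluator. This is an added example, not the resource's own rule or anything from Cloudflare; it assumes the usual first-match semantics (rules checked top to bottom, the first matching rule with a terminating action such as allow, challenge or block decides the request) and uses constructed requests. The Cloudflare-style expression strings are kept on each rule for reference only; the Python lambda next to each is what actually runs. The banned country set in the registration rule is a placeholder, and "T1" is the code Cloudflare uses for Tor exit nodes, which is the clause that catches a Brave private window with Tor enabled.

```python
"""Toy first-match evaluator for an ordered firewall rule list.

Added example with constructed data; not Cloudflare's engine. Assumption:
rules run top to bottom and the first matching rule with a terminating
action (allow / challenge / block) decides the request.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Request:
    country: str        # ISO country code; Cloudflare reports Tor exit nodes as "T1"
    threat_score: int   # cf.threat_score style reputation score, 0 = clean
    path: str           # request path, e.g. "/register/"


@dataclass
class Rule:
    name: str
    expression: str                    # Cloudflare-style expression, reference only
    match: Callable[[Request], bool]   # Python equivalent of `expression`
    action: str                        # "allow", "challenge" or "block"


TRUSTED = {"US", "CA", "GB"}
BANNED = {"XX", "YY"}   # placeholder country codes for the registration rule


def evaluate(rules: List[Rule], req: Request, default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the zone default."""
    for rule in rules:
        if rule.match(req):
            return rule.action, rule.name
    return default, "default"


def trusted_clean(req: Request) -> bool:
    return req.country in TRUSTED and req.threat_score == 0


# The two-rule setup from the thread: allow trusted countries at threat level 0,
# then challenge everything else.
TWO_RULES = [
    Rule("allow trusted",
         '(ip.geoip.country in {"US" "CA" "GB"} and cf.threat_score eq 0)',
         trusted_clean, "allow"),
    Rule("challenge rest", "true", lambda r: True, "challenge"),
]

# The same policy as a single rule: challenge whatever does NOT match the trusted test.
ONE_RULE = [
    Rule("challenge non-trusted",
         'not (ip.geoip.country in {"US" "CA" "GB"} and cf.threat_score eq 0)',
         lambda r: not trusted_clean(r), "challenge"),
]

# The two rules the other way round: the catch-all fires first, so no request
# ever reaches the allow rule and trusted users get challenged too.
REVERSED = [TWO_RULES[1], TWO_RULES[0]]

# A registration-only block that also matches Tor exits ("T1"); this is the
# kind of clause that blocks a Brave private-with-Tor window on /register/.
REGISTRATION_BLOCK = [
    Rule("block registration",
         '(http.request.uri.path contains "/register" and '
         '(ip.geoip.country in {"XX" "YY"} or ip.geoip.country eq "T1"))',
         lambda r: "/register" in r.path and (r.country in BANNED or r.country == "T1"),
         "block"),
]

# Constructed sample requests.
SAMPLE = [
    Request("US", 0, "/register/"),
    Request("GB", 15, "/register/"),
    Request("DE", 0, "/register/"),
    Request("T1", 0, "/register/"),
    Request("XX", 0, "/forums/"),
]


def same_decisions(a: List[Rule], b: List[Rule], reqs: List[Request] = SAMPLE) -> bool:
    """True when two rule lists produce the same action for every sample request."""
    return all(evaluate(a, r)[0] == evaluate(b, r)[0] for r in reqs)


if __name__ == "__main__":
    for label, rules in [("two rules", TWO_RULES), ("one rule", ONE_RULE),
                         ("reversed", REVERSED), ("registration block", REGISTRATION_BLOCK)]:
        print(label)
        for r in SAMPLE:
            print(f"  {r.country:>2} score={r.threat_score:<3} {r.path:<11} -> {evaluate(rules, r)}")
```

Running it shows that the two-rule version and the single `not (...)` rule make identical decisions on every sample request, while swapping the two rules challenges everyone, including clean US traffic. It also shows why a registration rule that matches "T1" blocks a Tor-enabled browser regardless of where the person actually is; dropping that clause, as suggested earlier in the thread, is the fix when the goal is country filtering rather than Tor filtering.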
 