Resource icon

Cloudflare Firewall Rule: Ban Country Codes from Registration

Ntown

Well-known member
HammerDown submitted a new resource:

Cloudflare Firewall Rule: Ban Country Codes from Registration - Quickly add a Cloudflare Firewall Rule to block registration from specific countries.

Quickly add a Cloudflare Firewall Rule to block registration from specified countries.

Go to Cloudflare > Firewall > Firewall Rules > Create a firewall rule
Look for small text link as you scroll down to Edit expression

Paste the following rule.

The action is Block.

Code:
(ip.geoip.country in {"AF" "AL" "DZ" "AO" "AM" "AZ" "BD" "BJ" "BY" "BA" "BN" "KH" "CM" "BI" "CF" "TD" "CN" "CG" "CD" "DJ" "GQ" "ER" "ET" "GA" "GM" "GH" "HT" "IN" "IR" "IQ" "KZ" "KE" "KP" "KG" "KR" "XK"...

Read more about this resource...
 
I've done this for known spammers. China especially. I've set it up to have URI so that those countries can still browse if they are legit users. Out of the last 4 months we've had it, we've been contacted only once asking why they can't register.

This is what my expression looks like:
(http.request.uri.path eq "/register/" and ip.geoip.country eq "CN") or (http.request.uri.path eq "/register/" and ip.geoip.country eq "RU") or (http.request.uri.path eq "/register/" and ip.geoip.country eq "UA") or (http.request.uri.path eq "/register/" and ip.geoip.country eq "IN") or (http.request.uri.path eq "/register/" and ip.geoip.country eq "NG") or (http.request.uri.path eq "/register/" and ip.geoip.asnum in {4133})

You can see I've also found an ASN that was spamming us, so we blocked that as well. I've looked through our spam cleaner logs and it appears the only ones that have made it through are human spammers since we deployed this. None of which have been the Chinese spam we were getting. Prior to this, I used other spam addons, using the keywords found in these Chinese posts and it rarely ever caught the Chinese posts.
 
HammerDown updated Cloudflare Firewall Rule: Ban Country Codes from Registration with a new update entry:

1.2

Updated the Code.

Switched the order to check URI Path first. Much more efficient this way, as all requests not going to "register" URL now don't have to go through Country Code check. Also added more countries.

Important: if your forum is 99% from the US or some other small set of countries, change the operator and include those countries only. If you need help, PM me.

Read the rest of this update entry...
 
I use the cloudflare challenge instead of outright block method. I have two rules, one that allows known bots to allow, thus trusted bots by Cloudflare are allowed through the firewall, all else is not. The second is to challenge all these countries with captcha. People travel (albeit not right now with Covid), plenty of English speaking people live in countries around the world that also use my site and want to contribute.

Just food for thought if you go this route... maybe just try adding countries into the OR challenge with captcha as a simpler approach. We have always had pretty good anti-spam in place, but this wiped out all but the most dedicated person who has to go through the full process to spam, can't use a bot to do it due to DNS blocking of them already, and their IP / IP block is easily added to the DNS firewall once they did do it.

It has allowed me to remove all third party addons in relation to spam management, and can rely solely now on XF default systems which are by themselves not totally satisfactory, but combined with the above single DNS management method, 99.9% effective.

Added: My expression is as follows, based on looking at the spam industries top country lists, excluding US, UK:

(ip.geoip.country eq "CN") or (ip.geoip.country eq "RU") or (ip.geoip.country eq "TH") or (ip.geoip.country eq "VN") or (ip.geoip.country eq "SG") or (ip.geoip.country eq "HK") or (ip.geoip.country eq "UA") or (ip.geoip.country eq "JP") or (ip.geoip.country eq "KP") or (ip.geoip.country eq "KR") or (ip.geoip.country eq "IN") or (ip.geoip.country eq "IR") or (ip.geoip.country eq "BR") or (ip.geoip.country eq "ID") or (ip.geoip.country eq "DZ") or (ip.geoip.country eq "PK") or (ip.geoip.country eq "EG") or (ip.geoip.country eq "VE") or (ip.geoip.country eq "MX") or (ip.geoip.country eq "TR") or (ip.geoip.country eq "MA") or (ip.geoip.country eq "IT") or (ip.geoip.country eq "ES") or (ip.geoip.country eq "PL") or (ip.geoip.country eq "AR") or (ip.geoip.country eq "CO") or (ip.geoip.country eq "FR") or (ip.geoip.country eq "SA") or (ip.geoip.country eq "CL") or (ip.geoip.country eq "IL")
 
Last edited:
I use the cloudflare challenge instead of outright block method. I have two rules, one that allows known bots to allow, thus trusted bots by Cloudflare are allowed through the firewall, all else is not. The second is to challenge all these countries with captcha. People travel (albeit not right now with Covid), plenty of English speaking people live in countries around the world that also use my site and want to contribute.

Just food for thought if you go this route... maybe just try adding countries into the OR challenge with captcha as a simpler approach. We have always had pretty good anti-spam in place, but this wiped out all but the most dedicated person who has to go through the full process to spam, can't use a bot to do it due to DNS blocking of them already, and their IP / IP block is easily added to the DNS firewall once they did do it.

It has allowed me to remove all third party addons in relation to spam management, and can rely solely now on XF default systems which are by themselves not totally satisfactory, but combined with the above single DNS management method, 99.9% effective.

Added: My expression is as follows, based on looking at the spam industries top country lists, excluding US, UK:
Very interesting! However, I think if CHALLENGE was the action, I'd just challenge everyone outside the forum's base country. For us, we'd challenge everyone outside US and Canada. This is certainly an intriguing option! Thank you.
 
Great stuff @HammerDown.

In order to cut down Contact form spam as well I've changed my firewall rule to include the /misc/contact page as well.

Code:
(http.request.uri.path contains "/misc/contact") or (http.request.uri.path contains "/register") or (http.request.uri.path contains "/?register" and ip.geoip.country in {"AF" "DZ" "AO" "AM" "AZ" "BH" "BD" "BY" "BJ" "BT" "BA" "BW" "BN" "BG" "BF" "BI" "KH" "CM" "CF" "CV" "TD" "CN" "CG" "CD" "CI" "HR" "CZ" "DJ" "EG" "GQ" "ER" "EE" "ET" "GF" "GA" "GM" "GE" "GH" "GW" "GN" "HT" "HU" "IN" "ID" "IR" "IQ" "JO" "KZ" "KP" "KR" "KE" "XK" "KW" "KG" "LA" "LV" "LB" "LS" "LR" "LY" "LT" "MK" "MG" "MW" "MY" "ML" "MR" "YT" "MD" "MN" "ME" "MA" "MZ" "MM" "NA" "NP" "NE" "NG" "OM" "PK" "PG" "PL" "RO" "QA" "RU" "RW" "SA" "SY" "ZM" "XX" "T1" "ZW" "YE" "EH" "TN" "TM" "AE" "UZ" "TR" "UY" "VN" "UG" "TJ" "SR" "SD" "SZ" "LK" "SS" "VE" "UA" "TG" "SO" "SI" "SL" "RS" "SN" "SK" "TZ" "TH" "TL"})
 
Probably a stupid question, but gotta ask since I am not sure of the answer, LOL.

in the code, you are putting http. Would you need to put https for SSL purposes, or does http do the trick for both in this case?
 
Would you need to put https for SSL purposes, or does http do the trick for both in this case?
It's an expression: https://developers.cloudflare.com/firewall/cf-firewall-rules/fields-and-expressions/

Using Cloudflare, they do the rest with their system.
I think if CHALLENGE was the action, I'd just challenge everyone outside the forum's base country
Depends what you want. You are allowing the world, but blocking registration. My site is global, but English speaking, so I want people to be able to register from around the world who speak English and require the community.

If you ran a gaming forum, you would usually want the world too.

If you wanted to block all bad bots globally, then use the action of JS Challenge would be the best, with another rule to allow known good bots, as JS Challenge will automatically allow all browser access to bypass the action.

I allow guest posting that goes via moderation, so removes annoying captcha for the user per post, but if they reside in a high spam known country, using Captcha Challenge stops everything, requiring to solve the captcha once every 30 - 45 minutes via Cloudflare DNS, so they can use the site, but will require to solve it at those cookie timeout periods.

I honestly like how diverse Cloudflare allows us to be... using your approach with URL specific, or just broader. Cloudflare rocks.
 
Thanks for this! Trying it out with a VPN connection but the browser gives me a
Code:
Oops! We ran into some problems.
The requested page could not be found.

The rest works. Any idea why the browser does this?

The console of the browser gives me a 403 forbidden on the url
Code:
https://www.domain.tld/register/?_xfRequestUri=/&_xfWithData=1&_xfToken=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&_xfResponseType=json

And after that a lot of Cloudflare stuff (snippit):
Code:
<head> <title>Attention Required! | Cloudflare</title> <meta name="captcha-bypass" id="captcha-bypass" /> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]--> <style type="text/css">body{margin:0;padding:0}</style>
 
If you wanted to block all bad bots globally, then use the action of JS Challenge would be the best, with another rule to allow known good bots, as JS Challenge will automatically allow all browser access to bypass the action.
So I've been struggling with trying to understand how to put this into Firewall Rules. (I'm assuming the paid But Management does it all for you?)

In theory, it's:
1.) First rule: let all known bots through
2.) Challenge all other JS traffic

Correct? If so, how do you set that up? I can't figure it out and can't find a tutorial.
 
Yes.

Annotation 2020-08-14 123724.webp

I only limit specific countries for captcha challenge, and they're all in one rule, so free accounts.

Annotation 2020-08-14 123758.webp

Use the OR operator, so it matches one OR another per request.

My expression only targeting spam site known major spam countries, is:

(ip.geoip.country eq "CN") or (ip.geoip.country eq "RU") or (ip.geoip.country eq "TH") or (ip.geoip.country eq "VN") or (ip.geoip.country eq "SG") or (ip.geoip.country eq "HK") or (ip.geoip.country eq "UA") or (ip.geoip.country eq "JP") or (ip.geoip.country eq "KP") or (ip.geoip.country eq "KR") or (ip.geoip.country eq "IN") or (ip.geoip.country eq "IR") or (ip.geoip.country eq "BR") or (ip.geoip.country eq "ID") or (ip.geoip.country eq "DZ") or (ip.geoip.country eq "PK") or (ip.geoip.country eq "EG") or (ip.geoip.country eq "VE") or (ip.geoip.country eq "MX") or (ip.geoip.country eq "TR") or (ip.geoip.country eq "MA") or (ip.geoip.country eq "IT") or (ip.geoip.country eq "ES") or (ip.geoip.country eq "PL") or (ip.geoip.country eq "AR") or (ip.geoip.country eq "CO") or (ip.geoip.country eq "FR") or (ip.geoip.country eq "SA") or (ip.geoip.country eq "CL") or (ip.geoip.country eq "IL")

I think if I were to use JS Challenge, which allows all browser views automatically through, then I would probably ban all with the OR operator, and the first rule would be for good bots. This would ensure that everyone in the world has to access the site via a browser, otherwise they would be rejected, other than known good bots that are approved by Cloudflare.

For me personally, I went with my approach because there are a lot of countries who pay people to sit in front of a computer and spam sites via their browser. I want to piss those people off with my approach, making it more annoying, as it fits my member model.

I think if you wanted to use three rules, the first for allow all good bots, the second for allow JS Challenge, then a third to outright block countries you have zero doubt that you do not want their traffic at your site, is maybe an even better approach. I might take that up myself actually.

Thanks for this discussion... its giving me food for thought too.
 
Thanks for this! Trying it out with a VPN connection but the browser gives me a
Code:
Oops! We ran into some problems.
The requested page could not be found.

The rest works. Any idea why the browser does this?

The console of the browser gives me a 403 forbidden on the url
Code:
https://www.domain.tld/register/?_xfRequestUri=/&_xfWithData=1&_xfToken=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&_xfResponseType=json

And after that a lot of Cloudflare stuff (snippit):
Code:
<head> <title>Attention Required! | Cloudflare</title> <meta name="captcha-bypass" id="captcha-bypass" /> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]--> <style type="text/css">body{margin:0;padding:0}</style>

What style are you using? What "Register" link did you click on - was it a link that opens the register page in a modal window or the full register page?

@HammerDown I too have seen what @duderuud has experienced and I believe I've found the issue, but not sure of the fix yet.

I'm running the Flat Awesome+ theme by PixelExit and in the main navigation the "Register" button opens a modal register window for users to register on the forum. When that is click and the cloudflare firewall rule is in place I get the following error message:

opps-broken.webp

Looking at the browser console I too see the following information:

403.webp

Now if I disable the cloudflare firewall rule, the link works perfectly fine.

OR... If I click on a Register link that takes users to the FULL register page (NOT modal/pop-up window) then that page also works fine (after the Cloudflare challenge of course).

As awesome as PixelExit is, @Russ did provide a workaround for the Flat Awesome+ theme:

Make a manual edit inside PAGE_CONTAINER

click inside the editor, click CTRL-F:

Code:
{{ link('register') }}

Remove this bit in that link item:

Code:
data-xf-click="overlay"

Ctrl-G will find the next instance of the register link(it's there twice), then save the template.


This may or may not fix the issue for other themes as well, I don't know as I only use PixelExit themes, but I'm not crazy about that work around as I'd have to remember to make that change each time I update my forum/forum style.

I haven't found an option yet within Xenforo to make the full page the default behavior and disable the modal/pop-up window.
 
Yes.

View attachment 232849

I only limit specific countries for captcha challenge, and they're all in one rule, so free accounts.

View attachment 232851

Use the OR operator, so it matches one OR another per request.

My expression only targeting spam site known major spam countries, is:



I think if I were to use JS Challenge, which allows all browser views automatically through, then I would probably ban all with the OR operator, and the first rule would be for good bots. This would ensure that everyone in the world has to access the site via a browser, otherwise they would be rejected, other than known good bots that are approved by Cloudflare.

For me personally, I went with my approach because there are a lot of countries who pay people to sit in front of a computer and spam sites via their browser. I want to piss those people off with my approach, making it more annoying, as it fits my member model.

I think if you wanted to use three rules, the first for allow all good bots, the second for allow JS Challenge, then a third to outright block countries you have zero doubt that you do not want their traffic at your site, is maybe an even better approach. I might take that up myself actually.

Thanks for this discussion... its giving me food for thought too.
You're right; excellent food for thought.

I have two questions for you.

1.) Does your first rule above simultaneously ALLOW Known Bots while blocking bad bots? Otherwise, I don't see the value of having that first rule. If you're not going to handle bad bots in your next two firewall rules, why allow known bots in the first one?

2.) I don't understand why you're using OR for each country code instead of just having them in one list?

Edit: I just discovered Cloudflare Bot Fight Mode and turned it on. Not sure if that requires ALLOW of known bots or not?
 
Last edited:
My understanding that is if you create a rule to block or challenge from x, then everything not x is allowed. But if x contains known good bots, then adding that rule will allow from x but block everything else from x. So it works with other rules, not as a single use bad bot blocker.


The table below lists the actions available in Firewall Rules. These actions are listed in order of precedence. If the same request matches two different rules which have the same priority, precedence determines the action to take.

For example, the Allow action takes precedence over the Block action. In a case where a request matches a rule with the Allow action and another with the Block action, precedence resolves the tie, and Cloudflare allows the request.

The only exception to this behavior involves the Log action. Unlike the other actions, Log does not terminate further evaluation within Firewall Rules. This means that if a request matches two different rules and one of those rules specifies the Log action, the second action will be triggered instead, even though Log has precedence. Although Firewall Rules would not trigger the Log action in this case, Firewall Analytics would still record the hit as an “additional match.”
As allow takes precedence over block and challenge, you allow known good bots, then below that you would instigate your block or challenge rules, thus blocking or challenging ALL bots from those that meet the rule, but allowing known good bots automatically from those rules.

As for a list, I'm not sure if it works when listing due to per request nature of this rule. It is probably easier if you wanted to block the world, to just allow the small handful of countries you want accessing your site, and blocking / challenging everyone else that is outside that small list. The rule to my understanding, to work correctly, needs to be one OR another of the options on a per request basis.

Do you have a workable rule that does not create a CF error for challenge?
 
Tried this, but it was mostly blocking people from my major countries - US, UK and Germany. Set to challenge but as stated above because of the ajax the challenge didn't work.

It blocked me on a private window in normal connection in a country that should be allowed. On paper it all looks fine, so not sure what went wrong
 
Tried this, but it was mostly blocking people from my major countries - US, UK and Germany. Set to challenge but as stated above because of the ajax the challenge didn't work.

It blocked me on a private window in normal connection in a country that should be allowed. On paper it all looks fine, so not sure what went wrong
Do you think Cloudflare made a mistake or you did? :p
 
Top Bottom