Use CloudFlare? Share your ASN blocks

Latest updates... these are both my URI and my IP/ASN lists... if you use WordPress... you probably don't want to use the URI one without editing it as it's targeted towards XenForo (or any other script not using WordPress).
All of these are based upon reviews of my site activity logs, active visitors whose IP shows as spam (generally a hosting provider, ergo the ASN listing) or similar.

URI list (you can install this using the CloudFlare WAF edit function)
Code:
(http.request.uri.path contains "/alfacgiapi/") or (http.request.uri.path contains "/wp-includes") or (http.request.uri.path contains "/cgi_bin/") or (http.request.uri.path contains "/remote/login") or (http.request.uri.path contains "/webfig/") or (http.request.uri.path contains "/solr/") or (http.request.uri.path contains "/owa/") or (http.request.uri.path contains "/mgmt/") or (http.request.uri.path contains "/symfony") or (http.request.uri.path contains "aws.yml") or (http.request.uri.path contains "/_profiler/") or (http.request.uri.path contains "/public/client/") or (http.request.uri.path contains "templates/editor-preload-container") or (http.request.uri.path contains "template/custom/content-editor") or (http.request.uri.path contains "templates2/viewpagetemplate.action") or (http.request.uri.path contains "pages/doenterpagevariables.action") or (http.request.uri.path contains "/wiki/pages/createpage-entervariables.action") or (http.request.uri.path contains "/wiki/pages") or (http.request.uri.path contains "/confluence/pages") or (http.request.uri.path contains "/login.phtml") or (http.request.uri.path contains ".aspx") or (http.request.uri.path contains ".pho") or (http.request.uri.path contains "/pages/createpage.action") or (http.request.uri contains "app?service=page/PrinterList") or (http.request.uri.path contains "/mgmt/tm/util/bash") or (http.request.uri.path contains "saas./resttosaasservlet") or (http.request.uri.path contains "/cpanel/") or (http.request.uri.path contains "/_all_dbs") or (http.request.uri.path contains "jira-webapp-dist") or (http.request.uri.path contains "microsoft.exchange.ediscovery") or (http.request.uri.path contains "/server-status") or (http.request.uri contains "/view?panel=config") or (http.request.uri contains "/remote/login?lang=en") or (http.request.uri.path contains "/alfa-rex.php7") or (cf.threat_score ge 50) or (http.request.uri.path contains "/_ignition") or (http.request.uri.path contains "/vendor/phpunit") or (http.request.uri.path contains "/administrator/index.php") or (http.request.uri.path contains "/geoserver") or (http.request.uri.path contains "onvif/device_service") or (http.request.uri.path contains "/remote/logincheck") or (http.request.uri.path contains "/Autodiscover/Autodiscover.xml") or (http.request.uri.path contains "/WPnBr.dll") or (http.request.uri.path contains "/templates/editor-preload-container") or (http.request.uri.path contains "/templates2") or (http.request.uri contains "/createpage.action?spaceKey=myproj") or (http.request.uri.path contains "/doenterpagevariables.action") or (http.request.uri.path contains "/createpage-entervariables.action") or (http.request.uri.path contains ".php7") or (http.request.uri.path contains "FD873AC4-CF86-4FED-84EC-4BD59C6F17A7") or (http.request.uri.query contains "phpstorm") or (http.request.uri.path contains "/wsman") or (http.request.uri.path contains "/testing/") or (http.request.uri.path contains "main/get") or (http.request.uri.path contains "_data/config/config/get") or (http.request.uri.path contains "app/login") or (http.request.uri.path contains "member/showSign") or (http.request.uri.path contains "web/goWeb/") or (http.request.uri.path contains "ajax/index_b_trends") or (http.request.uri.path contains "login/smsRand") or (http.request.uri.path contains "/live/getRealIP") or (http.request.uri.path contains "market/home/query") or (http.request.uri.path contains ".shtml") or (http.request.uri.path contains "/publics/") or (http.request.uri.path contains "/market/index/") or (http.request.uri.path contains "+CSCOE+/logon.html") or (http.request.uri.path eq "/global-protect/login.esp") or (http.request.uri.path contains "/magento_version") or (http.request.uri.path contains "/gank.php.PhP") or (http.request.uri.path contains "vpn/index.html") or (http.request.uri.path contains "owa/auth.owa")

ASN/IP list - I don't use block, but managed challenge for these in case there are actually users coming in via a private VPN.
Code:
(ip.geoip.asnum eq 132203) or (ip.src eq 217.146.82.231) or (ip.src eq 83.97.73.89) or (ip.geoip.asnum eq 45899) or (ip.geoip.asnum eq 50565) or (ip.src eq 64.137.97.230) or (ip.geoip.asnum eq 135407) or (ip.geoip.asnum eq 208312) or (ip.geoip.asnum eq 35913) or (ip.geoip.asnum eq 149428) or (ip.geoip.asnum eq 21859) or (ip.src eq 20.219.13.191) or (ip.geoip.asnum eq 208312) or (ip.geoip.asnum eq 22363) or (ip.geoip.asnum eq 136557) or (ip.geoip.asnum eq 36352) or (ip.geoip.asnum eq 54538) or (ip.geoip.asnum eq 58057) or (ip.geoip.asnum eq 55286) or (ip.geoip.asnum eq 9009) or (ip.geoip.asnum eq 212238) or (ip.geoip.asnum eq 203020) or (ip.geoip.asnum eq 14061) or (ip.geoip.asnum eq 25159) or (ip.geoip.asnum eq 965) or (ip.geoip.asnum eq 398101) or (ip.geoip.asnum eq 36352) or (ip.geoip.asnum eq 62904) or (ip.geoip.asnum eq 206092) or (ip.geoip.asnum eq 207651) or (ip.geoip.asnum eq 16276) or (ip.geoip.asnum eq 39134) or (ip.geoip.asnum eq 56067) or (ip.geoip.asnum eq 12552) or (ip.geoip.asnum eq 16509) or (ip.geoip.asnum eq 135258) or (ip.geoip.asnum eq 58461) or (ip.geoip.asnum eq 57523) or (ip.geoip.asnum eq 4134) or (ip.geoip.asnum eq 208323) or (ip.geoip.asnum eq 12876) or (ip.geoip.asnum eq 12876) or (ip.geoip.asnum eq 51167) or (ip.geoip.asnum eq 32613) or (ip.geoip.asnum eq 12389) or (ip.geoip.asnum eq 51430) or (ip.geoip.asnum eq 24444)
 
And have added a few more... most of the new ASNs are bots trying to hit the wp-login link, but not all of them. Some of these are TOR exit nodes...
Again, I want to remind you, this should not be a total block WAF rule, but a managed challenge as even through TOR there can be valid users. That way, valid humans can get through.... but the majority of these are from data centers and you should be getting few to zero users through them. This is the entire listing I use, not the new ones added. These new ones cover the ASNs of several IPv6 connections also.
Code:
(ip.geoip.asnum eq 132203) or (ip.src eq 217.146.82.231) or (ip.src eq 83.97.73.89) or (ip.geoip.asnum eq 45899) or (ip.geoip.asnum eq 50565) or (ip.src eq 64.137.97.230) or (ip.geoip.asnum eq 135407) or (ip.geoip.asnum eq 208312) or (ip.geoip.asnum eq 35913) or (ip.geoip.asnum eq 149428) or (ip.geoip.asnum eq 21859) or (ip.src eq 20.219.13.191) or (ip.geoip.asnum eq 208312) or (ip.geoip.asnum eq 22363) or (ip.geoip.asnum eq 136557) or (ip.geoip.asnum eq 36352) or (ip.geoip.asnum eq 54538) or (ip.geoip.asnum eq 58057) or (ip.geoip.asnum eq 55286) or (ip.geoip.asnum eq 9009) or (ip.geoip.asnum eq 212238) or (ip.geoip.asnum eq 203020) or (ip.geoip.asnum eq 14061) or (ip.geoip.asnum eq 25159) or (ip.geoip.asnum eq 965) or (ip.geoip.asnum eq 398101) or (ip.geoip.asnum eq 36352) or (ip.geoip.asnum eq 62904) or (ip.geoip.asnum eq 206092) or (ip.geoip.asnum eq 207651) or (ip.geoip.asnum eq 16276) or (ip.geoip.asnum eq 39134) or (ip.geoip.asnum eq 56067) or (ip.geoip.asnum eq 12552) or (ip.geoip.asnum eq 16509) or (ip.geoip.asnum eq 135258) or (ip.geoip.asnum eq 58461) or (ip.geoip.asnum eq 57523) or (ip.geoip.asnum eq 4134) or (ip.geoip.asnum eq 208323) or (ip.geoip.asnum eq 12876) or (ip.geoip.asnum eq 12876) or (ip.geoip.asnum eq 51167) or (ip.geoip.asnum eq 32613) or (ip.geoip.asnum eq 12389) or (ip.geoip.asnum eq 51430) or (ip.geoip.asnum eq 24444) or (ip.geoip.asnum eq 26347) or (ip.geoip.asnum eq 200651) or (ip.geoip.asnum eq 62240) or (ip.geoip.asnum eq 62240) or (ip.geoip.asnum eq 40021) or (ip.geoip.asnum eq 9044) or (ip.geoip.asnum eq 31034) or (ip.geoip.asnum eq 4760) or (ip.geoip.asnum eq 12876) or (ip.geoip.asnum eq 37963) or (ip.geoip.asnum eq 212238) or (ip.geoip.asnum eq 132198) or (ip.geoip.asnum eq 34665) or (ip.geoip.asnum eq 60068) or (ip.geoip.asnum eq 210558) or (ip.geoip.asnum eq 51784) or (ip.geoip.asnum eq 26496) or (ip.geoip.asnum eq 45903) or (ip.geoip.asnum eq 45903) or (ip.geoip.asnum eq 56694) or (ip.geoip.asnum eq 9198) or (ip.geoip.asnum eq 
17501) or (ip.geoip.asnum eq 49453) or (ip.geoip.asnum eq 211871) or (ip.geoip.asnum eq 58466) or (ip.geoip.asnum eq 7506) or (ip.geoip.asnum eq 10961) or (ip.geoip.asnum eq 19527) or (ip.geoip.asnum eq 140292) or (ip.geoip.asnum eq 20773) or (ip.geoip.asnum eq 20312) or (ip.geoip.asnum eq 26347)
 
I should note also... this "may" impact sites that content that is on your site that may have been shared with elsewhere.... I'm currently investigating some possible issues.
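Long hand-maintained expressions like the URI and ASN/IP lists in this thread tend to collect duplicates and clauses that cannot match. The Python sketch below is an added example, not code from the thread: it parses such an expression, drops duplicates, flags `http.request.uri.path` clauses that can never fire (that field carries no query string and always starts with `/`), and folds ASN/IP clauses into `in {...}` sets. The sample expressions are constructed; the ASNs and IP are documentation-range placeholders, and the function names are this example's own.

```python
import re

# One parenthesised comparison: (field op value); value is quoted or bare.
CLAUSE = re.compile(r'\(\s*([\w.]+)\s+(contains|eq|ge)\s+("[^"]*"|[^\s)]+)\s*\)')

def parse(expr):
    """Return the unique (field, op, value) clauses in first-seen order."""
    seen = {}
    for field, op, value in CLAUSE.findall(expr):
        seen.setdefault((field, op, value.strip('"')), None)
    return list(seen)

def lint(clauses):
    """Flag path clauses that can never match a real request path."""
    problems = []
    for field, op, value in clauses:
        if field != "http.request.uri.path":
            continue
        if "?" in value:                      # path field excludes the query string
            problems.append((value, "query string in path match"))
        elif value != value.strip():          # pasted-in leading/trailing blank
            problems.append((value, "stray whitespace"))
        elif op == "eq" and not value.startswith("/"):
            problems.append((value, "eq without leading slash"))
    return problems

def compact(clauses):
    """Fold `eq` clauses on ASN / source IP into one `in {...}` set per field."""
    groups = {}
    for field, op, value in clauses:
        if op == "eq" and field in ("ip.geoip.asnum", "ip.src"):
            groups.setdefault(field, []).append(value)
    return " or ".join(f"({f} in {{{' '.join(v)}}})" for f, v in groups.items())

# Constructed samples using the clause shapes seen in the thread.
SAMPLE_URI = ('(http.request.uri.path contains "/remote/login") or '
              '(http.request.uri.path contains "/remote/login?lang=en") or '
              '(http.request.uri.path contains " /geoserver") or '
              '(http.request.uri.path eq "global-protect/login.esp") or '
              '(http.request.uri.path contains "/remote/login")')
SAMPLE_IP = ('(ip.geoip.asnum eq 64496) or (ip.src eq 192.0.2.10) or '
             '(ip.geoip.asnum eq 64511) or (ip.geoip.asnum eq 64496)')

if __name__ == "__main__":
    for value, why in lint(parse(SAMPLE_URI)):
        print(f"{why}: {value!r}")
    print(compact(parse(SAMPLE_IP)))
```

The compacted form evaluates the same as the chain of `or` clauses and is much shorter, which makes it easier to spot an ASN that was added twice.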
 
