@teknikqa
Created July 9, 2019 07:09
Custom Cloudflare WAF rules for Drupal
#!/usr/bin/env bash
#
# Script to import custom WAF rules using the Cloudflare API.
#
# Taken from https://www.pixelite.co.nz/article/custom-cloudflare-waf-rules-that-every-drupal-site-should-run/
# Blocks:
# 1. Unfriendly Drupal 7 URLs
# 2. Autodiscover of Microsoft Exchange
# 3. Wordpress PHP scripts
# 4. Wordpress common folders (excluding content)
# 5. Wordpress content folder
# 6. SQL injection in URL
# 7. Drupal 8 install script
# 8. Microsoft Office/Skype for Business POST requests
# 9. Microsoft Active Sync
#
# Replace the XXXXXXXXXXXXXX placeholders with your zone ID, account e-mail and
# API key. Each option line ends in a backslash so the shell reads the whole curl
# invocation as one command; --compressed both asks for a gzipped response and
# decodes it, so the JSON reply is printed readable.
curl 'https://api.cloudflare.com/client/v4/zones/XXXXXXXXXXXXXX/firewall/rules' \
-H 'X-Auth-Email: XXXXXXXXXXXXXX' \
-H 'X-Auth-Key: XXXXXXXXXXXXXX' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
--compressed \
-X POST \
-d '[{"ref":"","description":"Autodiscover","paused":false,"action":"block","priority":null,"filter":{"expression":"(http.request.uri.path matches \"\/autodiscover\\.xml$\") or (http.request.uri.path matches \"\/autodiscover\\.src\/\")"}},{"ref":"","description":"Drupal 7 Unfriendly URLs (bots)","paused":false,"action":"block","priority":null,"filter":{"expression":"(http.request.uri.query matches \"q=user\/register\") or (http.request.uri.query matches \"q=node\/add\")"}},{"ref":"","description":"Install script","paused":false,"action":"block","priority":null,"filter":{"expression":"(http.request.uri.path eq \"\/core\/install.php\")"}},{"ref":"","description":"Microsoft Active Sync","paused":false,"action":"block","priority":null,"filter":{"expression":"(http.request.uri.path eq \"\/Microsoft-Server-ActiveSync\")"}},{"ref":"","description":"Microsoft Office\/Skype for Business POST requests","paused":false,"action":"block","priority":null,"filter":{"expression":"(http.request.method eq \"POST\") and (http.user_agent matches \"Microsoft Office\" or http.user_agent matches \"Skype for Business\")"}},{"ref":"","description":"SQLi in URL","paused":false,"action":"block","priority":null,"filter":{"expression":"(http.request.uri.path contains \"select unhex\") or (http.request.uri.path contains \"select name_const\") or (http.request.uri.path contains \"unhex(hex(version()))\") or (http.request.uri.path contains \"union select\") or (http.request.uri.path contains \"select concat\")"}},{"ref":"","description":"Wordpress common folders (excluding content)","paused":false,"action":"block","priority":null,"filter":{"expression":"(http.request.uri.path matches \"\/wp-(admin|includes|json)\/\")"}},{"ref":"","description":"Wordpress content folder","paused":false,"action":"block","priority":null,"filter":{"expression":"(http.request.uri.path matches \"\/wp-content\/\")"}},{"ref":"","description":"Wordpress PHP scripts","paused":false,"action":"block","priority":null,"filter":{"expression":"(http.request.uri.path matches \"\/wp-.*\\.php$\")"}}]'
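An added offline dry-run of the nine rules above, not part of the gist: each filter expression is re-expressed as a Python predicate with the operator semantics Cloudflare's Rules language uses, so you can see what a request would hit before POSTing the rule set to the zone. The `Request` class and `blocking_rules` function are this example's own names.

```python
"""Offline dry-run of the firewall rules in the script above. Each rule's filter
expression is re-expressed as a Python predicate with the semantics the Cloudflare
Rules language gives the operators used: eq = exact string comparison,
contains = case-sensitive substring test, matches = case-sensitive unanchored
regex search."""
import re
from dataclasses import dataclass


@dataclass
class Request:
    """The request fields the expressions reference (names are Cloudflare's)."""
    method: str = "GET"     # http.request.method
    path: str = "/"         # http.request.uri.path
    query: str = ""         # http.request.uri.query, without the leading '?'
    user_agent: str = ""    # http.user_agent


def matches(pattern, value):
    # `matches` is an unanchored regex search, so "/wp-content/" also fires
    # on "/blog/wp-content/x.css"; anchor with ^ if that is not intended.
    return re.search(pattern, value) is not None


SQLI_FRAGMENTS = ("select unhex", "select name_const",
                  "unhex(hex(version()))", "union select", "select concat")

# One predicate per rule in the JSON payload, keyed by the rule's description.
RULES = {
    "Autodiscover": lambda r: matches(r"/autodiscover\.xml$", r.path)
                              or matches(r"/autodiscover\.src/", r.path),
    "Drupal 7 Unfriendly URLs (bots)": lambda r: matches("q=user/register", r.query)
                                                 or matches("q=node/add", r.query),
    "Install script": lambda r: r.path == "/core/install.php",
    "Microsoft Active Sync": lambda r: r.path == "/Microsoft-Server-ActiveSync",
    "Microsoft Office/Skype for Business POST requests": lambda r:
        r.method == "POST" and (matches("Microsoft Office", r.user_agent)
                                or matches("Skype for Business", r.user_agent)),
    # `contains` is case-sensitive; wrap the field in lower() in the real
    # expression if a case-insensitive match is wanted.
    "SQLi in URL": lambda r: any(f in r.path for f in SQLI_FRAGMENTS),
    "Wordpress common folders (excluding content)":
        lambda r: matches(r"/wp-(admin|includes|json)/", r.path),
    "Wordpress content folder": lambda r: matches(r"/wp-content/", r.path),
    "Wordpress PHP scripts": lambda r: matches(r"/wp-.*\.php$", r.path),
}


def blocking_rules(req):
    """Descriptions of every rule whose expression matches `req`; [] means allowed."""
    return [d for d, pred in RULES.items() if pred(req)]
```

The regexes are run through Python's `re` rather than Cloudflare's engine; for the simple patterns in this rule set the results agree, but re-check any pattern you add that uses engine-specific syntax.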