This project offers an automated script that collects and reports IP addresses that have triggered Cloudflare firewall events. In simple terms, it enables the reporting of incidents detected by Cloudflare WAF to the AbuseIPDB database.
If you're looking for effective WAF Expressions, you're in the right place! Check out sefinek/Cloudflare-WAF-Expressions. Also, take a look at sefinek/UFW-AbuseIPDB-Reporter for UFW.
If you like this repository or find it useful, I would greatly appreciate it if you could give it a β star. Thanks a lot!
Important
- If you'd like to make changes to any files in this repository, please start by creating a public fork.
- Node.js + npm
- PM2 (
npm i -g pm2) - Git
- Easy Configuration - The
config.jsfile allows for quick and simple configuration. - Simple Installer - Enables fast and seamless deployment and integration.
- Self-IP Protection (IPv4 & IPv6) - Automatically excludes the server's own public and local IPs from reports, including dynamic addresses.
- IP Filtering - Local and special-purpose IP addresses will never be reported.
- IP Whitelist - Maintain a
whitelist.txtfile with IP addresses that should never be reported (e.g., your home IP when running on a VPS). The file is watched for changes and reloaded automatically. - Report Cooldown - Prevents duplicate reports of the same IP within a configurable time window.
- Bulk Reporting Support - If the script hits a rate limit, it will immediately start buffering IP addresses and send a bulk report once the limit is lifted.
- Discord Webhooks Integration:
- Critical notifications
- Script error alerts
Daily summaries of reported IPs
- Automatic Updates - The script regularly fetches and applies the latest updates. You can disable this if you prefer.
| Name | Description |
|---|---|
--help |
Displays this help message. |
--run-on-start |
Starts the IP reporting cycle immediately after launch. |
--report-to-sapi |
Sends collected IPs to the Sefinek API immediately after launch. |
Triggered Cloudflare WAF (securitylevel) from T1.
Action taken: MANAGED_CHALLENGE
ASN: 53667 (PONYNET)
Protocol: HTTP/1.0 (GET method)
Endpoint: /
Timestamp: 2024-11-09T19:20:18Z
Rule ID: badscore
UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5042.0 Safari/537.36
This report was generated by:
https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB
- Clone the repository.
git clone --recurse-submodules https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB.git
- Install dependencies.
cd Cloudflare-WAF-To-AbuseIPDB && npm install
- Create a new configuration file.
cp config.default.js config.js
- Paste the tokens into the
config.jsfile.nano config.js
- Run the script.
node . - If you want to run the process 24/7, install the PM2 module.
npm install -g pm2
- Modify the log paths in the
ecosystem.config.jsfile to be correct and existing. You don't need to create.logfiles, just ensure the directory structure is accurate. - Run the process continuously using
PM2to ensure constant operation and automatic restart in case of a failure.pm2 start
- Save a snapshot of the currently running
Node.jsprocesses.pm2 save
- Add
PM2to startup.
eval "$(pm2 startup | grep sudo)"- That's it! Monitor logs using the
pm2 logscommand.
- Accepts a string or an array of Zone IDs:
CLOUDFLARE_ZONE_IDS: 'zone-id-1' - If you manage multiple zones, pass them as an array:
CLOUDFLARE_ZONE_IDS: ['zone-id-1', 'zone-id-2']
- Screenshot for reference:
- Go to dash.cloudflare.com/profile/api-tokens.
- Click Create Token.
- Select Create Custom Token.
- Refer to the screenshot for required permissions:
Visit www.abuseipdb.com/account/api and copy your API key.
If you need help or have any questions, feel free to create a new Issue. If you'd like to contribute to the project, go ahead and open a Pull request. Thank you!
π GPL-3.0 License
Copyright Β© 2024-2026 Sefinek
