Cloudflare WAF to AbuseIPDB ☁️🕵️

This project offers an automated script that collects and reports IP addresses that have triggered Cloudflare firewall events. In simple terms, it enables the reporting of incidents detected by Cloudflare WAF to the AbuseIPDB database.

If you're looking for effective WAF Expressions, you're in the right place! Check out sefinek/Cloudflare-WAF-Expressions.
Also, take a look at sefinek/UFW-AbuseIPDB-Reporter for UFW.

If you like this repository or find it useful, I would greatly appreciate it if you could give it a star ⭐. Thanks a lot!

🛠️ Prerequisites

• Node.js + npm
• PM2 (recommended)

📃 Information

If you want to make changes to the script from this repository, please kindly fork it first.

🌌 Example Report

Triggered Cloudflare WAF (securitylevel) from T1.
Action taken: MANAGED_CHALLENGE
ASN: 53667 (PONYNET)
Protocol: HTTP/1.0 (method GET)
Domain: blocklist.sefinek.net
Endpoint: /
Timestamp: 2024-11-09T19:20:18Z
Ray ID: 8e0028cb79ab3a96
Rule ID: badscore
UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5042.0 Safari/537.36

Report generated by Cloudflare-WAF-To-AbuseIPDB:
https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB

My profile: https://www.abuseipdb.com/user/158699

📥 Installation

1. Clone the repository.

   git clone https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB.git

2. Install dependencies.

   npm install

3. Environment variables. Create a new .env.default file with the same content, then rename it to .env. Fill it with your tokens, etc. Remember to set NODE_ENV to production!
4. Run the script.

   node .

5. If you want to run the process 24/7, install the PM2 module.

   npm install pm2 -g

6. Modify the log paths in the ecosystem.config.js file to be correct and existing. You don't need to create .log files, just ensure the directory structure is accurate.
7. Run the process continuously using PM2 to ensure constant operation and automatic restart in case of a failure.

   pm2 start

8. Save a snapshot of the currently running Node.js processes.

   pm2 save

9. Add PM2 to startup.

   pm2 startup

10. Execute the command generated by PM2, e.g.:

sudo env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u sefinek --hp /home/sefinek

11. That’s it! Monitor logs using the pm2 logs command.

🔤 How to Get Tokens?

CLOUDFLARE_ZONE_ID

CLOUDFLARE_API_KEY

1. Go to dash.cloudflare.com/profile/api-tokens.
2. Click the Create Token button.
3. Select Create Custom Token.
4. 

ABUSEIPDB_API_KEY

Visit www.abuseipdb.com/account/api.

😉 Issues and Pull requests

If you need help or have any questions, feel free to create a new Issue. If you'd like to contribute to the project, go ahead and open a Pull request. Thank you!

💕 Credits

This project is inspired by the MHG-LAB/Cloudflare-WAF-to-AbuseIPDB repository. I'm not particularly fond of Python and usually try to avoid using this programming language, which is why I decided to create this repository.

📑 MIT License

Copyright 2024 © by Sefinek. All Rights Reserved.