https://github.com/sefinek/cloudflare-waf-to-abuseipdb

A Node.js script that automates the reporting of incidents detected by Cloudflare WAF to AbuseIPDB ☁️🕵️

# Cloudflare WAF to AbuseIPDB ☁️🕵️
This project offers an automated script that collects and reports IP addresses that have triggered Cloudflare firewall events.
In simple terms, it enables the reporting of incidents detected by Cloudflare WAF to the AbuseIPDB database.

If you're looking for **effective WAF Expressions**, you're in the right place! Check out [sefinek/Cloudflare-WAF-Expressions](https://github.com/sefinek/Cloudflare-WAF-Expressions).
Also, take a look at [sefinek/UFW-AbuseIPDB-Reporter](https://github.com/sefinek/UFW-AbuseIPDB-Reporter) for UFW.

> If you like this repository or find it useful, I would greatly appreciate it if you could give it a ⭐ star. Thanks a lot!

> [!IMPORTANT]
> - If you'd like to make changes to any files in this repository, please start by creating a [public fork](https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB/fork).

## 🛠️ Requirements
- [Node.js + npm](https://gist.github.com/sefinek/fb50041a5f456321d58104bbf3f6e649)
- [PM2](https://www.npmjs.com/package/pm2) (`npm i -g pm2`)
- [Git](https://gist.github.com/sefinek/1de50073ffbbae82fc901506304f0ada)

## ✅ Features
1. **Easy Configuration** - The [`config.js`](config.default.js) file allows for quick and simple configuration.
2. **Simple Installer** - Enables fast and seamless deployment and integration.
3. **Bulk Reporting Support** - If the script hits a rate limit, it will immediately start buffering IP addresses and send a bulk report once the limit is lifted.
4. **Self-IP Protection (IPv4 & IPv6)** - Automatically excludes the server's own public and local IPs from reports, including dynamic addresses.
5. **Discord Webhooks Integration**:
   - Critical notifications
   - Script error alerts
   - ~~Daily summaries of reported IPs~~
6. **Automatic Updates** - The script regularly fetches and applies the latest updates. You can disable this if you prefer.

## 📃 Command-line options
| Name | Description |
|--------------------|-------------------------------------------------------------------|
| `--help` | Displays this help message. |
| `--run-on-start` | Starts the IP reporting cycle immediately after launch. |
| `--report-to-sapi` | Sends collected IPs to the Sefinek API immediately after launch. |

## 🌌 Example Report
```
Triggered Cloudflare WAF (securitylevel) from T1.
Action taken: MANAGED_CHALLENGE
ASN: 53667 (PONYNET)
Protocol: HTTP/1.0 (GET method)
Endpoint: /
Timestamp: 2024-11-09T19:20:18Z
Rule ID: badscore
UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5042.0 Safari/537.36

This report was generated by:
https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB
```
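
The self-IP exclusion and rate-limit buffering listed under Features, together with the report text shown above, sketched as an added example that is not the project's own code. The event field names, the `send` callback, category `19` and the sample addresses are assumptions made for illustration; the CSV columns are assumed to match AbuseIPDB's bulk-report format.

```javascript
// Added example, not the project's code. Event field names and category are assumptions.
const OWN_IPS = new Set(['203.0.113.10', '2001:db8::10']); // constructed: this server's public IPs

// Private, loopback and link-local ranges (IPv4 and IPv6) are never reported.
const LOCAL = /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|f[cd][0-9a-f]{2}:|fe[89ab][0-9a-f]:)/i;
const shouldSkip = ip => OWN_IPS.has(ip) || LOCAL.test(ip);

// Path and User-Agent are attacker-controlled: collapse line breaks so a request
// cannot forge extra report lines, and cap the length (200 is an arbitrary choice).
const clean = v => String(v).replace(/[\r\n]+/g, ' ').slice(0, 200);

const buildComment = e => [
  `Triggered Cloudflare WAF (${e.source}) from ${e.country}.`,
  `Action taken: ${e.action.toUpperCase()}`,
  `ASN: ${e.asn} (${e.asnName})`,
  `Protocol: ${e.protocol} (${e.method} method)`,
  `Endpoint: ${clean(e.path)}`,
  `Timestamp: ${e.timestamp}`,
  `Rule ID: ${e.ruleId}`,
  `UA: ${clean(e.userAgent)}`,
].join('\n');

// Quote CSV fields and double embedded quotes so comments cannot break the row layout.
const csvField = v => `"${String(v).replace(/"/g, '""')}"`;
const toBulkCsv = entries => ['IP,Categories,ReportDate,Comment',
  ...entries.map(r => [r.ip, csvField(r.categories), r.date, csvField(r.comment)].join(','))].join('\n');

class Reporter {
  constructor(send) { this.send = send; this.buffer = []; this.limited = false; }
  async report(e) {
    if (shouldSkip(e.ip)) return 'skipped';
    const entry = { ip: e.ip, categories: '19', date: e.timestamp, comment: buildComment(e) };
    if (!this.limited && (await this.send(entry)) === 200) return 'reported';
    this.limited = true; // not accepted (e.g. HTTP 429): stop single reports, keep the entry
    this.buffer.push(entry);
    return 'buffered';
  }
  flush() { // call once the rate limit has reset; returns the bulk CSV body
    const csv = toBulkCsv(this.buffer);
    this.buffer = []; this.limited = false;
    return csv;
  }
}

// Constructed sample event; values mirror the example report, the IP is a documentation address.
const sampleEvent = { ip: '198.51.100.7', source: 'securitylevel', country: 'T1',
  action: 'managed_challenge', asn: 53667, asnName: 'PONYNET', protocol: 'HTTP/1.0',
  method: 'GET', path: '/', timestamp: '2024-11-09T19:20:18Z', ruleId: 'badscore',
  userAgent: 'Mozilla/5.0 "test"\r\nASN: 0' };
```

`send` stands in for the HTTP call to AbuseIPDB and must resolve to the response status code. IPv6 addresses should be normalised to lowercase compressed form before they are compared against `OWN_IPS`.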

## 📥 Installation
1. Clone the repository.
```bash
git clone --recurse-submodules https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB.git
```
2. Install dependencies.
```bash
cd Cloudflare-WAF-To-AbuseIPDB && npm install
```
3. Create a new configuration file.
```bash
cp config.default.js config.js
```
4. Paste the tokens into the `config.js` file.
```bash
nano config.js
```
5. Run the script.
```bash
node .
```
6. If you want to run the process 24/7, install the [PM2](https://www.npmjs.com/package/pm2) module.
```bash
npm install -g pm2
```
7. Edit the log paths in the `ecosystem.config.js` file so that they point to directories that exist. You don't need to create the `.log` files themselves; just make sure the directory structure is in place.
8. Run the process continuously using `PM2` to ensure constant operation and automatic restart in case of a failure.
```bash
pm2 start
```
9. Save a snapshot of the currently running `Node.js` processes.
```bash
pm2 save
```
10. Add `PM2` to startup.
```bash
eval "$(pm2 startup | grep sudo)"
```
11. That's it! Monitor logs using the `pm2 logs` command.

## 🔐 Configuration – Required Tokens & IDs
### `CLOUDFLARE_ZONE_IDS`
- Accepts a **string** or an **array** of Zone IDs:
```js
CLOUDFLARE_ZONE_IDS: 'zone-id-1'
```
- If you manage multiple zones, pass them as an array:
```js
CLOUDFLARE_ZONE_IDS: ['zone-id-1', 'zone-id-2']
```
- Screenshot for reference:
![](images/brave_UY5737SsDdlS.png)

### `CLOUDFLARE_API_KEY`
1. Go to [dash.cloudflare.com/profile/api-tokens](https://dash.cloudflare.com/profile/api-tokens).
2. Click **Create Token**.
3. Select **Create Custom Token**.
4. Refer to the screenshot for required permissions:
![](images/brave_oWibgugvXlTH.png)

### `ABUSEIPDB_API_KEY`
Visit [www.abuseipdb.com/account/api](https://www.abuseipdb.com/account/api) and copy your API key.

## 😉 Issues and Pull requests
If you need help or have any questions, feel free to create a new [Issue](https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB/issues). If you'd like to contribute to the project, go ahead and open a [Pull request](https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB/pulls). Thank you!

## 📑 [GPL-3.0 License](LICENSE)
Copyright 2024-2025 © by [Sefinek](https://sefinek.net). All Rights Reserved.