Tips on how to protect a website

2025-05-05

WAF

Cloudflare offers free WAF services; the details are here.

These are some example rules I used:

  1. Allow some credible bots coming from credible source IPs.

    ((cf.verified_bot_category eq "Search Engine Crawler") or (cf.verified_bot_category eq "Security")) and (ip.src in $google_bots)

    For example, Googlebot's IP ranges can be found here; you need to add them to Cloudflare as an IP list, referenced in the rule as $google_bots.

  2. Block bots with weird user agents.

    (http.user_agent contains "bot") or (http.user_agent contains "Bot") or (http.user_agent contains "http") or (http.user_agent contains "Go") or (http.user_agent contains "go") or (http.user_agent eq "-") or (http.user_agent contains "MSIE") or (http.user_agent contains "; +") or (http.user_agent contains "\x09") or (http.user_agent contains "Trident") or (http.user_agent contains "Headless") or (http.user_agent contains "{") or (http.user_agent contains "$") or (http.user_agent contains "<") or (http.user_agent contains "script") or (http.user_agent eq "")

  3. Block requests with strange URIs or headers.

    (not http.request.method in {"GET" "POST" "PUT" "HEAD" "OPTIONS"}) or (http.request.full_uri contains "well-known") or (len(http.request.headers["via"]) > 0) or (http.request.uri.path contains "//") or (http.x_forwarded_for contains ".") or (len(http.request.headers["x-forwarded-host"]) > 0) or (len(http.request.headers["cdn-loop"]) > 0) or (len(http.request.headers["cf-ew-via"]) > 0) or (http.request.uri contains "--+") or (http.request.uri contains "\x") or (any(http.request.headers["sec-fetch-site"][] contains "cr") and any(http.request.headers["sec-fetch-mode"][] contains "no"))

  4. Challenge the other requests.

    (http.request.version in {"HTTP/1.0" "HTTP/1.1" "HTTP/1.2"}) or (ip.src.asnum in {211590})
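To check how the four rules interact before deploying them, here is an added example (not code from the original post and not Cloudflare's own code) that re-implements the four expressions in plain Python and evaluates them top-down in the listed order, the way Cloudflare processes custom rules (the first terminating action wins). The Request class and its field names, the sample requests (TEST-NET addresses) and the GOOGLE_BOTS stand-in for the $google_bots list are assumptions made for the example.

```python
# Added example, not from the original post or from Cloudflare: a plain-Python model
# of the four WAF custom rules above, evaluated in the listed order. The Request
# class, its field names and the GOOGLE_BOTS stand-in for $google_bots are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Stand-in for the $google_bots IP list: a documentation range, not real Googlebot IPs.
GOOGLE_BOTS = [ip_network("192.0.2.0/24")]


@dataclass
class Request:
    src_ip: str
    user_agent: str
    method: str = "GET"
    path: str = "/"
    query: str = ""                  # includes the leading "?" when present
    version: str = "HTTP/2"
    asn: int = 0
    headers: dict = field(default_factory=dict)
    verified_bot_category: str = ""  # models cf.verified_bot_category
    x_forwarded_for: str = ""        # models http.x_forwarded_for

    @property
    def uri(self):       # http.request.uri (path + query)
        return self.path + self.query

    @property
    def full_uri(self):  # http.request.full_uri (constructed host name)
        return "https://example.test" + self.uri


def rule1_allow(r):
    """Rule 1: allow verified crawler/security bots coming from the listed IPs."""
    return (r.verified_bot_category in ("Search Engine Crawler", "Security")
            and any(ip_address(r.src_ip) in net for net in GOOGLE_BOTS))


# Substrings from rule 2; "\x09" in the rule is a tab character.
UA_BAD_SUBSTRINGS = ["bot", "Bot", "http", "Go", "go", "MSIE", "; +", "\t",
                     "Trident", "Headless", "{", "$", "<", "script"]


def rule2_block(r):
    """Rule 2: block empty, '-' or suspicious-looking User-Agent strings."""
    ua = r.user_agent
    return ua in ("", "-") or any(s in ua for s in UA_BAD_SUBSTRINGS)


ALLOWED_METHODS = {"GET", "POST", "PUT", "HEAD", "OPTIONS"}


def rule3_block(r):
    """Rule 3: block unusual methods, proxy/loop headers and odd URIs."""
    h = {k.lower(): v for k, v in r.headers.items()}
    return (r.method not in ALLOWED_METHODS
            or "well-known" in r.full_uri
            or len(h.get("via", "")) > 0
            or "//" in r.path
            or "." in r.x_forwarded_for
            or len(h.get("x-forwarded-host", "")) > 0
            or len(h.get("cdn-loop", "")) > 0
            or len(h.get("cf-ew-via", "")) > 0
            or "--+" in r.uri
            or "\\x" in r.uri
            or ("cr" in h.get("sec-fetch-site", "") and "no" in h.get("sec-fetch-mode", "")))


def rule4_challenge(r):
    """Rule 4: challenge legacy HTTP versions and one specific ASN."""
    return r.version in ("HTTP/1.0", "HTTP/1.1", "HTTP/1.2") or r.asn in {211590}


def classify(r):
    """Return the action for a request, applying the rules in the listed order."""
    if rule1_allow(r):
        return "allow"
    if rule2_block(r) or rule3_block(r):
        return "block"
    if rule4_challenge(r):
        return "challenge"
    return "pass"


CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample requests (TEST-NET addresses, not real traffic).
SAMPLES = {
    "verified_googlebot": Request("192.0.2.10", GOOGLEBOT, verified_bot_category="Search Engine Crawler"),
    "spoofed_googlebot": Request("203.0.113.5", GOOGLEBOT),
    "browser_http2": Request("203.0.113.6", CHROME),
    "browser_http11": Request("203.0.113.7", CHROME, version="HTTP/1.1"),
    "curl_delete": Request("203.0.113.8", "curl/8.4.0", method="DELETE"),
    "double_slash": Request("203.0.113.9", CHROME, path="/admin//config"),
    "sql_comment": Request("203.0.113.10", CHROME, path="/item", query="?id=1'--+"),
    "acme_challenge": Request("203.0.113.11", CHROME, path="/.well-known/acme-challenge/token"),
    "via_proxy": Request("203.0.113.12", CHROME, headers={"Via": "1.1 proxy"}),
}


def demo():
    """Map each sample name to the action the rule set would take."""
    return {name: classify(r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20s} -> {action}")
```

Two things the samples make visible: rule 1 has to sit above rule 2, because the genuine Googlebot user agent matches "bot", "http" and "; +" and would otherwise be blocked; and rule 3's "well-known" match also blocks /.well-known/acme-challenge/ (HTTP-01 certificate validation) and /.well-known/security.txt, so add an exception for those paths if anything outside Cloudflare relies on them.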