# Cloudflare WAF to AbuseIPDB β˜οΈπŸ•΅οΈ This project offers an automated script that collects and reports IP addresses that have triggered Cloudflare firewall events. In simple terms, it enables the reporting of incidents detected by Cloudflare WAF to the AbuseIPDB database. If you're looking for **effective WAF Expressions**, you're in the right place! Check out [sefinek/Cloudflare-WAF-Expressions](https://github.com/sefinek/Cloudflare-WAF-Expressions). Also, take a look at [sefinek/UFW-AbuseIPDB-Reporter](https://github.com/sefinek/UFW-AbuseIPDB-Reporter) for UFW. > If you like this repository or find it useful, I would greatly appreciate it if you could give it a star ⭐. Thanks a lot! ## πŸ› οΈ Prerequisites - [Node.js + npm](https://nodejs.org) - [PM2](https://www.npmjs.com/package/pm2) (recommended) ## πŸ“ƒ Information If you want to make changes to the script from this repository, please kindly [fork](https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB/fork) it first. ## 🌌 Example Report ``` Triggered Cloudflare WAF (securitylevel) from T1. Action taken: MANAGED_CHALLENGE ASN: 53667 (PONYNET) Protocol: HTTP/1.0 (method GET) Endpoint: / Timestamp: 2024-11-09T19:20:18Z Ray ID: 8e0028cb79ab3a96 Rule ID: badscore UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5042.0 Safari/537.36 Report generated by Cloudflare-WAF-To-AbuseIPDB: https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB ```
My profile: https://www.abuseipdb.com/user/158699
## πŸ“₯ Installation 1. Clone the repository. ```bash git clone https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB.git ``` 2. Install dependencies. ```bash npm install ``` 3. Create a new configuration file. ```bash cp config.default.js config.js ``` 4. Paste the tokens into the `config.js` file. Make sure that `NODE_ENV` is set to `production`. ```bash nano config.js ``` 5. Run the script. ```bash node . ``` 6. If you want to run the process 24/7, install the [PM2](https://www.npmjs.com/package/pm2) module. ```bash npm install pm2 -g ``` 7. Modify the log paths in the `ecosystem.config.js` file to be correct and existing. You don't need to create `.log` files, just ensure the directory structure is accurate. 8. Run the process continuously using `PM2` to ensure constant operation and automatic restart in case of a failure. ```bash pm2 start ``` 9. Save a snapshot of the currently running `Node.js` processes. ```bash pm2 save ``` 10. Add `PM2` to startup. ```bash pm2 startup ``` 11. Execute the command generated by PM2, e.g.: ```bash sudo env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u sefinek --hp /home/sefinek ``` 12. That’s it! Monitor logs using the `pm2 logs` command. ## πŸ”€ How to Get Tokens? ### `CLOUDFLARE_ZONE_ID` ![](images/brave_UY5737SsDdlS.png) ### `CLOUDFLARE_API_KEY` 1. Go to [dash.cloudflare.com/profile/api-tokens](https://dash.cloudflare.com/profile/api-tokens). 2. Click the `Create Token` button. 3. Select `Create Custom Token`. 4. ![](images/brave_oWibgugvXlTH.png) ### `ABUSEIPDB_API_KEY` Visit [www.abuseipdb.com/account/api](https://www.abuseipdb.com/account/api). ## πŸ˜‰ Issues and Pull requests If you need help or have any questions, feel free to create a new [Issue](https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB/issues). If you'd like to contribute to the project, go ahead and open a [Pull request](https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB/pulls). Thank you! ## πŸ’• Credits This project is inspired by the [MHG-LAB/Cloudflare-WAF-to-AbuseIPDB](https://github.com/MHG-LAB/Cloudflare-WAF-to-AbuseIPDB) repository. I'm not particularly fond of Python and usually try to avoid using this programming language, which is why I decided to create this repository. ## πŸ“‘ [MIT License](LICENSE) Copyright 2024-2025 Β© by [Sefinek](https://sefinek.net). All Rights Reserved.