A Node.js script that automates the reporting of incidents detected by Cloudflare WAF to AbuseIPDB ☁️🕵️

sefinek/Cloudflare-WAF-To-AbuseIPDB

Cloudflare WAF to AbuseIPDB ☁️🕵️

This project offers an automated script that collects and reports IP addresses that have triggered Cloudflare firewall events. In simple terms, it enables the reporting of incidents detected by Cloudflare WAF to the AbuseIPDB database.

If you're looking for effective WAF Expressions, you're in the right place! Check out sefinek/Cloudflare-WAF-Expressions. Also, take a look at sefinek/UFW-AbuseIPDB-Reporter for UFW.

If you like this repository or find it useful, I would greatly appreciate it if you could give it a ⭐ star. Thanks a lot!

πŸ› οΈ Requirements

βœ… Features

  1. Easy Configuration - The config.js file allows for quick and simple configuration.
  2. Simple Installer - Enables fast and seamless deployment and integration.
  3. Bulk Reporting Support - If the script hits a rate limit, it will immediately start buffering IP addresses and send a bulk report once the limit is lifted.
  4. Self-IP Protection (IPv4 & IPv6) - Automatically excludes the server's own public and local IPs from reports, including dynamic addresses.
  5. Discord Webhooks Integration:
    • Critical notifications
    • Script error alerts
    • Daily summaries of reported IPs
  6. Automatic Updates - The script regularly fetches and applies the latest updates. You can disable this if you prefer.

📃 Information

If you want to make changes to the script from this repository, please kindly fork it first.

🌌 Example Report

Triggered Cloudflare WAF (securitylevel) from T1.
Action taken: MANAGED_CHALLENGE
ASN: 53667 (PONYNET)
Protocol: HTTP/1.0 (GET method)
Endpoint: /
Timestamp: 2024-11-09T19:20:18Z
Rule ID: badscore
UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5042.0 Safari/537.36

This report was generated by:
https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB
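
The self-IP exclusion from the feature list and the report layout shown above, as an added example that is not the project's own code. The event field names, the helper names, the 200-character cap and the query-string stripping are assumptions of this sketch, and the sample data is constructed.

```javascript
// Added example, not the project's code. Event field names are hypothetical.
const net = require('node:net');
const os = require('node:os');

// Loopback, private, link-local and unique-local ranges (IPv4 and IPv6).
const LOCAL = [['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['169.254.0.0', 16], ['::1', 128], ['fc00::', 7], ['fe80::', 10]];
const fam = ip => ({ 4: 'ipv4', 6: 'ipv6' })[net.isIP(ip)];

// Addresses that must never be reported: local ranges, interface addresses
// and the host's public IPs (rebuild the list when a dynamic address changes).
function buildSelfList(publicIps = [], ifaces = os.networkInterfaces()) {
  const list = new net.BlockList();
  for (const [prefix, len] of LOCAL) list.addSubnet(prefix, len, fam(prefix));
  const own = Object.values(ifaces).flat().map(i => i.address.split('%')[0]);
  for (const ip of [...own, ...publicIps]) if (fam(ip)) list.addAddress(ip, fam(ip));
  return list;
}

// Client-controlled values land in a public report: strip control characters
// (so a header cannot forge extra report lines) and cap the length.
const clean = (v, max = 200) => String(v ?? '').replace(/[\x00-\x1f\x7f]/g, '').slice(0, max);

function formatReport(e) {
  return [
    `Triggered Cloudflare WAF (${clean(e.source)}) from ${clean(e.country)}.`,
    `Action taken: ${clean(e.action).toUpperCase()}`,
    `ASN: ${clean(e.asn)} (${clean(e.asnName)})`,
    `Protocol: ${clean(e.protocol)} (${clean(e.method)} method)`,
    `Endpoint: ${clean(e.path).split('?')[0]}`, // query strings may carry secrets
    `Timestamp: ${clean(e.timestamp)}`,
    `Rule ID: ${clean(e.ruleId)}`,
    `UA: ${clean(e.userAgent)}`,
  ].join('\n');
}

// One report per source IP; own and unparsable addresses are skipped.
function selectReports(events, selfList) {
  const seen = new Set();
  return events.filter(e => {
    const family = fam(e.ip);
    if (!family || selfList.check(e.ip, family) || seen.has(e.ip)) return false;
    seen.add(e.ip);
    return true;
  }).map(e => ({ ip: e.ip, comment: formatReport(e) }));
}

// Constructed sample event (documentation address) mirroring the report above.
const SAMPLE = { ip: '203.0.113.7', source: 'securitylevel', country: 'T1',
  action: 'managed_challenge', asn: 53667, asnName: 'PONYNET', protocol: 'HTTP/1.0',
  method: 'GET', path: '/', timestamp: '2024-11-09T19:20:18Z', ruleId: 'badscore', userAgent: 'curl/8.0' };
```
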

📥 Installation

  1. Clone the repository.
    git clone --recurse-submodules https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB.git 
  2. Install dependencies.
    cd Cloudflare-WAF-To-AbuseIPDB && npm install
  3. Create a new configuration file.
    cp config.default.js config.js
  4. Paste the tokens into the config.js file.
    nano config.js
  5. Run the script.
    node .
  6. If you want to run the process 24/7, install the PM2 module.
    npm install -g pm2
  7. Update the log paths in the ecosystem.config.js file so that they point to existing directories. You don't need to create the .log files themselves; just make sure the directory structure exists.
  8. Run the process continuously using PM2 to ensure constant operation and automatic restart in case of a failure.
    pm2 start
  9. Save a snapshot of the currently running Node.js processes.
    pm2 save
  10. Add PM2 to startup.
    eval "$(pm2 startup | grep sudo)"
  11. That's it! Monitor logs using the pm2 logs command.

Configuration – Required Tokens & IDs

CLOUDFLARE_ZONE_IDS

  • Accepts a string or an array of Zone IDs:
    CLOUDFLARE_ZONE_IDS: 'zone-id-1'
  • If you manage multiple zones, pass them as an array:
    CLOUDFLARE_ZONE_IDS: ['zone-id-1', 'zone-id-2']

CLOUDFLARE_API_KEY

  1. Go to dash.cloudflare.com/profile/api-tokens.
  2. Click Create Token.
  3. Select Create Custom Token.
  4. Refer to the screenshot for required permissions:

ABUSEIPDB_API_KEY

Visit www.abuseipdb.com/account/api and copy your API key.

😉 Issues and Pull requests

If you need help or have any questions, feel free to create a new Issue. If you'd like to contribute to the project, go ahead and open a Pull request. Thank you!

Copyright 2024-2025 © by Sefinek. All Rights Reserved.