How to Identify and Block Malicious IPs: A Complete Guide Using Wazuh and Cloudflare

Updated
3 min read

Website security is a constant battle against malicious actors attempting to compromise your digital assets. One of the most effective defensive strategies is identifying repeat attackers and blocking their IP addresses at the edge level. In this comprehensive guide, we'll walk through the process of using Wazuh to identify attacking IPs and Cloudflare to block them effectively.

Step 1: Identifying Malicious IPs with Wazuh

Setting Up Your Wazuh Query

The first step is to identify which IP addresses are repeatedly attacking your website. We'll use a specific Wazuh rule that filters out private IP ranges and focuses only on public IPs that are generating attack patterns.

The Wazuh Filter Rule:

rule.groups:attack AND NOT data.srcip:172.31.* AND NOT data.srcip:192.168.* AND NOT data.srcip:10.*

Understanding the Filter Components

Let's break down this rule:

  • rule.groups:attack - Captures all events classified as attacks

  • NOT data.srcip:172.31.* - Excludes AWS private IP range

  • NOT data.srcip:192.168.* - Excludes private network range

  • NOT data.srcip:10.* - Excludes internal network range

This narrows the results to source addresses outside those three private prefixes, i.e. traffic arriving from the public internet. Note that 172.31.* covers only the AWS default VPC block, not the whole 172.16.0.0/12 private range; extend the filter if your internal hosts use other parts of it.

Executing the Query in Wazuh

  1. Access Wazuh Dashboard

    • Log into your Wazuh dashboard

    • Navigate to the "Discover" section

  2. Apply the Filter

    • In the search bar, enter your filter rule

    • Set an appropriate time range (last 24 hours, 7 days, etc.)

    • Click "Search" to execute the query

  3. Analyze the Results

    • Look for patterns in the data.srcip field

    • Sort by frequency to identify the most active attacking IPs

    • Note the types of attacks each IP is attempting

Identifying Top Attacking IPs

To get a clear view of the most problematic IPs:

  1. Create a Visualization

    • Go to "Visualize" in Wazuh

    • Create a new "Data Table" visualization

    • Use your attack filter as the base query

    • Add data.srcip as a bucket aggregation

    • Sort by count (descending)

  2. Export the Data

    • Export the top 20-50 attacking IPs

    • Include attack counts and types for documentation

    • Save this data for your Cloudflare blocking process
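The dashboard steps above can be reproduced from the raw alert stream when you want the same list on a schedule or without the UI. The script below is an added example, not Wazuh code or part of the original guide: it reads alert records in the one-JSON-object-per-line shape of Wazuh's alerts.json, keeps only alerts whose rule.groups contains "attack", drops source IPs in private ranges, and counts hits per data.srcip. The sample alerts are constructed for the demonstration; the field names rule.groups and data.srcip are the ones the page's query uses. It goes slightly beyond the page's filter by excluding the full 172.16.0.0/12 range plus loopback and link-local addresses rather than only 172.31.*, 192.168.* and 10.*.

```python
"""Count attacking source IPs from Wazuh alerts.json-style records (added example)."""
import ipaddress
import json
from collections import Counter

# Ranges that can never be an internet-facing attacker. Assumption: the page's
# three prefixes, widened to the complete RFC 1918 blocks, plus loopback and link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample alerts (not real Wazuh output). Only the fields the
# dashboard filter uses are present: rule.groups and data.srcip.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"rule": {"groups": ["web", "attack"], "id": "31103"}, "data": {"srcip": "203.0.113.45"}},
    {"rule": {"groups": ["web", "attack"], "id": "31103"}, "data": {"srcip": "203.0.113.45"}},
    {"rule": {"groups": ["web", "attack"], "id": "31103"}, "data": {"srcip": "203.0.113.45"}},
    {"rule": {"groups": ["web", "attack"], "id": "31104"}, "data": {"srcip": "198.51.100.78"}},
    {"rule": {"groups": ["web", "attack"], "id": "31104"}, "data": {"srcip": "198.51.100.78"}},
    {"rule": {"groups": ["web", "attack"], "id": "31106"}, "data": {"srcip": "192.168.1.100"}},  # private, dropped
    {"rule": {"groups": ["web", "attack"], "id": "31106"}, "data": {"srcip": "172.31.5.9"}},     # AWS VPC, dropped
    {"rule": {"groups": ["web", "attack"], "id": "31106"}, "data": {"srcip": "172.20.0.3"}},     # private but not 172.31.*
    {"rule": {"groups": ["web", "accesslog"], "id": "31100"}, "data": {"srcip": "203.0.113.9"}}, # not an attack group
    {"rule": {"groups": ["syscheck"], "id": "550"}},                                            # no srcip at all
])


def is_external(ip: str) -> bool:
    """True when ip parses and lies outside every range in PRIVATE_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in PRIVATE_NETS)


def top_attackers(alert_lines: str, limit: int = 20) -> list[tuple[str, int]]:
    """Mirror the dashboard query: rule.groups has 'attack' and data.srcip is external.

    Returns (srcip, count) pairs sorted by count, most active first.
    """
    counts: Counter = Counter()
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        if "attack" not in alert.get("rule", {}).get("groups", []):
            continue
        srcip = alert.get("data", {}).get("srcip")
        if srcip and is_external(srcip):
            counts[srcip] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    # With a real deployment, read /var/ossec/logs/alerts/alerts.json instead of SAMPLE_ALERTS.
    for ip, hits in top_attackers(SAMPLE_ALERTS):
        print(f"{ip:<16} {hits}")
```

Feeding the output of top_attackers into the Cloudflare step gives the same list the Data Table visualization produces, and the private-range check is applied in code rather than relying on the query's three wildcards.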

Step 2: Blocking IPs in Cloudflare Using Custom Rules

Now that you've identified the malicious IPs from Wazuh, it's time to block them using Cloudflare's Custom Rules feature. This method provides the most flexibility and is the recommended approach for blocking malicious IPs.

  1. Navigate to Security Rules

    • Log into your Cloudflare dashboard

    • Select your domain

    • Go to "Security" → "Security Rules"

    • Click on "Custom Rules"

  2. Create a New Custom Rule

    • Click the "Create custom rule" button

    • Give your rule a descriptive name: "Block Malicious IPs - [Date]"

  3. Configure the Rule Fields

    For a Single IP Address:

    • Field: Select "IP Source Address"

    • Operator: Select "equals"

    • Value: Enter the malicious IP address (e.g., 192.168.1.100)

    For Multiple IP Addresses (Recommended):

    • Field: Select "IP Source Address"

    • Operator: Select "is in"

    • Value: Enter multiple IPs separated by spaces:

      192.168.1.100 203.0.113.45 198.51.100.78 203.0.113.156

    For IP Ranges/CIDR:

    • Field: Select "IP Source Address"

    • Operator: Select "is in"

    • Value: Enter CIDR notation (e.g., 192.168.1.0/24)

  4. Set the Action

    • Choose "Block" from the action dropdown

    • Optionally, you can add a custom response message

  5. Save and Deploy

    • Click "Save and Deploy" to activate the rule

    • The rule will be active immediately
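The "is in" value box and the rule expression editor both accept the same Cloudflare Rules language form, ip.src in {…} with space-separated addresses and CIDRs. The script below is an added example, not Cloudflare's code or part of the original guide: it takes the exported Wazuh list, rejects entries that cannot be internet sources (the page's sample list contains 192.168.1.100, an RFC 1918 address that Cloudflare would never see as a client IP), merges overlapping CIDRs so the set stays short, and emits the expression plus a rule object in the action/expression/description/enabled shape Cloudflare's custom rules use. It constructs that object but makes no API call; the sample input is constructed for the demonstration.

```python
"""Build a Cloudflare custom-rule expression from a Wazuh IP list (added example)."""
import ipaddress
import json

# Same assumption as in the Wazuh step: these ranges never reach Cloudflare as client IPs.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed input: the page's sample list, a CIDR that overlaps two of its
# entries, one IPv6 address, and a malformed entry.
SAMPLE_ENTRIES = [
    "192.168.1.100", "203.0.113.45", "198.51.100.78", "203.0.113.156",
    "203.0.113.0/24", "2001:db8::1", "bogus",
]


def normalize_entries(entries: list[str]) -> tuple[list[str], list[str]]:
    """Validate and de-duplicate IPs/CIDRs.

    Returns (kept, rejected). Kept entries are collapsed so that a host already
    covered by a listed CIDR is not repeated; single hosts are emitted without
    a prefix length, networks as CIDR, which is what the rule expression expects.
    """
    nets, rejected = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if any(net.subnet_of(p) for p in PRIVATE_NETS if p.version == net.version):
            rejected.append(raw)
            continue
        nets.append(net)
    # collapse_addresses requires a single address family per call
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    kept = [
        str(n.network_address) if n.prefixlen == n.max_prefixlen else n.with_prefixlen
        for n in (*v4, *v6)
    ]
    return kept, rejected


def build_expression(entries: list[str]) -> str:
    """Cloudflare Rules language: ip.src in {a b c/24 ...}."""
    kept, _ = normalize_entries(entries)
    return "ip.src in {" + " ".join(kept) + "}"


def build_rule(entries: list[str], description: str) -> dict:
    """Rule object in the shape of a Cloudflare custom rule (action, expression, description, enabled)."""
    return {
        "action": "block",
        "description": description,
        "expression": build_expression(entries),
        "enabled": True,
    }


if __name__ == "__main__":
    kept, rejected = normalize_entries(SAMPLE_ENTRIES)
    print("rejected:", rejected)
    print(json.dumps(build_rule(SAMPLE_ENTRIES, "Block Malicious IPs - [Date]"), indent=2))
```

Review the rejected list before deploying: an entry that fails validation usually means the Wazuh export picked up an internal host, which points at a missing private-range exclusion in the query rather than at an attacker to block.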