Cloudflare Integration

Automatically block malicious IPs using Cloudflare’s Web Application Firewall.

Prerequisites

• A Cloudflare account
• Your website proxied through Cloudflare
• An API token with appropriate permissions

Creating a Cloudflare API Token

1. Log into Cloudflare Dashboard

2. Go to My Profile → API Tokens

3. Click Create Token

4. Use Custom Token with these permissions:

   Resource	Permission
   Zone > Firewall Services	Edit
   Zone > Zone Settings	Read
   Zone > Zone	Read

5. Copy the generated token (shown only once)

Setting Up the Integration

1. Go to Integrations → Cloudflare

2. Click Add Cloudflare Integration

3. Enter your credentials:

   Field	Description
   API Token	Your Cloudflare API token
   Account ID	Your Cloudflare account ID
   Zone ID	The zone (domain) to protect
   Zone Name	Domain name (e.g., yoursite.com)

4. Click Connect

5. WebDecoy verifies the connection

Finding Your Account ID and Zone ID

Account ID:

1. Go to any domain in Cloudflare dashboard
2. Look in the right sidebar under “API”
3. Copy the “Account ID”

Zone ID:

1. Go to the specific domain
2. Look in the right sidebar under “API”
3. Copy the “Zone ID”

Creating Blocking Rules

After connecting Cloudflare, set up automatic blocking:

1. Go to Integrations → Cloudflare → Rules

2. Click Add Rule

3. Configure the rule:

   Setting	Description
   Rule Type	Block All or Block by Score
   Decoy	Which decoy triggers the rule
   Score Threshold	Minimum score to trigger (if by score)
   Block Duration	How long to block (hours)

4. Click Create Rule

Rule Types

Block All:

• Blocks any IP that triggers the selected decoy
• Best for honeypots that should never be accessed

Block by Score:

• Only blocks IPs with threat score above threshold
• Recommended for most use cases
• Reduces false positives

Recommended Settings

Scenario	Score Threshold	Block Duration
High security	50+	72 hours
Standard protection	70+	24 hours
Conservative	85+	12 hours

How Blocking Works

Detection Created (score: 85)
        │
        ▼
Cloudflare Rule Evaluated
        │
        ├── Score >= Threshold? → Yes
        │
        ▼
Create Firewall Rule in Cloudflare
        │
        ├── Action: Block
        ├── IP: 192.168.1.100
        └── Expires: 24 hours
        │
        ▼
IP Blocked at Cloudflare Edge

Managing Blocked IPs

Viewing Blocked IPs

1. Go to Integrations → Cloudflare
2. Click View Blocked IPs
3. See list of currently blocked IPs with:
   • IP address
   • Block reason (detection ID)
   • Expiration time
   • Manual unblock option

Unblocking an IP

1. Find the IP in the blocked list
2. Click Unblock
3. Confirm the action
4. IP is immediately removed from Cloudflare firewall

Best Practices

Do’s

• ✅ Use a dedicated API token (not global API key)
• ✅ Start with high score threshold (75+) and adjust down
• ✅ Set reasonable block durations (24h is a good default)
• ✅ Test with a known IP before production use
• ✅ Monitor blocked IP list for false positives

Don’ts

• ❌ Use your global Cloudflare API key
• ❌ Set threshold too low initially (causes false positives)
• ❌ Set block duration to “forever” (IPs change hands)
• ❌ Block without monitoring results

Troubleshooting

”Invalid API Token” Error

1. Verify token was copied correctly (no extra spaces)
2. Check token hasn’t expired
3. Ensure token has required permissions
4. Try creating a new token

”Zone Not Found” Error

1. Verify Zone ID is correct
2. Ensure token has access to that zone
3. Check zone is active in Cloudflare

IPs Not Being Blocked

1. Verify integration is connected (green status)
2. Check rule is enabled
3. Verify detection score meets threshold
4. Check Cloudflare firewall rules directly

Blocks Not Expiring

1. Check block duration setting
2. Note: Cloudflare may cache rules briefly
3. Blocks should auto-expire based on duration

---

Next Steps

• Webhooks - Custom event processing
• Slack - Real-time notifications
• Overview - All integrations