非凡居

非凡居

fail2ban-cloudflare – for Cloudflare Api

feifanLinux/Win, 未分类

Integrate Fail2ban with Cloudflare API (V4) to mitigate HTTP flooding attacks using Nginx and Roboo.

Requirements:

  1. Nginx
  2. Roboo (https://github.com/yuri-gushin/Roboo)
  3. Fail2ban
  4. A Cloudflare account (https://www.cloudflare.com/a/sign-up)
  5. Ruby 1.9.3 or later

Get your Cloudflare API Key

  1. Signup to Cloudflare: https://www.cloudflare.com/a/sign-up
  2. Go to https://www.cloudflare.com/a/account/my-account and select View API Key.
  3. Setup your site(s) to use Cloudflare

Configure Fail2ban

  1. Install Fail2ban on the server running Nginx and Roboo.
  2. Add the nginx-roboo.conf file to your filter.d dir.
  3. Add the cloudflare.conf file to your action.d dir.
  4. Edit the cloudflare_api_manager.rb file and set your CLOUDFLARE_USERNAME and CLOUDFLARE_API_KEY (line 8 and 9).
  5. Optional add any proxy information if you need to access Cloudflare via a proxy server (line 15 to 18).
  6. Add the following to your jail.conf file: 
    [nginx-roboo]
enabled   = true
port      = all
filter    = nginx-roboo
banaction = cloudflare
logpath   = /var/log/nginx/challenged.log
maxretry  = 250
  7. Add the cloudflare_api_manager.rb script to a location accessible to the fail2ban user and set appropriate permissions. Remember that your Cloudflare API keys are stored in this script so handle with care!
  8. Verify that an IP is added to your Cloudflare firewall by banning an IP: 
    /path/to/ruby /path/to/cloudflare_api_manager.rb ban 1.2.3.4
  9. Verify that the IP is removed from your Cloudflare firewall by unbanning the IP: 
    /path/to/ruby /path/to/cloudflare_api_manager.rb unban 1.2.3.4
  10. Restart Fail2ban

This will make Fail2ban monitor the file /var/log/nginx/challenged.log and each client with more than 250 challenge attempts will be banned using the cloudflare filter.

Bad clients will automatically be banned (presented with a Google reCAPTCHA challenge) at Cloudflare instead of continuously hitting your server. After the defined bantime clients are automatically removed from the blacklist again.

It might be a good idea to whitelist the IP range of Cloudflare in Fail2ban using the ignoreip section. A current list of the IP ranges of Cloudflare can be found here: https://www.cloudflare.com/ips/

NOTE: At the moment Fail2ban doesn’t work with IPv6 so it might be a good idea to disable IPv6 support in the Cloudflare admin interface for each site you want to protect using Fail2ban.

继续阅读

滑动侧栏

非凡居

最新发布

分类目录

文章归档

标签

Armbian centos centos7 CentOS7修改DNS CentOS7修改IP地址 CentOS7修改网关 Cloudflare dz dz3.4 ffmpeg linux Office365开发版E5 PackageKit php php数组 Railgun ssl证书 Ubuntu vestacp wget win10激活 win10系统激活 windows Windows Server 2019 Datacenter Windows Server 2019 Standard yum 临时收信 临时收信搭建 临时邮箱 临时邮箱搭建 临时邮箱绑定域名 域名选择 如何选择域名 宝塔 宝塔专业版破解 搭建邮箱 树莓派 武汉加油 武汉加油php 武汉加油头像 注册域名的选择 用户ip 甲骨文 绑定域名 阿里小号

友情链接

字符猫