Integrate Fail2ban with Cloudflare API (V4) to mitigate HTTP flooding attacks using Nginx and Roboo.
- Roboo (https://github.com/yuri-gushin/Roboo)
- A Cloudflare account (https://www.cloudflare.com/a/sign-up)
- Ruby 1.9.3 or later
Get your Cloudflare API Key
- Sign up for Cloudflare: https://www.cloudflare.com/a/sign-up
- Go to https://www.cloudflare.com/a/account/my-account and select View API Key.
- Set up your site(s) to use Cloudflare
Fail2ban on the server running Nginx and Roboo.
- Add the nginx-roboo.conf file to your
- Add the cloudflare.conf file to your
- Edit the cloudflare_api_manager.rb file and set your CLOUDFLARE_API_KEY (line 8 and 9).
- Optionally, add any proxy information if you need to access Cloudflare via a proxy server (line 15 to 18).
- Add the following to your
    [nginx-roboo]
    enabled = true
    port = all
    filter = nginx-roboo
    banaction = cloudflare
    logpath = /var/log/nginx/challenged.log
    maxretry = 250
- Add the cloudflare_api_manager.rb script to a location accessible to the fail2ban user and set appropriate permissions. Remember that your Cloudflare API keys are stored in this script so handle with care!
- Verify that an IP is added to your Cloudflare firewall by banning an IP:
/path/to/ruby /path/to/cloudflare_api_manager.rb ban 18.104.22.168
- Verify that the IP is removed from your Cloudflare firewall by unbanning the IP:
/path/to/ruby /path/to/cloudflare_api_manager.rb unban 22.214.171.124
This will make Fail2ban monitor the file /var/log/nginx/challenged.log and each client with more than 250 challenge attempts will be banned using the
Bad clients will automatically be banned (presented with a Google reCAPTCHA challenge) at Cloudflare instead of continuously hitting your server. After the defined bantime clients are automatically removed from the blacklist again.
It might be a good idea to whitelist the IP range of Cloudflare in Fail2ban using the ignoreip section. A current list of the IP ranges of Cloudflare can be found here: https://www.cloudflare.com/ips/
NOTE: At the moment Fail2ban doesn’t work with IPv6 so it might be a good idea to disable IPv6 support in the Cloudflare admin interface for each site you want to protect using Fail2ban.
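One way to enforce the two caveats above (ignoring Cloudflare's own ranges and never acting on IPv6) before an address reaches the ban script, as an added example that is not part of the original project. `ignoreip_line` and `ban_decision` are hypothetical helpers, and the ranges are RFC 5737 documentation networks standing in for the list at https://www.cloudflare.com/ips/.

```ruby
require 'ipaddr'

# Constructed stand-ins (RFC 5737 documentation networks). In a real setup,
# use the current IPv4 list from https://www.cloudflare.com/ips/ instead.
IGNORE_RANGES = %w[198.51.100.0/24 203.0.113.0/24].freeze

# Hypothetical helper: value for the ignoreip option of the Fail2ban jail.
def ignoreip_line(ranges, extra = ['127.0.0.1/8'])
  "ignoreip = #{(extra + ranges).join(' ')}"
end

# Hypothetical helper: decide whether an address may be passed to the ban
# script. Returns [allowed, reason].
def ban_decision(address, ranges = IGNORE_RANGES)
  # Accept a single host address only: no empty input, no CIDR notation.
  if !address.is_a?(String) || address.empty? || address.include?('/')
    return [false, :malformed]
  end

  begin
    ip = IPAddr.new(address)
  rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
    return [false, :malformed]
  end

  # The page notes that Fail2ban does not handle IPv6, so never act on it.
  return [false, :ipv6_unsupported] if ip.ipv6?

  # Addresses inside the ignored ranges (Cloudflare's proxies) are never banned.
  if ranges.any? { |cidr| IPAddr.new(cidr).include?(ip) }
    return [false, :ignored_range]
  end

  [true, :ok]
end

if __FILE__ == $PROGRAM_NAME
  puts ignoreip_line(IGNORE_RANGES)
  # Constructed sample inputs.
  %w[192.0.2.10 198.51.100.7 2001:db8::1 not-an-ip].each do |addr|
    allowed, reason = ban_decision(addr)
    puts format('%-14s allowed=%-5s reason=%s', addr, allowed, reason)
  end
end
```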