Skip to content

nesrual/fail2ban-cloudflare

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
README.md
README.md
 
 
cloudflare.conf
cloudflare.conf
 
 
cloudflare_api_manager.rb
cloudflare_api_manager.rb
 
 
nginx-roboo.conf
nginx-roboo.conf
 
 

Repository files navigation

fail2ban-cloudflare - for Cloudflare API V4

Integrate Fail2ban with Cloudflare API (V4) to mitigate HTTP flooding attacks using Nginx and Roboo.

Requirements:

  1. Nginx
  2. Roboo (https://github.com/yuri-gushin/Roboo)
  3. Fail2ban
  4. A Cloudflare account (https://www.cloudflare.com/a/sign-up)
  5. Ruby 1.9.3 or later

Get your Cloudflare API Key

  1. Signup to Cloudflare: https://www.cloudflare.com/a/sign-up

  2. Go to https://www.cloudflare.com/a/account/my-account and select View API Key.

  3. Setup your site(s) to use Cloudflare

Configure Fail2ban

  1. Install Fail2ban on the server running Nginx and Roboo.

  2. Add the nginx-roboo.conf file to your filter.d dir.

  3. Add the cloudflare.conf file to your action.d dir.

  4. Edit the cloudflare_api_manager.rb file and set your CLOUDFLARE_USERNAME and CLOUDFLARE_API_KEY (line 8 and 9).

  5. Optional add any proxy information if you need to access Cloudflare via a proxy server (line 15 to 18).

  6. Add the following to your jail.conf file:

    [nginx-roboo]
enabled   = true
port      = all
filter    = nginx-roboo
banaction = cloudflare
logpath   = /var/log/nginx/challenged.log
maxretry  = 250

  7. Add the cloudflare_api_manager.rb script to a location accessible to the fail2ban user and set appropriate permissions. Remember that your Cloudflare API keys are stored in this script so handle with care!

  8. Verify that an IP is added to your Cloudflare firewall by banning an IP:

    /path/to/ruby /path/to/cloudflare_api_manager.rb ban 1.2.3.4

  9. Verify that the IP is removed from your Cloudflare firewall by unbanning the IP:

    /path/to/ruby /path/to/cloudflare_api_manager.rb unban 1.2.3.4

  10. Restart Fail2ban

This will make Fail2ban monitor the file /var/log/nginx/challenged.log and each client with more than 250 challenge attempts will be banned using the cloudflare filter.

Bad clients will automatically be banned (presented with a Google reCAPTCHA challenge) at Cloudflare instead of continuously hitting your server. After the defined bantime clients are automatically removed from the blacklist again.

It might be a good idea to whitelist the IP range of Cloudflare in Fail2ban using the ignoreip section. A current list of the IP ranges of Cloudflare can be found here: https://www.cloudflare.com/ips/

NOTE: At the moment Fail2ban doesn't work with IPv6 so it might be a good idea to disable IPv6 support in the Cloudflare admin interface for each site you want to protect using Fail2ban.

About

Integrate fail2ban with Cloudflare API

Resources

Readme
Activity

Stars

23 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages