Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#
# Author: Antoine Aflalo
# Source: https://gist.github.com/Belphemur/986ced5abe0aea303707c6df62f2c9c4/
# Referenced from: https://www.aaflalo.me/2017/03/fail2ban-and-cloudflare/
#
# To get your Cloudflare API key: https://www.cloudflare.com/my-account
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = /usr/local/sbin/cloudflare-firewall <cfuser> <cftoken> <cfzone> add <ip> "<name> after <failures> failures at <time>"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = /usr/local/sbin/cloudflare-firewall <cfuser> <cftoken> <cfzone> remove <ip>
[Init]
# Default Cloudflare API token
cftoken = API_KEY
# Default Cloudflare username
cfuser = USER_NAME
# Default Zone
cfzone = ZONE_ID
#Name of ban
name = fail2ban
#!/bin/bash
# Antoine Aflalo (https://www.aaflalo.me)
# Create a IP ban on CloudFlare.
# Remove a IP ban on CloudFlare.
#
# usage: cloudflare-firewall <cfuser> <cftoken> <cfzoneid> <note>
# <cfuser> : You CloudFlare username
# <cftoken> : CF API Token in your profile
# <cfzoneid> : The ID assigned by CloudFlare to your website
# <note> : An optional note to the firewall rule
add() {
local IP="${1}"; shift
local NOTE="$@"
curl -g -X POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/firewall/access_rules/rules" \
-H "X-Auth-Email: $CF_USER" \
-H "X-Auth-Key: $CF_TOKEN" \
-H "Content-Type: application/json" \
--data @- << EOF
{"mode":"challenge","configuration":{"target":"ip","value":"$IP"},"notes":"$NOTE"}
EOF
}
remove() {
local IP="${1}"
local RULE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/firewall/access_rules/rules?configuration_target=ip&configuration_value=${IP}" \
-H "X-Auth-Email: $CF_USER" \
-H "X-Auth-Key: $CF_TOKEN" \
-H "Content-Type: application/json" | jq ".result|.[]|.id")
RULE_ID="${RULE_ID%\"}"
RULE_ID="${RULE_ID#\"}"
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/firewall/access_rules/rules/${RULE_ID}" \
-H "X-Auth-Email: $CF_USER" \
-H "X-Auth-Key: $CF_TOKEN" \
-H "Content-Type: application/json" \
--data '{"cascade":"basic"}'
}
CF_USER="$1"; shift
CF_TOKEN="$1"; shift
CF_ZONEID="$1"; shift
HANDLER="$1"; shift
if [[ "${HANDLER}" =~ ^(add|remove)$ ]]; then
"$HANDLER" "$@"
fi
# From https://www.cloudflare.com/ips 2017-01-30
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
#IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment