Skip to content

Instantly share code, notes, and snippets.

@DecentM
Forked from bdtech/cloudflare-ban.sh
Created January 25, 2016 12:53
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save DecentM/a43db1b017071baee92e to your computer and use it in GitHub Desktop.
Save DecentM/a43db1b017071baee92e to your computer and use it in GitHub Desktop.
OSSEC active response to block an IP at the Cloudflare reverse proxy level who triggers errors in short time frame in nginx logs. Required: Ossec config: sample to block IPs with multiple 500 errors or 400 errors within a minute or two timeframe. /var/ossec/etc/ossec.conf <command> <name>cloudflare-ban</name> <executable>cloudflare-ban.sh</execu…
#!/bin/sh
# Adds an IP to Cloudflare IP block list
# Path: /var/ossec/active-response/bin/cloudflare-ban.sh
#
ACTION=$1
USER=$2
IP=$3
PWD=`pwd`
TKN='CF API KEY'
CFEMAIL='useremail@email.com'
# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5" >> /var/ossec/logs/active-responses.log
# IP Address must be provided
if [ "x${IP}" = "x" ]; then
echo "$0: Missing argument <action> <user> (ip)"
exit 1;
fi
# Adding the ip to null route
if [ "x${ACTION}" = "xadd" ]; then
curl https://www.cloudflare.com/api_json.html \
-d 'a=ban' \
-d 'key='${IP} \
-d 'tkn='${TKN} \
-d 'email='${CFEMAIL} | /usr/bin/mail -s "CLOUDFLARE BANNED - ${IP}" root
exit 0;
# Deleting from null route
# be carefull not to remove your default route
elif [ "x${ACTION}" = "xdelete" ]; then
curl https://www.cloudflare.com/api_json.html \
-d 'a=nul' \
-d 'key='${IP} \
-d 'tkn='${TKN} \
-d 'email='${CFEMAIL} | /usr/bin/mail -s "CLOUDFLARE UNBANNED - ${IP}" root
exit 0;
# Invalid action
else
echo "$0: invalid action: ${ACTION}"
fi
exit 1;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment