Skip to content

Instantly share code, notes, and snippets.

@bdtech
Created June 17, 2013 14:19
Show Gist options
  • Save bdtech/5797234 to your computer and use it in GitHub Desktop.
Save bdtech/5797234 to your computer and use it in GitHub Desktop.
OSSEC active response to block an IP at the Cloudflare reverse proxy level who triggers errors in short time frame in nginx logs. Required: Ossec config: sample to block IPs with multiple 500 errors or 400 errors within a minute or two timeframe. /var/ossec/etc/ossec.conf <command> <name>cloudflare-ban</name> <executable>cloudflare-ban.sh</execu…
#!/bin/sh
# Adds an IP to Cloudflare IP block list
# Path: /var/ossec/active-response/bin/cloudflare-ban.sh
#
ACTION=$1
USER=$2
IP=$3
PWD=`pwd`
TKN='CF API KEY'
CFEMAIL='[email protected]'
# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5" >> /var/ossec/logs/active-responses.log
# IP Address must be provided
if [ "x${IP}" = "x" ]; then
echo "$0: Missing argument <action> <user> (ip)"
exit 1;
fi
# Adding the ip to null route
if [ "x${ACTION}" = "xadd" ]; then
curl https://www.cloudflare.com/api_json.html \
-d 'a=ban' \
-d 'key='${IP} \
-d 'tkn='${TKN} \
-d 'email='${CFEMAIL} | /usr/bin/mail -s "CLOUDFLARE BANNED - ${IP}" root
exit 0;
# Deleting from null route
# be carefull not to remove your default route
elif [ "x${ACTION}" = "xdelete" ]; then
curl https://www.cloudflare.com/api_json.html \
-d 'a=nul' \
-d 'key='${IP} \
-d 'tkn='${TKN} \
-d 'email='${CFEMAIL} | /usr/bin/mail -s "CLOUDFLARE UNBANNED - ${IP}" root
exit 0;
# Invalid action
else
echo "$0: invalid action: ${ACTION}"
fi
exit 1;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment