OSSEC active response to block, at the Cloudflare reverse-proxy level, an IP that triggers errors in the nginx logs within a short time frame. Required:
OSSEC config: sample to block IPs that produce multiple 500 or 400 errors within a one- or two-minute time frame.
/var/ossec/etc/ossec.conf <command> <name>cloudflare-ban</name> <executable>cloudflare-ban.sh</execu…
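#!/bin/sh
# Adds an IP to Cloudflare IP block list
# Path: /var/ossec/active-response/bin/cloudflare-ban.sh
#
# OSSEC active-response convention: $1 = action (add|delete), $2 = user,
# $3 = source IP extracted from the matched log line. Only add/delete are
# handled; any other action exits 1.
#
ACTION=${1-}
IP=${3-}
LOG=/var/ossec/logs/active-responses.log

# Cloudflare credentials. TKN is a secret: the value below is a placeholder,
# and the real key should live in a root-only file that this script reads,
# not in a world-readable script.
TKN='CF API KEY'
CFEMAIL='[email protected]'

# Logging the call (same line format as before; $4/$5 are normally empty)
printf '%s\n' "$(date) $0 $1 $2 $3 $4 $5" >> "${LOG}"

# IP Address must be provided
if [ -z "${IP}" ]; then
  printf '%s: Missing argument <action> <user> (ip)\n' "$0" >&2
  exit 1
fi

# The IP was parsed by OSSEC out of a log line an attacker may have
# influenced, so treat it as untrusted: accept only the characters an
# IPv4/IPv6 literal can contain. This keeps shell metacharacters and form
# field separators (&, =) out of the request body and the mail subject.
if ! printf '%s' "${IP}" | grep -Eq '^[0-9A-Fa-f.:]+$'; then
  printf '%s: refusing non-IP value: %s\n' "$0" "${IP}" >&2
  exit 1
fi

#######################################
# Call the legacy Cloudflare JSON API and mail the raw response to root.
# Arguments: $1 - Cloudflare action ('ban' to block, 'nul' to unblock)
#            $2 - mail subject
# Globals:   IP, TKN, CFEMAIL (read)
# The parameters are given through curl's config on stdin (-K -) rather
# than on the command line, so the API key is not visible in `ps`. Each
# value is URL-encoded by curl; TKN must not contain '"' or '\' (curl
# config quoting).
#######################################
cf_api() {
  cf_action=$1
  subject=$2
  curl -s -S --max-time 30 -K - <<EOF | /usr/bin/mail -s "${subject}" root
url = "https://www.cloudflare.com/api_json.html"
data-urlencode = "a=${cf_action}"
data-urlencode = "key=${IP}"
data-urlencode = "tkn=${TKN}"
data-urlencode = "email=${CFEMAIL}"
EOF
}

# Adding the IP to the Cloudflare ban list
if [ "${ACTION}" = "add" ]; then
  cf_api ban "CLOUDFLARE BANNED - ${IP}"
  exit 0
# Removing the IP from the ban list ('nul' is the legacy API's unban action)
elif [ "${ACTION}" = "delete" ]; then
  cf_api nul "CLOUDFLARE UNBANNED - ${IP}"
  exit 0
# Invalid action
else
  printf '%s: invalid action: %s\n' "$0" "${ACTION}" >&2
fi
exit 1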