Created
August 27, 2021 22:16
-
-
Save ethanclevenger91/3d8ac77bba9d3e113a36d2fdb54223f6 to your computer and use it in GitHub Desktop.
fail2ban action for a Cloudflare account (rather than user)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Author: Mike Rushton | |
| # | |
| # IMPORTANT | |
| # | |
| # Please set jail.local's permission to 640 because it contains your CF API key. | |
| # | |
| # This action depends on curl (and optionally jq). | |
| # Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE | |
| # | |
| # To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account | |
| # | |
| # CloudFlare API error codes: https://www.cloudflare.com/docs/host-api.html#s4.2 | |
| [Definition] | |
| # Option: actionstart | |
| # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). | |
| # Values: CMD | |
| # | |
| actionstart = | |
| # Option: actionstop | |
| # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) | |
| # Values: CMD | |
| # | |
| actionstop = | |
| # Option: actioncheck | |
| # Notes.: command executed once before each actionban command | |
| # Values: CMD | |
| # | |
| actioncheck = | |
| # Option: actionban | |
| # Notes.: command executed when banning an IP. Take care that the | |
| # command is executed with Fail2Ban user rights. | |
| # Tags: <ip> IP address | |
| # <failures> number of failures | |
| # <time> unix timestamp of the ban time | |
| # Values: CMD | |
| # | |
| # API v1 | |
| #actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>' | |
| # API v4 | |
| actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \ | |
| -d '{"mode":"block","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"Fail2Ban <name>"}' \ | |
| <_cf_api_url> | |
| # Option: actionunban | |
| # Notes.: command executed when unbanning an IP. Take care that the | |
| # command is executed with Fail2Ban user rights. | |
| # Tags: <ip> IP address | |
| # <failures> number of failures | |
| # <time> unix timestamp of the ban time | |
| # Values: CMD | |
| # | |
| # API v1 | |
| #actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>' | |
| # API v4 | |
| actionunban = id=$(curl -s -X GET <_cf_api_prms> \ | |
| "<_cf_api_url>?mode=block&configuration_target=<cftarget>&configuration_value=<ip>&page=1&per_page=1¬es=Fail2Ban%%20<name>" \ | |
| | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; }) | |
| if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi; | |
| curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id" | |
| _cf_api_url = https://api.cloudflare.com/client/v4/accounts/<cfaccount>/firewall/access_rules/rules | |
| _cf_api_prms = -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' -H 'Content-Type: application/json' | |
| [Init] | |
| # If you like to use this action with mailing whois lines, you could use the composite action | |
| # action_cf_mwl predefined in jail.conf, just define in your jail: | |
| # | |
| # action = %(action_cf_mwl)s | |
| # # Your CF account e-mail | |
| # cfemail = | |
| # # Your CF API Key | |
| # cfapikey = | |
| cftoken = | |
| cfuser = | |
| cfaccount = | |
| cftarget = ip | |
| [Init?family=inet6] | |
| cftarget = ip6 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment