README.md

usage

ban.py

`kubectl logs --all-containers=true --tail=20 -f -l workload.user.cattle.io/workloadselector=web | python2 ./ban.py`

ratecounter.py

`kubectl logs --all-containers=true --tail=20 -f -l workload.user.cattle.io/workloadselector=web | python2 ratecounter.py web`
`kubectl logs --all-containers=true --tail=20 -f -l workload.user.cattle.io/workloadselector=tracker | python2 ratecounter.py tracker`

sample

02:14:09 web Avg,All: 0.0,1.9/s, T5: 36.157.x.x: 0.1/s, 220.184.x.x: 0.0/s, 124.78.x.x: 0.0/s, 117.30.x.x: 0.0/s, 113.118.x.x: 0.0/s 02:15:28 tracker Avg,All: 0.1,147.5/s, T5: 27.184.x.x: 1.7/s, 180.111.x.x: 1.7/s, 49.80.x.x: 1.6/s, 220.17.x.x: 1.3/s, 112.32.x.x: 1.2/s

ban ('164.68.107.152', '302', '/torrents.php') 16

fail2ban.py

#!/usr/bin/env python2
import sys

from collections import Counter
import requests


counter = Counter()

import requests

headers = {
    'X-Auth-Email': '',
    'X-Auth-Key': '',
    'Content-Type': 'application/json',
}

data_tmp = '{"mode":"block","configuration":{"target":"ip","value":"%s"},"notes":"Banned by Fail2Ban:%s"}'

# response = requests.post('https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules', headers=headers, data=data)

banned = set()

for line in sys.stdin:
  s = line.split()
  if len(s) <= 8:
  	continue
  ip, code, url = s[0], s[8], s[6]
  if ip in banned:
  	continue
  # print s
  if s[8] != "200":
    counter[(ip,code,url)] += 1
    if counter[(ip,code,url)] > 15:
      print "ban", (ip,code,url), counter[(ip,code,url)]
      data = data_tmp % (ip, "%s-%sx%s" % (url,code, counter[(ip,code,url)]))
      response = requests.post('https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules', headers=headers, data=data)
      print response.json()
      # break
      del counter[(ip,code,url)]
      banned.add(ip)

ratecounter.py

#!/usr/bin/env python2
import sys
import time
from collections import deque, Counter
import logging

logging.basicConfig(level=logging.DEBUG, datefmt="%H:%M:%S", format='%(asctime)s %(name)s%(message)s')
logger = logging.getLogger((sys.argv[1] + " ") if len(sys.argv) > 1 else "")

c = Counter()
q = deque() #("ip", timestamp)
dur = 60
ban = set()
interval = 3

last_report = 0
for line in sys.stdin:
	now = time.time()
	ip = line.split()[0]
	# popleft if too old
	while q:
		lastip, ts = q[0]
		if now - ts > dur:
			q.popleft()
			c.subtract((lastip,))
			if c[lastip] <= 0:
				del c[lastip]
			continue
		break
	# append and add to counter
	q.append((ip, now))
	c.update((ip,))
	if now - last_report > interval:
		rates = []
		if now > q[0][1]:
			for ip, count in c.most_common(5):
				rates.append("%s: %0.1f/s" % (ip, count/(now-q[0][1])))
			all_ = len(q) / (now-q[0][1])
			avg = all_ / len(c)
			logger.debug("Avg,All: %0.1f,%0.1f/s, T5: %s", avg, all_, ", ".join(rates))
		last_report = now

unban.py

import CloudFlare

def main():
    cf = CloudFlare.CloudFlare(email=", token="")
    zone_info = cf.zones.get(params={'name': 'xxx.com'})
    # print zone_info
    rules = (cf.user.firewall.access_rules.rules.get(params = {'per_page':1000}))
    print "rules:", len(rules)
    for rule in rules[410:]:
    	print "deleting", rule
    	print "delete", cf.user.firewall.access_rules.rules.delete(rule["id"])


if __name__ == '__main__':
    main()