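#!/bin/bash
# Block the Censys scanner ranges with ufw.
# The ranges are the ones published in the censys.io FAQ
# (https://support.censys.io/hc/en-us/articles/360038378552-Frequently-Asked-Questions);
# re-check that page before running, the list may have changed since this was written.
# Requires root (ufw).
set -euo pipefail

# Published Censys scanner ranges (IPv4 CIDR). Kept inside the script instead of
# a fixed, world-writable file under /tmp (which the original appended to on every
# run), so another local user cannot alter what ends up in the firewall rules.
readonly CENSYS_RANGES=(
  "74.120.14.0/24"
  "162.142.125.0/24"
  "167.248.133.0/24"
  "192.35.168.0/23"
)

#######################################
# Check that a string has the shape of an IPv4 CIDR (a.b.c.d/n).
# Only the shape is checked, not the octet range; it keeps anything
# that is not a prefix away from the ufw command line.
# Arguments: $1 - candidate string
# Returns:   0 if it matches, 1 otherwise
#######################################
is_ipv4_cidr() {
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]]
}

#######################################
# Add one ufw deny rule per Censys range.
# Globals:   CENSYS_RANGES (read)
# Outputs:   ufw output on stdout, diagnostics on stderr
# Returns:   non-zero if ufw fails (set -e aborts the script)
#######################################
main() {
  local range
  for range in "${CENSYS_RANGES[@]}"; do
    if ! is_ipv4_cidr "$range"; then
      printf 'skipping malformed range: %s\n' "$range" >&2
      continue
    fi
    ufw deny from "$range" to any comment 'censys scanners'
  done
}

main "$@"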
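#!/bin/bash
# Allow 443/tcp only from Cloudflare and AWS CloudFront edge ranges, so the
# origin is reachable through the CDN but not addressed directly.
# Thanks https://github.com/Paul-Reed/cloudflare-ufw
# Requires: curl, jq, ufw (root) and network access to the two publishers.
set -euo pipefail

readonly CF_IPV4_URL='https://www.cloudflare.com/ips-v4'
readonly CF_IPV6_URL='https://www.cloudflare.com/ips-v6'
readonly AWS_RANGES_URL='https://ip-ranges.amazonaws.com/ip-ranges.json'

# Private scratch directory. The original wrote to fixed, predictable paths in
# /tmp and appended (>>) on every run, so a stale or planted file could feed
# extra prefixes into 'ufw allow'. mktemp + trap avoids both problems.
tmpdir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

#######################################
# Fetch a URL over HTTPS only, failing on HTTP errors instead of silently
# writing an error page into the prefix list (the original used plain -s).
# Arguments: $1 - URL
# Outputs:   response body on stdout
# Returns:   curl's exit status
#######################################
fetch() {
  curl -fsS --proto '=https' -- "$1"
}

#######################################
# Check that a string has the shape of an IPv4 or IPv6 CIDR prefix.
# Shape only; it exists so that nothing but a prefix reaches ufw.
# Arguments: $1 - candidate string
# Returns:   0 if it looks like a CIDR, 1 otherwise
#######################################
is_cidr() {
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] \
    || [[ "$1" =~ ^[0-9A-Fa-f:]+/[0-9]{1,3}$ ]]
}

#######################################
# Add a ufw allow rule on 443/tcp for every prefix listed in a file.
# Arguments: $1 - file with one CIDR per line
#            $2 - comment attached to each rule
# Outputs:   ufw output on stdout, skipped entries on stderr
#######################################
allow_https_from_list() {
  local list=$1 label=$2 prefix
  # '|| [[ -n ... ]]' keeps a last line without a trailing newline.
  while IFS= read -r prefix || [[ -n "$prefix" ]]; do
    [[ -z "$prefix" ]] && continue
    if ! is_cidr "$prefix"; then
      printf 'skipping unexpected entry in %s: %s\n' "$list" "$prefix" >&2
      continue
    fi
    ufw allow proto tcp from "$prefix" to any port 443 comment "$label"
  done < "$list"
}

#######################################
# Download both lists into the scratch directory, then add the rules.
# Globals:   CF_IPV4_URL, CF_IPV6_URL, AWS_RANGES_URL, tmpdir (read)
#######################################
main() {
  # Cloudflare IPv4 & IPv6 list ('>' then '>>' so the file starts fresh each run)
  fetch "$CF_IPV4_URL" > "$tmpdir/cf_ips"
  fetch "$CF_IPV6_URL" >> "$tmpdir/cf_ips"
  # AWS CloudFront IPv4 list (CloudFront currently only supports IPv4 origin access)
  fetch "$AWS_RANGES_URL" \
    | jq -r '.prefixes | .[] | select(.service == "CLOUDFRONT") | .ip_prefix' \
    > "$tmpdir/awscf_ips"

  # Allow all traffic from Cloudflare IPs on port 443/tcp
  allow_https_from_list "$tmpdir/cf_ips" 'Cloudflare IP'
  # Allow all traffic from CloudFront IPs on port 443/tcp
  allow_https_from_list "$tmpdir/awscf_ips" 'Cloudfront IPv4'
}

main "$@"

# OTHER EXAMPLE RULES
# Cloudflare IPv4 list only: drop the CF_IPV6_URL fetch in main.
# Cloudflare IPv6 list only: drop the CF_IPV4_URL fetch in main.
# Restrict to port 80/tcp: change 'port 443' in allow_https_from_list to 'port 80'.
# Restrict to port 80/tcp & 443/tcp: change it to 'port 80,443'.
# Allow any port: remove 'port 443' from the ufw line entirely.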