Last active
June 28, 2023 23:19
-
-
Save pramoso/124470e26fbc821073b3eda11f9a093e to your computer and use it in GitHub Desktop.
Fail2ban Cloudflare Firewall API token V4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Author: Logic-32 | |
| # | |
| # IMPORTANT | |
| # | |
| # Please set jail.local's permission to 640 because it contains your CF API token. | |
| # | |
| # This action depends on curl. | |
| # | |
| # To get your Cloudflare API token: https://developers.cloudflare.com/api/tokens/create/ | |
| # | |
| # Cloudflare Firewall API: https://developers.cloudflare.com/firewall/api/cf-firewall-rules/endpoints/ | |
| [Definition] | |
| # Option: actionstart | |
| # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). | |
| # Values: CMD | |
| # | |
| actionstart = | |
| # Option: actionstop | |
| # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) | |
| # Values: CMD | |
| # | |
| actionstop = | |
| # Option: actioncheck | |
| # Notes.: command executed once before each actionban command | |
| # Values: CMD | |
| # | |
| actioncheck = | |
| # Option: actionban | |
| # Notes.: command executed when banning an IP. Take care that the | |
| # command is executed with Fail2Ban user rights. | |
| # Tags: <ip> IP address | |
| # <failures> number of failures | |
| # <time> unix timestamp of the ban time | |
| # Values: CMD | |
| actionban = curl -s -X POST "<_cf_api_url>" \ | |
| <_cf_api_prms> \ | |
| --data '{"mode":"<cfmode>","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"<notes>"}' | |
| # Option: actionunban | |
| # Notes.: command executed when unbanning an IP. Take care that the | |
| # command is executed with Fail2Ban user rights. | |
| # Tags: <ip> IP address | |
| # <failures> number of failures | |
| # <time> unix timestamp of the ban time | |
| # Values: CMD | |
| # | |
| actionunban = id=$(curl -s -X GET "<_cf_api_url>" \ | |
| --data-urlencode "mode=<cfmode>" --data-urlencode "notes=<notes>" --data-urlencode "configuration.target=<cftarget>" --data-urlencode "configuration.value=<ip>" \ | |
| <_cf_api_prms> \ | |
| | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \ | |
| | tr -d ' "' \ | |
| | head -n 1) | |
| if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found using target <cftarget>"; exit 0; fi; \ | |
| curl -s -X DELETE "<_cf_api_url>/$id" \ | |
| <_cf_api_prms> \ | |
| --data '{"cascade": "none"}' | |
| # We dont ban ip by specific cloudfare zone, instead we ban ip on all sites | |
| # _cf_api_url = https://api.cloudflare.com/client/v4/zones/<cfzone>/firewall/access_rules/rules | |
| _cf_api_url = https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules | |
| _cf_api_prms = -H "Authorization: Bearer <cftoken>" -H "Content-Type: application/json" | |
| [Init] | |
| # Declare your Cloudflare Authorization Bearer Token in the [DEFAULT] section of your jail.local file. | |
| # The Cloudflare <ZONE_ID> of hte domain you want to manage. | |
| # | |
| # cfzone = | |
| # Your personal Cloudflare token. Ideally restricted to just have "Zone.Firewall Services" permissions. | |
| # | |
| # cftoken = | |
| # Target of the firewall rule. Default is "ip" (v4). | |
| # | |
| cftarget = ip | |
| # The firewall mode Cloudflare should use. Default is "block" (deny access). | |
| # Consider also "js_challenge" or other "allowed_modes" if you want. | |
| # | |
| cfmode = block | |
| # The message to include in the firewall IP banning rule. | |
| # | |
| notes = Fail2Ban <name> | |
| [Init?family=inet6] | |
| cftarget = ip6 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment