CloudFlare Support
-
Hey mate
Great plugin, I use it extensively. It would be great if, by default, CF-Connecting-IP were returned as the remote address (otherwise it’ll show the Railgun IP instead on a Pro/Business account), or if PROXIES were turned on by default, as so many networks these days are proxied via nginx or similar.
Cheers
-
On CF you shouldn’t use fail2ban because fail2ban would block CF servers, not clients.
I wrote a piece of code for the CF API to block IP addresses.
Are you interested?
Hi,
Fix and fixed – mod_cloudflare makes Apache2 log the real visitor IP. Then we’ve made a fail2ban action that bans the IP using the CF API, since iptables is no longer effective.
Thanks
If you reach thousands of IPs:
https://gist.github.com/szepeviktor/d717a921a9c0d87ef622
Cheers. Currently we’re doing about 16,000 unique IPs per week, but that’s manageable.
We also have another WP plugin that stops PHP executing for any IP after 3 failed login attempts, as sometimes CF can take a few minutes to update.
The combination of CF blocking fail2ban IPs and PHP not responding seems to work well.
Thanks for the link!
Would you mind sharing that action?
https://github.com/fail2ban/fail2ban
This is my general WP fail2ban plugin:
https://github.com/szepeviktor/wordpress-plugin-construction/blob/master/wordpress-fail2ban/mu-plugin/errorlog-404.php
And this is a very strict login checker:
https://github.com/szepeviktor/wordpress-plugin-construction/blob/master/mu-wordpress-block-bad-requests/wp-login-bad-request.inc.php
Hi,
When I get the CF API working reliably I will, I don’t want to share shoddy code. Haha.
The main bit that’s working well is an action that logs IPs to a file, then a WP filter that prevents PHP execution:
actionban = echo <ip> | awk -F\. '{print ($4)+($3*256)+($2*256*256)+($1*256*256*256) d}' "d=,$(date)" >> /etc/agilis-banned-ips
(storing in int format for speed)
function agilis_login_filter_ips() {
    // Ban file written by the fail2ban action above: one "<ip as integer>,<date>" line per ban.
    $handle = fopen("/etc/agilis-banned-ips", "r");
    if ($handle) {
        // agilis_get_ip() is the plugin's own helper that returns the real visitor IP.
        $visitor = ip2long(agilis_get_ip());
        while (($line = fgets($handle)) !== false) {
            $linearray = explode(',', $line);
            if (count($linearray) > 0 && $visitor == $linearray[0]) {
                echo '<h2>Banned</h2>';
                echo '<p><strong>IP:</strong> ' . long2ip($linearray[0]) . '</p>';
                if (count($linearray) > 1) {
                    echo '<p><strong>Since:</strong> ' . $linearray[1] . '</p>';
                }
                echo '<br/><em>Agilis Login Filter</em>';
                if (function_exists('http_response_code')) {
                    http_response_code(503);
                } else {
                    header((isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0') . ' 503 Service Unavailable');
                    $GLOBALS['http_response_code'] = 503;
                }
                exit;
            }
        }
        // Only close a handle that was actually opened; the original closed it even after fopen() failed.
        fclose($handle);
    } else {
        echo 'Error reading file';
    }
}
add_action('login_form_login', 'agilis_login_filter_ips');
Oh and nice code, I might pinch some of that.
I’ll probably create a Google Code project for this plugin when it grows.
Hi guys, I use Cloudflare and I have installed the Cloudflare Apache module, but I’m not savvy on iptables and fail2ban. Could you provide some simple instructions to make this work with Cloudflare?
Hey Damian,
Yeah we would be happy to help you out – want to PM me some more details and I’ll send you some instructions specific to your situation?
e.g. operating system and version, use case, server type, etc.
Cheers
Sure, I’m running on Debian 7.8 + nginx + php-fpm. If you want, give me an email, or write to me at info at timersys.com
Thanks for your help!
Hey Damian,
Ah okay, the Apache module won’t be a huge help to you there – nginx uses its own modules.
I’m not too up to scratch on nginx, but https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx- shows that you can use the RealIP module and then give it the CF IP range and header attribute.
I hope that helps!
Sorry, when I said I have the Apache module installed I meant that I already got nginx configured to show the real IP. What I don’t know is how to move on from there.
I usually have two types of attacks: XML-RPC and POST requests to wp-login.php.
Dear Damian!
We are in the same shoes.
I log WP attacks into the webserver’s (Apache or Nginx) error log.
BTW I am a fail2ban contributor.
Please see my VERY STRICT home-made solution for your (our) problem:
https://github.com/szepeviktor/wordpress-plugin-construction/tree/master/wordpress-fail2ban
The corresponding fail2ban settings
https://github.com/szepeviktor/debian-server-tools/tree/master/security/fail2ban-conf
“block-bad-requests” is the PHP part that should run from wp-config; the mu-plugin is the WP part that prepares for the worst attacks. So these two are not like a normal WP plugin, as I think a normal plugin is executed way too late. Please see the subdirs and the comments in the source code.
Please DO NOT use fail2ban in a CF setup!
If you are able to develop a plugin (actually copy&paste) then your solution is ready. You need to replace the trigger() function with
https://github.com/szepeviktor/wordpress-plugin-construction/blob/master/wordpress-fail2ban/ban-methods/f2b-tarpit-CF-apache-WP-LLA-itsec-LSEC.php#L75-L98
Your contacting IP is always a CF IP, so you shouldn’t (fail2)ban those. Actually I white-list contacting CF IPs in my fail2ban config.
These few lines communicate with the CF API; they call functions from the “CloudFlare” plugin, so you need that plugin installed as well.
https://www.ads-software.com/plugins/cloudflare/
After a few months you’ll have zillions of IPs blocked:
https://gist.github.com/szepeviktor/d717a921a9c0d87ef622
All the best wishes to you!
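Two points in this thread are worth seeing in working code: the Agilis post earlier keeps its bans in a file of integer-encoded IPs, and the post above stresses that the address connecting to the origin is always a Cloudflare edge, so the visitor address has to come from CF-Connecting-IP. The following Python is an added example, not code from this thread, from fail2ban or from the linked plugins. It trusts CF-Connecting-IP only when the TCP peer falls inside a trusted proxy range; otherwise a client that reaches the origin directly could put any address in that header and choose who gets banned. The two CIDR ranges are a constructed sample standing in for Cloudflare's published list, the ban-file format follows the awk action in the thread, and the function names are mine.

```python
import ipaddress
from datetime import datetime

# Constructed sample of edge ranges for this example. In production load the
# list Cloudflare publishes and keep it current; nothing here fetches it.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("173.245.48.0/20"),
    ipaddress.ip_network("103.21.244.0/22"),
]


def client_ip(remote_addr, headers, trusted=TRUSTED_PROXY_RANGES):
    """Return the address worth logging and banning.

    CF-Connecting-IP is honoured only when the TCP peer is inside a trusted
    proxy range. A request that reaches the origin directly can carry any
    header value, so trusting it unconditionally would let an attacker pick
    the IP that gets banned (or dodge the ban entirely).
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in trusted):
        forwarded = headers.get("CF-Connecting-IP", "").strip()
        if forwarded:
            return str(ipaddress.ip_address(forwarded))
    return str(peer)


def ip_to_int(ip):
    """Same integer the thread's awk one-liner produces for IPv4
    (a*16777216 + b*65536 + c*256 + d); ipaddress also covers IPv6,
    which the awk version cannot."""
    return int(ipaddress.ip_address(ip))


def ban_record(ip, when=None):
    """One ban-file line: '<ip as integer>,<timestamp>'."""
    when = when or datetime.now()
    return f"{ip_to_int(ip)},{when:%a %b %d %H:%M:%S %Y}"


def load_bans(text):
    """Parse the ban file into {int_ip: since}. Malformed lines are skipped
    rather than raised, so one bad write cannot take the login page down."""
    bans = {}
    for line in text.splitlines():
        num, sep, since = line.partition(",")
        if not sep or not num.strip().isdigit():
            continue
        bans[int(num)] = since.strip()
    return bans


def banned_since(ip, bans):
    """Return the ban timestamp for ip, or None when it is not banned."""
    return bans.get(ip_to_int(ip))


# Constructed sample ban file in the format above (one deliberately broken line).
SAMPLE_BAN_FILE = (
    "3405803783,Mon Mar  2 10:15:42 2015\n"   # 203.0.113.7
    "garbage line without a comma\n"
    "3325256709,Mon Mar  2 10:20:01 2015\n"   # 198.51.100.5
)

if __name__ == "__main__":
    bans = load_bans(SAMPLE_BAN_FILE)
    # Proxied request: the edge is the peer, so the header is trusted.
    visitor = client_ip("173.245.48.10", {"CF-Connecting-IP": "203.0.113.7"})
    print(visitor, banned_since(visitor, bans))
    # Direct request forging the header: the header is ignored, the peer is used.
    print(client_ip("198.51.100.5", {"CF-Connecting-IP": "10.0.0.1"}))
    print(ban_record("192.0.2.1"))
```

Run stand-alone it prints the resolved visitor for a proxied request together with its ban timestamp, then shows that a forged header on a direct connection is ignored. The same `client_ip` rule is what a fail2ban filter or a PHP early-exit hook needs behind Cloudflare: ban what the header says, never the peer, and only believe the header when the peer is an edge.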
After thinking about it a bit more:
https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare.conf
I am surprised that I didn’t know about it.