Do You Use Cloudflare? Blocking with API by @RMcCurdyDOTcom


So I was trying to do some testing using my website and noticed my logs are filled with garbage scanners/crackers. The issue with this is that if you use Cloudflare you can't simply block the IPs, because all the requests come from Cloudflare (in theory). This is where the Cloudflare API comes in. Here is what the script does:

  • looks for IPs that have downloaded my proxy list
  • looks for people that got a 301 (scanners, crackers, etc.)
  • removes duplicates and adds them to /tmp/tmp
  • removes all the existing IPs from the Cloudflare block list by ID
  • adds the IPs from the list and, where possible, puts the abuse email address from whois information in the notes field

You need to have the Cloudflare Apache mod ("mod_cloudflare.c") installed first.

You may also need to play with the Apache conf to get the output to your liking. Here is mine:

ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

Here is the bash script. Unfortunately, you can't delete all rules; you have to remove each ID, as far as I could tell.

# The API URLs were lost from the original page: varapiurl is a placeholder name for the
# Cloudflare access rules endpoint. Set it and varapikey (your API key) before running.
echo look for people that downloaded the good.txt
tail -n 1000 /var/log/apache2/* | grep "\/\.scripts\/proxy\/good.txt" | awk '{print $1}' | egrep -via "(25.0.0|google)" | sort -u > /tmp/tmp
sleep 5
echo look for people that got 301
tail -n 1000 /var/log/apache2/* | grep "\/scripts\/proxy\/good.txt" | awk '{print $1}' | egrep -via "(25.0.0|google)" | sort -u >> /tmp/tmp
sleep 5
echo wipe the block list the max limit per page is past 50 so ... whatever ..
export varemail='[email protected]'
# unblock 1000: list the existing rules and pull out the ID of every "block" rule
for i in `curl -X GET "$varapiurl" -H "X-Auth-Email: $varemail" -H "X-Auth-Key: $varapikey" -H "Content-Type: application/json" | grep -B 7 "block" | grep id | sed 's/.*: \"//g' | sed 's/\",//g'`
do
echo DEBUG: $i
# rules can only be deleted one ID at a time
curl -s -X DELETE "$varapiurl/$i" -H "X-Auth-Email: $varemail" -H "X-Auth-Key: $varapikey" -H "Content-Type: application/json" &
sleep 1
done
echo blocking /tmp/tmp `wc -l /tmp/tmp` IPs
sleep 5
for i in `cat /tmp/tmp|sort|uniq`
do
#whois $i | grep decsr|head -n 1
# first abuse mailbox from whois, used as the note on the rule
export varwhois=`whois "$i" | grep abuse-mailbox: | grep -oE "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" | head -n 1`
echo $varwhois
curl -s -X POST "$varapiurl" -H "X-Auth-Email: $varemail" -H "X-Auth-Key: $varapikey" -H "Content-Type: application/json" --data '{"mode":"block","configuration":{"target":"ip","value":"'"${i}"'"},"notes":"'"${varwhois}"'"}'
sleep 1
done
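
The script above sends column 1 of the access log and a whois field straight into a request made with the account API key, so it helps to check both first. The following is an added example, not the author's code: the function names are hypothetical and the sample values are constructed. It validates each candidate, skips private addresses and builds the JSON body with the notes escaped.

```shell
#!/bin/sh
# Added example, not the author's script. All function names are hypothetical.

OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'

# True only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  case $1 in ''|*[!0-9.]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eqx "$OCTET(\.$OCTET){3}"
}

# True for loopback, RFC 1918 and link-local addresses, which should not end up in a block list.
is_private_ipv4() {
  case $1 in
    10.*|127.*|192.168.*|169.254.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Escape a string for use inside a JSON string literal; control characters are dropped.
json_escape() {
  printf '%s' "$1" | tr -d '\000-\037' | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Print the JSON body for one block rule, or return 1 without output.
build_block_rule() {
  is_ipv4 "$1" || return 1
  if is_private_ipv4 "$1"; then return 1; fi
  printf '{"mode":"block","configuration":{"target":"ip","value":"%s"},"notes":"%s"}\n' \
    "$1" "$(json_escape "$2")"
}

# Constructed column-1 values: a duplicate, a private address, a bad octet, and the
# "%v:%p" field that a vhost_combined line puts first.
sample_candidates() {
  printf '%s\n' 203.0.113.7 203.0.113.7 198.51.100.23 192.168.1.20 999.1.1.1 example.com:80
}

# Deduplicate, then emit one payload per acceptable address (skips go to stderr).
build_all() {
  sample_candidates | sort -u | while IFS= read -r ip; do
    build_block_rule "$ip" 'abuse@example.net' || echo "skipped: $ip" >&2
  done
}

build_all
```

Each line that build_all prints is a body that could be passed to the POST call's --data in place of the hand-concatenated string.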

Previously published at