Do You Use Cloudflare? Blocking with API


@RMcCurdyDOTcom

http://RMcCurdy.com

So I was trying to do some testing using my website and noticed my logs are filled with garbage scanners/crackers. The issue with this is that if you use Cloudflare you can't simply block the IPs at the origin, because every request reaches your server from Cloudflare's edge addresses (in theory; anyone who discovers the origin address can still hit it directly). A firewall rule on the origin for the real visitor IP therefore does nothing; the block has to live at Cloudflare's edge, and that is where the Cloudflare API comes in. Here is what the script does:
  • looks for IPs that have downloaded my proxy list
  • looks for people that got a 301 (scanners and crackers etc.)
  • removes duplicates and adds them to /tmp/tmp
  • removes all the existing IP rules from the Cloudflare block list, one rule ID at a time
  • adds the IPs from the list, putting the abuse e-mail address from whois in the notes field where one is found
You need to have the Cloudflare Apache module (mod_cloudflare) installed first. Without it, %h in your logs is a Cloudflare edge address rather than the visitor's; the module rewrites it from the CF-Connecting-IP header that Cloudflare adds to every proxied request. (Cloudflare has since deprecated mod_cloudflare in favour of Apache's own mod_remoteip, which does the same job.)
https://www.google.com/search?q=cloudflare+apache+mod+"mod_cloudflare.c" 
You may also need to play with the Apache conf to get the output to your liking. Here is mine. Note that the script below takes the first field of each log line as the client IP, which holds for the combined format but not for vhost_combined, where the first field is %v:%p.
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Here is the bash script. Unfortunately you can't delete all rules in one call; you have to remove each rule by ID as far as I could tell. The script needs curl, jq (to pull the rule IDs out of the JSON response) and whois. A few things worth knowing before you run it: the Global API Key gives whoever obtains it full control of your account, so a scoped API token is the safer credential to put in a cron job; rules created under /user/... apply to every zone in the account (use /zones/<zone_id>/firewall/access_rules/rules to block on one site only); and because log fields and whois output are spliced straight into a JSON body, the script accepts nothing but IP literals and only the first abuse address it finds.
#!/bin/bash
# Global API Key plus e-mail, as in the original; a scoped API token
# (-H "Authorization: Bearer $token") is the safer credential.
export varemail='freeload101@yahoo.com'
export varapikey='61b9XXXXXXXXXXXXXXXXXXXXXXXX'
api='https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules'
auth=(-H "X-Auth-Email: $varemail" -H "X-Auth-Key: $varapikey" -H "Content-Type: application/json")
# Sources never to block: own range and crawlers, matched against the %h field
# (so "google" only has an effect when HostnameLookups puts hostnames in %h).
exclude='(25.0.0|google)'

echo look for people that downloaded the good.txt
# $1 is %h, the visitor IP once mod_cloudflare is active (combined format only).
tail -n 1000 /var/log/apache2/* | grep '/\.scripts/proxy/good.txt' | awk '{print $1}' | grep -Eiva "$exclude" | sort -u > /tmp/tmp
sleep 5
echo look for people that requested the path without the leading dot, which gets them a 301
tail -n 1000 /var/log/apache2/* | grep '/scripts/proxy/good.txt' | awk '{print $1}' | grep -Eiva "$exclude" | sort -u >> /tmp/tmp
sleep 5

echo wipe the block list one rule ID at a time, page by page
# Results are paginated, so re-read page 1 until no mode=block rule is left.
# The pass counter keeps a rule that refuses to delete from looping forever.
pass=0
while [ $pass -lt 50 ]; do
  pass=$((pass + 1))
  ids=$(curl -s -X GET "$api?page=1&per_page=100&mode=block" "${auth[@]}" | jq -r '.result[]?.id')
  [ -z "$ids" ] && break
  for i in $ids; do
    echo DEBUG: $i
    curl -s -X DELETE "$api/$i" "${auth[@]}" > /dev/null
    sleep 1
  done
done

echo blocking `wc -l < /tmp/tmp` IPs from /tmp/tmp
sleep 5
for i in `sort -u /tmp/tmp`; do
  # $i is spliced into a JSON body, so accept nothing but an IPv4/IPv6 literal.
  echo "$i" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]+$' || continue
  # First abuse address from whois, if any; the e-mail regex keeps the notes field JSON-safe.
  varwhois=`whois $i | grep -i 'abuse-mailbox:' | grep -oE '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b' | head -n 1`
  echo "$i $varwhois"
  curl -s -X POST "$api" "${auth[@]}" --data '{"mode":"block","configuration":{"target":"ip","value":"'"$i"'"},"notes":"'"$varwhois"'"}'
  sleep 1
done
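The log-to-blocklist step, as an added offline example that is not the post's script: it runs the same selection over a handful of constructed Apache access-log lines, applies the exclusion to the extracted address field, copes with the vhost_combined layout as well as combined, and builds the JSON body the POST above sends, without touching the API. The function names (extract_offenders, build_block_body, dry_run), the addresses (RFC 5737/3849 documentation ranges), the 25.0.0. prefix standing in for the author's own range, and the placeholder note text are all assumptions made up for the example.

```shell
#!/bin/bash
# Added example, not the original post's script: an offline dry run of the
# log-to-blocklist pipeline. No network calls; every address is constructed.

# Constructed sample lines. All are "combined" format except line 5, which is
# "vhost_combined" (leading %v:%p field). 25.0.0.3 plays the author's own range.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /.scripts/proxy/good.txt HTTP/1.1" 200 1234 "-" "curl/7.64"
198.51.100.9 - - [10/Oct/2023:10:00:02 +0000] "GET /scripts/proxy/good.txt HTTP/1.1" 301 0 "-" "python-requests/2.0"
25.0.0.3 - - [10/Oct/2023:10:00:03 +0000] "GET /.scripts/proxy/good.txt HTTP/1.1" 200 1234 "-" "my-own-cron"
198.51.100.42 - - [10/Oct/2023:10:00:04 +0000] "GET /.scripts/proxy/good.txt HTTP/1.1" 200 1234 "-" "masscan/1.0"
example.com:443 203.0.113.7 - - [10/Oct/2023:10:00:05 +0000] "GET /scripts/proxy/good.txt HTTP/1.1" 301 0 "-" "curl/7.64"
2001:db8::1 - - [10/Oct/2023:10:00:06 +0000] "GET /.scripts/proxy/good.txt HTTP/1.1" 200 1234 "-" "scanner"
192.0.2.5 - - [10/Oct/2023:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 5678 "-" "Mozilla/5.0"'

# Address prefixes never to block: the post's own-range placeholder (assumption).
ALLOW_RE='^25\.0\.0\.'
# Plausible IPv4 or IPv6 literal; nothing else may reach a JSON body or the API.
IP_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]+:[0-9A-Fa-f:]*$'

# Reads log lines on stdin and prints the unique client addresses that requested
# the proxy list, with or without the leading dot (the post's two cases).
extract_offenders() {
  grep -E '"(GET|HEAD|POST) /\.?scripts/proxy/good\.txt' \
    | awk '{ ip = $1
             # vhost_combined: $1 is "host:port" (not all hex/colon), so %h is $2
             if ($1 ~ /:[0-9]+$/ && $1 !~ /^[0-9A-Fa-f:]+$/) ip = $2
             print ip }' \
    | grep -Ev "$ALLOW_RE" \
    | grep -E "$IP_RE" \
    | sort -u
}

# Builds the JSON body for one block rule. Returns 1 and prints nothing if the
# address is not an IP literal, so a crafted log field cannot be spliced in.
build_block_body() {
  bb_ip=$1
  bb_note=$2
  printf '%s' "$bb_ip" | grep -Eq "$IP_RE" || return 1
  # Escape backslashes and double quotes so the note cannot break out of its string.
  bb_note=$(printf '%s' "$bb_note" | sed 's/[\\"]/\\&/g')
  printf '{"mode":"block","configuration":{"target":"ip","value":"%s"},"notes":"%s"}\n' "$bb_ip" "$bb_note"
}

# Dry run: print each request body the real script would POST to the API.
dry_run() {
  printf '%s\n' "$SAMPLE_LOG" | extract_offenders | while read -r ip; do
    # Placeholder note; the real script puts the whois abuse-mailbox address here.
    build_block_body "$ip" "abuse contact unknown (whois skipped offline)"
  done
}

dry_run
```

Running the file prints four bodies (the two documentation-range scanners, the IPv6 client and the address seen through the vhost_combined line) and drops 25.0.0.3 and the ordinary /index.html visitor. Wired into the real script, each body would be handed to curl with --data @- instead of being printed.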
Previously published at https://www.linkedin.com/pulse/cloudflareapache-blocking-robert-mccurdy/
