In a previous blog post (Fail2ban + Tarpit), I explained how to setup a Tarpit for Fail2ban to use it against the attacker that got banned multiple times. It works great especially in conjunction with WP Fail2ban, a fail2ban plugin for WordPress.

Later on, I moved this website to CloudFlare, by doing so I rendered one my security mechanism inefficient.

WP Fail2ban

This plugin simply log the failed login attempts to one of the system log like /var/log/user.log or even the normal syslog. You can also set a group of user that should be logged directly when there is an attempt on it like “admin”. It’s useful to find the bot attempting to login into your admin panel with a default username “admin”.

I set up 2 different jail, one for failed login attempts and one for login attempts from blocked source.

You can find all the information on how to setup this in the documentation of the plugin: Installation steps

Problems

By using CloudFlare, it means all the traffic to the website is first sent to CloudFlare then to my server. Which means, my server only get connections from CloudFlare. This poses 2 problems for fail2ban.

No more visitor IP

The first one being the lack of real IP of the visitor, since only CloudFlare is connecting to my server, this can be easily resolved and I’ll explain how. The second problem I faced is directly linked to the resolution of the first one. Even with the real IP of the visitor, fail2ban won’t be able to ban the “visitor” (understand

Real IP useless

Even with the real IP of the visitor, fail2ban won’t be able to ban the “visitor” (understand bot) trying to connect as admin to my WordPress since it’s coming from CloudFlare IP’s. And obviously banning it as I was doing before with TARPIT won’t have any effect.

Solutions

To resolve those problems, I first setup Nginx to gather the real IP of the visitor, CloudFlare does provide a header with this information.

Secondly, I created a script to interact with CloudFlare API to use their firewall to ban an IP.

Getting the real IP

Configuring Nginx for doing is is pretty easy. Add this file to your conf.d directory. It contains all the CloudFlare CIDR, IPv4 and IPv6.

# From https://www.cloudflare.com/ips 2017-01-30 set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/12; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 199.27.128.0/21; #IPv6 set_real_ip_from 2400:cb00::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2c0f:f248::/32; set_real_ip_from 2a06:98c0::/29; real_ip_header CF-Connecting-IP;

Now Nginx will send, to your different application, the right IP

CloudFlare Firewall

The script I created directly use the API v4 of CloudFlare to ban the IP directly for your website but adding a captcha. I prefer to put the captcha because a bot can’t pass it (thanks reCAPTACHA) and because if it’s a legitimate user, he’s not completely banned from accessing the website.

Then I created a new action for fail2ban to automatically add and remove IP ban in CloudFlare. The last part was to assign it to the wordpress-hard rule in jail.d. (Or any other jail you setup in your configuration).

Script

To use my script you need to have JQ installed. I’m using it to parse the response from CloudFlare API when wanting to remove a blocked IP.

sudo apt-get install jq

#!/bin/bash # Antoine Aflalo (https://www.aaflalo.me) # Create a IP ban on CloudFlare. # Remove a IP ban on CloudFlare. # # usage: cloudflare-firewall <cfuser> <cftoken> <cfzoneid> <note> # <cfuser> : You CloudFlare username # <cftoken> : CF API Token in your profile # <cfzoneid> : The ID assigned by CloudFlare to your website # <note> : An optional note to the firewall rule add() { local IP="${1}"; shift local NOTE="$@" curl -g -X POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/firewall/access_rules/rules" \ -H "X-Auth-Email: $CF_USER" \ -H "X-Auth-Key: $CF_TOKEN" \ -H "Content-Type: application/json" \ --data @- << EOF {"mode":"challenge","configuration":{"target":"ip","value":"$IP"},"notes":"$NOTE"} EOF } remove() { local IP="${1}" local RULE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/firewall/access_rules/rules?configuration_target=ip&configuration_value=${IP}" \ -H "X-Auth-Email: $CF_USER" \ -H "X-Auth-Key: $CF_TOKEN" \ -H "Content-Type: application/json" | jq ".result|.[]|.id") RULE_ID="${RULE_ID%\"}" RULE_ID="${RULE_ID#\"}" curl -X DELETE "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/firewall/access_rules/rules/${RULE_ID}" \ -H "X-Auth-Email: $CF_USER" \ -H "X-Auth-Key: $CF_TOKEN" \ -H "Content-Type: application/json" \ --data '{"cascade":"basic"}' } CF_USER="$1"; shift CF_TOKEN="$1"; shift CF_ZONEID="$1"; shift HANDLER="$1"; shift if [[ "${HANDLER}" =~ ^(add|remove)$ ]]; then "$HANDLER" "$@" fi

Don’t forget to make the file executable (chmod +x). I placed it at /usr/local/sbin/cloudflare-firewall

Fail2ban Action

Put this file in your action.d directory. You also need to edit it to add your CloudFlare username, API Key and ZONE ID. You can find all of them in your CloudFlare profile. The ZoneID is the ID assigned to your domain by CloudFlare. You can override this default in each one of the jail you create by given parameter to the action.

# # Author: Antoine Aflalo # Source: https://gist.github.com/Belphemur/986ced5abe0aea303707c6df62f2c9c4/ # Referenced from: https://www.aaflalo.me/2017/03/fail2ban-and-cloudflare/ # # To get your Cloudflare API key: https://www.cloudflare.com/my-account # [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: <ip> IP address # <failures> number of failures # <time> unix timestamp of the ban time # Values: CMD # actionban = /usr/local/sbin/cloudflare-firewall <cfuser> <cftoken> <cfzone> add <ip> "<name> after <failures> failures at <time>" # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: <ip> IP address # <failures> number of failures # <time> unix timestamp of the ban time # Values: CMD # actionunban = /usr/local/sbin/cloudflare-firewall <cfuser> <cftoken> <cfzone> remove <ip> [Init] # Default Cloudflare API token cftoken = API_KEY # Default Cloudflare username cfuser = USER_NAME # Default Zone cfzone = ZONE_ID #Name of ban name = fail2ban

Fail2ban Jail for WP Fail2Ban

And the last part is to set your jail to use the new action like this:

[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/auth.log
port = http,https
maxretry = 1
action =cloudflare-firewall[name=wordpress-dangerous]
bantime=86400

Here you go, you’re again protected against those bots.

1 Comment

Add yours

Gwyneth Llewelyn
13th January 2021 at 12:13


Thanks for your article! I know it’s a few years old, but it served as ‘inspiration’ for my own configuration. Indeed, I was having trouble dealing with a single bash command-line on action.d, and pushed everything out into separate external scripts, just as you did.

Eventually, I saw the latest version of how the fail2ban core developers implemented this functionality directly in action.d/cloudflare.conf. They cheated! 🙂 They used several lines instead of just one! Apparently, fail2ban has no trouble dealing with multiple lines, so, ultimately, I moved all the code back into that and removed my external scripts…

The advantage of having those scripts, of course, is that you can manually ban/unban IPs on Cloudflare without going through fail2ban-client, which is sometimes useful, especially when debugging 🙂

BTW, Cloudflare’s IP addresses may change over time (not much, but it happens). The safest way to be up-to-date is to have a cron job updating the file included by nginx. Cloudflare eagerly publishes their ‘current’ list of IP addresses in an easy-to-retrieve format, and I’m sure there are many scripts to do exactly that; I use https://github.com/pothi/wordpress-nginx/blob/master/scripts/update-cloudflare-ip-list.sh (that repository has a lot of great tips to run WordPress on top of nginx).

1 Pingback

Best practices to secure your WordPress CMS - Antoine Aflalo

My journey in the computer world

Fail2ban and CloudFlare

WP Fail2ban

Problems

No more visitor IP

Real IP useless

Solutions

Getting the real IP

CloudFlare Firewall

Script

Fail2ban Action

Fail2ban Jail for WP Fail2Ban

Antoine Aflalo

1 Comment

Add yours

1 Pingback

Leave a Reply Cancel reply

Table of ContentToggle Table of ContentToggle

Antoine Aflalo

My journey in the computer world

Fail2ban and CloudFlare

WP Fail2ban

Problems

No more visitor IP

Real IP useless

Solutions

Getting the real IP

CloudFlare Firewall

Script

Fail2ban Action

Fail2ban Jail for WP Fail2Ban

Antoine Aflalo

1 Comment

Add yours

1 Pingback

Leave a Reply Cancel reply

#ezw_tco-2 .ez-toc-title{ font-size: 120%; ; ; } #ezw_tco-2 .ez-toc-widget-container ul.ez-toc-list li a{ ; ; ; } #ezw_tco-2 .ez-toc-widget-container ul.ez-toc-list li.active{ background-color: #ededed; } Table of ContentToggle Table of ContentToggle

Antoine Aflalo

Table of ContentToggle Table of ContentToggle