Question
This is a continuation of a previous question regarding creating a jail for a specific url.
It bans the Cloudflare IP and not that of the user. I've followed this guide to set up the Cloudflare filter, but am having issues.
Jail.local looks like this...
[apache-specific-url]
enabled = true
port = http,https
filter = apache-specific-url
action = cloudflare
         iptables-allports
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
actions.d/cloudflare.conf
This is the cloudflare.conf that came with Fail2ban V0.11.1 which is what I'm using. It looks to be the latest and correct version. I've properly set cftoken & cfuser in the file.
actionban = curl -s -o /dev/null -X POST -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' \
            -H 'Content-Type: application/json' -d '{ "mode": "block", "configuration": { "target": "ip", "value": "<ip>" } }' \
            https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules
actionunban = curl -s -o /dev/null -X DELETE -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' \
              https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$(curl -s -X GET -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' \
              'https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1' | tr -d '\n' | cut -d'"' -f6)
My API info & Curl is good
If I curl the following, the test IP is indeed banned on cloudflare and I get a success upon return.
curl -s -X POST "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
-H "X-Auth-Email: CloudFlare-username" \
-H "X-Auth-Key: CloudFlare-API-Key" \
-H "Content-Type: application/json" \
--data '{"mode":"block","configuration":{"target":"ip","value":"1.2.3.4"},"notes":"Fail2ban"}'
/var/log/fail2ban.log shows the following
2021-01-15 14:59:08,461 fail2ban.filter [3439]: INFO [apache-specific-url] Found 172.69.63.147 - 2021-01-15 14:59:07
2021-01-15 14:59:08,981 fail2ban.actions [3439]: NOTICE [apache-specific-url] Ban 172.69.63.147
I'm not sure what I'm missing here, but it doesn't look like I've set up the jail properly to get the actual IP from Cloudflare and ban it locally or on Cloudflare.
Any help greatly appreciated.
Answer 1:
After a great deal of trial and error, the problem with banning and unbanning was with the cloudflare action. Parsing the json seems to be tricky for folks. Oddly enough, I found several folks with the issue with different resolutions. However, the following is the "Mix" that works for me. I hope it helps someone in the future.
/etc/fail2ban/action.d/cloudflare.conf
actionban = curl -s -X POST "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
            -H "X-Auth-Email: <cfuser>" \
            -H "X-Auth-Key: <cftoken>" \
            -H "Content-Type: application/json" \
            --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"Fail2ban"}'
actionunban = curl -s -X DELETE "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$( \
              curl -s -X GET "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1&match=all" \
              -H "X-Auth-Email: <cfuser>" \
              -H "X-Auth-Key: <cftoken>" \
              -H "Content-Type: application/json" | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' | tr -d '"' | head -n 1 | sed -E -e 's/^\s+//' -e 's/\s+$//')" \
              -H "X-Auth-Email: <cfuser>" \
              -H "X-Auth-Key: <cftoken>" \
              -H "Content-Type: application/json"
- actionban was gleaned from this blog
- actionunban, the tougher of the two, was gleaned from here
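The answer above notes that parsing the JSON is the tricky part of actionunban. The following is an added example, not part of the original answer or of Fail2ban: it contrasts quote-counting extraction (`cut -d'"' -f6`) with a real JSON parse that also refuses to return an id when no rule matches. The function names, the script name `cf_rule_id.py`, the response body and its rule id are constructed assumptions.

```python
import json
import sys

# Constructed sample shaped like a Cloudflare v4 list response. The rule id is
# a made-up placeholder and the key order is an assumption for illustration.
SAMPLE = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": [{
        "id": "0123456789abcdef0123456789abcdef",
        "mode": "block",
        "configuration": {"target": "ip", "value": "1.2.3.4"},
        "notes": "Fail2ban",
    }],
})


def cut_field6(body):
    # Emulates `tr -d '\n' | cut -d'"' -f6`: the sixth quote-delimited field.
    flat = body.replace("\n", "")
    if '"' not in flat:
        return flat  # cut prints lines without the delimiter unchanged
    fields = flat.split('"')
    return fields[5] if len(fields) > 5 else ""


def rule_id_for(body, ip):
    # Returns the id of the block rule whose target is exactly `ip`, or None.
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("success") is not True:
        return None
    for rule in doc.get("result") or []:
        if not isinstance(rule, dict):
            continue
        cfg = rule.get("configuration") or {}
        if (rule.get("mode") == "block" and cfg.get("target") == "ip"
                and cfg.get("value") == ip and rule.get("id")):
            return rule["id"]
    return None


if __name__ == "__main__":
    # Hypothetical use inside actionunban: curl ... | python3 cf_rule_id.py <ip>
    # Exits non-zero on no match so DELETE is never sent with an empty id.
    found = rule_id_for(sys.stdin.read(), sys.argv[1])
    if found is None:
        sys.exit(1)
    print(found)
```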
Source: https://stackoverflow.com/questions/65742860/fail2ban-jail-for-specific-url-doesnt-work-with-cloudflare