Last update: 2024-02-12, edited by 888u
Many people use Cloudflare. If your web server is hosted abroad, Cloudflare is a very good acceleration tool: first, it can accelerate your website, and second, it can protect it. If Cloudflare is enabled on your site and CC attackers are scanning it aggressively, Cloudflare needs to be set up so that the attacker's IP can be determined accurately. You can then use a script to analyze the website logs, pick the attacking IPs out of them, and use the Cloudflare API to automatically add those IPs to the Cloudflare firewall. For a large-scale attack, you can also set up a scheduled task that automatically turns on Cloudflare's 5-second shield when the system load is detected to be very high. The configuration tutorial follows.
Automatically block IP
First, we need to find the attacker's IP. A script analyzes how often each IP appears in the log within one minute; if an IP exceeds a certain frequency (normal access generally should not exceed 60 requests in one minute, and you can set a smaller value), it is considered malicious. The script is as follows:

    #!/bin/bash
    # Log directory; change it to your own path
    logfile=/data/wwwlogs/
    last_minutes=1
    # Start time: 1 minute ago (change this if you want to count attacks over a few minutes)
    start_time=$(date +"%Y-%m-%d %H:%M:%S" -d '-1 minutes')
    echo $start_time
    # End time: now
    stop_time=`date +"%Y-%m-%d %H:%M:%S"`
    echo $stop_time
    cur_date="`date +%Y-%m-%d`"
    echo $cur_date
    # Filter the log lines inside the time window and count requests per IP, highest first.
    # Replace the log path with your own and adjust the substr() field and offsets to your log format.
    # The middle of this pipeline is cut off on the page; the per-IP count (sort | uniq -c)
    # is assumed from the way log_ip_top10 is read below (count in $1, IP in $2).
    tac $logfile/sky.ucblog.net_nginx.log | awk -v st="$start_time" -v et="$stop_time" '{t=substr($2,RSTART+14,21);if(t>=st && t<=et) print $1}' | sort | uniq -c | sort -nr > $logfile/log_ip_top10
    ip_top=`cat $logfile/log_ip_top10 | head -1 | awk '{print $1}'`
    ip=`cat $logfile/log_ip_top10 | awk '{if($1>2)print $2}'`
    # IPs with more than 2 requests within the unit time [1 minute] are recorded in black.txt.
    # wzfou.com sets 2 here for testing; change it to another number.
    for line in $ip
    do
        echo $line >> $logfile/black.txt
        echo $line
        # You can also call the CF API here to submit the IP to the CF firewall.
    done

Add to firewall in batches

    #!/bin/bash
    # Author: XOO
    # Date : 2019
    # Fill in the Cloudflare Email address
    CFEMAIL="admin@kxceping.com"
    # Fill in the Cloudflare API key
    CFAPIKEY="xxxxxxxxxxxxxxxx"
    # Fill in the Zone ID of the domain in Cloudflare
    ZONESID="xxxxxxxxxxxxxxxxxxxx"
    # /data/wwwlogs/black.txt stores the list of malicious attack IPs,
    # one IP per line.
    IPADDR=$(</data/wwwlogs/black.txt)
    # (the rest of this script, which submits each IP to the Cloudflare API, is cut off on the page)

Put the above two scripts together as follows:

    #!/bin/bash
    # Log directory; change it to your own path
    logfile=/data/wwwlogs/
    last_minutes=1
    # Start time: 1 minute ago (change this if you want to count attacks over a few minutes)
    start_time=$(date +"%Y-%m-%d %H:%M:%S" -d '-1 minutes')
    echo $start_time
    # End time: now
    stop_time=`date +"%Y-%m-%d %H:%M:%S"`
    echo $stop_time
    cur_date="`date +%Y-%m-%d`"
    echo $cur_date
    # Filter the log lines inside the time window and count requests per IP, highest first.
    # Replace the log path with your own and adjust the substr() field and offsets to your log format.
    # The middle of this pipeline is cut off on the page; the per-IP count (sort | uniq -c)
    # is assumed from the way log_ip_top10 is read below (count in $1, IP in $2).
    tac $logfile/sky.ucblog.net_nginx.log | awk -v st="$start_time" -v et="$stop_time" '{t=substr($2,RSTART+14,21);if(t>=st && t<=et) print $1}' | sort | uniq -c | sort -nr > $logfile/log_ip_top10
    ip_top=`cat $logfile/log_ip_top10 | head -1 | awk '{print $1}'`
    ip=`cat $logfile/log_ip_top10 | awk '{if($1>2)print $2}'`
    # IPs with more than 2 requests within the unit time [1 minute] are recorded in black.txt.
    # 2 is set here for testing; change it to another number.
    for line in $ip
    do
        echo $line >> $logfile/black.txt
        echo $line
        # You can also call the CF API here to submit the IP to the CF firewall.
    done
    # Fill in the Cloudflare Email address
    CFEMAIL="admin@kxceping.com"
    # Fill in the Cloudflare API key
    CFAPIKEY="xxxxxxxxxxxxxxxxxxxxxxxx"
    # Fill in the Zone ID of the domain in Cloudflare
    ZONESID="xxxxxxxxxxxxxxxxxxxxxxxxxxx"
    # /data/wwwlogs/black.txt stores the list of malicious attack IPs,
    # one IP per line.
    IPADDR=$(</data/wwwlogs/black.txt)
    # (the rest of this script, which submits each IP to the Cloudflare API, is cut off on the page)

Save this file as an .sh file, upload it to your server and run it, for example:

    chmod +x /root/CF.sh
    ./CF.sh

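The detection and blocking steps described above, as an added example (not the original author's script, whose API loop is cut off on this page): it counts requests per IP inside a time window from nginx combined-format logs, validates each address, skips an allowlist, and prints the request body for Cloudflare's IP Access Rules endpoint as a dry run. The log lines, the allowlist address and the function names are constructed for illustration, and it assumes field 1 of the log already holds the visitor's real IP.

```shell
#!/bin/bash
# Added example (not the page's script). Assumes nginx "combined" logs whose first
# field is the visitor's real IP (real-IP restoration behind Cloudflare is configured).
ALLOWLIST="203.0.113.10"   # constructed: hosts that must never be blocked

# offenders LOG START STOP MAX: IPs with more than MAX requests between START and STOP,
# both given in the page's "YYYY-MM-DD HH:MM:SS" format.
offenders() {
  awk -v st="$2" -v et="$3" -v max="$4" '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mo, " ")
            for (i = 1; i <= n; i++) num[mo[i]] = i }
    { # $4 is "[12/Feb/2024:10:00:30"; rebuild it as a string that sorts by time
      split(substr($4, 2), p, "[/:]")
      t = sprintf("%s-%02d-%s %s:%s:%s", p[3], num[p[2]], p[1], p[4], p[5], p[6])
      if (t >= st && t <= et) hits[$1]++ }
    END { for (ip in hits) if (hits[ip] > max) print ip }' "$1" | sort
}

# valid_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255, so nothing
# else from the log can end up inside the JSON body.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# block_payload ADDR: body for POST /zones/<zone id>/firewall/access_rules/rules
block_payload() {
  printf '{"mode":"block","configuration":{"target":"ip","value":"%s"},"notes":"auto: request flood"}\n' "$1"
}

# plan LOG START STOP MAX: dry run, one payload per offender that passes the checks
plan() {
  offenders "$@" | while read -r ip; do
    valid_ipv4 "$ip" || continue
    case " $ALLOWLIST " in *" $ip "*) continue ;; esac
    block_payload "$ip"
  done
}

# Constructed sample log, not real traffic
sample_log() {
  for s in 05 10 15 20; do echo "198.51.100.7 - - [12/Feb/2024:10:00:$s +0000] \"GET / HTTP/1.1\" 200 512"; done
  for s in 06 11 16; do echo "203.0.113.10 - - [12/Feb/2024:10:00:$s +0000] \"GET / HTTP/1.1\" 200 512"; done
  echo '192.0.2.44 - - [12/Feb/2024:10:00:30 +0000] "GET /a HTTP/1.1" 200 512'
  echo '198.51.100.7 - - [12/Feb/2024:09:58:00 +0000] "GET / HTTP/1.1" 200 512'
}
log=$(mktemp); sample_log > "$log"
plan "$log" "2024-02-12 10:00:00" "2024-02-12 10:01:00" 2
rm -f "$log"
```

To apply a payload rather than print it, send it with curl using the same X-Auth-Email and X-Auth-Key headers that the load-check script on this page uses.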
Finally, run the script as a scheduled task. With the BT (Pagoda) panel you can set this directly in the panel. If you use crontab, you can use the following entry:

    * * * * * /bin/bash /root/CF.sh > /tmp/ou1t.log 2>&1

Automatic 5-second shield
Code address: https://github.com/Machou/Cloudflare-Block
When your server is under attack, the system load will explode. Use a script to automatically detect the system load. When the pressure exceeds a certain value, you can switch to "I'm Under Attack!" mode. The steps are as follows:

    # Download
    cd /root && git clone https://github.com/Machou/Cloudflare-Block.git DDoS

    # Open Cloudflare.sh and modify the configuration
    API_KEY       Your Global API Key (https://dash.cloudflare.com/profile)
    MAIL_ACCOUNT  Email of your Cloudflare account
    DOMAIN        Zone ID (https://dash.cloudflare.com/_zone-id_/domain.com)

    # Set scheduled tasks
    crontab -e
    */1 * * * * /root/DDoS/Cloudflare.sh 0 # check every 1 minute if protection is not enabled
    */20 * * * * /root/DDoS/Cloudflare.sh 1 # check every 20 minutes if protection is enabled

By default the script enables "I'm Under Attack!" mode when the system load exceeds 10. You can adjust it as needed.
The complete code is as follows:

    #!/bin/bash

    # $1 = 1min, $2 = 5min, $3 = 15min
    loadavg=$(cat /proc/loadavg|awk '{printf "%f", $1}')

    # load is 10, you can modify this if you want load more than 10
    maxload=10

    # Configuration API Cloudflare
    # Your Global API Key (https://dash.cloudflare.com/profile)
    api_key=
    # Email of your account Cloudflare
    email=
    # Zone ID (https://dash.cloudflare.com/_zone-id_/domain.com)
    zone_id=

    # State file; it has to be defined before the existence check below uses it
    attacking=./attacking

    # create file attacking if doesn't exist
    if [ ! -e "$attacking" ]; then
      echo 0 > "$attacking"
    fi

    hasattack=$(cat "$attacking")

    if [ $(echo "$loadavg > $maxload"|bc) -eq 1 ]; then

      if [[ $hasattack = 0 && $1 = 0 ]]; then

        # Activate protection
        echo 1 > "$attacking"
        curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/$zone_id/settings/security_level" \
          -H "X-Auth-Email: $email" \
          -H "X-Auth-Key: $api_key" \
          -H "Content-Type: application/json" \
          --data '{"value":"under_attack"}'
      fi

    else
      if [[ $hasattack = 1 && $1 = 1 ]]; then

        # Disable protection
        echo 0 > "$attacking"
        curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/$zone_id/settings/security_level" \
          -H "X-Auth-Email: $email" \
          -H "X-Auth-Key: $api_key" \
          -H "Content-Type: application/json" \
          --data '{"value":"high"}'
      fi
    fi

    exit 0

Cloudflare is a very good tool, and many of its functions can be configured flexibly. For a small webmaster these protections are enough, and more functions need to be explored.