Use CloudFlare+Fail2ban to achieve entry-level CC defense

888u

Last update: 2024-07-10, edited by 888u

The working principle of Fail2ban is simple: it reads a log file, matches client IP addresses with a regular expression, and once an address reaches a preset number of matches within a given time window it runs a ban action. It can also be told to unban the address automatically after a set period. All in all, it is a fairly flexible piece of software.

When we are not using CloudFlare, we usually submit the matched IP address to the local iptables. But after using CloudFlare, we can directly use the API to submit the IP address to the CloudFlare firewall.

The following is a brief introduction to the method:

The first step is to configure Nginx. Nginx must be built with the "--with-http_realip_module" module, and the http block or server block needs "set_real_ip_from" entries for CloudFlare's published IP ranges together with "real_ip_header CF-Connecting-IP", so that the real visitor IP is written to the log. Otherwise every address in the log is one of CloudFlare's own edge IPs, and the jail would end up blocking CloudFlare rather than the attacker. Only list CloudFlare's ranges in "set_real_ip_from": if the header is trusted from any source, a client that connects to the origin directly can forge it and get an arbitrary address banned. Please see this article for the specific method: https://support.cloudflare.com/h… %80%85%E7%9A%84-IP-

The second step is to install fail2ban. See the method here: https://github.com/fail2ban/fail2ban. Avoid installing it with package managers such as apt/yum unless you have checked the version: distribution packages can be very old, and IPv6 support only arrived in fail2ban 0.10. "fail2ban-client --version" shows what you have.

The third step is to configure fail2ban.

Create a new "jail.local" file in the "/etc/fail2ban" folder and adjust the values to your site (comments are kept on their own lines so the config parser never sees them as part of a value):

    [http-get-dos]
    enabled  = true
    filter   = http-get-dos
    action   = cloudflare-api
    # Nginx access log location
    logpath  = /home/wwwlogs/example.com.log
    # maximum number of matching requests allowed inside the window
    maxretry = 60
    # the window (seconds); reaching maxretry within it triggers a ban
    findtime = 60
    # how long (seconds) the offending IP stays blocked; -1 means permanently
    bantime  = 120

Create a new "cloudflare-api.conf" file in the "/etc/fail2ban/action.d" folder. "<ip>" is the tag fail2ban replaces with the offending address; "<cfuser>", "<cftoken>" and "<cfzoneid>" are filled in from the [Init] section at the bottom, which is the only part you need to edit. The unban action first looks up the rule created for that IP, splits the JSON reply on "," ":" and "}", and takes the value that follows the "id" key, then deletes that rule:

    [Definition]
    actionstart =
    actionstop =
    actioncheck =
    actionban = curl -s -X POST "https://api.cloudflare.com/client/v4/zones/<cfzoneid>/firewall/access_rules/rules" \
                -H "X-Auth-Email: <cfuser>" \
                -H "X-Auth-Key: <cftoken>" \
                -H "Content-Type: application/json" \
                --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"CC Attack"}'
    actionunban = curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/<cfzoneid>/firewall/access_rules/rules/$( \
                  curl -s -X GET "https://api.cloudflare.com/client/v4/zones/<cfzoneid>/firewall/access_rules/rules?page=1&per_page=1&mode=block&configuration.target=ip&configuration.value=<ip>&match=all" \
                  -H "X-Auth-Email: <cfuser>" \
                  -H "X-Auth-Key: <cftoken>" \
                  -H "Content-Type: application/json" \
                  | awk -F "[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/ ){print $(i+1);}}}' | tr -d '"' | sed -e 's/^[ \t]*//' | head -n 1)" \
                  -H "X-Auth-Email: <cfuser>" \
                  -H "X-Auth-Key: <cftoken>" \
                  -H "Content-Type: application/json"

    [Init]
    name = default
    # Nothing above needs to be modified; only fill in the following three values
    cfuser = CloudFlare account email
    cftoken = API key
    cfzoneid = Zone ID from the CloudFlare Overview page

Note that "cftoken" sent in "X-Auth-Key" is the account's Global API Key, which grants full control over every zone in the account. Keep the file readable by root only ("chmod 600"), and prefer a scoped API token (sent as "Authorization: Bearer ...") limited to firewall edits on this one zone if your setup allows it.

Create a new "http-get-dos.conf" file in the "/etc/fail2ban/filter.d" folder. "<HOST>" is fail2ban's placeholder for the client address at the start of each Nginx log line (the real visitor IP, now that Nginx logs it); the rest of the pattern matches every request line regardless of HTTP version:

    [Definition]
    failregex = ^<HOST> -.*- .*HTTP/[123].* .* .*$
    ignoreregex =

After all settings are completed, run "fail2ban-client reload" to reload the configuration, then "fail2ban-client status http-get-dos" to confirm the jail is active and watching the right log file.

Let's talk about several shortcomings of this setup.

First, CloudFlare's IP firewall has a delay: it takes roughly half a minute for a newly added IP to take effect. I therefore recommend also setting limit_req_zone in Nginx, which provides temporary protection on the origin until the CloudFlare rule kicks in.

Second, the number of requests per unit time must be set sensibly. A first visit to a site typically loads a large number of static files, and an unreasonable threshold will block normal visitors. One alternative is to modify the regular expression in "http-get-dos.conf" so it only matches the dynamic requests that actually cause high load (for example .php URLs), so that asset bursts no longer count. You will need to tune this yourself.

Third, many users now share a single IP address (carrier NAT, office networks), so one ban can lock out a whole group of legitimate visitors. That is why I say large sites should not use this method. Of course, it does not matter much if you run a small blog.
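To see how the filter from step three and the thresholds from "jail.local" behave before putting them in front of real traffic, here is a small offline model of the jail. This is an added example, not code from the original post or from fail2ban itself: it re-implements the sliding-window logic the post describes (maxretry matches within findtime triggers a ban, the ban expires after bantime) and runs the post's regex, with fail2ban's "<HOST>" tag replaced by a named group, against constructed Nginx log lines. The IPs, paths and timestamps are made up for the demonstration, and the ".php-only" variant is one possible reading of the second shortcoming above, not the author's exact pattern.

```python
"""Offline model of the page's http-get-dos jail (added example, not fail2ban code).

Feeds constructed Nginx access-log lines through the page's filter regex with
fail2ban's sliding-window ban logic (maxretry matches within findtime => ban,
unban after bantime) and compares it with a "dynamic requests only" filter.
All IPs, paths and timestamps below are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Timestamp field of Nginx's combined log format, e.g. [10/Jul/2024:12:00:01 +0000]
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')
TIME_FMT = '%d/%b/%Y:%H:%M:%S %z'
# Stands in for fail2ban's <HOST> tag: the client address at the start of the line.
HOST = r'(?P<host>[0-9a-fA-F.:]+)'

# The page's filter: every request line, any HTTP version (static files count too).
ALL_REQUESTS = re.compile(r'^' + HOST + r' -.*- .*HTTP/[123].* .* .*$')
# Variant suggested by the shortcomings section: only requests for .php (dynamic) URLs.
DYNAMIC_ONLY = re.compile(r'^' + HOST + r' -.*- .*"(?:GET|POST) [^ ]*\.php[^ ]* HTTP/[123].* .* .*$')


class Jail:
    """Minimal fail2ban jail: hit window (findtime), threshold (maxretry), ban expiry (bantime)."""

    def __init__(self, failregex, maxretry=60, findtime=60, bantime=120):
        self.failregex = failregex
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = None if bantime < 0 else timedelta(seconds=bantime)  # -1 = permanent
        self.hits = defaultdict(deque)  # ip -> timestamps of matching lines inside the window
        self.banned = {}                # ip -> expiry time (None = never)

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban, else None."""
        m = self.failregex.match(line)
        if not m:
            return None
        ip = m.group('host')
        now = datetime.strptime(TIME_RE.search(line).group(1), TIME_FMT)
        # Expire bans whose bantime has elapsed (this is what actionunban does for real).
        for expired in [b for b, exp in self.banned.items() if exp is not None and exp <= now]:
            del self.banned[expired]
        if ip in self.banned:
            return None
        window = self.hits[ip]
        window.append(now)
        while now - window[0] > self.findtime:   # drop hits older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = None if self.bantime is None else now + self.bantime
            window.clear()
            return ip
        return None


def make_lines(ip, start, n, path, step_seconds=1, offset_seconds=0):
    """Constructed combined-format lines: n GET requests, one every step_seconds."""
    fmt = '%s - - [%s] "GET %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    t0 = start + timedelta(seconds=offset_seconds)
    return [fmt % (ip, (t0 + timedelta(seconds=i * step_seconds)).strftime(TIME_FMT), path)
            for i in range(n)]


def run(jail, lines):
    """Return the IPs banned, in order, while feeding lines through the jail."""
    return [ip for ip in (jail.feed(line) for line in lines) if ip]


T0 = datetime(2024, 7, 10, 12, 0, 0, tzinfo=timezone.utc)
# A normal visitor whose first page load pulls 40 static assets within one second,
# followed by a bot hitting index.php once per second for 70 seconds (constructed).
VISITOR = make_lines('203.0.113.5', T0, 40, '/static/app.js', step_seconds=0)
BOT = make_lines('198.51.100.9', T0, 70, '/index.php?id=1')


def demo(maxretry=60):
    """Run both filters with the page's findtime/bantime and the given maxretry."""
    results = {}
    for name, regex in (('all', ALL_REQUESTS), ('dynamic', DYNAMIC_ONLY)):
        results[name] = run(Jail(regex, maxretry=maxretry, findtime=60, bantime=120), VISITOR + BOT)
    return results


if __name__ == '__main__':
    print(demo(60))  # only the bot is banned
    print(demo(30))  # the page's filter also bans the visitor; the .php-only filter does not
```

With the post's maxretry of 60 only the bot gets banned under either filter. Lower the threshold to 30 and the page's catch-all regex also bans the ordinary visitor on its very first page load, while the .php-only variant still bans just the bot, which is exactly the false-positive trade-off the second shortcoming describes. The same model can be pointed at a real access log (one line per feed() call) to find a threshold that matches your own traffic before enabling the CloudFlare action.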

Reprinted from: https://www.hostloc.com/thread-540324-1-1.html


All copyrights belong to 888u unless otherwise stated.