
Cloudflare workers to receive Thinkst Canary webhooks, generate syslog and IP blocklists, report to AbuseIPDB


Xorlent/Canary-Cloudflare


Canary-Cloudflare

Cloudflare workers to:

1. Receive Thinkst Canary webhooks
2. Parse each event into a syslog message and buffer it in Workers KV
3. Report applicable events to AbuseIPDB (optional)
4. Publish a real-time IP blocklist

...and a PowerShell script to:

1. Fetch syslog events from the buffer
2. Push these events to a syslog UDP collector or a local file

Requirements

  1. Thinkst Canary account with at least one Canary (https://canary.tools/)
    • It may also work with OpenCanary, but this has not been tested.
  2. A Cloudflare account (https://www.cloudflare.com/)
    • Don't have one? This solution can be deployed to even a free account!
  3. (optional) An AbuseIPDB (https://www.abuseipdb.com/) account and API key, if you want to report events.

Cloudflare Setup

  1. Log in to your Cloudflare dashboard, choose your account, select "Workers & Pages" and click "KV."
  2. Click "Create a namespace," enter "Canary-Blocks" for the name, and click "Add."
  3. Click "Create a namespace," enter "Canary-Events" for the name, and click "Add."
  4. Now click on "Overview" below the "Workers & Pages" menu option.
  5. Click "Create application"
    • Click the "Create Worker" button
    • Enter "canary-receiver" for the name and click "Deploy"
    • IMPORTANT: Make note of the URL shown on the Congratulations page under, "Preview your worker."
    • Click "Configure Worker"
      • Click "Settings" above the summary section of the page
      • Click the "Variables" menu option
      • Under "KV Namespace Bindings" click "Add binding"
      • Enter "canaryblocks" for the variable name and select "Canary-Blocks" for the KV namespace
      • Click "Save and deploy"
      • Again, click "Add binding"
      • Enter "canaryevents" for the variable name and select "Canary-Events" for the KV namespace
      • Click "Save and deploy"
    • Click on the "Quick Edit" button at the top right area of the page
      • Copy and paste the full contents of the canary-receiver.js file into the editor window
      • Review the variables declared at the top of the script and adjust them for your environment.
        • MyCanary should be set to the name of the public-facing Canary whose events will feed the IP blocklist.
        • authString is the shared secret that the Canary webhook must present in its custom "auth" header. Change it from the default and make a note of the value: anyone who knows it can post fabricated events and push arbitrary IPs into your blocklist.
      • Click "Save and deploy."
  6. Click "Create application"
    • Click the "Create Worker" button
    • Enter "canary-request-blocklist" for the name and click "Deploy"
    • IMPORTANT: Make note of the URL shown on the Congratulations page under, "Preview your worker."
    • Click "Configure Worker"
      • Click "Settings" above the summary section of the page
      • Click the "Variables" menu option
      • Under "KV Namespace Bindings" click "Add binding"
      • Enter "canaryblocks" for the variable name and select "Canary-Blocks" for the KV namespace
      • Click "Save and deploy"
    • Click on the "Quick Edit" button at the top right area of the page
      • Copy and paste the full contents of the canary-request-blocklist.js file into the editor window
      • Edit the AllowedIPs string variable to list the IP addresses permitted to retrieve the blocklist (requests from any other address are refused), then click "Save and deploy."
  7. Click "Create application"
    • Click the "Create Worker" button
    • Enter "canary-request-syslog" for the name and click "Deploy"
    • IMPORTANT: Make note of the URL shown on the Congratulations page under, "Preview your worker."
    • Click "Configure Worker"
      • Click "Settings" above the summary section of the page
      • Click the "Variables" menu option
      • Under "KV Namespace Bindings" click "Add binding"
      • Enter "canaryevents" for the variable name and select "Canary-Events" for the KV namespace
      • Click "Save and deploy"
    • Click on the "Quick Edit" button at the top right area of the page
      • Copy and paste the full contents of the canary-request-syslog.js file into the editor window
      • Edit authString to a unique secret value and click "Save and deploy." You will need this value when configuring the Fetch-Canary-Syslog.ps1 script.
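The following is an added example of the receiver logic that step 5 deploys; it is not the project's canary-receiver.js. It assumes the README's names (an "auth" header, KV bindings named canaryblocks and canaryevents, the authString default) plus a constructed approximation of the Canary webhook payload with SourceIP, CanaryName and Description fields, and an assumed one-week block expiry. It shows three things the setup steps rely on but do not spell out: comparing the auth header in constant time, refusing to put private or otherwise non-routable source addresses onto the blocklist, and formatting the buffered event as an RFC 5424 syslog line.

```javascript
// Added example, not the project's canary-receiver.js. Assumed names: header
// "auth", KV bindings canaryblocks/canaryevents, payload fields SourceIP,
// CanaryName, Description (constructed approximation of the Canary webhook).

const AUTH_HEADER = "auth";
const AUTH_STRING = "canhasauthenticated"; // README default; change before deploying
const MY_CANARY = "public-canary-01";       // assumed name of the public-facing Canary
const BLOCK_TTL_SECONDS = 7 * 24 * 3600;    // assumed: blocks auto-expire after a week

// Constant-time comparison so the auth value cannot be recovered byte by byte
// from response timing. A length mismatch returns early; that reveals only the
// secret's length, which is acceptable here.
function secureEqual(a, b) {
  const enc = new TextEncoder();
  const x = enc.encode(a), y = enc.encode(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i];
  return diff === 0;
}

// Only publicly routable IPv4 addresses belong on the blocklist: a private or
// link-local SourceIP would otherwise end up blocking your own network.
function isPublicIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip ?? "");
  if (!m) return false;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return false;
  const [a, b] = o;
  if (a === 0 || a === 10 || a === 127 || a >= 224) return false; // this-net, RFC1918, loopback, multicast/reserved
  if (a === 100 && b >= 64 && b <= 127) return false;              // CGNAT 100.64.0.0/10
  if (a === 169 && b === 254) return false;                        // link-local
  if (a === 172 && b >= 16 && b <= 31) return false;               // RFC1918
  if (a === 192 && b === 168) return false;                        // RFC1918
  return true;
}

// RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
// PRI = facility*8 + severity; facility 4 (auth) * 8 + severity 4 (warning) = 36.
function toSyslog(ev, when) {
  const host = String(ev.CanaryName ?? "canary").replace(/\s+/g, "_");
  const desc = String(ev.Description ?? "").replace(/"/g, "'");
  return `<36>1 ${when.toISOString()} ${host} canary - - - src=${ev.SourceIP} desc="${desc}"`;
}

// Check auth, parse the event, buffer a syslog line, and record the source IP
// for the blocklist. Returns {status, body} so the logic is testable without
// the Workers runtime; handleRequest wraps it in a Response.
async function processWebhook(authValue, bodyText, blocks, events, when = new Date()) {
  if (!secureEqual(authValue ?? "", AUTH_STRING)) return { status: 401, body: "unauthorized" };
  let ev;
  try { ev = JSON.parse(bodyText); } catch { return { status: 400, body: "invalid JSON" }; }
  if (typeof ev !== "object" || ev === null) return { status: 400, body: "invalid event" };

  // Key sorts chronologically; the random suffix avoids collisions when two
  // deliveries land in the same millisecond (crypto.randomUUID() also works in Workers).
  const eventKey = `${when.toISOString()}-${Math.random().toString(36).slice(2, 10)}`;
  await events.put(eventKey, toSyslog(ev, when));

  let blocked = false;
  if (ev.CanaryName === MY_CANARY && isPublicIPv4(ev.SourceIP)) {
    await blocks.put(ev.SourceIP, when.toISOString(), { expirationTtl: BLOCK_TTL_SECONDS });
    blocked = true;
  }
  return { status: 200, body: JSON.stringify({ eventKey, blocked }) };
}

// Service Worker style entry point; with this format the KV bindings are the
// globals named in the README. The typeof guard lets the file also load under
// Node for local testing, where no fetch event exists.
async function handleRequest(request) {
  if (request.method !== "POST") return new Response("method not allowed", { status: 405 });
  const r = await processWebhook(request.headers.get(AUTH_HEADER), await request.text(),
                                 canaryblocks, canaryevents);
  return new Response(r.body, { status: r.status });
}
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

The expirationTtl on the block entry is what keeps the list from growing forever; without it every attacker IP stays blocked until someone deletes the key by hand in the KV dashboard.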

Canary Setup

  1. Log in to your Canary account
    • Click on the "Gear" and then "Global Settings" to go to the Global Settings page.
    • Click on Webhooks and paste the canary-receiver Worker URL you noted in Cloudflare Setup step 5 into the "Generic" option.
    • Select custom headers and add a header named "auth" whose value is the authString you set in step 5 (the default is "canhasauthenticated"), then click "Add."
      • This value can be changed at any time by editing the JavaScript of the canary-receiver Worker; update the Canary webhook header to match.

Abuseipdb Setup (optional)

  1. Get your API key and enter it as the value of the "abuseIPDBKey" variable in the canary-receiver Cloudflare Worker JavaScript. Treat the key as a secret.

Powershell Syslog Fetcher Setup

  1. Download Fetch-Canary-Syslog.ps1 and Fetch-Canary-Syslog-Config.xml
  2. Right-click each file, select Properties, check "Unblock" and click "OK" (this clears the mark-of-the-web that stops downloaded scripts from running)
  3. Edit the xml file in Notepad according to your environment
  4. Save the files to an appropriate location for execution
  5. Create a scheduled task to execute Fetch-Canary-Syslog.ps1 as often as you would like:
    • Run whether user is logged in or not
    • Trigger: Daily, repeat task every 15 minutes
    • Program: powershell
    • Arguments: -file Full\Path\To\Fetch-Canary-Syslog.ps1
    • Start in: path to the Fetch-Canary-Syslog files

Using/Testing

  • You can now trigger a Canary event
    • Alternatively, re-open the code editor for the canary-receiver Worker (setup step 5) and send a POST request using the supplied ExampleRequest.json.
      • Be sure to include the "auth" header with the authString value you set in setup step 5 (default: canhasauthenticated).
    • Open a web browser to https://canary-request-blocklist.organization.workers.dev (where "organization" is your account's workers.dev subdomain, as noted in setup step 6) to view the live IP list.
      • Make sure the machine you're using is in the AllowedIPs allowlist of the canary-request-blocklist Worker.
      • Workers KV is eventually consistent, so a newly recorded IP can take up to about 60 seconds to appear in the list.
  • If you need to delete or clean up any IP list database entries:
    • Log in to your Cloudflare dashboard
    • Choose your account
    • Select "Workers & Pages" and click "KV."
    • Click the "View" link for "Canary-Blocks" and/or "Canary-Events" to browse and delete individual keys
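The allowlist check mentioned above is the only thing standing between the blocklist and the public internet, so it is worth seeing how it should be done. The following is an added example of the canary-request-blocklist side, not the project's canary-request-blocklist.js. It assumes the README's AllowedIPs string variable and canaryblocks binding, extends AllowedIPs to accept CIDR ranges as well as single addresses, and reads the client address from Cloudflare's CF-Connecting-IP header. The allowlist values are constructed examples.

```javascript
// Added example, not the project's canary-request-blocklist.js. Assumed: the
// AllowedIPs variable (here extended to accept CIDR entries), the canaryblocks
// KV binding, and one blocked IPv4 address per KV key.

const AllowedIPs = "192.0.2.10, 198.51.100.0/24"; // constructed example values

// Dotted-quad IPv4 to unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Parse "a.b.c.d" or "a.b.c.d/nn" entries into {net, mask}. Malformed entries
// throw at load time rather than silently allowing or denying everything.
function parseAllowlist(text) {
  const out = [];
  for (const raw of text.split(",")) {
    const entry = raw.trim();
    if (!entry) continue;
    const [ip, bits = "32"] = entry.split("/");
    const net = ipv4ToInt(ip);
    const len = Number(bits);
    if (net === null || !Number.isInteger(len) || len < 0 || len > 32) {
      throw new Error(`bad allowlist entry: ${entry}`);
    }
    // JS shifts count mod 32, so /0 needs a special case.
    const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
    out.push({ net: (net & mask) >>> 0, mask });
  }
  return out;
}

// Deny by default: anything that is not a well-formed IPv4 inside an entry is refused.
function isAllowed(clientIP, allowlist) {
  const ip = ipv4ToInt(clientIP);
  if (ip === null) return false;
  return allowlist.some(({ net, mask }) => ((ip & mask) >>> 0) === net);
}

// Walk the whole namespace: KV list() returns at most 1000 keys per call and
// hands back a cursor until list_complete is true. One IP per line, sorted
// lexically, which is what most firewall feed importers expect.
async function renderBlocklist(kv) {
  const ips = [];
  let cursor;
  do {
    const page = await kv.list({ cursor });
    for (const k of page.keys) ips.push(k.name);
    cursor = page.list_complete ? undefined : page.cursor;
  } while (cursor);
  return ips.sort().join("\n") + (ips.length ? "\n" : "");
}

// Decision and body as plain values so the logic can be tested without Workers.
async function respond(clientIP, kv, allowlist = parseAllowlist(AllowedIPs)) {
  if (!isAllowed(clientIP, allowlist)) return { status: 403, body: "forbidden" };
  return { status: 200, body: await renderBlocklist(kv) };
}

// CF-Connecting-IP is set by Cloudflare's edge and cannot be supplied by the
// client, unlike X-Forwarded-For, which a client can pre-seed with any value.
async function handleRequest(request) {
  const r = await respond(request.headers.get("CF-Connecting-IP"), canaryblocks);
  return new Response(r.body, {
    status: r.status,
    headers: { "content-type": "text/plain; charset=utf-8", "cache-control": "no-store" },
  });
}
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

The no-store header matters because the list changes every time an event arrives; a cached copy at an intermediate proxy would serve stale entries to the firewall that pulls the feed.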