#!/bin/bash
###
# Automating your CloudFlare DDoS Protection by https://bobbyiliev.com
###
##
# CloudFlare API Config
##
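# Each value can be supplied through the environment, so the API key does not
# have to be written into this file; the placeholders are used otherwise.
# If the key is stored here, keep the script readable by its owner only.
# NOTE(review): X-Auth-Email/X-Auth-Key authenticate with the account-wide
# Global API key. Cloudflare also issues scoped API tokens (sent as
# "Authorization: Bearer ..."), which would limit what a leaked credential can
# do; using one means changing the request headers in the curl calls below.
CF_ZONE_ID=${CF_ZONE_ID:-YOUR_CF_ZONE_ID}
CF_EMAIL_ADDRESS=${CF_EMAIL_ADDRESS:-YOUR_CF_EMAIL_ADDRESS}
CF_API_KEY=${CF_API_KEY:-YOUR_CF_API_KEY}
##
# Set to 1 in order to enable email notifications
# (sent with mail(1) to CF_EMAIL_ADDRESS)
##
notifications=1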
##
# Prepare CloudFlare directory
# Create the directory that holds ddos.log on first run; an existing
# directory is left untouched.
[ -d ~/.cloudflare ] || mkdir ~/.cloudflare
##
##
# Check current status:
##
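# Scratch files for the raw API response (current_status) and the value parsed
# out of it (status). mktemp picks an unpredictable name for each file, so the
# fixed /tmp prefix cannot be pre-created by another local user.
current_status=$(mktemp /tmp/temp-status.XXXXXX) || exit 1
status=$(mktemp /tmp/temp-status.XXXXXX) || {
  rm -f -- "${current_status}"
  exit 1
}
# ddos_check can end the script with `exit`, which skips the rm at the end of
# main; without this trap a run from cron would leave two files in /tmp each
# time. The EXIT trap removes them on every exit path.
trap 'rm -f -- "${status}" "${current_status}"' EXIT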
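#######################################
# Read the zone's current security level from the CloudFlare API.
# Globals:   CF_ZONE_ID, CF_EMAIL_ADDRESS, CF_API_KEY (read)
#            current_status, status (read: scratch file paths)
#            currentStatus (written: e.g. "medium", "under_attack";
#            empty when the request failed)
# Returns:   0 when the API answered with a success status, 1 otherwise
#######################################
function status() {
  # The auth headers go to curl through a config read from stdin rather than
  # -H arguments, so the API key does not show up in the process list.
  # printf is a shell builtin and is not exec'd. Assumes the e-mail address
  # and key contain no double quote or backslash.
  if ! printf 'header = "X-Auth-Email: %s"\nheader = "X-Auth-Key: %s"\n' \
      "${CF_EMAIL_ADDRESS}" "${CF_API_KEY}" \
    | curl --silent --show-error --fail --max-time 30 --config - \
      -X GET "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/settings/security_level" \
      -H "Content-Type: application/json" > "${current_status}"; then
    # An unreachable API or a rejected credential leaves the level unknown;
    # ddos_check takes no action on an empty value, so the failure is made
    # visible through the return code and curl's message on stderr.
    currentStatus=""
    return 1
  fi
  # The level is taken as the 4th ':'-separated field of the response, which
  # assumes the compact one-line JSON layout with "value" as the second key of
  # "result" -- TODO: brittle, confirm against the live response format.
  awk -F':' '{ print $4 }' "${current_status}" \
    | awk -F',' '{ print $1 }' \
    | tr -d '"' > "${status}"
  currentStatus=$(cat "${status}")
}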
##
# Monitoring your CPU load:
##
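# 1-minute load average, read from /proc/loadavg instead of parsing uptime(1):
# uptime's text depends on the locale (a decimal comma breaks the integer
# comparison in ddos_check) and needs three extra processes per run.
# NOTE(review): load average is only a proxy for attack traffic; a backup or a
# build job can raise it just as well.
read -r load _ < /proc/loadavg
# Integer part only, because [[ -gt ]] / [[ -lt ]] compare integers.
ddos=${load%.*}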
##
# Monitor the status and enable the DDoS protection if required:
##
#######################################
# Derive the load thresholds from the number of logical CPUs.
# Globals:   normalCPUload (written: count of "processor" lines in
#            /proc/cpuinfo), average (written: half of that, at least 1),
#            maxCPUload (written: normalCPUload + average)
#######################################
allowed_cpu_load() {
  normalCPUload=$(grep -c ^processor /proc/cpuinfo)
  average=$(( $normalCPUload / 2 ))
  # A single-CPU machine would otherwise get max == normal.
  if (( average == 0 )); then
    average=1
  fi
  maxCPUload=$(( $normalCPUload + $average ))
}
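#######################################
# Set the zone's security level back to "medium".
# Globals:   CF_ZONE_ID, CF_EMAIL_ADDRESS, CF_API_KEY (read)
# Outputs:   the API response on stdout, curl errors on stderr
# Returns:   curl's exit status; non-zero on a network error, a timeout or an
#            HTTP error status, so callers can tell whether the change was
#            accepted
#######################################
function disable() {
  # The auth headers are fed to curl as a config on stdin instead of -H
  # arguments, which keeps the API key out of the process list. Assumes the
  # e-mail address and key contain no double quote or backslash.
  printf 'header = "X-Auth-Email: %s"\nheader = "X-Auth-Key: %s"\n' \
    "${CF_EMAIL_ADDRESS}" "${CF_API_KEY}" \
    | curl --silent --show-error --fail --max-time 30 --config - \
      -X PATCH "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/settings/security_level" \
      -H "Content-Type: application/json" \
      --data '{"value":"medium"}'
}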
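#######################################
# Switch the zone's security level to "under_attack".
# Globals:   CF_ZONE_ID, CF_EMAIL_ADDRESS, CF_API_KEY (read)
# Outputs:   the API response on stdout, curl errors on stderr
# Returns:   curl's exit status; non-zero on a network error, a timeout or an
#            HTTP error status, so callers can tell whether the protection
#            was really switched on
#######################################
function under_attack() {
  # The auth headers are fed to curl as a config on stdin instead of -H
  # arguments, which keeps the API key out of the process list. Assumes the
  # e-mail address and key contain no double quote or backslash.
  printf 'header = "X-Auth-Email: %s"\nheader = "X-Auth-Key: %s"\n' \
    "${CF_EMAIL_ADDRESS}" "${CF_API_KEY}" \
    | curl --silent --show-error --fail --max-time 30 --config - \
      -X PATCH "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/settings/security_level" \
      -H "Content-Type: application/json" \
      --data '{"value":"under_attack"}'
}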
##
# Check the current status
##
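#######################################
# Compare the current load with the thresholds and toggle the CloudFlare
# security level when a boundary is crossed.
#   load > maxCPUload    and level "medium"       -> switch to under_attack
#   load < normalCPUload and level "under_attack" -> switch back to medium
#   anything else                                 -> no action
# The gap between the two thresholds keeps the level from flapping.
# Globals:   ddos, maxCPUload, normalCPUload, currentStatus, notifications,
#            CF_EMAIL_ADDRESS (read)
# Outputs:   appends to ~/.cloudflare/ddos.log; optionally sends mail
# Returns:   0 when nothing had to change or the change succeeded,
#            1 when the API call to change the level failed
# NOTE(review): only "medium" and "under_attack" are handled. A zone whose
# normal level is something else is never escalated, and de-escalation
# always lands on "medium" rather than on the previous level.
#######################################
function ddos_check() {
  if [[ $ddos -gt $maxCPUload ]]; then
    if [[ $currentStatus == "medium" ]]; then
      # Log and notify only after the API accepted the change; otherwise the
      # log would claim protection that is not in place.
      if under_attack; then
        echo "$(date) - Enabled DDoS" >> ~/.cloudflare/ddos.log
        if [[ $notifications == 1 ]]; then
          echo "$(date) - Enabled DDoS" | mail -s "Enabled DDoS" "${CF_EMAIL_ADDRESS}"
        fi
      else
        echo "$(date) - Failed to enable DDoS" >> ~/.cloudflare/ddos.log
        return 1
      fi
    fi
  elif [[ $ddos -lt $normalCPUload ]]; then
    # Load is back below the normal level for this server: drop the
    # protection again if it is currently switched on.
    if [[ $currentStatus == "under_attack" ]]; then
      if disable; then
        echo "$(date) - Disabled DDoS" >> ~/.cloudflare/ddos.log
        if [[ $notifications == 1 ]]; then
          # Goes to the configured address with a matching subject; the
          # original sent this notice to a hard-coded third-party mailbox
          # under the subject "Enabled DDoS".
          echo "$(date) - Disabled DDoS" | mail -s "Disabled DDoS" "${CF_EMAIL_ADDRESS}"
        fi
      else
        echo "$(date) - Failed to disable DDoS" >> ~/.cloudflare/ddos.log
        return 1
      fi
    fi
  fi
  # Return instead of exit, so the caller's temp-file cleanup still runs.
  return 0
}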
##
# Call all functions
##
# Entry point: work out the load thresholds, fetch the zone's current security
# level, act on the comparison, then delete the two scratch files.
main() {
  allowed_cpu_load
  status
  ddos_check
  # Not reached when ddos_check ends the script with exit.
  rm -f $status $current_status
}

main