Troubleshooting Cloudflare action #3162
-
Hi! I'm setting up a filter and jail to block a specific malicious request we're seeing lots of lately. I'm using v0.11.2. For testing purposes, I'm using cheeseburger as the failregex. Here's my filter:
Here's my jail as seen in jail.local:
I've also tried setting the action simply to cloudflare without the parameters (action = cloudflare). I'm using the latest version of cloudflare.conf (from https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare.conf) with my cftoken and cfuser filled in near the end of the file within the [Init] function. The jail and filter successfully detect attempts to hit the /cheeseburger/ URL and I see the IPs in my ban list, but the bans apparently aren't being passed to Cloudflare. I confirmed that the API key I'm using is valid and active:
I noted the error code references in the comments for cloudflare.conf, but I'm not seeing any of these error codes come up in /var/log/fail2ban.log. Does anyone have any troubleshooting tips that might help me see the Cloudflare API error codes and get these bans successfully passed to Cloudflare? Thanks for your help and have a great afternoon!
Replies: 4 comments 3 replies
-
You did not describe what the issue is exactly, for instance which errors you see in fail2ban.log if the ban fails. Due to #2318:
so both can be the reason why the ban fails.
-
Hi Sebres! That's the thing; I don't get any relevant errors in the fail2ban log or any indication that the ban has failed. When I visit a URL that matches the pattern (literally mysite.com/cheeseburger at the moment while I'm testing) more than 3 times, the ban is triggered and I see my test machine's IP in the banned IP list. However, the test machine isn't blocked, and I don't see the banned IPs at Cloudflare in the firewall as I should if it were working. Here are log lines showing a ban (I've replaced the test machine IP with XXX.XXX.XXX.XXX here):
I reviewed fail2ban.log just now and confirmed that the only error I found was a single instance of a timezone hiccup. I obfuscated the IP and URL shown:
My test pattern is, by design, one that only I am visiting, so rate limiting doesn't seem likely. Looking at fail2ban.log I don't see any activity that would exceed the thresholds mentioned, and the site in question is on Cloudflare's Pro plan. Any idea why no error messages are being logged in relation to the Cloudflare API? Do my jail's [filter] and [action] look right? Thanks again for your help,
-
Hi Sebres, thanks! I ran the action from the shell (X-Auth-Key and email obfuscated below, but I used the actual email and API token there when testing):
I did restart fail2ban entirely after setting the jail up and after making changes to it or the filter. When I enabled HEAVYDEBUG and tested the ban, I didn't get any smoking guns back and the ban again appeared to work, but again the banned IPs weren't present in Cloudflare at Firewall > Tools:
I'm guessing maybe the syntax being sent to Cloudflare needs to be changed, and I'll let you know what I find out once I hear back from Cloudflare. Have a great evening,
-
Hi Sebres, sorry for the delay.

I eventually ended up using the Firewall Access Rules API for a zone: https://api.cloudflare.com/#firewall-access-rule-for-a-zone-create-access-rule

I created a token scoped to the zone I was working with in Cloudflare and with zone:firewall services:edit privileges, then used the API token generated in actionban like this:

```
actionban = curl -X POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/access_rules/rules" -H "Authorization: Bearer <TOKEN>" -H "Content-Type: application/json" --data '{"mode":"block","configuration":{"target":"ip","value":"<IP>"},"notes":"Fail2Ban carding"}'
```

The action is working great now.

Thanks for your help with this and have a Merry Christmas!
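The question that runs through this thread is why a failed Cloudflare call never shows up in fail2ban.log. fail2ban treats an action command as successful whenever it exits 0, and curl without -f exits 0 on an HTTP 4xx, so a request that comes back as {"success":false,...} is indistinguishable from a working one. The script below is an added example, not fail2ban's shipped cloudflare.conf and not the poster's exact command: it wraps the zone-scoped IP Access Rules endpoint from the last reply, checks the v4 response envelope, and exits non-zero with the Cloudflare error codes on stderr so that fail2ban records the failure. It assumes CF_ZONE_ID and CF_API_TOKEN are provided in the environment and that the token is scoped to the zone with Zone > Firewall Services > Edit; the unban path additionally relies on the list endpoint's configuration.target / configuration.value filters, which the thread itself does not show. The sample response bodies are constructed for the self-test, not captured from a real zone.

```shell
#!/bin/sh
# Added example for this thread: a wrapper around Cloudflare's zone-scoped
# "IP Access Rules" endpoint that makes API failures visible to fail2ban.
# fail2ban only logs an action as failed when the command exits non-zero, so
# the response envelope is checked here and errors are written to stderr.
#
# Assumptions (not from the thread): CF_ZONE_ID and CF_API_TOKEN are set in the
# environment; the token has Zone > Firewall Services > Edit on that zone.

CF_API="https://api.cloudflare.com/client/v4"

# Constructed sample bodies in the shape of Cloudflare's v4 envelope, used by
# the selftest below; they were not captured from a real zone.
SAMPLE_OK='{"result":{"id":"0123456789abcdef0123456789abcdef","mode":"block"},"success":true,"errors":[],"messages":[]}'
SAMPLE_AUTH_FAIL='{"result":null,"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[]}'
SAMPLE_LIST='{"result":[{"id":"0123456789abcdef0123456789abcdef","mode":"block","configuration":{"target":"ip","value":"203.0.113.7"}}],"success":true,"errors":[],"messages":[]}'
SAMPLE_EMPTY_LIST='{"result":[],"success":true,"errors":[],"messages":[]}'

# cf_error_codes BODY: print every numeric "code" in the envelope, one per line.
cf_error_codes() {
    printf '%s' "$1" | grep -o '"code": *[0-9]*' | sed 's/[^0-9]//g'
}

# cf_rule_id BODY: print the id of the first rule in a list response, or nothing.
cf_rule_id() {
    printf '%s' "$1" | grep -o '"id": *"[^"]*"' | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/'
}

# cf_check_response CONTEXT BODY: return 0 on "success":true; otherwise write
# the error codes and the raw body to stderr and return 1.
cf_check_response() {
    ctx=$1
    body=$2
    if printf '%s' "$body" | grep -q '"success": *true'; then
        return 0
    fi
    codes=$(cf_error_codes "$body" | tr '\n' ' ')
    printf 'cloudflare %s failed (error codes: %s): %s\n' "$ctx" "${codes% }" "$body" >&2
    return 1
}

# cf_ban IP: create a block rule for the address in the zone.
cf_ban() {
    ip=$1
    body=$(curl -sS -X POST "$CF_API/zones/$CF_ZONE_ID/firewall/access_rules/rules" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "{\"mode\":\"block\",\"configuration\":{\"target\":\"ip\",\"value\":\"$ip\"},\"notes\":\"fail2ban\"}")
    cf_check_response "ban $ip" "$body"
}

# cf_unban IP: look the rule up by target/value (deletion needs its id), then delete it.
cf_unban() {
    ip=$1
    list=$(curl -sS -G "$CF_API/zones/$CF_ZONE_ID/firewall/access_rules/rules" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        --data-urlencode "configuration.target=ip" \
        --data-urlencode "configuration.value=$ip")
    cf_check_response "lookup $ip" "$list" || return 1
    id=$(cf_rule_id "$list")
    if [ -z "$id" ]; then
        printf 'cloudflare unban %s: no access rule found\n' "$ip" >&2
        return 1
    fi
    body=$(curl -sS -X DELETE "$CF_API/zones/$CF_ZONE_ID/firewall/access_rules/rules/$id" \
        -H "Authorization: Bearer $CF_API_TOKEN")
    cf_check_response "unban $ip" "$body"
}

# Wiring from a jail (hypothetical path):
#   actionban   = /usr/local/bin/cf-access-rule.sh ban <ip>
#   actionunban = /usr/local/bin/cf-access-rule.sh unban <ip>
case "${1:-}" in
    ban)      cf_ban "$2" ;;
    unban)    cf_unban "$2" ;;
    selftest) cf_check_response ban "$SAMPLE_OK" \
                  && ! cf_check_response ban "$SAMPLE_AUTH_FAIL" 2>/dev/null \
                  && [ "$(cf_rule_id "$SAMPLE_LIST")" = "0123456789abcdef0123456789abcdef" ] \
                  && [ -z "$(cf_rule_id "$SAMPLE_EMPTY_LIST")" ] \
                  && echo "selftest ok" ;;
esac
```

Running `sh cf-access-rule.sh selftest` exercises the envelope checks offline. Once wired into a jail, a bad token or an unscoped one produces a line like `cloudflare ban 203.0.113.7 failed (error codes: 10000): {...}` on stderr and a non-zero exit, which is what fail2ban needs before it will log the action as failed.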