Enable and Disable Cloudflare "I am under attack mode" automated

Discussion in 'Centmin Mod User Tutorials & Guides' started by pamamolf, Sep 21, 2017.

  1. pamamolf

    pamamolf Premium Member Premium Member

    4,101
    428
    83
    May 31, 2014
    Ratings:
    +837
    Local Time:
    1:30 PM
    Nginx-1.26.x
    MariaDB 10.6.x
    Hello :)

    I think this tutorial will be very helpful for Centminmod users that use Cloudflare.
    It is a way to automatically check for server load and enable or disable Cloudflare "I am under attack mode".

    Only curl will be needed to work:

    mkdir /etc/ddos
    nano /etc/ddos/ddos.sh

    add there:
    Code:
    #!/bin/bash
    # Enable "I am under attack mode" when the 1-minute load average exceeds the trigger.
    trigger=6.00
    load=$(awk '{print $1}' /proc/loadavg)
    response=$(awk -v T="$trigger" -v L="$load" 'BEGIN{if (L > T) print "greater"}')
    if [[ $response = "greater" ]]
    then
    /etc/ddos/attack.sh | mail -s "Cloudflare I am under attack mode enabled" youremail@gmail.com
    fi
    That will check the server load and put it at the ddos.ini file, and then if the server load is between 0.00 and 6.00 it will do nothing, but if the load is higher, for example 7.00, it will run the script attack.sh, which will enable the "I am under attack mode".


    nano /etc/ddos/attack.sh

    add there:
    Code:
    #!/bin/bash
    # Set the zone's security level to "under_attack" through the Cloudflare API.
    curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/settings/security_level" \
         -H "X-Auth-Email: user@example.com" \
         -H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
         -H "Content-Type: application/json" \
         --data '{"value":"under_attack"}'
    Replace your Cloudflare email and your global API key (they are located at -> My account option to right) and the zones key (you will find it at the main page of the domain at Cloudflare).


    nano /etc/ddos/unblock.sh

    add there:
    Code:
    #!/bin/bash
    # Disable "I am under attack mode" when the 1-minute load average is below the trigger.
    trigger=4.00
    load=$(awk '{print $1}' /proc/loadavg)
    response=$(awk -v T="$trigger" -v L="$load" 'BEGIN{if (L < T) print "lower"}')
    if [[ $response = "lower" ]]
    then
    /etc/ddos/noattack.sh | mail -s "Cloudflare I am under attack mode disabled" youremail@gmail.com
    fi
    That will check the server load and put it at the ddos.ini file, and then if the server load is between 0.00 and 4.00 it will run the script noattack.sh, which will disable the "I am under attack mode".

    nano /etc/ddos/noattack.sh

    add there:
    Code:
    #!/bin/bash
    # Set the zone's security level back to "medium" through the Cloudflare API.
    curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/settings/security_level" \
         -H "X-Auth-Email: user@example.com" \
         -H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
         -H "Content-Type: application/json" \
         --data '{"value":"medium"}'
    Replace your Cloudflare email and your global API key (they are located at -> My account option to right) and the zones key (you will find it at the main page of the domain at Cloudflare).

    Code:
    chmod +x /etc/ddos/ddos.sh
    chmod +x /etc/ddos/attack.sh
    chmod +x /etc/ddos/unblock.sh
    chmod +x /etc/ddos/noattack.sh
    Add also some cronjobs like:
    Code:
    * * * * * sleep 30; /etc/ddos/ddos.sh
    0 * * * * /etc/ddos/unblock.sh

    Thank you
     
    Last edited: Sep 21, 2017
  2. pamamolf

    pamamolf Premium Member Premium Member

    OK, I updated my topic and all is working now!
     
    Last edited: Sep 21, 2017
  3. pamamolf

    pamamolf Premium Member Premium Member

    Wondering if the check routine can be better.....

    And one very important check, if George or anyone can implement it: to check first if "I am under attack mode" is enabled before it tries to send again the same rule that already exists?

    Wondering also if there are any Cloudflare API limitations for requests, as the script may try to send the "I am under attack mode" every 30 sec .... Is that allowed on the Cloudflare API?



    Thank you
     
  4. rdan

    rdan Well-Known Member

    5,449
    1,410
    113
    May 25, 2014
    Ratings:
    +2,204
    Local Time:
    6:30 PM
    Mainline
    10.2
  5. pamamolf

    pamamolf Premium Member Premium Member

    Oops, yes, it is the same....

    What I notice is that sometimes you must run nprestart to work properly for the I am under attack mode and adding that on the script is easy.

    The problem is that we must have a check to not run it always after the 1 minute check...

    Any ideas on how we can do that?
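
The check asked for in this thread (read the current security level first and only write when the state has to change), as an added example that is not part of any poster's script. Assumptions: the file `/etc/ddos/cf.env`, the variables `CF_API_TOKEN` and `CF_ZONE_ID`, the function names and the `cf-uam` log tag are hypothetical; it authenticates with a scoped API token (`Authorization: Bearer`) instead of the global API key used above.

```bash
#!/bin/bash
# Added example, not the thread author's script. Assumptions: /etc/ddos/cf.env
# (hypothetical, chmod 600, root-owned) exports CF_API_TOKEN, a scoped API token
# limited to editing this zone's settings, and CF_ZONE_ID.
[ -r /etc/ddos/cf.env ] && . /etc/ddos/cf.env
HIGH=6.00   # enable above this 1-minute load (threshold from the thread)
LOW=4.00    # disable below this load (threshold from the thread)
API="https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID:-}/settings/security_level"

# decide LOAD CURRENT_LEVEL: print the level to set, or "none" for no API write.
decide() {
  awk -v l="$1" -v cur="$2" -v hi="$HIGH" -v lo="$LOW" 'BEGIN {
    if (l + 0 > hi + 0 && cur != "under_attack") print "under_attack"
    else if (l + 0 < lo + 0 && cur == "under_attack") print "medium"
    else print "none"
  }'
}

# Pull result.value out of the API's JSON reply on stdin (no jq needed).
parse_level() {
  sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

get_level() {
  curl -sf -H "Authorization: Bearer ${CF_API_TOKEN}" "$API" | parse_level
}

set_level() {
  curl -sf -X PATCH "$API" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data "{\"value\":\"$1\"}" >/dev/null
}

main() {
  load=$(awk '{print $1}' /proc/loadavg)
  current=$(get_level)
  [ -n "$current" ] || return 1          # API or auth failure: change nothing
  target=$(decide "$load" "$current")
  [ "$target" = "none" ] && return 0     # already in the right state
  set_level "$target" && logger -t cf-uam "load=$load $current -> $target"
}

# Only talk to the API when credentials are configured.
if [ -n "${CF_API_TOKEN:-}" ] && [ -n "${CF_ZONE_ID:-}" ]; then main; fi
```

One cron entry running this script replaces the separate enable and disable jobs: each run does a single read, and a write happens only on a state change. Loads between 4.00 and 6.00 leave the current level untouched, so the mode does not flap.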
     
  6. rdan

    rdan Well-Known Member

    No idea :D.
    I ditched Cloudflare and use pure OVH.
    I only use Cloudflare as a subdomain CDN now.
     
  7. eva2000

    eva2000 Administrator Staff Member

    55,223
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    8:30 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Asked Cloudflare support?
     
  8. pamamolf

    pamamolf Premium Member Premium Member

    Not yet, but I will :)

    I post here as they are very slow at tickets :)
     
  9. rdan

    rdan Well-Known Member

    Especially on Pro and Free plan :D.
     
  10. pamamolf

    pamamolf Premium Member Premium Member

    First time I got a response so fast, as usually they need 2-3 days :)

    So just to let you know:

     
    Last edited: Sep 22, 2017
  11. Jon Snow

    Jon Snow Active Member

    855
    172
    43
    Jun 30, 2017
    Ratings:
    +261
    Local Time:
    7:30 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    Aren't you at risk of getting ddos'd?
     
  12. rdan

    rdan Well-Known Member

    OVH + CSF + Nginx Limit Req/Conn are more than Cloudflare protection :).
     
  13. Jon Snow

    Jon Snow Active Member

    Is there any guide you recommend for Nginx Limit Req/Conn? Willing to give it a try.

    @pamamolf What do you think about using this as an alternative to Cloudflare? Would you ever consider it?
     
  14. pamamolf

    pamamolf Premium Member Premium Member

    Cloudflare will help a lot for layer 7 (domain) attacks. OVH is good also and will protect against the IP-based attacks.

    But in the end there are a few more options like fail2ban that you must try and see what is better for your case....
     
  15. rdan

    rdan Well-Known Member

    I just set Limit_conn on PHP.conf.

    Limit_req is tricky to implement.

    Only on Business plan and Above.
    Pro and Free plan don't have that protection.
     
  16. pamamolf

    pamamolf Premium Member Premium Member

    I use PRO and when I had an attack I enabled the protection and it was working fine .... but higher plans should be much better :)
     
  17. rdan

    rdan Well-Known Member

    You mean I'm Under Attack mode?
    It can be easily bypassed by some DDoS tool :D.
     
  18. pamamolf

    pamamolf Premium Member Premium Member

    Yes, I know :)
     
  19. Thiplol

    Thiplol New Member

    2
    0
    1
    Apr 15, 2019
    Ratings:
    +0
    Local Time:
    12:30 PM
    Hi dude, since this post is relatively high on Google and the world changes fast, have there been any updates since 2017? Any other things that we should enable or disable?
     
  20. pamamolf

    pamamolf Premium Member Premium Member

    2019 - We must use specific DDoS protection providers, as it seems software solutions may not be the best solution ...
    But that's my opinion....