Enable and Disable Cloudflare "I am under attack mode" automated

Hello

I think this tutorial will be very helpful for Centminmod users that use Cloudflare.
It is a way to automatically check for server load and enable or disable Cloudflare "I am under attack mode".

Only curl will be needed to work:

mkdir /etc/ddos
nano /etc/ddos/ddos.sh

add there:

Code:

#!/bin/bash
trigger=6.00
load=`cat /proc/loadavg | awk '{print $1}'`
response=`echo | awk -v T=$trigger -v L=$load 'BEGIN{if ( L > T){ print "greater"}}'`
if [[ $response = "greater" ]]
then
/etc/ddos/attack.sh | mail -s "Cloudflare I am under attack mode enabled" youremail@gmail.com
fi

That will check the server load and put it at the ddos.ini file and then if the server load is between 0.00 and 6.00 it will do nothing but if the load is higher for example 7.00 it will run the script attack.sh that will enable the "I am under attack mode".

nano /etc/ddos/attack.sh

add there:

Code:

curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/settings/security_level" \
     -H "X-Auth-Email: user@example.com" \
     -H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
     -H "Content-Type: application/json" \
     --data '{"value":"under_attack"}'

Replace your cloudflare email and your API global api key (they are located at -> My account option to right) and the zones key (you will find it at the main page of the domain at Cloudflare.

---

nano /etc/ddos/unblock.sh

add there:

Code:

#!/bin/bash
trigger=4.00
load=`cat /proc/loadavg | awk '{print $1}'`
response=`echo | awk -v T=$trigger -v L=$load 'BEGIN{if ( L < T){ print "lower"}}'`
if [[ $response = "lower" ]]
then
/etc/ddos/noattack.sh | mail -s "Cloudflare I am under attack mode disabled" youremail@gmail.com
fi

That will check the server load and put it at the ddos.ini file and then if the server load is between 0.00 and 4.00 it will run the script noattack.sh that will disable the "I am under attack mode".

nano /etc/ddos/noattack.sh

add there:

Code:

curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/settings/security_level" \
     -H "X-Auth-Email: user@example.com" \
     -H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
     -H "Content-Type: application/json" \
     --data '{"value":"medium"}'

Replace your cloudflare email and your API global api key (they are located at -> My account option to right) and the zones key (you will find it at the main page of the domain at Cloudflare.

Code:

chmod +x /etc/ddos/ddos.sh
chmod +x /etc/ddos/attack.sh
chmod +x /etc/ddos/unblock.sh
chmod +x /etc/ddos/noattack.sh

Add also some cronjobs like:

Code:

* * * * * sleep 30; /etc/ddos/ddos.sh
0 * * * * /etc/ddos/unblock.sh

Thank you

 

Ok i update my topic and all working now !

 

Wondering if the check routine can be better.....

And one very important check if George or anyone can implement to check first if "I am under attack mode" is enabled before it tries to send again the same rule that already exist?

Wondering also if there is any Cloudflare API limitations for requests as the script may try to send the "I am under attack mode" every 30 sec .... Is that allowed on the Cloudflare API?



Thank you

 

Ops yes it is the same....

What I notice is that sometimes you must run nprestart to work properly for the I am under attack mode and adding that on the script is easy.

The problem is that we must have a check to not run it always after the 1 minute check...

Any ideas on how we can do that?

 

Not yet but i will

I post here as they are very slow at tickets

 

First time i got a response so fast as usually they need 2-3 days

So just to let you know :

 

Cloudflare will help a lot for layer 7 (domain) attacks. OVH is good also and will protect the ip based attacks.

But at the end there’s a few more options like fail2ban that you must try and see what is better for your case....

 

I use PRO and when i had a attack i enable the protection and was working fine .... but higher plans should be much better

 

Yes i know

 

2019 - We must use specific Ddos protection providers as it seems software solutions may not be the best solution ...
But that's my opinion....