
Enable and Disable Cloudflare "I am under attack mode" automated

Discussion in 'Centmin Mod User Tutorials & Guides' started by pamamolf, Sep 21, 2017 at 10:45 AM.

  1. pamamolf (Well-Known Member)
    Hello :)

    I think this tutorial will be very helpful for Centminmod users that use Cloudflare.
    It is a way to automatically check for server load and enable or disable Cloudflare "I am under attack mode".

    Only curl will be needed to work:

    mkdir /etc/ddos
    nano /etc/ddos/ddos.sh

    add there:
    Code:
    #!/bin/bash
    # Enable "I am under attack mode" once the 1-minute load average exceeds the trigger
    trigger=6.00
    load=$(awk '{print $1}' /proc/loadavg)
    response=$(awk -v T="$trigger" -v L="$load" 'BEGIN{ if (L > T) print "greater" }')
    if [[ $response = "greater" ]]
    then
        /etc/ddos/attack.sh | mail -s "Cloudflare I am under attack mode enabled" youremail@gmail.com
    fi
    That will check the server load and put it in the ddos.ini file, and then if the server load is between 0.00 and 6.00 it will do nothing, but if the load is higher, for example 7.00, it will run the script attack.sh that will enable the "I am under attack mode".

    nano /etc/ddos/attack.sh

    add there:
    Code:
    #!/bin/bash
    # Set the zone's security level to "under_attack" (zone id, email and key below are Cloudflare's documentation examples; replace them)
    curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/settings/security_level" \
         -H "X-Auth-Email: user@example.com" \
         -H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
         -H "Content-Type: application/json" \
         --data '{"value":"under_attack"}'
    Replace your Cloudflare email and your global API key (they are located at -> My account option to the right) and the zone key (you will find it on the main page of the domain at Cloudflare).


    nano /etc/ddos/unblock.sh

    add there:
    Code:
    #!/bin/bash
    # Disable "I am under attack mode" once the 1-minute load average drops below the trigger
    trigger=4.00
    load=$(awk '{print $1}' /proc/loadavg)
    response=$(awk -v T="$trigger" -v L="$load" 'BEGIN{ if (L < T) print "lower" }')
    if [[ $response = "lower" ]]
    then
        /etc/ddos/noattack.sh | mail -s "Cloudflare I am under attack mode disabled" youremail@gmail.com
    fi
    That will check the server load and put it in the ddos.ini file, and then if the server load is between 0.00 and 4.00 it will run the script noattack.sh that will disable the "I am under attack mode".

    nano /etc/ddos/noattack.sh

    add there:
    Code:
    #!/bin/bash
    # Set the zone's security level back to "medium" (zone id, email and key below are Cloudflare's documentation examples; replace them)
    curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/settings/security_level" \
         -H "X-Auth-Email: user@example.com" \
         -H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
         -H "Content-Type: application/json" \
         --data '{"value":"medium"}'
    Replace your Cloudflare email and your global API key (they are located at -> My account option to the right) and the zone key (you will find it on the main page of the domain at Cloudflare).

    Code:
    chmod +x /etc/ddos/ddos.sh
    chmod +x /etc/ddos/attack.sh
    chmod +x /etc/ddos/unblock.sh
    chmod +x /etc/ddos/noattack.sh
    Also add some cronjobs like:
    Code:
    * * * * * sleep 30; /etc/ddos/ddos.sh
    0 * * * * /etc/ddos/unblock.sh

    Thank you
     
    Last edited: Sep 21, 2017 at 11:52 AM
  2. pamamolf (Well-Known Member)
    Ok, I updated my topic and all is working now!
     
    Last edited: Sep 21, 2017 at 11:53 AM
  3. pamamolf (Well-Known Member)
    Wondering if the check routine can be better.....

    And one very important check, if George or anyone can implement it: check first whether "I am under attack mode" is already enabled before it tries to send again the same rule that already exists?

    Wondering also if there are any Cloudflare API limitations for requests, as the script may try to send the "I am under attack mode" every 30 sec.... Is that allowed on the Cloudflare API?



    Thank you
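    A state-aware version of the first post's scripts, added here as an example and not pamamolf's code: it reads the current security level (from a cache file, or with a GET to the same Cloudflare settings endpoint) and sends the PATCH only when the level actually needs to change, which is the check asked for above and also keeps the API call count down. The zone id, email, API key and mail address are placeholders; the GET/PATCH endpoint shape and the cron path are assumptions.

```bash
#!/bin/bash
# Added example (not pamamolf's scripts): one state-aware toggle replacing
# ddos.sh/unblock.sh. It PATCHes Cloudflare only when the wanted level differs
# from the current one, so a 30-second cron never resends the same setting.
# Assumed: Cloudflare v4 GET/PATCH .../settings/security_level; CF_ZONE, CF_EMAIL,
# CF_KEY and MAIL_TO are placeholders you must fill in.
CF_ZONE="${CF_ZONE:-YOUR_ZONE_ID}"
CF_EMAIL="${CF_EMAIL:-user@example.com}"
CF_KEY="${CF_KEY:-YOUR_GLOBAL_API_KEY}"
MAIL_TO="${MAIL_TO:-youremail@example.com}"
HIGH=6.00       # enable under_attack when the 1-minute load exceeds this
LOW=4.00        # return to NORMAL only when load drops below this
NORMAL=medium   # the HIGH..LOW gap is the hysteresis band, so no flapping
STATE_FILE=/etc/ddos/security_level   # cache of the last level we set
API="https://api.cloudflare.com/client/v4/zones/$CF_ZONE/settings/security_level"

# decide <current_level> <load> <high> <low>: prints the level to set, or "none"
decide() {
  awk -v cur="$1" -v L="$2" -v H="$3" -v LO="$4" -v N="$NORMAL" 'BEGIN {
    if (L > H && cur != "under_attack") print "under_attack";
    else if (L < LO && cur == "under_attack") print N;
    else print "none" }'
}

cf_api() {   # cf_api <METHOD> [extra curl args]: prints the "value" field only
  local method=$1; shift
  curl -s -X "$method" "$API" -H "X-Auth-Email: $CF_EMAIL" \
    -H "X-Auth-Key: $CF_KEY" -H "Content-Type: application/json" "$@" |
    sed -n 's/.*"value":"\([a-z_]*\)".*/\1/p'
}

current_level() {   # cached level if present, else one GET, then cache it
  if [ -r "$STATE_FILE" ]; then cat "$STATE_FILE"; return; fi
  cf_api GET | tee "$STATE_FILE"
}

main() {
  local load cur new got
  load=$(awk '{print $1}' /proc/loadavg)
  cur=$(current_level)
  new=$(decide "$cur" "$load" "$HIGH" "$LOW")
  [ "$new" = "none" ] && return 0
  got=$(cf_api PATCH --data "{\"value\":\"$new\"}")   # trust the echoed value
  [ "$got" = "$new" ] || { echo "PATCH failed at load $load" >&2; return 1; }
  echo "$new" > "$STATE_FILE"
  echo "load $load: security_level $cur -> $new" | mail -s "Cloudflare security_level now $new" "$MAIL_TO"
}

# Cron: "* * * * * /etc/ddos/cf-toggle.sh run"; without "run" only the functions load.
if [ "${1:-}" = "run" ]; then main; fi
```

    With this in place a single cron line replaces both ddos.sh and unblock.sh, and the mail is sent only on a real transition.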
     
  4. RoldanLT (Well-Known Member)
  5. pamamolf (Well-Known Member)
    Oops, yes it is the same....

    What I notice is that sometimes you must run nprestart for the I am under attack mode to work properly, and adding that to the script is easy.

    The problem is that we must have a check so it does not always run after the 1-minute check...

    Any ideas on how we can do that?
     
  6. RoldanLT (Well-Known Member)
    No idea :D.
    I ditched Cloudflare and use pure OVH.
    I only use Cloudflare as a sub domain CDN now.
     
  7. eva2000 (Administrator, Staff Member)
    Asked Cloudflare support?
     
  8. pamamolf (Well-Known Member)
    Not yet, but I will :)

    I post here as they are very slow with tickets :)
     
  9. RoldanLT (Well-Known Member)
    Especially on the Pro and Free plans :D.
     
  10. pamamolf (Well-Known Member)
    First time I got a response so fast, as usually they need 2-3 days :)

    So just to let you know :

     
    Last edited: Sep 22, 2017 at 9:55 AM
  11. Jon Snow (Member)
    Aren't you at risk of getting ddos'd?
     
  12. RoldanLT (Well-Known Member)
    OVH + CSF + Nginx Limit Req/Conn are more than Cloudflare protection :).
     
  13. Jon Snow (Member)
    Is there any guide you recommend for Nginx Limit Req/Conn? Willing to give it a try.

    @pamamolf What do you think about using this as an alternative to Cloudflare? Would you ever consider it?
     
  14. pamamolf (Well-Known Member)
    Cloudflare will help a lot for layer 7 (domain) attacks. OVH is good also and will protect against the IP-based attacks.

    But in the end there are a few more options, like fail2ban, that you must try and see what is better for your case....