Enable and Disable Cloudflare "I am under attack mode" automated

Discussion in 'Centmin Mod User Tutorials & Guides' started by pamamolf, Sep 21, 2017.

  1. pamamolf

    pamamolf Well-Known Member

    2,778
    245
    63
    May 31, 2014
    Ratings:
    +437
    Local Time:
    12:06 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Hello :)

    I think this tutorial will be very helpful for Centminmod users that use Cloudflare.
    It is a way to automatically check for server load and enable or disable Cloudflare "I am under attack mode".

    Only curl will be needed to work:

    mkdir /etc/ddos
    nano /etc/ddos/ddos.sh

    add there:
    Code:
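    #!/bin/bash
    # Enable "I am under attack mode" when the 1-minute load average exceeds the trigger.
    trigger=6.00
    # The first field of /proc/loadavg is the 1-minute load average.
    load=$(awk '{print $1}' /proc/loadavg)
    # bash cannot compare decimals, so awk does the comparison.
    response=$(awk -v T="$trigger" -v L="$load" 'BEGIN{if (L > T) print "greater"}')
    if [[ $response = "greater" ]]
    then
        /etc/ddos/attack.sh | mail -s "Cloudflare I am under attack mode enabled" youremail@gmail.com
    fi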
    That will check the server load and put it in the ddos.ini file; then, if the server load is between 0.00 and 6.00, it will do nothing, but if the load is higher, for example 7.00, it will run the script attack.sh, which will enable the "I am under attack mode".

    nano /etc/ddos/attack.sh

    add there:
    Code:
    #!/bin/bash
    # Set the zone's security level to under_attack through the Cloudflare v4 API.
    curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/settings/security_level" \
         -H "X-Auth-Email: user@example.com" \
         -H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
         -H "Content-Type: application/json" \
         --data '{"value":"under_attack"}'
    Replace your Cloudflare email and your global API key (they are located at -> My account option to the right) and the zones key (you will find it on the main page of the domain at Cloudflare).


    nano /etc/ddos/unblock.sh

    add there:
    Code:
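    #!/bin/bash
    # Disable "I am under attack mode" when the 1-minute load average drops below the trigger.
    trigger=4.00
    # The first field of /proc/loadavg is the 1-minute load average.
    load=$(awk '{print $1}' /proc/loadavg)
    # bash cannot compare decimals, so awk does the comparison.
    response=$(awk -v T="$trigger" -v L="$load" 'BEGIN{if (L < T) print "lower"}')
    if [[ $response = "lower" ]]
    then
        /etc/ddos/noattack.sh | mail -s "Cloudflare I am under attack mode disabled" youremail@gmail.com
    fi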
    That will check the server load and put it in the ddos.ini file; then, if the server load is between 0.00 and 4.00, it will run the script noattack.sh, which will disable the "I am under attack mode".

    nano /etc/ddos/noattack.sh

    add there:
    Code:
    #!/bin/bash
    # Set the zone's security level back to medium through the Cloudflare v4 API.
    curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/settings/security_level" \
         -H "X-Auth-Email: user@example.com" \
         -H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
         -H "Content-Type: application/json" \
         --data '{"value":"medium"}'
    Replace your Cloudflare email and your global API key (they are located at -> My account option to the right) and the zones key (you will find it on the main page of the domain at Cloudflare).

    Code:
    chmod +x /etc/ddos/ddos.sh
    chmod +x /etc/ddos/attack.sh
    chmod +x /etc/ddos/unblock.sh
    chmod +x /etc/ddos/noattack.sh
    Add also some cronjobs like:
    Code:
    * * * * * sleep 30; /etc/ddos/ddos.sh
    0 * * * * /etc/ddos/unblock.sh

    Thank you
     
    Last edited: Sep 21, 2017
  2. pamamolf

    OK, I updated my topic and all is working now!
     
    Last edited: Sep 21, 2017
  3. pamamolf

    Wondering if the check routine can be better.....

    And one very important check, if George or anyone can implement it: to check first if "I am under attack mode" is enabled before it tries to send again the same rule that already exists?

    Wondering also if there is any Cloudflare API limitations for requests as the script may try to send the "I am under attack mode" every 30 sec .... Is that allowed on the Cloudflare API?



    Thank you
     
  4. RoldanLT

    RoldanLT Well-Known Member

    3,940
    962
    113
    May 25, 2014
    Philippines
    Ratings:
    +1,315
    Local Time:
    6:06 AM
    1.11
    10.2
  5. pamamolf

    Oops, yes, it is the same....

    What I notice is that sometimes you must run nprestart to work properly for the I am under attack mode and adding that on the script is easy.

    The problem is that we must have a check to not run it always after the 1 minute check...

    Any ideas on how we can do that?
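
One way to do the check asked about in posts 3 and 5, as an added example that is not part of the thread: read the current security level with a GET on the same endpoint and send a PATCH only when the load calls for a different level. The file `/etc/ddos/cf.conf`, the script name `cf-level.sh` and the function names are assumptions made for this sketch; keeping the key in a root-only file also keeps it out of world-readable scripts.

```shell
#!/bin/bash
# Added example, not from the thread. Assumed: /etc/ddos/cf.conf (mode 600,
# root-owned) sets CF_ZONE, CF_EMAIL and CF_KEY; function names are illustrative.
# Cron (one entry instead of two): * * * * * /etc/ddos/cf-level.sh run

API="https://api.cloudflare.com/client/v4/zones"

# Pull result.value out of the settings JSON without needing jq.
parse_level() {
    printf '%s\n' "$1" |
        sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([a-z_]*\)".*/\1/p' | head -n 1
}

# decide LOAD CURRENT [HIGH] [LOW] -> prints the level to set, or "none".
# Between LOW and HIGH nothing changes (hysteresis), so the mode does not flap,
# and a level that is already correct never triggers another request.
decide() {
    awk -v l="$1" -v cur="$2" -v hi="${3:-6.00}" -v lo="${4:-4.00}" 'BEGIN {
        if (l > hi && cur != "under_attack")      print "under_attack"
        else if (l < lo && cur == "under_attack") print "medium"
        else                                      print "none"
    }'
}

# cf_api METHOD [JSON_BODY]: same endpoint and headers as the thread's scripts.
cf_api() {
    curl -s -X "$1" "$API/$CF_ZONE/settings/security_level" \
         -H "X-Auth-Email: $CF_EMAIL" -H "X-Auth-Key: $CF_KEY" \
         -H "Content-Type: application/json" ${2:+--data "$2"}
}

main() {
    . /etc/ddos/cf.conf || exit 1
    load=$(awk '{print $1}' /proc/loadavg)
    current=$(parse_level "$(cf_api GET)")
    [ -n "$current" ] || { echo "could not read current level" >&2; exit 1; }
    want=$(decide "$load" "$current")
    [ "$want" = none ] && exit 0   # state already correct: no PATCH, no mail
    cf_api PATCH "{\"value\":\"$want\"}"   # response is printed, so cron mails it
}

# Only touch the network when invoked as: cf-level.sh run
if [ "${1:-}" = run ]; then main; fi
```

Because `decide` returns to `medium` only from `under_attack`, a level set by hand (for example `high`) is left alone when the load is low.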
     
  6. RoldanLT

    No idea :D.
    I ditched Cloudflare and use pure OVH.
    I only use Cloudflare as a subdomain CDN now.
     
  7. eva2000

    eva2000 Administrator Staff Member

    30,631
    6,862
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,308
    Local Time:
    8:06 AM
    Nginx 1.13.x
    MariaDB 5.5
    Asked Cloudflare support?
     
  8. pamamolf

    Not yet, but I will :)

    I posted here as they are very slow at tickets :)
     
  9. RoldanLT

    Especially on the Pro and Free plans :D.
     
  10. pamamolf

    First time I got a response so fast, as usually they need 2-3 days :)

    So just to let you know :

     
    Last edited: Sep 22, 2017
  11. Jon Snow

    Jon Snow Active Member

    191
    27
    28
    Jun 30, 2017
    Ratings:
    +32
    Local Time:
    6:06 PM
    Nginx 1.13.4
    MariaDB 10.1.26
    Aren't you at risk of getting ddos'd?
     
  12. RoldanLT

    OVH + CSF + Nginx Limit Req/Conn are more than Cloudflare protection :).
     
  13. Jon Snow

    Is there any guide you recommend for Nginx Limit Req/Conn? Willing to give it a try.

    @pamamolf What do you think about using this as an alternative to Cloudflare? Would you ever consider it?
     
  14. pamamolf

    Cloudflare will help a lot for layer 7 (domain) attacks. OVH is good also and will protect against the IP-based attacks.

    But in the end there are a few more options, like fail2ban, that you must try to see what is better for your case....
     
  15. RoldanLT

    I just set Limit_conn on PHP.conf.

    Limit_req is tricky to implement.

    Only on Business plan and Above.
    Pro and Free plan don't have that protection.
     
  16. pamamolf

    I use PRO, and when I had an attack I enabled the protection and it was working fine .... but higher plans should be much better :)
     
  17. RoldanLT

    You mean I'm Under Attack mode?
    It can be easily bypassed by some DDoS tool :D.
     
  18. pamamolf

    Yes, I know :)