
Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

Discussion in 'System Administration' started by eva2000, May 12, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    47,474
    10,760
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,718
    Local Time:
    12:14 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    k will disable by default, and let users decide if they want it :)

     
  2. pamamolf

    pamamolf Premium Member Premium Member

    3,950
    402
    83
    May 31, 2014
    Ratings:
    +782
    Local Time:
    4:14 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    The:
    Code:
    [nginx-req-limit-repeat]
    [nginx-conn-limit]
    [phpmyadmin-cmm]
    [wordpress-comment]
    [wordpress-pingback-repeat]
    [wordpress-fail2ban-plugin]
    don't have the option:

    Code:
    action   = cloudflare
    is that normal?
     
  3. eva2000

    eva2000 Administrator Staff Member

  4. pamamolf

    pamamolf Premium Member Premium Member

    As there was no ip bans at Cloudflare now :)

    I add my cloudflare email and the Global API Key and i am testing :)

    Also on your instructions you have:

    Code:
    https://www.cloudflare.com/a/account/my-account
    but the Global API key is not located there ....

    It is here:

    Code:
    https://www.cloudflare.com/a/profile
     
  5. eva2000

    eva2000 Administrator Staff Member

    ah it has changed urls !
     
  6. pamamolf

    pamamolf Premium Member Premium Member

    It seems to work as i can see here:

    Code:
    nginx-req-limit parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Sun Aug 20 09:29:09 UTC 2017
    Status for the jail: nginx-req-limit
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     397
    |  `- File list:        /home/nginx/domains/mydomain.com/log/error.log
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1

    But there is no entry at Cloudflare :(

    I just edit the cloudflare conf file and i add my Cloudflare email at cfuser and my Global API key at cftoken and then i restart csf and fail2ban......

    I did also the latest fix edits that you just add for the missing lines.....

    Don't know if they change anything related and is not working .... maybe something in the API?
     
    Last edited: Aug 21, 2017
  7. pamamolf

    pamamolf Premium Member Premium Member

    Can you please verify that it works now?
     
  8. eva2000

    eva2000 Administrator Staff Member

    if you update fail2ban.sh first via git pull and re-run install should properly update everything first i.e.
    Code (Text):
    cd /root/tools/centminmod-fail2ban
    git stash
    git pull
    ./fail2ban.sh install
    

    then make edits to switch action = cloudflare in jail.local
     
  9. eva2000

    eva2000 Administrator Staff Member

    works for me just tested with updated fail2ban.sh with csf firewall default blocking as well as with cloudflare v4 api blocking

    cloudflare api based blocking showed my attacking IP blocked in cloudflare firewall 149.xxx.xxx.xxx IP labelled as Fail2ban

    upload_2017-8-21_22-19-29.png

    Cloudflare API configured fail2ban.sh setup and testing nginx-req-limit fail2ban jail via siege benchmark = 503 status requests

    Code (Text):
    siege -b -c2 -r5 "http://domain.com/wp-login.php"
    ** SIEGE 4.0.2
    ** Preparing 2 concurrent users for battle.
    The server is now under siege...
    HTTP/1.1 200     0.67 secs:    7085 bytes ==> GET  /wp-login.php
    HTTP/1.1 200     0.67 secs:    7085 bytes ==> GET  /wp-login.php
    HTTP/1.1 200     0.48 secs:  100250 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.7.5
    HTTP/1.1 200     0.52 secs:  100250 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.7.5
    HTTP/1.1 503     0.23 secs:    1665 bytes ==> GET  /wp-login.php
    HTTP/1.1 503     0.24 secs:    1665 bytes ==> GET  /wp-login.php
    HTTP/1.1 503     0.56 secs:    1665 bytes ==> GET  /wp-login.php
    HTTP/1.1 200     0.51 secs:    7084 bytes ==> GET  /wp-login.php
    HTTP/1.1 503     0.47 secs:    1665 bytes ==> GET  /wp-login.php
    HTTP/1.1 200     0.48 secs:  100250 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.7.5
    HTTP/1.1 503     0.47 secs:    1665 bytes ==> GET  /wp-login.php
    HTTP/1.1 503     0.24 secs:    1665 bytes ==> GET  /wp-login.php
    HTTP/1.1 503     0.24 secs:    1665 bytes ==> GET  /wp-login.php
    
    Transactions:                      6 hits
    Availability:                  46.15 %
    Elapsed time:                   2.89 secs
    Data transferred:               0.32 MB
    Response time:                  0.96 secs
    Transaction rate:               2.08 trans/sec
    Throughput:                     0.11 MB/sec
    Concurrency:                    2.00
    Successful transactions:           6
    Failed transactions:               7
    Longest transaction:            0.67
    Shortest transaction:           0.23
    

    fail2ban.sh status
    Code (Text):
    ./fail2ban.sh status
    ---------------------------------------
    nginx-auth parameters:
    maxretry: 3 findtime: 600 bantime: 3600
    allow rate: 288 hits/day
    filter last modified: Mon Aug 21 12:03:19 UTC 2017
    Status for the jail: nginx-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/acme.domain.com/log/access.log /home/nginx/domains/domain1.com/log/access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-auth-main parameters:
    maxretry: 3 findtime: 600 bantime: 3600
    allow rate: 288 hits/day
    filter last modified: Mon Aug 21 12:03:17 UTC 2017
    Status for the jail: nginx-auth-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-badrequests parameters:
    maxretry: 1 findtime: 600 bantime: 604800
    allow rate: 144 hits/day
    filter last modified: Mon Aug 21 12:03:25 UTC 2017
    Status for the jail: nginx-badrequests
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/acme.domain.com/log/access.log /home/nginx/domains/domain1.com/log/access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-botsearch parameters:
    maxretry: 2 findtime: 600 bantime: 600
    allow rate: 144 hits/day
    filter last modified: Mon Aug 21 12:03:26 UTC 2017
    Status for the jail: nginx-botsearch
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/acme.domain.com/log/access.log /home/nginx/domains/domain1.com/log/access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-common parameters:
    maxretry: 1 findtime: 43200 bantime: 604800
    allow rate: 2 hits/day
    filter last modified: Mon Aug 21 12:03:20 UTC 2017
    Status for the jail: nginx-common
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /var/log/nginx/localhost_ssl.access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/acme.domain.com/log/access.log /home/nginx/domains/domain1.com/log/access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-conn-limit parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Mon Aug 21 12:03:27 UTC 2017
    Status for the jail: nginx-conn-limit
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/demodomain.com/log/error.log /home/nginx/domains/domain1.com/log/error.log /home/nginx/domains/acme.domain.com/log/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-req-limit parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Mon Aug 21 12:03:31 UTC 2017
    Status for the jail: nginx-req-limit
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     7
    |  `- File list:        /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/demodomain.com/log/error.log /home/nginx/domains/domain1.com/log/error.log /home/nginx/domains/acme.domain.com/log/error.log
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   149.xxx.xxx.xxx
    ---------------------------------------
    nginx-req-limit-main parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Mon Aug 21 12:03:29 UTC 2017
    Status for the jail: nginx-req-limit-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-req-limit-repeat parameters:
    maxretry: 5 findtime: 21600 bantime: 259200
    allow rate: 16 hits/day
    filter last modified: Mon Aug 21 12:03:32 UTC 2017
    Status for the jail: nginx-req-limit-repeat
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     1
    |  `- File list:        /var/log/fail2ban.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-xmlrpc parameters:
    maxretry: 6 findtime: 60 bantime: 600
    allow rate: 7200 hits/day
    filter last modified: Mon Aug 21 12:03:34 UTC 2017
    Status for the jail: nginx-xmlrpc
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/acme.domain.com/log/access.log /home/nginx/domains/domain1.com/log/access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    shells parameters:
    maxretry: 1 findtime: 86400 bantime: 604800
    allow rate: 1 hits/day
    filter last modified: Mon Aug 21 12:03:49 UTC 2017
    Status for the jail: shells
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /var/log/nginx/localhost_ssl.access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/acme.domain.com/log/access.log /home/nginx/domains/domain1.com/log/access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    vbulletin parameters:
    maxretry: 3 findtime: 60 bantime: 28800
    allow rate: 2880 hits/day
    filter last modified: Mon Aug 21 12:03:38 UTC 2017
    Status for the jail: vbulletin
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/acme.domain.com/log/access.log /home/nginx/domains/domain1.com/log/access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-auth parameters:
    maxretry: 3 findtime: 60 bantime: 600
    allow rate: 2880 hits/day
    filter last modified: Mon Aug 21 12:03:39 UTC 2017
    Status for the jail: wordpress-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/acme.domain.com/log/access.log /home/nginx/domains/domain1.com/log/access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-comment parameters:
    maxretry: 5 findtime: 60 bantime: 3600
    allow rate: 5760 hits/day
    filter last modified: Mon Aug 21 12:03:40 UTC 2017
    Status for the jail: wordpress-comment
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/acme.domain.com/log/access.log /home/nginx/domains/domain1.com/log/access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-fail2ban-plugin parameters:
    maxretry: 1 findtime: 7200 bantime: 259200
    allow rate: 12 hits/day
    filter last modified: Mon Aug 21 12:03:48 UTC 2017
    Status for the jail: wordpress-fail2ban-plugin
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/secure /var/log/auth.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-pingback parameters:
    maxretry: 1 findtime: 1 bantime: 86400
    allow rate: 1 hits/day
    filter last modified: Mon Aug 21 12:03:41 UTC 2017
    Status for the jail: wordpress-pingback
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/domain.com/log/access.log /home/nginx/domains/acme.domain.com/log/access.log /home/nginx/domains/domain1.com/log/access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-pingback-repeat parameters:
    maxretry: 5 findtime: 21600 bantime: 259200
    allow rate: 16 hits/day
    filter last modified: Mon Aug 21 12:03:43 UTC 2017
    Status for the jail: wordpress-pingback-repeat
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/fail2ban.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    

    Code (Text):
    ---------------------------------------
    All Time: Top 10 Banned IP Addresses:
         18 104.xxx.xxx.xxx [wordpress-pingback]
          4 149.xxx.xxx.xxx [nginx-req-limit]
          3 149.xxx.xxx.xxx [wordpress-auth]
          2 91.xxx.xxx.xxx [nginx-common]
          2 45.xxx.xxx.xxx [wordpress-pingback]
          2 149.xxx.xxx.xxx [nginx-get-f5]
          2 149.xxx.xxx.xxx [nginx-badrequests]
    ---------------------------------------
    All Time: Top 10 Restored Banned IP Addresses:
         50 104.xxx.xxx.xxx [wordpress-pingback]
          6 45.xxx.xxx.xxx [wordpress-pingback]
    ---------------------------------------
    Yesterday: Top 10 Banned IP Addresses:
    ---------------------------------------
    Yesterday: Top 10 Restored Banned IP Addresses:
    ---------------------------------------
    Today: Top 10 Banned IP Addresses:
          2 149.xxx.xxx.xxx [nginx-req-limit]
          1 149.xxx.xxx.xxx [wordpress-auth]
    ---------------------------------------
    Today: Top 10 Restored Banned IP Addresses:
    ---------------------------------------
    1 hr ago: Top 10 Banned IP Addresses:
    ---------------------------------------
    1 hr ago: Top 10 Restored Banned IP Addresses:
    ---------------------------------------
    

    and specific status output for nginx-req-limit jail
    Code (Text):
    ---------------------------------------
    nginx-req-limit parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Mon Aug 21 12:03:31 UTC 2017
    Status for the jail: nginx-req-limit
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     7
    |  `- File list:        /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/demodomain.com/log/error.log /home/nginx/domains/domain1.com/log/error.log /home/nginx/domains/acme.domain.com/log/error.log
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   149.xxx.xxx.xxx
    ---------------------------------------
    
     
  10. pamamolf

    pamamolf Premium Member Premium Member

    Thanks :)

    git pull gives me an error so i will try later:

    Code:
    fatal: unable to access 'https://github.com/centminmod/centminmod-fail2ban/': Failed to connect to github.com port 443: Connection timed out
    Code:
    https://raw.githubusercontent.com/centminmod/centminmod-fail2ban/master/action.d/csfdeny.conf:
    2017-08-21 14:20:26 ERROR 503: Backend is unhealthy.
    Also my browser can't open it .... i open it once after many seconds so i will try later :)

    Github status:

    Code:
    17:16 GTB Standard Time
    We continue to investigate connectivity problems affecting GitHub.com. 
     
    Last edited: Aug 22, 2017
  11. pamamolf

    pamamolf Premium Member Premium Member

    Ok i did with no errors:

    Code:
    cd /root/tools/centminmod-fail2ban
    git stash
    git pull
    ./fail2ban.sh install
    Then i change at /etc/fail2ban/jail.local all the csf deny with cloudflare:

    Code:
    #action = csfdeny[name=nginx-auth-main]
    action   = cloudflare
    Then i edit /root/tools/centminmod-fail2ban/action.d/cloudflare.conf and i add at the bottom my Cloudflare email and my Global API key.

    Is Global API key the correct key to use or may i need the CA origin API key?

    Then i restart fail2ban and try from another server:

    Code:
    siege -b -c3 -r200 http://testdomain.com/index.php
    And checking using:

    Code:
    fail2ban-client status nginx-req-limit
    I can see the server IP as banned at the bottom:

    Code:
    Banned IP list: remoteserveriphere
    Then i check at Cloudflare and is not there :(

    Access Rules: 0

    There is no log and no way to troubleshoot this :(
     
    Last edited: Aug 22, 2017
  12. eva2000

    eva2000 Administrator Staff Member

    For some simple troubleshooting steps for fail2ban jail testing, you can do a few things

    1. Enable debug logging instead of default info log level
    Code (Text):
    fail2ban-client get loglevel
    fail2ban-client set loglevel debug
    


    2. Then do test attacks against your fail2ban server for the jail config you want to test

    3. Then search the /var/log/fail2ban.log log and grep filter on the IP address of the attacking server for clues, escaping dots . with backslashes
    Code (Text):
    grep '149\.xxx\.xxx\.xxx' /var/log/fail2ban.log
    

    example output
    Code (Text):
    2017-08-21 15:02:10,728 fail2ban.filter         [2351]: INFO    [nginx-req-limit] Found 149.xxx.xxx.xxx - 2017-08-21 15:02:10
    2017-08-21 15:02:10,728 fail2ban.failmanager    [2351]: DEBUG   Total # of detected failures: 5. Current failures from 1 IPs (IP:count): 149.xxx.xxx.xxx:5
    2017-08-21 15:02:11,264 fail2ban.actions        [2351]: NOTICE  [nginx-req-limit] Ban 149.xxx.xxx.xxx
    2017-08-21 15:02:11,264 fail2ban.action         [2351]: DEBUG   csf -d 149.xxx.xxx.xxx Added by Fail2Ban for nginx-req-limit
    2017-08-21 15:02:11,269 fail2ban.filter         [2351]: DEBUG   Processing line with time:1503327731.0 and ip:149.xxx.xxx.xxx
    2017-08-21 15:02:11,269 fail2ban.filter         [2351]: INFO    [nginx-req-limit-repeat] Found 149.xxx.xxx.xxx - 2017-08-21 15:02:11
    2017-08-21 15:02:11,272 fail2ban.failmanager    [2351]: DEBUG   Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 149.xxx.xxx.xxx:1
    2017-08-21 15:02:12,249 fail2ban.utils          [2351]: DEBUG   25fee10 -- stdout: 'deny failed: 149.xxx.xxx.xxx is in the allow file /etc/csf/csf.allow'
    

    4. Then set log level back to info
    Code (Text):
    fail2ban-client get loglevel
    fail2ban-client set loglevel info
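
The log-reading step above, as an added example that is not part of the original post or of centminmod-fail2ban: a POSIX shell function that filters fail2ban.log for one exact IP and separates the ban decision from what the ban action printed. The field positions are assumed from the example output in this thread; `f2b_triage`, `sample_log` and the 203.0.113.x addresses are constructed.

```shell
#!/bin/sh
# Added example: triage fail2ban.log for one exact IP. Field positions are
# assumed from the example output in this thread; names are hypothetical.

# Usage: f2b_triage IP [LOGFILE]   (reads stdin when LOGFILE is omitted)
f2b_triage() {
  f2b_ip=$1
  shift
  awk -v ip="$f2b_ip" '
    # Exact-token match, so 203.0.113.7 does not also select 203.0.113.77
    # and no regex escaping of the dots is needed.
    function mentions(addr,   n, i, tok) {
      n = split($0, tok, /[^0-9.]+/)
      for (i = 1; i <= n; i++) if (tok[i] == addr) return 1
      return 0
    }
    # Join fields from..NF back into one string.
    function rest(from,   i, s) {
      s = $from
      for (i = from + 1; i <= NF; i++) s = s " " $i
      return s
    }
    !mentions(ip) { next }
    # Filter matched a log line for this IP.
    $3 == "fail2ban.filter"  && $7 == "Found" { found++; next }
    # Jail decided to ban: this is what "Currently banned" reflects.
    $3 == "fail2ban.actions" && $7 == "Ban"   { bans++; print "ban " $6; next }
    # Debug level only: the command the ban action executed.
    $3 == "fail2ban.action"                   { cmds++; print "cmd " rest(6); next }
    # Debug level only: what that command printed.
    $3 == "fail2ban.utils" && ($8 == "stdout:" || $8 == "stderr:") {
      outs++; print "out " rest(8)
    }
    END {
      printf "summary found=%d bans=%d commands=%d action_output=%d\n",
             found, bans, cmds, outs
    }
  ' "$@"
}

# Constructed sample modelled on the thread output (documentation IPs).
sample_log() {
  cat <<'EOF'
2017-08-21 15:02:10,728 fail2ban.filter         [2351]: INFO    [nginx-req-limit] Found 203.0.113.7 - 2017-08-21 15:02:10
2017-08-21 15:02:10,728 fail2ban.failmanager    [2351]: DEBUG   Total # of detected failures: 5. Current failures from 1 IPs (IP:count): 203.0.113.7:5
2017-08-21 15:02:11,264 fail2ban.actions        [2351]: NOTICE  [nginx-req-limit] Ban 203.0.113.7
2017-08-21 15:02:11,264 fail2ban.action         [2351]: DEBUG   csf -d 203.0.113.7 Added by Fail2Ban for nginx-req-limit
2017-08-21 15:02:11,300 fail2ban.actions        [2351]: NOTICE  [nginx-auth] Ban 203.0.113.77
2017-08-21 15:02:12,249 fail2ban.utils          [2351]: DEBUG   25fee10 -- stdout: 'deny failed: 203.0.113.7 is in the allow file /etc/csf/csf.allow'
EOF
}

sample_log | f2b_triage 203.0.113.7
```

Against the real log the call is `f2b_triage <ip> /var/log/fail2ban.log` while debug logging is on. A `ban` line together with an `out` line reporting a failure means fail2ban recorded the ban but the action did not apply it.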
    
     
  13. pamamolf

    pamamolf Premium Member Premium Member

    All look good !

    But for a reason the ban is not going to Cloudflare.....

    I change my API key and test again but nothing :(

    I try from another vps to attack on the test server and i got a ban as i can see using:

    Code:
    fail2ban-client status nginx-req-limit
    but it just not pushing the ban to Cloudflare :(
     
    Last edited: Aug 22, 2017
  14. eva2000

    eva2000 Administrator Staff Member

    maybe contact cloudflare to see if there's any issues with cloudflare v4 api for your keys ?
     
  15. pamamolf

    pamamolf Premium Member Premium Member

    maybe a space is the issue or something related?

    I use:

    Code:
    cfuser = myemail@hotmail.com
    cftoken = my37digitapikeyhere
    Ok i will contact them :)
     
  16. eva2000

    eva2000 Administrator Staff Member

    that's what i do too... maybe try doing manual curl command to cloudflare v4 api using the curl command listed in actionban at centminmod-fail2ban/cloudflare.conf at master · centminmod/centminmod-fail2ban · GitHub

    in ssh bash would be no spaces for assign bash variables
    Code (Text):
    cfuser=put-your-cloudflare-email-here
    cftoken=put-your-API-key-here
    ip=ipaddr
    curl -s -X POST "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
    -H "X-Auth-Email: $cfuser" \
    -H "X-Auth-Key: $cftoken" \
    -H "Content-Type: application/json" \
    --data '{"mode":"block","configuration":{"target":"ip","value":"$ip"},"notes":"Fail2Ban"}'
    
     
  17. pamamolf

    pamamolf Premium Member Premium Member

    Code:
    [18:46][root@server.testdomain.com ~]# cfuser=mycloudflareemail
    [18:46][root@server.testdomain.com ~]# cftoken=myapikey
    [18:46][root@server.testdomain.com ~]# ip=ipthatiwanttobanhere
    [18:47][root@server.testdomain.com ~]# curl -s -X POST "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
    > -H "X-Auth-Email: $cfuser" \
    > -H "X-Auth-Key: $cftoken" \
    > -H "Content-Type: application/json" \
    > --data '{"mode":"block","configuration":{"target":"ip","value":"$ip"},"notes":"Fail2Ban"}'
    {"success":false,"errors":[{"code":1001,"message":"Invalid request. Configuration value was not a valid IP address"}],"messages":[],"result":null}
    Configuration value was not a valid IP address
     
  18. eva2000

    eva2000 Administrator Staff Member

    try changing in command $ip to actual ip address
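
Why substituting the literal address works, as an added example that is not part of the thread or of centminmod-fail2ban: the shell does not expand variables inside single quotes, so the `--data` body above sends the text `$ip` as the address. The function names, the `CF_SEND` switch and the 203.0.113.7 address are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build the access-rule JSON body so the address variable
# is really expanded. Function names and CF_SEND are hypothetical.

# Body exactly as typed in the thread: single quotes keep "$ip" literal,
# so the API is handed the characters $ip instead of an address.
body_single_quoted() {
  printf '%s' '{"mode":"block","configuration":{"target":"ip","value":"$ip"},"notes":"Fail2Ban"}'
}

# Accept only a dotted-quad IPv4 address (IPv6 is out of scope here).
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  f2b_old_ifs=$IFS
  IFS=.
  set -- $1            # split on dots; input holds only digits and dots
  IFS=$f2b_old_ifs
  [ $# -eq 4 ] || return 1
  for f2b_octet in "$@"; do
    [ ${#f2b_octet} -le 3 ] || return 1
    [ "$f2b_octet" -le 255 ] || return 1
  done
  return 0
}

# Validate first, then let printf place the value inside the JSON string.
body_expanded() {
  if ! is_ipv4 "$1"; then
    echo "refusing to send non-IPv4 value: $1" >&2
    return 1
  fi
  printf '{"mode":"block","configuration":{"target":"ip","value":"%s"},"notes":"Fail2Ban"}' "$1"
}

# The request from the thread with the corrected body. Prints the body
# instead of sending unless CF_SEND=1; cfuser/cftoken are set as in the thread.
cf_block_ip() {
  cf_body=$(body_expanded "$1") || return 1
  if [ "${CF_SEND:-0}" != 1 ]; then
    printf '%s\n' "$cf_body"
    return 0
  fi
  curl -s -X POST "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
    -H "X-Auth-Email: $cfuser" \
    -H "X-Auth-Key: $cftoken" \
    -H "Content-Type: application/json" \
    --data "$cf_body"
}

# 203.0.113.7 is a constructed documentation address, not from the thread.
body_single_quoted; echo
cf_block_ip 203.0.113.7
```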
     
  19. pamamolf

    pamamolf Premium Member Premium Member

    Yup it works :)

    Now where can be the problem with fail2ban?
     
  20. eva2000

    eva2000 Administrator Staff Member
