New Cloudflare IPs ....

Discussion in 'Install & Upgrades or Pre-Install Questions' started by pamamolf, Aug 19, 2016.

  1. pamamolf

    pamamolf Well-Known Member

    2,487
    229
    63
    May 31, 2014
    Ratings:
    +390
    Local Time:
    8:47 AM
    Nginx-1.13.x
    MariaDB 10.1.x
  2. eva2000

    eva2000 Administrator Staff Member

    28,934
    6,567
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,747
    Local Time:
    3:47 PM
    Nginx 1.13.x
    MariaDB 5.5
    If using Centmin Mod 123.09beta01 and newer, there's an added tools/csfcf.sh script to aid in this. Details at:
    You just need to set up a cronjob to run if you haven't
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto

    and ensure your nginx.conf http{} context has the include file /usr/local/nginx/conf/cloudflare.conf and/or your individual nginx vhost's server contexts have the same include file, which is uncommented without the front hash #
    Code (Text):
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    

    Then restart nginx server via command shortcut
    Code (Text):
    ngxrestart

    or
    Code (Text):
    service nginx restart
     
  3. eva2000

    example
    Code (Text):
    tools/csfcf.sh auto
    --------------------------------------------
    Add Cloudflare IP list to CSF
    from: https://www.cloudflare.com/ips-v4
    from: https://www.cloudflare.com/ips-v6
    --------------------------------------------
    
    --------------------------------------------
      Add to /etc/csf/csf.allow
    --------------------------------------------
    Adding 103.21.244.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [103.21.244.0/22] to set [chain_ALLOW]
    Adding 103.22.200.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [103.22.200.0/22] to set [chain_ALLOW]
    Adding 103.31.4.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [103.31.4.0/22] to set [chain_ALLOW]
    Adding 104.16.0.0/12 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [104.16.0.0/12] to set [chain_ALLOW]
    Adding 108.162.192.0/18 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [108.162.192.0/18] to set [chain_ALLOW]
    Adding 131.0.72.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [131.0.72.0/22] to set [chain_ALLOW]
    Adding 141.101.64.0/18 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [141.101.64.0/18] to set [chain_ALLOW]
    Adding 162.158.0.0/15 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [162.158.0.0/15] to set [chain_ALLOW]
    Adding 172.64.0.0/13 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [172.64.0.0/13] to set [chain_ALLOW]
    Adding 173.245.48.0/20 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [173.245.48.0/20] to set [chain_ALLOW]
    Adding 188.114.96.0/20 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [188.114.96.0/20] to set [chain_ALLOW]
    Adding 190.93.240.0/20 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [190.93.240.0/20] to set [chain_ALLOW]
    Adding 197.234.240.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [197.234.240.0/22] to set [chain_ALLOW]
    Adding 198.41.128.0/17 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [198.41.128.0/17] to set [chain_ALLOW]
    Adding 199.27.128.0/21 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [199.27.128.0/21] to set [chain_ALLOW]
    Adding 2400:cb00::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2400:cb00::/32] to set [chain_6_ALLOW]
    Adding 2405:8100::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2405:8100::/32] to set [chain_6_ALLOW]
    Adding 2405:b500::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2405:b500::/32] to set [chain_6_ALLOW]
    Adding 2606:4700::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2606:4700::/32] to set [chain_6_ALLOW]
    Adding 2803:f800::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2803:f800::/32] to set [chain_6_ALLOW]
    Adding 2c0f:f248::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2c0f:f248::/32] to set [chain_6_ALLOW]
    Adding 2a06:98c0::/29 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2a06:98c0::/29] to set [chain_6_ALLOW]
    
    created /usr/local/nginx/conf/cloudflare.conf include file


    Code (Text):
    tools/csfcf.sh ipv4
    --------------------------------------------
    Downloading Cloudflare IP list
    from: https://www.cloudflare.com/ips-v4
    --------------------------------------------
    
    --------------------------------------------
    Format for Centminmod.com Nginx Installer
      1). add to nginx.conf
      2). add to /etc/csf/csf.allow
    --------------------------------------------
    --------------------------------------------
      1). add to nginx.conf
    --------------------------------------------
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 199.27.128.0/21;
    real_ip_header CF-Connecting-IP;
    
    --------------------------------------------
      2). add to /etc/csf/csf.allow
    --------------------------------------------
    csf -a 103.21.244.0/22 cloudflare
    csf -a 103.22.200.0/22 cloudflare
    csf -a 103.31.4.0/22 cloudflare
    csf -a 104.16.0.0/12 cloudflare
    csf -a 108.162.192.0/18 cloudflare
    csf -a 131.0.72.0/22 cloudflare
    csf -a 141.101.64.0/18 cloudflare
    csf -a 162.158.0.0/15 cloudflare
    csf -a 172.64.0.0/13 cloudflare
    csf -a 173.245.48.0/20 cloudflare
    csf -a 188.114.96.0/20 cloudflare
    csf -a 190.93.240.0/20 cloudflare
    csf -a 197.234.240.0/22 cloudflare
    csf -a 198.41.128.0/17 cloudflare
    csf -a 199.27.128.0/21 cloudflare
    --------------------------------------------


    Code (Text):
    tools/csfcf.sh ipv6
    --------------------------------------------
    Downloading Cloudflare IP list
    from: https://www.cloudflare.com/ips-v6
    --------------------------------------------
    
    --------------------------------------------
    Format for Centminmod.com Nginx Installer
      1). add to nginx.conf
      2). add to /etc/csf/csf.allow
    --------------------------------------------
    --------------------------------------------
      1). add to nginx.conf
    --------------------------------------------
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;
    real_ip_header CF-Connecting-IP;
    
    --------------------------------------------
      2). add to /etc/csf/csf.allow
    --------------------------------------------
    csf -a 2400:cb00::/32 cloudflare
    csf -a 2405:8100::/32 cloudflare
    csf -a 2405:b500::/32 cloudflare
    csf -a 2606:4700::/32 cloudflare
    csf -a 2803:f800::/32 cloudflare
    csf -a 2c0f:f248::/32 cloudflare
    csf -a 2a06:98c0::/29 cloudflare
    --------------------------------------------
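
A list fetched by cron ends up as `set_real_ip_from` and `csf -a` entries, so each line becomes a range whose `CF-Connecting-IP` header nginx trusts. The following pre-check is an added example, not part of the original post or of csfcf.sh: it validates every entry and fails closed. The function names and the minimum prefix lengths are assumptions.

```shell
#!/bin/sh
# Added example, not part of csfcf.sh. Function names and the prefix-length
# floors (/8 for IPv4, /16 for IPv6) are assumptions chosen for illustration.

# valid_cidr CIDR: succeed only for a well-formed CIDR no broader than the floor.
# The IPv6 check is deliberately loose (character set and prefix length only).
valid_cidr() (
  addr=${1%/*}; len=${1##*/}
  [ "$addr" != "$1" ] || exit 1                      # no "/" present
  case $len in ''|*[!0-9]*) exit 1 ;; esac
  case $addr in
    *:*)
      case $addr in *[!0-9a-fA-F:]*) exit 1 ;; esac
      [ "$len" -ge 16 ] && [ "$len" -le 128 ] ;;
    *)
      case $addr in *[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
      IFS=.; set -- $addr
      [ $# -eq 4 ] || exit 1
      for octet in "$@"; do [ "$octet" -le 255 ] 2>/dev/null || exit 1; done
      [ "$len" -ge 8 ] && [ "$len" -le 32 ] ;;
  esac
)

# render_real_ip_conf: CIDRs on stdin -> nginx realip directives on stdout.
# Fails closed: one bad line or an empty list yields no output and status 1.
render_real_ip_conf() (
  out=''; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')         # tolerate CRLF
    [ -n "$line" ] || continue
    valid_cidr "$line" || { echo "rejected entry: $line" >&2; exit 1; }
    out="${out}set_real_ip_from ${line};
"
    n=$((n + 1))
  done
  [ "$n" -gt 0 ] || { echo "empty list" >&2; exit 1; }
  printf '%sreal_ip_header CF-Connecting-IP;\n' "$out"
)

# Constructed sample: two ranges from the thread, then the same plus a bad line.
good='103.21.244.0/22
2a06:98c0::/29'
printf '%s\n' "$good" | render_real_ip_conf
printf '%s\n0.0.0.0/0\n' "$good" | render_real_ip_conf ||
  echo "list rejected, config not written"
```
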
     
  4. pamamolf

    Do I have to restart the firewall (csf -r) at the end?
     
  5. eva2000

    not with cronjob set to use auto flag

    options available
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh
    /usr/local/src/centminmod/tools/csfcf.sh {ipv4|ipv6|csf|nginx|auto}


    set cron to use auto
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto


    seems only a few new IP ranges so far

    updated at CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS
     
  6. Jimmy

    Jimmy Premium Member Premium Member

    1,025
    231
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +555
    Local Time:
    1:47 AM
    1.13.x
    MariaDB 10.1.x
    Set up the cron to run at 2pm

    Code:
    01 14 * * * /root/tools/csf_update.sh 2>/dev/null
     
    Last edited: Jan 31, 2017
  7. pamamolf

    Isn't that 13:02 ?

    If I am not wrong we have first minutes and then hours....
     
  8. Jimmy

    Oops. Made the change. 14:01

    I think it's a 24 hour clock. You're right: minute, hour, day, month, day of week
     
  9. eva2000

    should use script at
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto
    

    instead of /root/tools/csf_update.sh
     
  10. Jimmy

    @eva2000 Thanks, didn't even realize it was root... so tired.
     
  11. pamamolf

    Ok so the correct one should be?

    Code:
    10 02 * * * /usr/local/src/centminmod/tools/csfcf.sh auto 2>/dev/null
     
  12. Jimmy

    That would be 2:10 AM not PM. PM is 14 (24 hour clock). Below is 2:01 PM.

    Code:
    01 14 * * * /usr/local/src/centminmod/tools/csfcf.sh auto 2>/dev/null
     
  13. pamamolf

    Yes I need it at 2:10 AM :)

    I was asking mostly for the rest of the cron syntax .....
     
  14. Jimmy

    Actually decided to do this via a custom script which will alert me that csfcf.sh has actually run.

    Code:
    Auto-update Bash Script
    # nano /root/tools/csfcf_update.sh
    
    #!/bin/bash
    cd /usr/local/src/centminmod/tools/ || exit 1
    ./csfcf.sh auto
    mail -s "CSFCF Update <server name>" email@somewhere.com <<< "CENTMIN MOD CSFCF update has run on <server name>."
    
    Modify the Permissions on the File
    # chmod +x /root/tools/csfcf_update.sh
    
    Setup Cron to Have it Update the List
    Access the Cron Interface
    # crontab -e
    
    Cron Job (will run every day at 2AM)
    01 2 * * * /root/tools/csfcf_update.sh 2>/dev/null
     
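
A variation on the wrapper idea above, as an added example that is not Jimmy's script or part of Centmin Mod: it reports whether the updater failed, changed the include file, or left it alone, and lists the changed lines so a change to the trusted ranges is visible in the mail. `run_update` is a hypothetical name; the paths in the entry point are the ones given in this thread.

```shell
#!/bin/sh
# Added example, not Jimmy's script or part of Centmin Mod. run_update is a
# hypothetical name; the two paths in the entry point are the ones in this thread.

# run_update WATCHED_FILE COMMAND [ARGS...]
# Runs COMMAND, prints one status line (plus changed lines), returns non-zero
# when COMMAND failed or WATCHED_FILE is missing afterwards.
run_update() (
  watched=$1; shift
  snap=$(mktemp) || exit 1
  trap 'rm -f "$snap"' EXIT
  [ -f "$watched" ] && cat "$watched" > "$snap"      # snapshot before the run
  if "$@" >/dev/null 2>&1; then rc=0; else rc=$?; fi
  if [ "$rc" -ne 0 ]; then
    echo "FAILED rc=$rc"; exit "$rc"
  fi
  [ -f "$watched" ] || { echo "MISSING $watched"; exit 1; }
  if changes=$(diff "$snap" "$watched"); then
    echo "UNCHANGED"
  else
    echo "CHANGED"
    printf '%s\n' "$changes" | grep '^[<>]'          # "<" removed, ">" added
  fi
)

# Cron entry point: call this script with the argument "run" and pipe its
# output to mail -s, as in the post above.
if [ "${1:-}" = run ]; then
  run_update /usr/local/nginx/conf/cloudflare.conf \
    /usr/local/src/centminmod/tools/csfcf.sh auto
fi
```
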