
CSF: Where should Cloudflare IPs be added in CSF?

Discussion in 'Other Centmin Mod Installed software' started by pamamolf, Mar 24, 2017.

  1. pamamolf

    pamamolf Premium Member

    • CentOS Version: CentOS 7 64bit ?
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.11.10
    • PHP Version Installed:7.0.15
    • MariaDB MySQL Version Installed: 10.1.21
    • When was last time updated Centmin Mod code base ? : today

    Hello :)

    Is this file the correct one to edit to add the Cloudflare IPs, so I can avoid blocking them?

    Code:
    /etc/csf/csf.ignore

    Thanks

     
  2. eva2000

    eva2000 Administrator Staff Member

    Read CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS and the Getting Started Guide step 5, which leads to Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS :)

    It's also automatically taken care of in Centmin Mod 123.09beta01 if you set up the tools/csfcf.sh cronjob https://community.centminmod.com/th...te-cloudflare-nginx-csf-firewall-setups.6241/

    i.e.
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto                     
    --------------------------------------------
     Add Cloudflare IP list to CSF
     from: https://www.cloudflare.com/ips-v4/
     from: https://www.cloudflare.com/ips-v6/
    --------------------------------------------
    
    --------------------------------------------
      Add to /etc/csf/csf.allow
    --------------------------------------------
    Adding 103.21.244.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [103.21.244.0/22] to set [chain_ALLOW]
    Adding 103.22.200.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [103.22.200.0/22] to set [chain_ALLOW]
    Adding 103.31.4.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [103.31.4.0/22] to set [chain_ALLOW]
    Adding 104.16.0.0/12 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [104.16.0.0/12] to set [chain_ALLOW]
    Adding 108.162.192.0/18 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [108.162.192.0/18] to set [chain_ALLOW]
    Adding 131.0.72.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [131.0.72.0/22] to set [chain_ALLOW]
    Adding 141.101.64.0/18 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [141.101.64.0/18] to set [chain_ALLOW]
    Adding 162.158.0.0/15 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [162.158.0.0/15] to set [chain_ALLOW]
    Adding 172.64.0.0/13 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [172.64.0.0/13] to set [chain_ALLOW]
    Adding 173.245.48.0/20 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [173.245.48.0/20] to set [chain_ALLOW]
    Adding 188.114.96.0/20 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [188.114.96.0/20] to set [chain_ALLOW]
    Adding 190.93.240.0/20 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [190.93.240.0/20] to set [chain_ALLOW]
    Adding 197.234.240.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [197.234.240.0/22] to set [chain_ALLOW]
    Adding 198.41.128.0/17 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [198.41.128.0/17] to set [chain_ALLOW]
    Adding 199.27.128.0/21 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [199.27.128.0/21] to set [chain_ALLOW]
    Adding 2400:cb00::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2400:cb00::/32] to set [chain_6_ALLOW]
    Adding 2405:8100::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2405:8100::/32] to set [chain_6_ALLOW]
    Adding 2405:b500::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2405:b500::/32] to set [chain_6_ALLOW]
    Adding 2606:4700::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2606:4700::/32] to set [chain_6_ALLOW]
    Adding 2803:f800::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2803:f800::/32] to set [chain_6_ALLOW]
    Adding 2c0f:f248::/32 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2c0f:f248::/32] to set [chain_6_ALLOW]
    Adding 2a06:98c0::/29 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2a06:98c0::/29] to set [chain_6_ALLOW]
    
    created /usr/local/nginx/conf/cloudflare.conf include file
    
     
    Last edited: Mar 24, 2017
  3. pamamolf

    pamamolf Premium Member

    I was thinking of avoiding the automation of such an action, as in case Cloudflare changes the page that they use for the IPs or something related, the script adds some junk info to CSF and then everything will be blocked......?

    Don't know if that scenario is realistic or not with your script :)
     
  4. eva2000

    eva2000 Administrator Staff Member

    Just updated 123.09beta01's tools/csfcf.sh to validate IPv4 and IPv6 addresses before adding them to the CSF Firewall, so that shouldn't be a problem anymore https://community.centminmod.com/th...date-ips-before-adding-to-csf-firewall.10896/
     
  5. pamamolf

    pamamolf Premium Member

    Can't locate the exact command to use as a cronjob on the above links :(

    Do you recommend me to use it once per day?
     
  6. eva2000

    eva2000 Administrator Staff Member

  7. pamamolf

    pamamolf Premium Member

    I know how to add it, but I don't know which command to add as a cronjob :)
     
  8. eva2000

    eva2000 Administrator Staff Member

  9. pamamolf

    pamamolf Premium Member

    One last question :)

    If I use the connection/rate limit option, will they be ignored automatically?
     
  10. eva2000

    eva2000 Administrator Staff Member

    Connection rate limit in Nginx? Yes, it will be ignored/useless if your server is behind Cloudflare.
     
  11. pamamolf

    pamamolf Premium Member

    OK, great, as I don't want them to get limited by Nginx or CSF, since all connections are coming from there.....
     
  12. pamamolf

    pamamolf Premium Member

    Only if any changes are detected?
     
  13. eva2000

    eva2000 Administrator Staff Member

    Right now, every time tools/csfcf.sh is run, as there is no change detection. CSF automatically ignores existing IPs that are whitelisted. So all the script is doing is cycling through all listed Cloudflare IPs and inserting them via csf -a, where existing IPs are ignored and new IPs are added.
     
  14. pamamolf

    pamamolf Premium Member

    It would be good if you could adjust the script (when you have time) to check whether the Cloudflare IPs are there already and stop there, so we avoid an unneeded Nginx restart :)

    Thank you
     
  15. eva2000

    eva2000 Administrator Staff Member

    Done, just updated 123.09beta01's tools/csfcf.sh :)
     
  16. ndha

    ndha Member

    Hi @eva2000, I think you should also make a script for the Incapsula IPs???
     
  17. eva2000

    eva2000 Administrator Staff Member

    Incapsula only provides their IP list via a blog/article post and not, like Cloudflare, with dedicated IPv4 and IPv6 txt files. That makes it harder to scrape and check the IP lists. See Step 5 of the Getting Started Guide, which links to Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS

    Edit: actually, it seems they updated the page to allow an API query for the IP list now,
    so yes, possibly scriptable now!

    Code (Text):
    curl -s --data "resp_format=text" https://my.incapsula.com/api/integration/v1/ips    
    199.83.128.0/21
    198.143.32.0/19
    149.126.72.0/21
    103.28.248.0/22
    185.11.124.0/22
    192.230.64.0/18
    45.64.64.0/22
    107.154.0.0/16
    2a02:e980::/29
    

    Code (Text):
    curl -s --data "resp_format=text" https://my.incapsula.com/api/integration/v1/ips | while read i; do echo "csf -a ${i} incapsula"; done
    csf -a 199.83.128.0/21 incapsula
    csf -a 198.143.32.0/19 incapsula
    csf -a 149.126.72.0/21 incapsula
    csf -a 103.28.248.0/22 incapsula
    csf -a 185.11.124.0/22 incapsula
    csf -a 192.230.64.0/18 incapsula
    csf -a 45.64.64.0/22 incapsula
    csf -a 107.154.0.0/16 incapsula
    csf -a 2a02:e980::/29 incapsula
    


    Testing the tools/csfincapsula.sh script
    Code (Text):
     ./csfincapsula.sh
    ./csfincapsula.sh {ips|csf|nginx|auto}

    Code (Text):
    ./csfincapsula.sh ips
    --------------------------------------------
     Downloading Incapsula P list
     from: Incapsula API
    --------------------------------------------
    
    --------------------------------------------
     Format for Centminmod.com Nginx Installer
      1). add to nginx.conf
      2). add to /etc/csf/csf.allow
    --------------------------------------------
    --------------------------------------------
      1). add to nginx.conf
    --------------------------------------------
    set_real_ip_from 199.83.128.0/21;
    set_real_ip_from 198.143.32.0/19;
    set_real_ip_from 149.126.72.0/21;
    set_real_ip_from 103.28.248.0/22;
    set_real_ip_from 185.11.124.0/22;
    set_real_ip_from 192.230.64.0/18;
    set_real_ip_from 45.64.64.0/22;
    set_real_ip_from 107.154.0.0/16;
    set_real_ip_from 2a02:e980::/29;
    real_ip_header X-Forwarded-For;
    
    --------------------------------------------
      2). add to /etc/csf/csf.allow
    --------------------------------------------
    csf -a 199.83.128.0/21 incapsula
    csf -a 198.143.32.0/19 incapsula
    csf -a 149.126.72.0/21 incapsula
    csf -a 103.28.248.0/22 incapsula
    csf -a 185.11.124.0/22 incapsula
    csf -a 192.230.64.0/18 incapsula
    csf -a 45.64.64.0/22 incapsula
    csf -a 107.154.0.0/16 incapsula
    csf -a 2a02:e980::/29 incapsula
    --------------------------------------------

    Code (Text):
    ./csfincapsula.sh nginx
    
    created /usr/local/nginx/conf/incapsula.conf include file
    

    Contents of the /usr/local/nginx/conf/incapsula.conf include file
    Code (Text):
    cat /usr/local/nginx/conf/incapsula.conf
    
    include /usr/local/nginx/conf/incapsula_customips.conf;
    set_real_ip_from 199.83.128.0/21;
    set_real_ip_from 198.143.32.0/19;
    set_real_ip_from 149.126.72.0/21;
    set_real_ip_from 103.28.248.0/22;
    set_real_ip_from 185.11.124.0/22;
    set_real_ip_from 192.230.64.0/18;
    set_real_ip_from 45.64.64.0/22;
    set_real_ip_from 107.154.0.0/16;
    real_ip_header X-Forwarded-For;
    

    Now the auto run, which adds the Incapsula IPs to the CSF firewall whitelist and creates the include file /usr/local/nginx/conf/incapsula.conf automatically.
    Code (Text):
    ./csfincapsula.sh auto
    --------------------------------------------
     Add Incapsula P list to CSF
     from: Incapsula API
    --------------------------------------------
    
    --------------------------------------------
      Add to /etc/csf/csf.allow
    --------------------------------------------
    Adding 199.83.128.0/21 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [199.83.128.0/21] to set [chain_ALLOW]
    Adding 198.143.32.0/19 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [198.143.32.0/19] to set [chain_ALLOW]
    Adding 149.126.72.0/21 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [149.126.72.0/21] to set [chain_ALLOW]
    Adding 103.28.248.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [103.28.248.0/22] to set [chain_ALLOW]
    Adding 185.11.124.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [185.11.124.0/22] to set [chain_ALLOW]
    Adding 192.230.64.0/18 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [192.230.64.0/18] to set [chain_ALLOW]
    Adding 45.64.64.0/22 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [45.64.64.0/22] to set [chain_ALLOW]
    Adding 107.154.0.0/16 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [107.154.0.0/16] to set [chain_ALLOW]
    Adding 2a02:e980::/29 to csf.allow and iptables ACCEPT...
    csf: IPSET adding [2a02:e980::/29] to set [chain_6_ALLOW]
    
    created /usr/local/nginx/conf/incapsula.conf include file
    

    /etc/csf/csf.ignore ignore list
    Code (Text):
    cat /etc/csf/csf.ignore 
    ###############################################################################
    # Copyright 2006-2017, Way to the Web Limited
    # URL: http://www.configserver.com
    # Email: sales@waytotheweb.com
    ###############################################################################
    # The following IP addresses will be ignored by all lfd checks
    # One IP address per line
    # CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
    # Only list IP addresses, not domain names (they will be ignored)
    #
    
    127.0.0.1
    199.83.128.0/21
    198.143.32.0/19
    149.126.72.0/21
    103.28.248.0/22
    185.11.124.0/22
    192.230.64.0/18
    45.64.64.0/22
    107.154.0.0/16
    2a02:e980::/29
    
     
    Last edited: Mar 26, 2017
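An added example, not Centmin Mod's own tools/csfcf.sh or tools/csfincapsula.sh, showing the two safeguards the thread settles on: validating each CIDR before it would reach csf -a (the junk-list worry in post 3, fixed in post 4) and only rewriting the nginx set_real_ip_from include when the list actually changed, so a cron run can skip the reload (posts 13 to 15). The function names and the sample list (three ranges from this thread plus two constructed junk lines) are assumptions for the example; the include uses real_ip_header X-Forwarded-For as the incapsula.conf output above does.

```bash
#!/bin/bash
# Added example, not Centmin Mod's tools/csfcf.sh or tools/csfincapsula.sh:
# validate every CIDR before it would be handed to "csf -a", and rewrite the
# nginx set_real_ip_from include only when the list really changed.

# Constructed sample list: three valid ranges plus two junk lines of the kind
# a changed upstream page could inject into an unvalidated curl | csf pipeline.
SAMPLE_LIST='103.21.244.0/22
<html>oops</html>
2400:cb00::/32
999.1.1.1/8
173.245.48.0/20'

# Return 0 only for a syntactically valid IPv4/IPv6 address or CIDR range
# (the IPv6 pattern is a best-effort syntax guard, not a full RFC 4291 parser).
valid_cidr() {
  local ip="${1%/*}" prefix="${1#*/}" max octet
  local re4='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  local re6='^(([0-9a-fA-F]{1,4})?:){1,7}([0-9a-fA-F]{1,4})?$'
  [ "$prefix" = "$1" ] && prefix=""          # no "/" present: bare address
  if [[ $ip =~ $re4 ]]; then
    local IFS=.
    for octet in $ip; do [ "$octet" -le 255 ] || return 1; done
    max=32
  elif [[ $ip =~ $re6 ]]; then
    max=128
  else
    return 1
  fi
  [ -z "$prefix" ] && return 0
  [[ $prefix =~ ^[0-9]{1,3}$ ]] && [ "$prefix" -le "$max" ]
}

# Keep only valid entries from stdin, one per line; junk is dropped, not added.
filter_list() { while read -r line; do valid_cidr "$line" && echo "$line"; done; }

# Write the nginx include for list $1 to file $2. Prints "changed" when the file
# was (re)written and "unchanged" when identical, so a cron wrapper can skip
# the nginx reload when nothing moved. Header as in the thread's incapsula.conf.
render_include() {
  local new="$1" target="$2" tmp
  tmp=$(mktemp)
  { while read -r n; do [ -n "$n" ] && echo "set_real_ip_from $n;"; done <<< "$new"
    echo 'real_ip_header X-Forwarded-For;'; } > "$tmp"
  if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
    rm -f "$tmp"; echo unchanged
  else
    mv "$tmp" "$target"; echo changed
  fi
}
```

A cron wrapper would feed the fetched list through filter_list, pass the survivors to csf -a and to render_include, and reload nginx only when render_include prints changed.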
  18. Jimmy

    Jimmy Well-Known Member

    Should these be set up if you're running a site which isn't using any of these services?
     
  19. pamamolf

    pamamolf Premium Member

    If you don't use them, there is no reason to add them to your CSF...
     
  20. Jimmy

    Jimmy Well-Known Member

    I figured as much. But wasn't 100% sure.