Does Cloudflare's fail2ban action still work?

For this action:

I filled in the api key and account and wrote where needed: action = cloudflare
iptables-allports
Like this:

[vaultwarden]
enabled = true
port = 80,443,8081,8001
filter = vaultwarden
chain = FORWARD
banaction = %(banaction_allports)s
logpath = /home/Wi-Fi/Bitwarden/log/vaultwarden.log
maxretry = 3
findtime = 300
bantime = 86400
action = cloudflare
    iptables-allports

But it doesn’t seem to be working. I can see fail2ban banning the ip correctly, but it seems like it’s not seen on cf for the action.

Yup, it still works, even with the newest non-deprecated V4 Cloudflare API and the new Cloudflare Custom API Tokens (preferred over the API Keys). I just set it up today. I used a mix of these 3 excellent resources and tutorials below for it.

I created the following file /etc/fail2ban/action.d/cloudflareCustom.conf that has the following actions

[Definition]

# Create a "block" access rule for the banned address (the API reply is discarded)
actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \
            -d '{"mode":"block","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"Fail2Ban <name> <bantime>s"}' \
            <_cf_api_url>

actionunban = id=$(curl -s -X GET <_cf_api_prms> \
                   "<_cf_api_url>?mode=block&configuration_target=<cftarget>&configuration_value=<ip>&page=1&per_page=1&notes=Fail2Ban%%20<name>" \
                   | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; })
              if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi;
              curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id"
              # optionally send a telegram notification about the ip unban on cloudflare
              #bash /data/action.d/telegram_notif.sh -u <ip>

_cf_api_url = https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules
_cf_api_prms = -H 'Authorization: Bearer <cftoken>' -H 'Content-Type: application/json'

[Init]

# cloudflare API token
cftoken = <Enter Your CloudFlare Custom API Token Here>

# cloudflare account email
cfuser = <Enter your CloudFlare Email Address Here>

cftarget = ip

[Init?family=inet6]
cftarget = ip6  

Then in /etc/fail2ban/jail.local I created a custom jail under the # Jails section as shown below to use it with the custom filter that I put in /etc/fail2ban/filter.d/customkeywords.conf

#
# JAILS
#

# Custom jail to ban any IP that matches my filter in /etc/fail2ban/filter.d/customkeywords.conf
[customkeywords]

enabled = true
port     = http,https
filter   = customkeywords
logpath  = %(apache_access_log)s
maxretry = 0
bantime = 100000
action = cloudflareCustom
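The actionban in the reply above sends curl's output to /dev/null, so a rejected token or malformed request looks identical to a successful ban from the fail2ban side. The following is an added example, not code from either post or from fail2ban, that keeps the reply and checks the API's `success` field; `CF_API_TOKEN` and the function names are assumptions, and the two sample responses are constructed.

```shell
#!/bin/sh
# Added example: keep and check the Cloudflare API reply instead of discarding it.
# CF_API_TOKEN and all function names are assumptions, not fail2ban options.
CF_API_URL="https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules"

# Mirror cftarget: "ip6" for IPv6 addresses (they contain ':'), "ip" otherwise.
cf_target_for() {
  case "$1" in
    *:*) echo ip6 ;;
    *)   echo ip ;;
  esac
}

# Build the same JSON body the actionban sends. Args: ip jail-name bantime
cf_ban_payload() {
  printf '{"mode":"block","configuration":{"target":"%s","value":"%s"},"notes":"Fail2Ban %s %ss"}' \
    "$(cf_target_for "$1")" "$1" "$2" "$3"
}

# Return 0 only if the response body says "success": true.
# On failure, print every "message" field found in the body to stderr.
cf_response_ok() {
  flat=$(printf '%s' "$1" | tr -d '\n')
  if printf '%s' "$flat" | grep -Eq '"success"[[:space:]]*:[[:space:]]*true'; then
    return 0
  fi
  printf '%s' "$flat" | grep -Eo '"message"[[:space:]]*:[[:space:]]*"[^"]*"' >&2
  return 1
}

# Ban one address and surface API failures (needs network and a valid token).
cf_ban() {
  resp=$(curl -s -X POST \
    -H "Authorization: Bearer $CF_API_TOKEN" -H 'Content-Type: application/json' \
    -d "$(cf_ban_payload "$1" "$2" "$3")" "$CF_API_URL")
  cf_response_ok "$resp" || { echo "cloudflare ban of $1 failed" >&2; return 1; }
}

# Constructed sample responses for an offline check of the parsing logic.
SAMPLE_OK='{"result":{"id":"EXAMPLE_RULE_ID","mode":"block"},"success":true,"errors":[],"messages":[]}'
SAMPLE_ERR='{"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'

cf_response_ok "$SAMPLE_OK"  && echo "sample ok: rule created"
cf_response_ok "$SAMPLE_ERR" || echo "sample err: ban was rejected"
```

Running `cf_ban` by hand with the same token the jail uses shows whether a ban that fail2ban logs locally was actually accepted by the API.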
