Using WP Fail2Ban with CloudFlare

I am trying to set up fail2ban on my server and have it work with the WordPress fail2ban plugin, so that it bans people from logging into the WP site.

I have it set up and banning IPs, but it is banning the CloudFlare IP instead of the origin IP. I followed a tutorial for using the CloudFlare API, which was supposed to use the CloudFlare Firewall to ban the origin IP. But, this is not working. Instead of using the CloudFlare firewall, it is using the server iptable to ban the CloudFlare IP address.

My server is CentOS, Nginx.
Here is the tutorial I used - https://www.vcloudnine.de/using-wp-fail2ban-with-the-cloudflare-api-to-protect-your-website/

Here are my server logs, showing the CF IP being banned:

In jail.conf, I have:
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
action = cloudflare
maxretry = 3
bantime = 604800

In my Cloudflare Action, I have my API key and email address entered at the end. Otherwise, it is the normal default CloudFlare action.

How can I get this to use the CF firewall to ban the origin IP address?

This is totally an @eva2000 question. Here’s his tutorial:

3 Likes

First need to properly restore real visitor IPs on your origin server https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

should work provided you used the correct CF Global API Key for your CF account that the domain belongs to and set the API Token in /etc/fail2ban/action.d/cloudflare.conf in that article and edited /etc/fail2ban/jail.conf with each relevant fail2ban jail rule with action = cloudflare

Yeah that is specific setup for my Centmin Mod Nginx LEMP stack users so might differ for non-Centmin Mod LEMP stack users but it’s fairly similar though I need to update my Cloudflare action Firewall API to switch to using CF API Tokens rather than CF Global API Key eventually which requires changing from CF user level firewall API to CF account level firewall API endpoint.

1 Like

Thank you, I will try out what you suggested!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.