In this article, we will learn about Cloudflare Fail2Ban and how to configure and test it. As part of our Server Management service, Bobcares helps with all Cloudflare queries.
Fail2Ban is open-source intrusion detection software, installed and activated by default on GridPane, that parses system log files. IP addresses that show signs of malicious activity are banned automatically, either temporarily for a set period or permanently.
Filters define the rules by which Fail2Ban scans local log files for bad behavior. By default, Fail2Ban comes with a library of filters for many popular software applications including Nginx, SSHD, WordPress, and many more.
Cloudflare Fail2Ban Action Configuration
This approach also works for any other Fail2Ban configuration. Start with the Fail2Ban action configuration in the action.d folder. You can already find a cloudflare.conf there, but this version is outdated, so get the updated version from GitHub:
https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare.conf
After downloading the Cloudflare action, you only have to configure two parameters: first “cftoken”, which is your global API token, and second “cfuser”, which is your Cloudflare account's mail address.
[Init]
# If you like to use this action with mailing whois lines, you could use the composite action
# action_cf_mwl predefined in jail.conf, just define in your jail:
#
# action = %(action_cf_mwl)s
# # Your CF account e-mail
# cfemail =
# # Your CF API Key
# cfapikey =
cftoken = YOURGLOBALAPIKEY
cfuser = YOURCLOUDFLAREMAIL
cftarget = ip
You have to use your global API key; this may change in future versions. The global API key grants full access to the Cloudflare account, so keep this file readable by root only. After editing, save the configuration file so that we can continue with the jail configuration.
Fail2Ban Jail Configuration
In your jail configuration, add the action below. The second action is a continuation line and must be indented:
action = cloudflare
         iptables-allports
The complete jail then looks similar to this:
[seafile]
enabled = true
port = https
filter = seafile-auth
logpath = /opt/seafile/logs/seahub.log
maxretry = 3
action = cloudflare
         iptables-allports
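A multi-line action value only works if the second action is indented as a continuation line, and that indentation is easily lost when copying a jail from a web page. The check below is an added example, not code from the original article or from Fail2Ban: it runs Python's standard configparser (on which Fail2Ban's configuration reader is built) over a constructed copy of the [seafile] jail, and the names check_jail and REQUIRED are hypothetical.

```python
import configparser

# Constructed sample: the [seafile] jail from this article, with the second
# action indented so that it is a continuation line of "action".
GOOD_JAIL = """\
[seafile]
enabled = true
port = https
filter = seafile-auth
logpath = /opt/seafile/logs/seahub.log
maxretry = 3
action = cloudflare
         iptables-allports
"""

# The same jail with all leading whitespace lost (typical copy/paste damage).
BAD_JAIL = "\n".join(line.lstrip() for line in GOOD_JAIL.splitlines()) + "\n"

REQUIRED = ("cloudflare", "iptables-allports")  # actions this article configures


def check_jail(text, jail="seafile"):
    """Return a list of problems found in the jail definition (empty = OK)."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.ParsingError as exc:
        # An unindented second action is not a continuation line; it is
        # rejected as a line without a key/value delimiter.
        lines = ", ".join(str(lineno) for lineno, _ in exc.errors)
        return [f"unparsable at line(s) {lines}: indent continuation lines"]
    if not parser.has_section(jail):
        return [f"jail [{jail}] not found"]
    # Each non-empty line of the "action" value names one action; drop any
    # [param=value] suffix before comparing names.
    raw = parser.get(jail, "action", fallback="")
    actions = [a.split("[")[0].strip() for a in raw.splitlines() if a.strip()]
    problems = [f"action '{n}' missing" for n in REQUIRED if n not in actions]
    if not parser.getboolean(jail, "enabled", fallback=False):
        problems.append("jail is not enabled")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_JAIL), ("bad", BAD_JAIL)):
        print(label, check_jail(text) or "OK")
```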
Test your Fail2Ban Configuration
After you have triggered the Fail2Ban action, you should find a new entry in your Cloudflare IP Access Rules list (Firewall -> Tools) with your IP address and your jail name in the description. The API call configured in cloudflare.conf blocks the IP address for your whole Cloudflare account. This means the IP address is blocked on all proxy-enabled domains in the Cloudflare account.
You can still use unbanip to remove your IP address from your configured jail:
fail2ban-client set YOURJAILNAME unbanip YOURIPADDRESS
Conclusion
Using Fail2Ban with the Cloudflare proxy enabled is easy and completely free. It improves the security of your server and services.