Block 1000's of IP's in Cloudflare

Bullten

Hello,

I have written a small program to block bad IPs in Cloudflare. Suppose you have 1000's of IPs and you want to block them; you can use the program below.

Code:
#!/bin/bash
# bash, not sh: the loop below uses an array

# Block IPs in Cloudflare from a file list

GLOBAL_API_KEY="xxxxxxxx"   # Global API key can be obtained from here https://dash.cloudflare.com/profile/api-tokens
ACCOUNTS_EMAIL="[email protected]"  # Email address of your Cloudflare account
IPLIST="./ips.txt"   # Create ips.txt in the same folder as the script, one IP per line
MODES="challenge" # challenge, block, js_challenge, managed_challenge
NOTES="ddos$(date +"%Y%m%d")"   # Note attached to every rule, e.g. ddos20240501

while read -r host; do
    HOSTIP=($host)                      # keep only the first whitespace-separated field
    [ -z "${HOSTIP[0]}" ] && continue   # skip blank lines

    # Create one user-level IP access rule per address
    curl -X POST "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" -H "X-Auth-Key:${GLOBAL_API_KEY}" -H "X-Auth-Email:${ACCOUNTS_EMAIL}" -H "Content-Type:application/json" --data "{\"mode\":\"${MODES}\",\"configuration\":{\"target\":\"ip\",\"value\":\"${HOSTIP[0]}\"},\"notes\":\"${NOTES}\"}"
done < "$IPLIST"
 
This is very good and helps a lot of people.
Thank you very much.

Something that would help even more is blocking live IPs that try to attack your website.
A script that analyses the traffic and sees which IPs don't respect the rules, saves those IPs in a file, and then the script above blocks that traffic from Cloudflare.
 
I would have ASNs to block! How does it work? How should the .txt list look?
The records in the list should be line by line.
Also, to block ASNs you just need to replace `"target\":\"ip\"` with `"target\":\"ip.geoip.asnum\"` and so on (see Fields reference · Cloudflare Ruleset Engine docs).
Also, if you wanna block hostings by ASN, this may help you: GitHub - brianhama/bad-asn-list: An open source list of ASNs known to belong to cloud, managed hosting, and colo facilities. (sauce: https://community.cloudflare.com/t/how-to-block-a-large-list-of-asns/187963)

I don't recommend blocking ASNs without verifying them very well, you may end up blocking internet providers
 
I don't recommend blocking ASNs without verifying them very well, you may end up blocking internet providers
depends, but some can easily be vetted. you can ban pretty much all public-facing server providers without any issues
 
Blocking ASNs is not recommended. Instead you can block bad IPs: rate-limit in nginx, then grab the bad IPs and just block them through the code I provided.
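
The workflow suggested in the post above (rate-limit in nginx, collect the offending IPs, pass them to the blocking script), as an added example that is not part of the original thread. It assumes nginx's standard `limit_req` error-log wording; the function names, the allowlist argument and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes nginx's standard limit_req
# error-log wording: ... limiting requests, ... client: ADDR, server: ...

# extract_limited_ips THRESHOLD [ALLOWED_IP...]
# Reads error-log lines on stdin and prints, sorted, every IPv4 client that
# was rate-limited at least THRESHOLD times and is not on the allowlist.
extract_limited_ips() {
    threshold=$1; shift
    awk -v min="$threshold" -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /limiting requests/ {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "client:") { ip = $(i + 1); break }
            sub(/,$/, "", ip)
            # Strict IPv4 check so nothing else can reach the JSON body later.
            if (split(ip, o, ".") != 4) next
            for (k = 1; k <= 4; k++)
                if (o[k] !~ /^[0-9]+$/ || length(o[k]) > 3 || o[k] + 0 > 255) next
            if (!(ip in skip)) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# Constructed sample log (documentation addresses only).
sample_log() {
    cat <<'EOF'
2024/05/01 10:00:01 [error] 812#812: *101 limiting requests, excess: 5.120 by zone "perip", client: 203.0.113.5, server: example.com, request: "GET /login HTTP/1.1", host: "example.com"
2024/05/01 10:00:02 [error] 812#812: *102 limiting requests, excess: 5.480 by zone "perip", client: 203.0.113.5, server: example.com, request: "GET /login HTTP/1.1", host: "example.com"
2024/05/01 10:00:03 [error] 812#812: *103 limiting requests, excess: 2.010 by zone "perip", client: 198.51.100.7, server: example.com, request: "GET /health HTTP/1.1", host: "example.com"
2024/05/01 10:00:04 [error] 812#812: *104 limiting requests, excess: 2.300 by zone "perip", client: 198.51.100.7, server: example.com, request: "GET /health HTTP/1.1", host: "example.com"
2024/05/01 10:00:05 [error] 812#812: *105 limiting requests, excess: 1.000 by zone "perip", client: 192.0.2.9, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/05/01 10:00:06 [error] 812#812: *106 limiting requests, excess: 9.000 by zone "perip", client: 300.1.2.3, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/05/01 10:00:07 [error] 812#812: *107 limiting requests, excess: 9.100 by zone "perip", client: 300.1.2.3, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
EOF
}

# Threshold 2, with 198.51.100.7 allowlisted (e.g. your own monitoring).
# Redirect the output to ips.txt to feed the blocking script.
sample_log | extract_limited_ips 2 198.51.100.7
```

Putting your own office, monitoring and known-good crawler addresses on the allowlist keeps a busy but legitimate client from being challenged or blocked account-wide.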
 
depends, but some can easily be vetted. you can ban pretty much all public-facing server providers without any issues
yeah, but by blocking OVH, for example, you will end up blocking Ahrefs too, because it uses OVH VPSes for scraping. idk, maybe you need Ahrefs or some other service.
anyway, you can block OVH and exclude known/good bots. Cloudflare has some good settings, just check everything very well
 
Shouldn't the domain we want to apply these to be set somewhere as well?
 
No need to add a domain. It's for the full Cloudflare account using the API.
 