
Cloudflare list feature added #3397

Open
wants to merge 1 commit into
base: master
Conversation

@Broatcast Broatcast commented Oct 31, 2022

Add a new cloudflare action with list support

Since there isn't any solution for this problem, I was adding Cloudflare support back again.
The old solutions didn't work with the new Cloudflare plans.

This action is based on calling a PHP script to handle all the required logic. In the current state this would be too complex for fail2ban's action wrapper.
I know it's not written in Python, but consider that all the people who will need this also already have PHP on the server.

The installation is easy and supported by the script itself. I will add a wiki page for this later.

Your API token needs these permissions:

  • All accounts - Account Filter Lists:Edit, Account Settings:Read
  • All zones - Zone:Read, Firewall Services:Edit
    (for more security, add your server IP in the Client IP Address Filtering)

Short install instructions:
Basically you only need to add your Cloudflare token to your jail.local under [DEFAULT]:

[DEFAULT]
cftoken = {your-cf-api-token}
cfaccount = dummy
cfzone = dummy

Then you can run the token-test while looking at your fail2ban.log:
php /etc/fail2ban/action.d/cloudflare.php token-test

This will add the following lines to your log file:

2022-10-31 23:02:31,000 fail2ban.actions [123551]: INFO [cloudflare] ================
2022-10-31 23:02:31,000 fail2ban.actions [123551]: INFO [cloudflare] Cloudlfare API token-test
2022-10-31 23:02:31,000 fail2ban.actions [123551]: INFO [cloudflare] ================
2022-10-31 23:02:31,000 fail2ban.actions [123551]: INFO [cloudflare] Testing api token
2022-10-31 23:02:32,000 fail2ban.actions [123551]: INFO [cloudflare] This API Token is valid and active
2022-10-31 23:02:32,000 fail2ban.actions [123551]: INFO [cloudflare] You can now run setup and permission-test

After this you are ready for the setup process; run
php /etc/fail2ban/action.d/cloudflare.php setup

This will list all needed information in your fail2ban.log:

2022-10-31 23:08:52,000 fail2ban.actions [123551]: INFO [cloudflare] =============
2022-10-31 23:08:52,000 fail2ban.actions [123551]: INFO [cloudflare] Cloudlfare API setup
2022-10-31 23:08:52,000 fail2ban.actions [123551]: INFO [cloudflare] =============
2022-10-31 23:08:52,000 fail2ban.actions [123551]: INFO [cloudflare] Try to list account information
2022-10-31 23:08:53,000 fail2ban.actions [123551]: INFO [cloudflare] Found account, ID: {your-cf-account-id} Name: [email protected]'s Account Type: standard
2022-10-31 23:08:53,000 fail2ban.actions [123551]: INFO [cloudflare]
2022-10-31 23:08:53,000 fail2ban.actions [123551]: INFO [cloudflare] Try to list zone id's
2022-10-31 23:08:53,000 fail2ban.actions [123551]: INFO [cloudflare] Found zone, ID: {your-cf-zone-id} Name: example.com Status: active

The only thing left is to copy your account ID and your zone ID and write them to your jail.local under [DEFAULT]:

[DEFAULT]
cftoken = {your-cf-api-token}
cfaccount = {your-cf-account-id}
cfzone = {your-cf-zone-id}

Finish
You can now use this action in any jail config you like by overriding the banaction in your jail.local.

Example for nginx-http-auth:

[nginx-http-auth]
enabled = true
port = http,https
logpath = %(nginx_access_log)s
banaction = cloudflare-list

In case of any problems
Keep an eye on your fail2ban.log; a lot of information is logged there, and API errors get parsed and written to the log file.
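As an added example (not part of this PR or of fail2ban), a small Python helper that pulls the account and zone IDs out of the setup lines shown above and checks that the three cf* keys in the [DEFAULT] section of jail.local no longer hold the dummy placeholders; the log lines, IDs and file contents in it are constructed.

```python
import configparser
import re
from io import StringIO

# Constructed sample of the lines the PR says "setup" writes to fail2ban.log.
# The IDs are made-up placeholders; real values only appear in your own log.
SETUP_LOG = """\
2022-10-31 23:08:52,000 fail2ban.actions [123551]: INFO [cloudflare] Try to list account information
2022-10-31 23:08:53,000 fail2ban.actions [123551]: INFO [cloudflare] Found account, ID: 0123456789abcdef0123456789abcdef Name: Example Account Type: standard
2022-10-31 23:08:53,000 fail2ban.actions [123551]: INFO [cloudflare] Try to list zone id's
2022-10-31 23:08:53,000 fail2ban.actions [123551]: INFO [cloudflare] Found zone, ID: fedcba9876543210fedcba9876543210 Name: example.com Status: active
"""

ACCOUNT_RE = re.compile(r"\[cloudflare\] Found account, ID: (\S+) Name: (.+?) Type: (\S+)$")
ZONE_RE = re.compile(r"\[cloudflare\] Found zone, ID: (\S+) Name: (\S+) Status: (\S+)$")

# Values that mean "not configured yet" (the dummy values from the install steps).
PLACEHOLDERS = {"dummy", "", "{your-cf-api-token}", "{your-cf-account-id}", "{your-cf-zone-id}"}


def parse_setup_log(text):
    """Collect the accounts and zones reported by the setup run."""
    accounts, zones = [], []
    for line in text.splitlines():
        m = ACCOUNT_RE.search(line)
        if m:
            accounts.append({"id": m.group(1), "name": m.group(2), "type": m.group(3)})
            continue
        m = ZONE_RE.search(line)
        if m:
            zones.append({"id": m.group(1), "name": m.group(2), "status": m.group(3)})
    return accounts, zones


def render_default_section(token, account_id, zone_id):
    """Render the [DEFAULT] stanza to paste into jail.local."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg["DEFAULT"] = {"cftoken": token, "cfaccount": account_id, "cfzone": zone_id}
    buf = StringIO()
    cfg.write(buf)
    return buf.getvalue()


def check_jail_local(text):
    """Return the cf* keys in [DEFAULT] that still hold a placeholder value."""
    # interpolation=None keeps fail2ban's %(...)s references from being expanded.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return [k for k in ("cftoken", "cfaccount", "cfzone")
            if cfg["DEFAULT"].get(k, "") in PLACEHOLDERS]
```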

add a new cloudflare action with list support
@Broatcast
Author

This will also address these issues:

@sebres
Contributor

sebres commented Nov 1, 2022

I know it's not written in python but considering all people who will need this also have php already on the server.

I don't think so, but OK.
The question is rather how large is the effort to rewrite it as a pythonic action (combining both cloudflare-list.conf and cloudflare.php as single cloudflare-list.py file written in python)?

@Broatcast
Author

Broatcast commented Nov 1, 2022

The question is rather how large is the effort to rewrite it as a pythonic action
In the current state you can see all the necessary logic behind it, just for the basic functionality.
Considering all the possible features for the future (see PLANED FEATURES), I don't think it is even possible to cleanly combine it into a single cloudflare-list.conf. This will only end in a pure mess.

A better solution would be an additional Python lib later, like smtp.py for example. This is a solution I see, but sadly I'm not good enough in Python to convert it.

Rather, I like to contribute to the project with a working and cleanly written solution even if it's in PHP, but for this, clean and functional. You can see I even hook into the log files with the right format, work with tmp files to massively reduce the needed API calls, and work modularly with the config files from fail2ban like fail2ban.conf, fail2ban.local, jail.conf, jail.local, to provide a modular working solution no matter how the system config differs from the default.

When you look at the old Cloudflare solutions I don't see a working update to them in the near future; I would even think about removing cloudflare.conf due to its outdated state (it only received an update to work again with the token auth, the same you already have with cloudflare-token.conf),
in addition to renaming cloudflare-token.conf to cloudflare-enterprise-plan.conf. Even then it doesn't have enough firewall rules! (Just 1000 is really not enough if you think about it.)

The old solutions just add a firewall rule for each ban and remove them later. The free plan (5 rules) and even pro (20 rules) become useless for this.

We need a solution that works with the list functionality of Cloudflare. You can see in the code that you need to watch multiple things now for this (like firewall rules, filter rule, lists and some more complex logic). To cover all this in a single-file f2b wrapper would be a real mess.

Outsourcing this seems to be the cleanest solution for me.

I don't think so, but OK.

In today's time, if you provide some services on port 80/443, 90% would have PHP on the server. And that is in 99% the only reason to block someone on this service (login tries etc.).
Even if you don't have it (when using things like a Python web server or other languages to provide services on 80/443), you only need to install php-cli in addition.
I know it's a dependency added in this state.

But as long as no Python pro has the time to do an extra py lib for this (like smtp.py), I just like to add an opportunity for the community and users with a working and clean solution, whose capabilities can easily be extended.

No front or offense, but I think the old solutions are no longer effective to work with Cloudflare and a solution is not nearly in sight in the near future (otherwise someone would write a py lib; the syntax fix for the API calls alone is badly needed in this API version).
(see line 445)

I just like to help and support this project, and I'm fine with deleting this solution in the future if a py lib is ready. Until then this is a fine working solution.

@sebres
Contributor

sebres commented Nov 2, 2022

In today time if you provide some services on port 80/443 90% would have php on the server

No. 90% of some private hosting, maybe, but I still doubt the proportion of the whole community,
especially people who may need Cloudflare.

Rather i like to contribute to the project with a working and clean written solution even if its in php, but for this, clean and functional

Sure, and thank you!...
Although I speak PHP, unfortunately I neither have Cloudflare, nor do I think it would be a good idea to check this PHP action blindly (without Cloudflare access).

Anyway, we can leave it open here up to the next regular release, in the hope someone would rewrite it as a pythonic action.
People who need it and are in the mood to experiment could use the files as-is from this PR.
