Once you start using Cloudflare as a CDN solution for your hosting, you are adding another firewall into the equation, albeit a very good one, but you may want to pass your servers local firewall fail2bans IP blocks over to Cloudflare and keep the two firewalls synchronised. This guide is using ServerPilot/fai2ban on a Vultr instance but similar hosting will be the same.
2 problems need to be overcome, the first is the transparency of Cloudflares IP addresses and the second is pushing the fail2ban IP bans on your server firewall over to the Cloudflare firewall.
Reveal True IP Addresses
Cloudflare wraps a visitors IP address in its own address, this can cause issues with the fail2ban IP rules as you may be blocking the wrong addresses, so the real IPs need to be revealed – this is referenced on the Cloudflare site, and has a number of solutions for different web serving apps.
ServerPilot uses nginx as a front end tool and have already made these changes in their nginx config. Check /etc/nginx-sp/nginx.conf
# CloudFlare proxy addresses. # Do not modify this list. If you believe the CloudFlare proxy address list is # out of date, please contact firstname.lastname@example.org. set_real_ip_from 220.127.116.11/22; set_real_ip_from 18.104.22.168/22; set_real_ip_from 22.214.171.124/22; set_real_ip_from 126.96.36.199/12; set_real_ip_from 188.8.131.52/18; set_real_ip_from 184.108.40.206/22; set_real_ip_from 220.127.116.11/18; set_real_ip_from 18.104.22.168/15; set_real_ip_from 22.214.171.124/13; set_real_ip_from 126.96.36.199/20; set_real_ip_from 188.8.131.52/20; set_real_ip_from 184.108.40.206/20; set_real_ip_from 220.127.116.11/22; set_real_ip_from 18.104.22.168/17; set_real_ip_from 22.214.171.124/21; set_real_ip_from 2400:cb00::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2c0f:f248::/32; set_real_ip_from 2a06:98c0::/29; real_ip_header X-Forwarded-For;
So that’s great – already done here, if you are not using ServerPilot look at the earlier referenced link for a solution.
Pushing fail2ban IP rules to Cloudflare
For every fail2ban jail client you set up, as in the one set up for wordpress-hard you can add an action when the fail2ban rule is triggered, there is a whole bunch of actions in /etc/fail2ban/action.d/ directory including a cloudflare.conf one, which synchronises your local firewall to the Cloudflare one.
You just rename/backup the old cloudflare.conf and add in the new one above and add in your Cloudflare username/email and API key at the bottom where indicated on lines 67 & 73.
Then you reference the action in your jail.local file under the WordPress defined jail.
[wordpress-hard] enabled = true filter = wordpress-hard logpath = /var/log/auth.log maxretry = 3 port = http,https action = cloudflare
service fail2ban restart
Now you will see your Cloudflare firewall updated with your ServerPilots fail2ban banned IP addresses and if you unban addressess they will also be sync’ed.
So if you unban an IP address at your server firewall (example below uses our wordpress_hard jail…
fail2ban-client set wordpress-hard unbanip 126.96.36.199
It will be sync’ed to Cloudflare so also removed there.