Following my previous post about using fail2ban to stop malicious requests to xmlrpc.php, I set up a CloudFlare account. In doing so, I ran into two issues:
First, my access logs were only showing CloudFlare’s IP address, not those of the users making the requests. That’s due to how CloudFlare proxies every request. Fortunately, CloudFlare provides an Apache module to translate the IP addresses for your logs.
Second, even with the correct IP address in the logs, fail2ban was no longer effective at stopping requests, since the ban it applies acts on the connection before the Apache module has translated the IP address. I needed to stop the requests at CloudFlare, before they ever reached my server. Fortunately, it’s simple to set up a fail2ban action that uses the CloudFlare API to block those requests. Create an action including:
[Definition]
actionban = curl -s "https://www.cloudflare.com/api.html?a=ban&key=<ip>&u=<account>&tkn=<token>"
actionunban = curl -s "https://www.cloudflare.com/api.html?a=nul&key=<ip>&u=<account>&tkn=<token>"
And set your filter(s) to use that action.
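As an added example (not code from the original post), here is the detection step fail2ban performs in this setup, run over constructed Apache access-log lines. It assumes the combined log format with the real client IP already substituted by the CloudFlare Apache module, and mirrors fail2ban’s maxretry/findtime rule; the IPs it returns are what the action above receives in its <ip> tag.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Equivalent of the jail's failregex: a POST to xmlrpc.php. The first field is
# assumed to already be the real client IP (CloudFlare Apache module applied).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /xmlrpc\.php(?:\?\S*)? HTTP/[\d.]+"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_hits(lines):
    """Yield (timestamp, ip) for each line matching the xmlrpc.php POST pattern."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def ips_to_ban(lines, maxretry=5, findtime=600):
    """Return the IPs with at least `maxretry` hits inside any `findtime`-second
    window (fail2ban's sliding-window rule). Each returned IP is what the
    actionban command receives in its <ip> tag."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, ip in sorted(parse_hits(lines)):
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # expire hits older than findtime
            hits.pop(0)
        if len(hits) >= maxretry:
            banned.add(ip)
    return banned


# Constructed sample log lines (documentation-range IPs, not real traffic):
# one IP hammering xmlrpc.php, one legitimate pingback plus a GET that the
# pattern ignores, and one IP whose two POSTs are too far apart to count.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2014:13:55:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"' % s
    for s in range(0, 60, 10)
] + [
    '198.51.100.4 - - [10/Oct/2014:13:55:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.0; pingback"',
    '198.51.100.4 - - [10/Oct/2014:13:56:12 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "curl/7.35"',
    '192.0.2.9 - - [10/Oct/2014:13:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "x"',
    '192.0.2.9 - - [10/Oct/2014:13:10:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "x"',
]
```

Running `ips_to_ban(SAMPLE_LOG)` with the defaults returns only the hammering address; the single pingback and the two widely spaced POSTs stay unbanned.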
I’m having the exact same issue with one of my WordPress blogs. Have you managed to get CloudFlare to block access to xmlrpc.php?
I didn’t specifically block xmlrpc.php. fail2ban monitors the access log, and any IP address that tries to POST to xmlrpc.php too many times will be blocked (via the CloudFlare API). That way normal pingbacks still work, but abusive requests should be blocked.
The IP which fail2ban sees is CloudFlare’s IP. So you’re essentially telling CloudFlare to ban its own IP.