Issue with WAF

Hello, is there an issue with Cloudflare WAF? Custom rules?
43 Replies
MrDadone
MrDadoneOP•5mo ago
As my custom rules, after 5 minutes or less, get changed to block and unused filter.
MrDadone
MrDadoneOP•5mo ago
like this.
MrDadone
MrDadoneOP•5mo ago
pretty much the action changes.
Chaika
Chaika•5mo ago
No known issues (https://www.cloudflarestatus.com/), and nothing like that. I would check your Audit Log to see what's changing it, if you're using a partner like Ezoic or something with access to your account.
MrDadone
MrDadoneOP•5mo ago
MrDadone
MrDadoneOP•5mo ago
User cloudflare... and it changes the value, this part specifically.
Chaika
Chaika•5mo ago
show the full audit event (hiding your account name/etc as needed)?
MrDadone
MrDadoneOP•5mo ago
Chaika
Chaika•5mo ago
Are there any other events of interest around/before that? That, with the firewall API property, kind of looks like something using the old Firewall API and it being translated to a custom rule update, like Terraform or something like that, using those old endpoints.
MrDadone
MrDadoneOP•5mo ago
I have 3 API keys: 1 which I should remove, and I will do now; 1 for subdomains (custom stuff); 1 for fail2ban. I think fail2ban is the issue, as it wasn't doing this before.
Chaika
Chaika•5mo ago
you don't see anything else in the audit log, and fail2ban is given access to that domain/zone?
MrDadone
MrDadoneOP•5mo ago
yes fail2ban has access to the zone
Chaika
Chaika•5mo ago
Could you just stop/pause fail2ban for a bit, change the custom rule back, and see if it happens again? Easier to turn back on than reissuing the token and setting it up again.
MrDadone
MrDadoneOP•5mo ago
Ok, I'll pause it and see what happens. Ok, I'll pause fail2ban everywhere. Ok, paused everywhere, now I'll change the rule again. And now we wait 😄 Seems like that was the issue. But I need fail2ban with Cloudflare, not sure what I did wrong with permissions.
Chaika
Chaika•5mo ago
Not permission based. Not sure how exactly fail2ban interfaces with Cloudflare (a plugin maybe?), but it looks like it's 1. using the old Firewall API (will be gone in 2025 Jan) and 2. overriding other rules.
MrDadone
MrDadoneOP•5mo ago
Ok, how can I use the new firewall API? For the record, it's here: /etc/fail2ban/action.d/cloudflare.conf, and it should be there by default. This is what I had there. I have removed personal information.
# Option: actionstart
actionstart =

# Option: actionstop
actionstop =

# Option: actioncheck
actioncheck =

# Option: actionban
actionban = curl -s -o /dev/null -X POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/rules" \
-H "Authorization: Bearer <YOUR_API_TOKEN>" \
-H "Content-Type: application/json" \
--data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"Fail2Ban"}'

# Option: actionunban
actionunban = id=$(curl -s -X GET -H "Authorization: Bearer <YOUR_API_TOKEN>" \
-H "Content-Type: application/json" \
"https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/rules?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1&notes=Fail2Ban" \
| jq -r '.result[0].id'); \
if [ -z "$id" ]; then echo "Fail2Ban: id for <ip> cannot be found"; exit 0; fi; \
curl -s -o /dev/null -X DELETE -H "Authorization: Bearer <YOUR_API_TOKEN>" \
"https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/rules/$id"

[Init]

cftoken = <YOUR_API_TOKEN>
cfuser = <YOUR_EMAIL>
Any idea what could be causing it to change the rules?
Chaika
Chaika•5mo ago
It was making a firewall rule per ban? You'd run out rather quickly, I would assume.
Chaika
Chaika•5mo ago
I'm not sure of all the auto translation magic between old firewall api and the new custom rules, there's some docs here: https://developers.cloudflare.com/waf/reference/migration-guides/firewall-rules-to-custom-rules/#relevant-changes-for-api-users
MrDadone
MrDadoneOP•5mo ago
The goal was just to make the IP get banned on all the servers, nothing else. Like if it gets banned on 1 server, it gets banned everywhere.
Chaika
Chaika•5mo ago
Why not use IP Access Rules and their API?
Chaika
Chaika•5mo ago
Looks like they even have a default config which uses them: https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare-token.conf
MrDadone
MrDadoneOP•5mo ago
I'll use that configuration and let you know how it works. Thanks.
Chaika
Chaika•5mo ago
Sure, you can have up to 50,000 of those, should be plenty.
MrDadone
MrDadoneOP•5mo ago
I'll use this config, let you know if the issue persists, thanks!
MrDadone
MrDadoneOP•5mo ago
Ok, so I started reconfiguring the servers, and I noticed this: is it normal that you don't see the same amount of bans on all the servers?
MrDadone
MrDadoneOP•5mo ago
Ok, finally updated all configurations, now let's see. Will see if it gets changed again.
Chaika
Chaika•5mo ago
I do not use fail2ban, but I would assume each server is independent.
MrDadone
MrDadoneOP•5mo ago
The issue still persists.
Chaika
Chaika•5mo ago
Well, it stopped when you paused fail2ban, right?
MrDadone
MrDadoneOP•5mo ago
Yep.
Chaika
Chaika•5mo ago
I would wager then that somehow one of the servers isn't updated or is using both configs/etc.
MrDadone
MrDadoneOP•5mo ago
I was already using that config by default, but yeah, I just put the info in. I'll double-check again.
Chaika
Chaika•5mo ago
PS, if you didn't see the migration I linked above:
Cloudflare will internally convert your Firewall Rules API and Filters API calls into the corresponding Rulesets API calls. The converted API calls between the Firewall Rules API/Filters API and the Rulesets API appear in audit logs as generated by Cloudflare and not by the actual user making the requests.
That's why it shows as a Cloudflare user.
MrDadone
MrDadoneOP•5mo ago
Ok, I double-checked, issue persists.
MrDadone
MrDadoneOP•5mo ago
Now it's spamming this, though.
MrDadone
MrDadoneOP•5mo ago
Maybe there is a way to "whitelist" specific rules so they don't get touched? Well, let me know if anyone has any ideas, thanks.
Chaika
Chaika•5mo ago
Hard to tell volume from that, but you might want to be careful/limit things a bit to not hit the global 1200 requests per 5 minutes limit. Those ruleset updates mean something's still using the old Firewall Rules API.
MrDadone
MrDadoneOP•5mo ago
Mh, I'll change the API key and update all servers, will see what happens. Ok, so I updated the key, deleted the old one, updated everywhere, and for now it seems to be good, I'll let you know how it goes. Seems like that helped, thank you!