Fail2Ban Cloudflare not unbanning IPV6 addresses

When attempting to run actionunban on cloudflare unban script using fail2ban, it bans and unbans ipv4 just fine, but ipv6 it bans but doesn't unban.
3 Replies
Jay
JayOP5mo ago
actionunban = curl -s -X GET "<_cf_api_url>" \
<_cf_api_prms> > /var/log/fail2ban-unban-full-response.log

# Using jq to extract the ID associated with the IP
id=$(jq -r --arg ip "<ip>" '.result[] | select(.configuration.value == $ip) | .id' /var/log/fail2ban-unban-full-response.log)

# Conditional operation based on whether an ID was found
if [ -z "$id" ]; then
jq -r '.result[] | {id, mode, notes, configuration}' /var/log/fail2ban-unban-full-response.log
exit 0
fi

# Command to delete the rule using the extracted ID
curl -s -X DELETE "<_cf_api_url>/$id" \
<_cf_api_prms> \
--data '{"cascade": "none"}'
actionunban = curl -s -X GET "<_cf_api_url>" \
<_cf_api_prms> > /var/log/fail2ban-unban-full-response.log

# Using jq to extract the ID associated with the IP
id=$(jq -r --arg ip "<ip>" '.result[] | select(.configuration.value == $ip) | .id' /var/log/fail2ban-unban-full-response.log)

# Conditional operation based on whether an ID was found
if [ -z "$id" ]; then
jq -r '.result[] | {id, mode, notes, configuration}' /var/log/fail2ban-unban-full-response.log
exit 0
fi

# Command to delete the rule using the extracted ID
curl -s -X DELETE "<_cf_api_url>/$id" \
<_cf_api_prms> \
--data '{"cascade": "none"}'
Chaika
Chaika4mo ago
You'd have to debug your script more. Those calls look fine to me and work, just grabbing all the ip access rules and deleting them with that body is fine. Somethign else messed with the processing/IP storage maybe, would have to add logs and such. Some services may add the CIDR (/128) to the end for a specific IP, or if they try to ban the /64/pass in the /64. If you pass in the shortened version of an IP 2100::/64 CF will respond in the API after with the expanded version in the configuration 2100:0000:0000:0000:0000:0000:0000:0000/64
Jay
JayOP4mo ago
actionunban = curl -s -X GET "<_cf_api_ip_search_url>" <_cf_api_prms> > /var/log/fail2ban-unban-full-response.log

id=$(jq -r --arg ip "<ip>" '.result[] | select(.configuration.target | test("ip6?")) | select(if .configuration.target == "ip6" then .configuration.value | gsub(":0+"; ":") == ($ip | gsub(":0+"; ":")) else .configuration.value == $ip end) | .id' /var/log/fail2ban-unban-full-response.log)

if [ -z "$id" ]; then
exit 0
fi

curl -s -X DELETE "<_cf_api_url>/$id" <_cf_api_prms> --data '{"cascade": "none"}'
actionunban = curl -s -X GET "<_cf_api_ip_search_url>" <_cf_api_prms> > /var/log/fail2ban-unban-full-response.log

id=$(jq -r --arg ip "<ip>" '.result[] | select(.configuration.target | test("ip6?")) | select(if .configuration.target == "ip6" then .configuration.value | gsub(":0+"; ":") == ($ip | gsub(":0+"; ":")) else .configuration.value == $ip end) | .id' /var/log/fail2ban-unban-full-response.log)

if [ -z "$id" ]; then
exit 0
fi

curl -s -X DELETE "<_cf_api_url>/$id" <_cf_api_prms> --data '{"cascade": "none"}'
I tried this, it unbans some IPv6 but doesn't cover all cases like the one you posted above @Chaika So what i'm doing now is searching for the ip directly using the CF api, then extracting the ID from the response Maybe instead of that additional request, does CF respond with the ID initially when the IP is banned we could just store the key value pair, ip:id then just unban using the ID without having to query for the IP every time
Want results from more Discord servers?
Add your server