Fail2Ban Cloudflare not unbanning IPv6 addresses

When attempting to run actionunban on the Cloudflare unban script using fail2ban, it bans and unbans IPv4 just fine, but with IPv6 it bans but doesn't unban.
3 Replies
Jay (2mo ago)
actionunban = curl -s -X GET "<_cf_api_url>" \
                  <_cf_api_prms> > /var/log/fail2ban-unban-full-response.log

              # Using jq to extract the ID associated with the IP
              id=$(jq -r --arg ip "<ip>" '.result[] | select(.configuration.value == $ip) | .id' /var/log/fail2ban-unban-full-response.log)

              # Conditional operation based on whether an ID was found
              if [ -z "$id" ]; then
                  jq -r '.result[] | {id, mode, notes, configuration}' /var/log/fail2ban-unban-full-response.log
                  exit 0
              fi

              # Command to delete the rule using the extracted ID
              curl -s -X DELETE "<_cf_api_url>/$id" \
                  <_cf_api_prms> \
                  --data '{"cascade": "none"}'
Chaika (2mo ago)
You'd have to debug your script more. Those calls look fine to me and work; just grabbing all the IP access rules and deleting them with that body is fine. Something else messed with the processing/IP storage maybe, would have to add logs and such. Some services may add the CIDR (/128) to the end for a specific IP, or if they try to ban the /64 / pass in the /64. If you pass in the shortened version of an IP, 2100::/64, CF will respond in the API after with the expanded version in the configuration: 2100:0000:0000:0000:0000:0000:0000:0000/64
Jay (2mo ago)
actionunban = curl -s -X GET "<_cf_api_ip_search_url>" <_cf_api_prms> > /var/log/fail2ban-unban-full-response.log

              id=$(jq -r --arg ip "<ip>" '.result[] | select(.configuration.target | test("ip6?")) | select(if .configuration.target == "ip6" then .configuration.value | gsub(":0+"; ":") == ($ip | gsub(":0+"; ":")) else .configuration.value == $ip end) | .id' /var/log/fail2ban-unban-full-response.log)

              if [ -z "$id" ]; then
                  exit 0
              fi

              curl -s -X DELETE "<_cf_api_url>/$id" <_cf_api_prms> --data '{"cascade": "none"}'
I tried this, it unbans some IPv6 but doesn't cover all cases like the one you posted above, @Chaika. So what I'm doing now is searching for the IP directly using the CF API, then extracting the ID from the response. Maybe instead of that additional request, does CF respond with the ID initially when the IP is banned? We could just store the key-value pair, ip:id, then just unban using the ID without having to query for the IP every time.
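
An added example, not part of any post in this thread: the string and regex comparisons above miss a rule whenever Cloudflare stores the expanded spelling or a /128 or /64 suffix, so this Python helper (Python because fail2ban already runs on it) compares parsed networks instead of text. The response shape follows the thread's jq filters; the function names, rule IDs and addresses are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like the rule list the thread's jq filters read
# (.result[].id, .result[].configuration.value). IDs and addresses are made up.
SAMPLE_RESPONSE = json.loads("""
{"result": [
  {"id": "rule-v4",  "configuration": {"target": "ip",  "value": "192.0.2.10"}},
  {"id": "rule-v6",  "configuration": {"target": "ip6", "value": "2001:0db8:0000:0000:0000:0000:0000:0001"}},
  {"id": "rule-128", "configuration": {"target": "ip6", "value": "2001:0db8:0000:0000:0000:00ff:0000:0002/128"}},
  {"id": "rule-64",  "configuration": {"target": "ip_range", "value": "2001:0db8:00aa:0000:0000:0000:0000:0000/64"}},
  {"id": "rule-cc",  "configuration": {"target": "country", "value": "XX"}}
]}
""")


def to_network(text):
    """Parse an address or CIDR in any notation; None for non-IP values."""
    try:
        return ipaddress.ip_network(text.strip(), strict=False)
    except ValueError:
        return None


def matching_rule_ids(response, banned_ip, also_v6_prefix=None):
    """Return IDs of rules that target banned_ip, whatever its spelling.

    also_v6_prefix (e.g. 64) additionally matches the enclosing IPv6 range,
    for setups where the ban action submitted the /64 instead of the host.
    It is opt-in so a broader rule is never selected by accident.
    """
    host = to_network(banned_ip)
    if host is None:
        return []
    wanted = {host}
    if also_v6_prefix is not None and host.version == 6:
        wanted.add(host.supernet(new_prefix=also_v6_prefix))
    ids = []
    # "result" can be null on an API error, hence the `or []`.
    for rule in response.get("result") or []:
        value = rule.get("configuration", {}).get("value", "")
        if to_network(value) in wanted:
            ids.append(rule["id"])
    return ids
```

Each returned ID can then be passed to the same DELETE call the thread's actionunban already uses.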