Troubleshooting: Plesk bans Cloudflare / CDN IP addresses with fail2ban

Plesk is set up for direct client connections by default. When a site sits behind Cloudflare, every request reaches the server from a Cloudflare edge address, so when the site is attacked, fail2ban bans those Cloudflare IP addresses instead of the attacker. If this happens often enough, Cloudflare itself can no longer reach your pages and visitors only see errors.

It is much more effective to block the attackers themselves rather than Cloudflare.

For this, Apache's remoteip module must be enabled. Check it with:

(apache2ctl -M || httpd -M) | grep remoteip_module

If the command prints nothing, the module is not loaded (on Debian/Ubuntu enable it with a2enmod remoteip and restart Apache).

Let's start solving the problem. I assume that nginx is used as the reverse proxy in front of Apache (the Plesk default). In that setup nginx has to learn the real client address from Cloudflare's CF-Connecting-IP header (nginx's real_ip module), and it then forwards that address to Apache, so both log the attacker's IP instead of Cloudflare's and fail2ban bans the right host.

touch /root/ && chmod 700 /root/
nano /root/

Then we add the following content:

#!/bin/bash
# Refresh the Cloudflare IP list used by nginx's real_ip module.
# Plesk's nginxmng reports whether nginx is enabled as the reverse proxy.
if [[ "$(/usr/local/psa/admin/bin/nginxmng --status)" != "Enabled" ]] ; then
	echo "Nginx is not in use on this Plesk server. Exiting..." && exit 0
fi

# A stop flag left behind by a previous failed run means a human has to look first.
if [ -f /etc/nginx/conf.d/cf-stop ] ; then
	printf "Previous execution of the script failed!\nThere is /etc/nginx/conf.d/cf-stop\nReview the script functional and remove the /etc/nginx/conf.d/cf-stop\n"
	printf "The script execution was halted.\n" && exit 0 # also add some notifications here if you would like to receive them
fi

# Download the two Cloudflare lists (IPv4, then IPv6) into a temp file and turn them
# into set_real_ip_from directives. The two list URLs are missing from this page and
# have to be filled in on the curl lines.
placeconf() {
	CFTEMP=$(mktemp) || exit 1
	# -f makes curl fail on HTTP errors, so an error page never becomes an nginx config
	if ! curl -sSf >"$CFTEMP" || ! printf "\n" >>"$CFTEMP" || ! curl -sSf >>"$CFTEMP" ; then
		echo "Downloading the Cloudflare IP lists failed. Keeping the current config." && rm -f "$CFTEMP" && exit 1
	fi
	sed -i '/^[[:space:]]*$/d' "$CFTEMP"          # drop blank lines, they would become "set_real_ip_from ;"
	sed -i -e 's/^/set_real_ip_from /' "$CFTEMP"
	sed -i '1ireal_ip_header CF-Connecting-IP' "$CFTEMP"
	sed -i '/[^;] *$/s/$/;/' "$CFTEMP"
	mv "$CFTEMP" /etc/nginx/conf.d/cloudflare.conf
}

if [ ! -f /etc/nginx/conf.d/cloudflare.conf ] ; then
	# CF IP list is missing in conf.d: install a fresh one
	placeconf
else
	# CF IP list exists in conf.d
	if [[ ! -z "$(cat /etc/nginx/conf.d/cloudflare.conf)" ]] ; then
		# The list is not empty. Back up the previous one and install the new one.
		cp /etc/nginx/conf.d/cloudflare.conf{,.bkp} && placeconf
	else
		# The existing list is empty, nothing worth backing up.
		placeconf
	fi
fi

if nginx -t >/dev/null 2>&1 ; then
	# configuration is valid
	echo "Configuration applied. Restarting Nginx."
	systemctl restart nginx
else
	# Configuration is not valid. Switching to the old CF IP list
	echo "Nginx conf test failed. Rolling back"
	if [ -f /etc/nginx/conf.d/cloudflare.conf.bkp ] ; then
		mv /etc/nginx/conf.d/cloudflare.conf.bkp /etc/nginx/conf.d/cloudflare.conf
	fi
	if nginx -t >/dev/null 2>&1 ; then
		# Previous config is valid. Restarting.
		echo "Rolled back to the older config. Restarting Nginx"
		systemctl restart nginx
	else
		echo "Old config file also causes failure. Disabling the CF list completely"
		mv /etc/nginx/conf.d/cloudflare.conf{,.disabled}
		# Add any notification of your liking (telegram/mail/etc...)
		systemctl restart nginx
		# creating a stop flag
		touch /etc/nginx/conf.d/cf-stop
	fi
fi

exit 0

Save the file and run the script.


Cloudflare's IP ranges change from time to time, so the script has to be run again occasionally. Therefore it makes sense to create a cron job for it, for example once a week, and to check the stop flag afterwards.
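The script above trusts whatever the download returns. As an added example (not the page's script, and not Cloudflare's or Plesk's code), here is the list-to-config step written as small POSIX sh functions with validation: it reads a CIDR list from stdin, skips blank lines and comments, copes with a list that has no trailing newline (the reason for the printf "\n" above) or CRLF line ends, rejects malformed entries instead of installing them, and renders either the nginx real_ip directives or the equivalent Apache mod_remoteip directives. The sample list is constructed from documentation prefixes, not Cloudflare's real ranges, and all function names are my own.

```shell
#!/bin/sh
# Added example, not the page's script: render a Cloudflare-style CIDR list
# into nginx real_ip / Apache mod_remoteip directives after validating it.

nl=$(printf '\n.'); nl=${nl%.}   # a literal newline, usable in POSIX sh

# Constructed sample list (RFC 5737 / RFC 3849 documentation prefixes, NOT
# Cloudflare's real ranges). It deliberately contains a blank line, a comment
# and no trailing newline, which is what a raw download can look like.
sample_list() {
	printf '192.0.2.0/24\n\n2001:db8::/32\n# comment\n198.51.100.0/24'
}

# cidr_ok CIDR: syntactic check for "a.b.c.d/n" (octets <= 255, n 0..32)
# or "hex:.../n" (n 0..128). Enough to stop garbage such as an HTML error
# page or a truncated download from becoming a set_real_ip_from directive.
cidr_ok() {
	c=$1
	if printf '%s\n' "$c" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
		for o in $(printf '%s' "${c%/*}" | tr . ' '); do
			[ "$o" -le 255 ] || return 1
		done
		return 0
	fi
	case $c in
		*:*/*) printf '%s\n' "$c" | grep -Eq '^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$' ;;
		*) return 1 ;;
	esac
}

# clean_entries: stdin -> one CIDR per line. Comments, blank lines and stray
# whitespace (including CR from CRLF downloads) are removed, and the last
# line is read even without a trailing newline. Returns 1 on a bad entry or
# an empty list and then prints nothing, so a caller never installs a
# half-built file.
clean_entries() {
	n=0; out=
	while IFS= read -r line || [ -n "$line" ]; do
		line=${line%%#*}
		line=$(printf '%s' "$line" | tr -d '[:space:]')
		if [ -z "$line" ]; then continue; fi
		cidr_ok "$line" || { echo "rejecting malformed entry: $line" >&2; return 1; }
		out="$out$line$nl"
		n=$((n+1))
	done
	[ "$n" -gt 0 ] || { echo "rejecting empty list" >&2; return 1; }
	printf '%s' "$out"
}

# render_nginx: stdin CIDR list -> nginx real_ip snippet for conf.d
render_nginx() {
	entries=$(clean_entries) || return 1
	printf 'real_ip_header CF-Connecting-IP;\n'
	printf '%s\n' "$entries" | sed 's/^/set_real_ip_from /; s/$/;/'
}

# render_apache: same input -> mod_remoteip directives. Only meaningful when
# Apache itself accepts the connection from Cloudflare (no nginx in front),
# because RemoteIPTrustedProxy lists the peers whose header Apache believes.
render_apache() {
	entries=$(clean_entries) || return 1
	printf 'RemoteIPHeader CF-Connecting-IP\n'
	printf '%s\n' "$entries" | sed 's/^/RemoteIPTrustedProxy /'
}

# Demo: both renderings of the sample list, then a rejected entry.
sample_list | render_nginx
sample_list | render_apache
printf '10.0.0.0/33\n' | render_nginx || echo "(bad entry rejected)"
```

Write the nginx output to a temporary file, run nginx -t, and only then move it into place, exactly as the script above does; the Apache output belongs in a snippet loaded after the remoteip module and should be checked with apachectl configtest before a reload.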

  1. FYI, your script is missing some backslashes on the newlines, so copy/paste fails. Specifically because of the printf “n”.

