Troubleshooting: Plesk bans Cloudflare / CDN IP addresses with fail2ban

3. October 2022

Plesk is designed for “normal” use by default, so sometimes the Cloudflare IP addresses are banned when your website is attacked. If this happens very often, it will eventually lead to the fact that your pages are no longer accessible for Cloudflare itself.

It would be much more effective to block the attackers themselves and not Cloudflare itself.

For this, the remote IP module must be activated, verifiable with:

(apache2ctl -M || httpd -M) | grep remoteip_module

Let’s start to solve the problem … i assume that nginx is used as upstream proxy.

touch /root/cf.sh && chmod 700 /root/cf.sh

nano /root/cf.sh

Then we add the following content:

#!/bin/bash
if [[ "$(/usr/local/psa/admin/bin/nginxmng --status)" != "Enabled" ]] ; then
	echo "Nginx is not in use on this Plesk server. Exiting..." && exit 0
fi

if [ -f /etc/nginx/conf.d/cf-stop ] ; then
	printf "Previous execution of the script failed!\nThere is /etc/nginx/conf.d/cf-stop\nReview the script functional and remove the /etc/nginx/conf.d/cf-stop\n"
	printf "The script execution was halted.\n" && exit 0 # also add some notifications here if you would like to receive them
fi	

PATH=$PATH:/sbin:/bin:/usr/sbin:/usr/bin
CFTEMP=/tmp/cloudflare-ips.txt
curl -sS https://www.cloudflare.com/ips-v4 >$CFTEMP && printf "\n" >> $CFTEMP
curl -sS https://www.cloudflare.com/ips-v6 >>$CFTEMP
sed -i -e 's/^/set_real_ip_from /' $CFTEMP
sed -i '1ireal_ip_header CF-Connecting-IP' $CFTEMP
sed -i '/[^;] *$/s/$/;/' $CFTEMP

placeconf(){
	mv $CFTEMP /etc/nginx/conf.d/cloudflare.conf
}


if [ ! -f /etc/nginx/conf.d/cloudflare.conf ] ; then
	# CF IP List is missing in conf.d
	placeconf
else
	# CF IP List exists in conf.d 
	if [[ ! -z "$(cat /etc/nginx/conf.d/cloudflare.conf)" ]] ; then
		# The list is not empty. Back up the previous one and install the new one.
		cp /etc/nginx/conf.d/cloudflare.conf{,.bkp} && placeconf
	fi
fi

nginx -t 2>/dev/null > /dev/null
if [[ $? == 0 ]]; then
	# configuration is valid
 	echo "Configuration applied. Restarting Nginx."
 	systemctl restart nginx
else
 	# Configuration is not valid. Switching to the old CF IP list
 	echo "Nginx conf test failed. Rolling back"
 	mv /etc/nginx/conf.d/cloudflare.conf.bkp /etc/nginx/conf.d/cloudflare.conf
 	t2=$(nginx -t 2>/dev/null > /dev/null)
 	if [ "$t2" == 0 ] ; then
 		# Previous config is valid. Restarting.
 		echo "Rolled back to the older config. Restarting Nginx"
 		systemctl restart nginx
 	else
 		echo "Old config file also causes failure. Disabling the CF list completely"
 		mv /etc/nginx/conf.d/cloudflare.conf{,.disabled}
 		# Add any notification of your liking(telegram/mail/etc...)
 		systemctl restart nginx
 		# creating a stop flag
 		touch /etc/nginx/conf.d/cf-stop
 	fi
fi


exit 0

and run the script

/root/cf.sh

It may be necessary to run the script again from time to time. Therefore it makes sense to create a cronjob.

Plesk

2 Antworten zu “Troubleshooting: Plesk bans Cloudflare / CDN IP addresses with fail2ban”

Jon says:
24. February 2023 at 21:57
FYI, your script is missing some backslashes on the newlines, so copy/paste fails. Specifically because of the printf “n”.
1. Daniel says:
  14. March 2023 at 3:44
  I can’t confirm that but you have to add #!/bin/bash to the header. I added it now and hope it works for everybody.

2 Antworten zu “Troubleshooting: Plesk bans Cloudflare / CDN IP addresses with fail2ban”

Leave a Reply Cancel reply