Question ModSecurity - How to build an IP block list?

alvesjc

Hello all,

Since I've moved to Cloudflare, I've lost the ability to block malicious IP sources from known lists with Ubuntu iptables.

I've found this info about adding IPs to block.

https://www.codeproject.com/Articles/574935/BlockplusIPplususingplusModSecurity

Is it possible to integrate this with the WAF provided in Plesk?

For now I have it running with a Comodo account, but it would be great to restore the ability to block bad IP sources from my site again.

Help appreciated.

My system info:

  • OS: Ubuntu 16.04.3 LTS
  • Product: Plesk Onyx 17.5.3 Update #39, last updated at Feb 4, 2018 11:23 PM
  • Checked at Feb 4, 2018 07:29 AM.
 
Hello, you can still block malicious IPs with fail2ban and Cloudflare: Can I still use fail2ban while using Cloudflare?
You just have to create a file /etc/nginx/conf.d/cloudflare.conf with the following content to restore the visitor's real IP:

Code:
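# Trust the client-address header only when the connection comes from these
# Cloudflare ranges (as posted; compare with Cloudflare's current published list).
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
# Header Cloudflare uses to pass the visitor's address; without this
# directive nginx reads X-Real-IP, its default.
real_ip_header CF-Connecting-IP;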

Additionally, there is a fail2ban action available to automatically block an IP with iptables and Cloudflare at the same time: Adding Cloudflare support to fail2ban | Le Blog
 
Hi Virtubox.

Thank you for your inputs.

That is very nice, I'll set up the API also.

But Cloudflare limits the CIDR to /16 or /24 subnets.
In my list I have a lot of /11 subnets to block and many other different subnets.

Is it possible to block this address list with 66k entries in nginx reliably and without much impact on performance?
 
Block those IPs directly with fail2ban on your server, it will set all iptables properly. But even if you block them only with Nginx, it should not impact your server performance because nginx will directly display a 403 forbidden for a blocked IP.

You can also add some jails to ban IPs by checking nginx access logs (for example, too many 404 errors mean directory bruteforce). There is a nice tutorial available here: How to Secure an nginx Server with Fail2Ban
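
Added example, not part of the original thread and not Plesk's or nginx's own tooling: one way to hand a large CIDR list to nginx is to validate and merge it first, then emit a `geo` block that nginx matches against the client address. The sample list, the variable name `$blocked_ip` and the function names are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample blocklist (documentation ranges, not real threat data).
SAMPLE_BLOCKLIST = """\
# comment line
198.51.100.0/25
198.51.100.128/25
203.0.113.7
203.0.113.0/24
192.0.2.10/24
not-an-ip
"""

def parse_blocklist(text):
    """Return (networks, rejected_lines); host bits in a CIDR are masked off."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(raw)  # keep for review instead of writing bad config
    return nets, rejected

def collapse(nets):
    """Merge adjacent and overlapping ranges, one address family at a time."""
    merged = []
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same_family))
    return merged

def render_geo(nets, var="$blocked_ip"):
    """Render an nginx geo block; geo matches $remote_addr, which the
    realip directives replace with the visitor's address."""
    lines = [f"geo {var} {{", "    default 0;"]
    lines += [f"    {net} 1;" for net in nets]
    lines.append("}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    networks, skipped = parse_blocklist(SAMPLE_BLOCKLIST)
    print(render_geo(collapse(networks)), end="")
    for line in skipped:
        print(f"# skipped invalid entry: {line!r}")
```

The generated block belongs in the `http` context (for example a file under /etc/nginx/conf.d/), and a `server` block can then answer `if ($blocked_ip) { return 403; }`. Run `nginx -t` before reloading so a bad entry never reaches the live configuration.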
 