• Make sure that the mod_cloudflare Apache module is installed and active. This can be done by installing the ServerShield by CloudFlare extension or manually using these instructions
• Make sure to add the Cloudflare IP addresses from https://www.cloudflare.com/ips/ to ignore permanently
/etc/csf/csf.ignoreto prevent them from being blocked by the login failure daemon.
This features provides interaction with the Cloudflare Firewall.
As Cloudflare is a reverse proxy, any attacking IP addresses (so far as iptables is concerned) come from the Cloudflare IP's. To counter this, an Apache module mod_cloudflare is available that obtains the true attackers IP from a custom HTTP header record (similar functionality is available for other HTTP daemons.
However, despite now knowing the true attacking IP address, iptables cannot be used to block that IP as the traffic is still coming from the Cloudflare servers.
To work around this, Cloudflare have provided a Firewall feature within the user account where rules can be added to block, challenge or whitelist IP addresses. Using the Cloudflare API, this feature adds and removes attacking IPs from that firewall and provides CLI (and via the UI) additional commands.
LF_MODSECas only through these can the domain name be determined. Any users that own domains that are involved in the trigger will get a block in their Cloudflare Firewall. Additionally, any users with the special case "any" will also get blocks.
CF_TEMPis used instead.
LF_TRIGGERmust not be used, the feature will not work with it enabled.
URLGETmust be set to 2 (i.e. LWP) must be used.
PERMBLOCKis used, the last tempblock will remain and never be cleared. So any Cloudflare Firewall entries must be manually cleared in Cloudflare or via CLI.
CF_TEMP should be configured taking into account the maximum number of rules
that the Cloudflare account allows: https://support.cloudflare.com/hc/en-us/articles/200434798-How-many-IPs-can-I-add-to-rules-in-the-IP-Firewall-
All Cloudflare users for the domains that are involved in
LF_MODSEC will have a Cloudflare rule added. Any Cloudflare accounts
configured to use the special case "any" field value in
/etc/csf/csf.cloudflare will have a Cloudflare rule added regardless of domain.