首先到官网下载脚本或者本站下载:

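  # Download the script and make it usable by its owner only: the Cloudflare
  # API key is stored inside it (or in a config file next to it), so it must
  # not be left world-readable, which is what a plain `chmod +x` would give.
  # Read the downloaded file before installing it in root's crontab.
  wget https://www.7198.net/Shell/cloudflare-block.sh && chmod 700 cloudflare-block.sh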

cloudflare-block.sh 脚本:

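  #!/bin/bash
  # Switch a Cloudflare zone's security level according to the 1-minute load
  # average of this host.
  #
  # Usage: cloudflare-block.sh 0|1
  #   0 - enable "under_attack" when the load has just risen above maxload
  #   1 - restore default_security_level once the load is no longer above maxload
  #
  # The script stores an API credential and is meant to run from root's
  # crontab: keep it, its directory and the optional config file owned by root
  # and not readable or writable by other users.

  # 1-minute load average: first field of /proc/loadavg
  # (awk fields: $1 = 1min, $2 = 5min, $3 = 15min)
  loadavg=$(awk '{printf "%f", $1}' < /proc/loadavg)

  # Load threshold; raise or lower it to suit the machine
  maxload=10

  # Configuration API Cloudflare
  # Your Global API Key (https://dash.cloudflare.com/profile)
  # NOTE(review): the Global API Key is an account-wide credential. A scoped
  # API token limited to this zone's settings would narrow the exposure, but
  # it is sent as "Authorization: Bearer ..." rather than the X-Auth-* headers
  # used below.
  api_key=
  # Email of your Cloudflare account
  email=
  # Zone ID (https://dash.cloudflare.com/_zone-id_/domain.com)
  zone_id=
  # Default security level when there is no attack, see in readme
  default_security_level=high
  # Whether to write debug messages to the debug.log file under script dir
  debug=0

  basedir=$(dirname "$0")
  attacked_file=$basedir/attacked

  # You can put aforementioned config values either in-place
  # or in the file named 'config' in the script's directory.
  # The file is sourced, i.e. executed as shell code with this script's
  # privileges, so anyone who can write to it can run commands as that user.
  config_file=$basedir/config
  [ -e "$config_file" ] && source "$config_file"

  # Redirect stdout only after the config file has been read, so that
  # debug=1 (or logfile=...) set there takes effect as well.
  [ "$debug" -eq 1 ] && exec > "${logfile:-$basedir/debug.log}"

  # Reject anything but 0 or 1 before touching the state file or the API.
  if [[ "$1" != [01] ]]; then
    echo "Incorrect usage! Please pass either 0 or 1 as an argument"
    exit 1
  fi

  #######################################
  # Set the zone's security level through the Cloudflare API.
  # Globals:   zone_id, email, api_key (read)
  # Arguments: $1 - security level to set
  # Outputs:   API response on stdout; an error line when the request fails
  # Returns:   0 when the request succeeded, 1 otherwise
  #######################################
  api_set_mode() {
    local mode=$1
    # The credential headers are fed to curl on stdin (--config -) instead of
    # the command line, so the key does not show up in the process list.
    # Assumes email and api_key contain no double quote or backslash.
    # -f turns an HTTP error status (e.g. a rejected key) into a non-zero
    # exit code; --max-time keeps a hung request from piling up under cron.
    if ! printf 'header = "X-Auth-Email: %s"\nheader = "X-Auth-Key: %s"\n' \
        "$email" "$api_key" |
      curl -sS -f --max-time 30 -X PATCH \
        "https://api.cloudflare.com/client/v4/zones/$zone_id/settings/security_level" \
        -H "Content-Type: application/json" \
        --data "{\"value\":\"$mode\"}" \
        --config -; then
      echo "Error: failed to set security level to $mode"
      return 1
    fi
  }

  # create file "attacked" if doesn't exist
  if [ ! -e "$attacked_file" ]; then
    echo 0 > "$attacked_file"
  fi
  was_under_attack=$(< "$attacked_file")
  # An empty or damaged state file would make every numeric test below fail,
  # leaving the script permanently inactive; treat it as "not under attack".
  [[ "$was_under_attack" == [01] ]] || was_under_attack=0

  # 1 when the load exceeds the threshold, else 0. awk is already required
  # above, so the comparison no longer depends on bc being installed.
  under_attack=$(awk -v load="$loadavg" -v max="$maxload" \
    'BEGIN { print (load + 0 > max + 0) }')

  if [ "$debug" -eq 1 ]; then
    echo "Mode: $1; was under attack: $was_under_attack; now under attack: $under_attack"
    echo "Load average: $loadavg"
  fi

  if [ "$1" -eq 0 ] && [ "$was_under_attack" -eq 0 ] && [ "$under_attack" -eq 1 ]; then
    # attack just started and we want to enable under-attack mode
    # Activate protection
    [ "$debug" -eq 1 ] && echo "Activating under-attack mode!"
    # Record the new state only once Cloudflare accepted the change;
    # otherwise the next run retries instead of assuming protection is on.
    if api_set_mode under_attack; then
      echo 1 > "$attacked_file"
    fi
  elif [ "$1" -eq 1 ] && [ "$was_under_attack" -eq 1 ] && [ "$under_attack" -eq 0 ]; then
    # attack just finished (and up to 20 minutes passed since)
    # and we want to disable under-attack mode
    # Disable Protection
    [ "$debug" -eq 1 ] && echo "Leaving under-attack mode!"
    if api_set_mode "$default_security_level"; then
      echo 0 > "$attacked_file"
    fi
  fi
  exit 0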

修改 cloudflare-block.sh 配置:

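  # Your Cloudflare API key (https://dash.cloudflare.com/profile).
  # The script reads the lower-case name api_key; a value assigned to
  # API_KEY would be ignored and the API calls would go out without a key.
  api_key=
  # Email of your Cloudflare account
  email=
  # Zone ID (https://dash.cloudflare.com/_zone-id_/domain.com)
  zone_id=
  # Default security level when there is no attack; see the Cloudflare help pages
  default_security_level=high
  # Whether to write debug messages to debug.log in the script directory
  debug=0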

脚本默认在系统负载超过 10 时启动 "I'm Under Attack!" 模式,可以根据需要来调整,一般可以简单地设置为你的核心数*1.2,比如你 CPU 是双核的,可以设置为 2.4

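  # No space after "=": with a space the shell assigns an empty value and
  # then tries to run "7" as a command, so the threshold would not be set.
  maxload=7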

设置定时任务,如果未启用保护,每 1 分钟检查一次,负载高于 7 开启 5 秒盾。如果启用保护,则每 20 分钟检查一次,负载降为 7 以下时取消 5 秒盾:

  1. */1 * * * * /root/cloudflare-block.sh 0
  2. */20 * * * * /root/cloudflare-block.sh 1

Cloudflare 是一个非常好用的防御 DDoS 和 CC 攻击的工具,免费版本的 Cloudflare 结合 API 可以实现更加灵活的功能,对于普通的防御足够自己使用了。

 

https://www.yunloc.com/685.html