Issue with WAF
hello is there an issue with cloudflare WAF? custom rules?
DAs my custom rules, after 5minutes or less get changed to block, and unused filter.
Dlike this.
Dpretty much the action changes.
CCI would check your Audit Log to see what's changing it. If you're using a partner like Ezotic or something with access to your account
D
DUser cloudflare... and it changes the value this part specifically.
Cshow the full audit event (hiding your account name/etc as needed)?
D
D]
D
Cis there any other events or interest around/before that? That w/ the firewall api property kind of looks like something using the old firewalls api and it being translated to a custom rule update
CLike terraform or something like that, using those old endpoints
Di have 3 api keys
D1 which i should remove, and i will do now,
1 for subdomains (custom stuff)
1 for fail2ban
1 for subdomains (custom stuff)
1 for fail2ban
Di think fail2ban is the issue, as it wasnt doing this before
D
Cyou don't see anything else in the audit log, and fail2ban is given access to that domain/zone?
Dyes fail2ban has access to the zone
D
Ccould you just stop/pause fail2banfor a bit, change the custom rule back, and see if it happens again?
Ceasier to turn back on then reissuing the token and setting it up again
Do9k ill pause it and see what happens
Dok ill pause fail2ban everywhere
Dk paused everywhere, now ill change the rule again.
Dand now we wait 
Dseems like that was the issue.
Dbut i need fail2ban with cloudflare, not sure what i did wrong with permission.
Cnot permission based, not sure how exactly fail2ban interfaces with Cloudflare (a plugin maybe?), but it looks like it's 1. using the old Firewall API (will be gone in 2025 Jan) and 2. overriding other rules
DOk how can i use the new firewall api ig
Dfor the record it's here - /etc/fail2ban/action.d/cloudflare.conf and it should be there by default.
Dthis is what i had there.
Di have removed personal information.
DAny idea what could be causing it to change the rules?
Cit was making a fw rule per ban? You'd run out rather quickly I would assume
CI'm not sure of all the auto translation magic between old firewall api and the new custom rules, there's some docs here: https://developers.cloudflare.com/waf/reference/migration-guides/firewall-rules-to-custom-rules/#relevant-changes-for-api-users
Cloudflare Docs
Cloudflare converted existing firewall rules into WAF custom rules. With custom rules, you get the same level of protection and a few additional …
DThe goal was just to make the ip get banned on all the servers nothing else
DLike if it gets banned on 1 server, it gets banned everywhere
Cwhy not use IP Access Rules and their api?
Clooks like they even have a default config which uses them: https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare-token.conf
GitHub
Daemon to ban hosts that cause multiple authentication errors - fail2ban/fail2ban
Dill use that configuration, and let you know how it works.
Dthanks
Csure, you can have up to 50,000 of those, should be plenty
Dill use this config, let you know if the issue persist, thanks!
Dok so i started reconfigurring the servers, and i noticed this, is it normal that you don't see the same amount of bans on all the servers?
Dok finally updated alll configurations, now let's see.
Dwill see if it get's changed again.
CI do not use fail2ban, but I would assume each server is independent
Dthe issue still persists
