A bash script that automatically manages CloudFlare's DDoS protection based on your server's CPU load. The script monitors system resources and dynamically adjusts CloudFlare's security level through their API.
Features:
- Automatic DDoS protection based on CPU load
- Secure configuration handling
- Logging
- Email notifications
- Temporary file management
- Automatic cleanup

Requirements:
- curl (for API requests)
- jq (for JSON parsing)
- mailutils/mailx (for notifications)

Install them with apt (Debian/Ubuntu):
```bash
sudo apt-get update
sudo apt-get install -y curl jq mailutils
```
or with yum (RHEL/CentOS):
```bash
sudo yum install -y curl jq mailx
```
You will also need:
- CloudFlare account
- CloudFlare API token with the following permissions:
  - Zone - Zone Settings - Read
  - Zone - Zone Settings - Edit
- CloudFlare Zone ID

Installation:
- Clone or download the script:
  ```bash
  curl -o protection.sh https://raw.githubusercontent.com/bobbyiliev/cloudflare-ddos-protection/main/protection.sh
  ```
- Make the script executable:
  ```bash
  chmod +x protection.sh
  ```
Configuration:
Set your CloudFlare credentials as environment variables:
```bash
export CF_ZONE_ID="your_zone_id"
export CF_EMAIL_ADDRESS="your_email"
export CF_API_TOKEN="your_api_token"
```
Alternatively, edit the script and update the following variables:
```bash
CF_ZONE_ID="your_zone_id"
CF_EMAIL_ADDRESS="your_email"
CF_API_TOKEN="your_api_token"
```
Other settings:
- `NOTIFICATIONS_ENABLED`: set to 1 to enable email notifications (default: 1)
- You can modify the CPU load thresholds by adjusting the calculation in the `get_allowed_cpu_load` function
Usage:
Run the script directly:
```bash
./protection.sh
```
Set up a cron job to run the script every 30 seconds:
- Open your crontab:
  ```bash
  crontab -e
  ```
- Add the following lines (cron runs a job at most once per minute, so the second entry sleeps 30 seconds to cover the other half of each minute):
  ```
  * * * * * /full/path/to/protection.sh
  * * * * * ( sleep 30 ; /full/path/to/protection.sh )
  ```
Note that cron does not inherit variables exported in your interactive shell, so the credentials must be set inside the script or in the crontab itself.
Logging:
The script logs all activities to `~/.cloudflare/ddos.log`. Each log entry includes:
- Timestamp
- Action taken (enabled/disabled DDoS protection)
- Current CPU load
- Any errors encountered

Example log entry:
```
2024-11-19 14:30:00 - Enabled DDoS protection (Load: 8)
```
Notifications:
When `NOTIFICATIONS_ENABLED` is set to 1, you'll receive email notifications for:
- DDoS protection enabled/disabled
- Error conditions
- Configuration issues

Note that the email notifications require a working `mail` command on your system and do not support SMTP authentication. This may require additional configuration for some mail servers, as you might not be able to send emails directly from your server.
Security considerations:
- The configuration directory is created with restricted permissions (700)
- Temporary files are securely created and automatically cleaned up
- API credentials are protected from exposure in logs
- Input validation is performed on all variables
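The four measures listed above, written out as an added example that is not the project's own code. It assumes the config directory is `~/.cloudflare` (the README's log location), that zone IDs are 32 hex characters, and that API tokens are URL-safe strings of at least 20 characters; the token replacement is done with POSIX parameter expansion so it works in `sh` as well as `bash`.

```shell
#!/usr/bin/env bash
# Added example (not the project's protection.sh): config dir with mode 700,
# private temp file removed on every exit path, token redaction before
# logging, and input validation before values reach a URL or header.
# Assumptions: CF_DIR defaults to ~/.cloudflare; zone IDs are 32 hex chars;
# tokens are [A-Za-z0-9_-]{20,}.
set -eu
umask 077   # every file this script creates is owner-only by default

CF_DIR="${CF_DIR:-$HOME/.cloudflare}"

# 1. Config directory with mode 700; chmod also tightens a pre-existing dir.
init_config_dir() {
  mkdir -p "$CF_DIR"
  chmod 700 "$CF_DIR"
}

# 2. Private temporary file (mktemp creates it 600) that is removed on exit,
#    including exits caused by set -e; INT/TERM are turned into a normal exit
#    so the EXIT trap still fires.
TMP_FILE=""
cleanup() {
  if [ -n "$TMP_FILE" ]; then rm -f -- "$TMP_FILE"; fi
}
trap cleanup EXIT
trap 'exit 130' INT TERM
make_temp_file() {
  TMP_FILE=$(mktemp "${TMPDIR:-/tmp}/cf-ddos.XXXXXX")
}

# 3. Credential redaction: replace every occurrence of the token (e.g. from a
#    curl -v dump or an API error body) with [REDACTED] before logging.
#    Uses only POSIX ${var%%pat*}/${var#*pat}, so no bash-only substitution.
redact() {
  local text=$1 tok=${CF_API_TOKEN:-} out=""
  if [ -z "$tok" ]; then printf '%s\n' "$text"; return 0; fi
  while [ "${text#*"$tok"}" != "$text" ]; do
    out="$out${text%%"$tok"*}[REDACTED]"
    text=${text#*"$tok"}
  done
  printf '%s\n' "$out$text"
}

# Log line in the README's format, always passed through redact().
log() {
  printf '%s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$(redact "$1")" >> "$CF_DIR/ddos.log"
}

# 4. Input validation before any value is interpolated into a URL or header.
validate_zone_id()   { printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'; }
validate_api_token() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{20,}$'; }

# Only run the demo when invoked with "run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
  init_config_dir
  make_temp_file
  validate_zone_id "${CF_ZONE_ID:-}"     || { echo "CF_ZONE_ID is not a 32-char hex id" >&2; exit 1; }
  validate_api_token "${CF_API_TOKEN:-}" || { echo "CF_API_TOKEN has an unexpected format" >&2; exit 1; }
  log "Credentials validated; the token in this line is hidden: ${CF_API_TOKEN}"
  echo "ok: config dir $CF_DIR, temp file $TMP_FILE (removed on exit)"
fi
```

Run it as `CF_ZONE_ID=<32 hex chars> CF_API_TOKEN=<token> ./hardening_example.sh run` and check `~/.cloudflare/ddos.log`: the token in the last log line is written as `[REDACTED]`. The `umask 077` at the top is what makes the temp file and the log owner-only without per-file `chmod` calls.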
If you encounter any security issues, please report them to @bobbyiliev_.
Debugging:
Add `set -x` at the beginning of the script for verbose output:
```bash
#!/bin/bash
set -x
# rest of the script...
```
Note that the trace prints every command with its arguments expanded, so the API token will appear in the `set -x` output; do not redirect that output to a log file.
Testing:
You can test the script manually by setting the `TEST_MODE` and `SIMULATED_LOAD` environment variables:
```bash
# Test under normal load
TEST_MODE=1 SIMULATED_LOAD=5 ./protection.sh
# Test high load (should trigger protection)
TEST_MODE=1 SIMULATED_LOAD=30 ./protection.sh
# Test returning to normal
TEST_MODE=1 SIMULATED_LOAD=5 ./protection.sh
```
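The threshold logic from the configuration section and the `TEST_MODE`/`SIMULATED_LOAD` behaviour above, as an added example that is not the project's `protection.sh`. It assumes the allowed load is twice the number of online cores, that the on/off state is remembered in a small state file (`CF_STATE_FILE`), and that the zone security level is switched between `under_attack` and `medium` through the CloudFlare v4 `settings/security_level` endpoint with Bearer-token authentication; `DRY_RUN=1` is an added knob that prints the request instead of sending it.

```shell
#!/usr/bin/env bash
# Added example, not the project's script: the check-and-toggle loop the
# README describes. Assumptions: allowed load = 2 x online cores; state kept
# in CF_STATE_FILE; security level set via the CloudFlare v4 settings
# endpoint with "Authorization: Bearer"; DRY_RUN=1 prints instead of sends.
set -eu

# Allowed 1-minute load average before protection is enabled.
# Assumed rule: 2 x online cores. Change this line to move the threshold.
get_allowed_cpu_load() {
  local cores
  cores=$(getconf _NPROCESSORS_ONLN 2>/dev/null || nproc 2>/dev/null || echo 1)
  echo $(( cores * 2 ))
}

# Current 1-minute load average, truncated to an integer. With TEST_MODE=1
# the value comes from SIMULATED_LOAD instead of /proc/loadavg.
get_current_cpu_load() {
  if [ "${TEST_MODE:-0}" = "1" ]; then
    echo "${SIMULATED_LOAD:-0}"
  else
    cut -d ' ' -f1 /proc/loadavg | cut -d '.' -f1
  fi
}

# Pure decision: prints enable, disable or none, given the current load, the
# allowed load, and whether protection is already on (1) or off (0).
decide_action() {
  local load=$1 allowed=$2 protected=$3
  if [ "$load" -gt "$allowed" ] && [ "$protected" = "0" ]; then
    echo enable
  elif [ "$load" -le "$allowed" ] && [ "$protected" = "1" ]; then
    echo disable
  else
    echo none
  fi
}

# Set the zone's security level. With DRY_RUN=1 the request is printed
# instead of sent, so the example runs offline.
set_security_level() {
  local level=$1   # under_attack | medium
  local url="https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/settings/security_level"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "PATCH ${url} value=${level}"
    return 0
  fi
  # -f turns HTTP errors into a failed command; jq -e fails unless .success is true.
  curl -fsS -X PATCH "$url" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data "{\"value\":\"${level}\"}" | jq -e '.success' >/dev/null
}

main() {
  local state_file="${CF_STATE_FILE:-$HOME/.cloudflare/protection_state}"
  local protected=0 load allowed action stamp
  mkdir -p -m 700 "$(dirname "$state_file")"
  if [ -f "$state_file" ]; then protected=$(cat "$state_file"); fi
  load=$(get_current_cpu_load)
  allowed=$(get_allowed_cpu_load)
  action=$(decide_action "$load" "$allowed" "$protected")
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  case "$action" in
    enable)
      if set_security_level under_attack; then
        echo 1 > "$state_file"
        echo "${stamp} - Enabled DDoS protection (Load: ${load})"
      fi ;;
    disable)
      if set_security_level medium; then
        echo 0 > "$state_file"
        echo "${stamp} - Disabled DDoS protection (Load: ${load})"
      fi ;;
    *)
      echo "${stamp} - No change (Load: ${load}, allowed: ${allowed})" ;;
  esac
}

# Only run the loop when invoked with "run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
  main
fi
```

To replay the README's test sequence offline, run it three times with `DRY_RUN=1 CF_ZONE_ID=your_zone_id TEST_MODE=1 SIMULATED_LOAD=5|30|5 ./protection_example.sh run`; the second run prints the PATCH to `under_attack`, the third the PATCH back to `medium`. Because `decide_action` has no hysteresis, a load that hovers around the threshold will toggle protection on every 30-second cron run; raising the enable threshold or adding a lower disable threshold is the usual fix.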
For more information about the CloudFlare API endpoints used in this script, visit:
Feel free to submit issues and enhancement requests!