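#!/bin/sh
# Adds an IP to (or removes it from) the Cloudflare IP block list.
# Path: /var/ossec/active-response/bin/cloudflare-ban.sh
#
# Arguments:
#   $1 - action: "add" bans the IP, "delete" clears the ban
#   $2 - user (not used by this script)
#   $3 - IP address to act on
# Exit status: 0 when the request was sent and mailed, 1 otherwise.
#
# NOTE(review): api_json.html looks like Cloudflare's legacy v1 client API.
# Confirm the endpoint is still served; if it is not, bans silently stop.

ACTION=$1
USER=$2
IP=$3

# Hard-coded credentials: keep this file readable only by the account that
# runs active responses, and keep real values out of version control.
TKN='CF API KEY'
CFEMAIL='useremail@email.com'

LOG=/var/ossec/logs/active-responses.log

# Sends one request to the Cloudflare API and prints the response body.
# $1 is the API action ("ban" or "nul"). The form body is fed to curl on
# stdin (--data @-) so the API token never appears in the process list.
# curl strips the newline the here-document adds.
cf_request() {
  curl https://www.cloudflare.com/api_json.html --data @- <<EOF
a=$1&key=${IP}&tkn=${TKN}&email=${CFEMAIL}
EOF
}

# Logging the call
printf '%s %s %s %s %s %s %s\n' "$(date)" "$0" "$1" "$2" "$3" "$4" "$5" >> "${LOG}"

# IP Address must be provided
if [ -z "${IP}" ]; then
  echo "$0: Missing argument (ip)"
  exit 1
fi

# The address originates from parsed log data, so treat it as untrusted:
# accept only characters that can occur in an IPv4/IPv6 literal. This keeps
# '&', '=', whitespace and a leading '-' out of the form body and the mail
# subject.
case "${IP}" in
  *[!0-9A-Fa-f.:]*)
    echo "$0: invalid ip: ${IP}"
    exit 1
    ;;
esac

# Map the active-response action onto the Cloudflare API action.
case "${ACTION}" in
  add)
    CF_ACTION='ban'
    LABEL='BANNED'
    ;;
  delete)
    # a=nul clears the entry for this IP.
    CF_ACTION='nul'
    LABEL='UNBANNED'
    ;;
  *)
    # Invalid action
    echo "$0: invalid action: ${ACTION}"
    exit 1
    ;;
esac

# Only announce the change when curl itself succeeded. The API can still
# answer with an error in the response body, which is why the body is mailed.
if RESPONSE=$(cf_request "${CF_ACTION}"); then
  printf '%s\n' "${RESPONSE}" | /usr/bin/mail -s "CLOUDFLARE ${LABEL} - ${IP}" root
  exit 0
fi

printf '%s %s: Cloudflare request failed for %s (action: %s)\n' \
  "$(date)" "$0" "${IP}" "${ACTION}" >> "${LOG}"
exit 1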