1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
#!/bin/bash
# --------------------------使用前修改以下配置值--------------------------
mode="load"
# 两种模式可选,一:load (负载) 二:cpu。建议选 load
challenge="1"
# 是否同时开启验证码质询 设为1即开启。建议开启
keeptime="180"
# ≈开盾最小时间,如60 则开盾60秒内负载降低不会关,60秒后关。建议值 180
interval="1"
# 检测间隔时间,默认0.5秒。建议设为1
email="눈_눈"
# CloudFlare 账号邮箱
api_key="눈_눈"
# CloudFlare API KEY
zone_id="눈_눈"
# 区域ID 在域名的概述页面获取
default_security_level="high"
# 默认安全等级 关闭UAM时将会把安全等级调整为它
check="6"
#自定义开盾阈值(非必需)。load模式建议设为CPU核心数 + 2,如4核则设为6。
#load模式填负载值 如:8 cpu模式填百分数值 如:90
# --------------------------下方无需修改--------------------------
api_url="https://api.cloudflare.com/client/v4/zones/$zone_id/settings/security_level"
# API的地址
api_url1="https://api.cloudflare.com/client/v4/zones/$zone_id/firewall/rules"
# API的地址之二
api_url2="https://api.cloudflare.com/client/v4/zones/$zone_id/filters"
# API的地址之三
# 安装依赖
if ! which jq &> /dev/null; then
echo "jq not found!"
if [[ -f "/usr/bin/apt-get" ]]; then
apt-get install -y jq
elif [[ -f "/usr/bin/dnf" ]]; then
dnf install -y epel-release
dnf install -y jq
elif [[ -f "/usr/bin/yum" ]]; then
yum install -y epel-release
yum install -y jq
fi
fi
for ((;;)); do
if [[ "$mode" == "cpu" ]]; then
check=${check:-90}
#系统空闲时间
TIME_INTERVAL=5
time=$(date "+%Y-%m-%d %H:%M:%S")
LAST_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}')
LAST_SYS_IDLE=$(echo $LAST_CPU_INFO | awk '{print $4}')
LAST_TOTAL_CPU_T=$(echo $LAST_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}')
sleep ${TIME_INTERVAL}
NEXT_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}')
NEXT_SYS_IDLE=$(echo $NEXT_CPU_INFO | awk '{print $4}')
NEXT_TOTAL_CPU_T=$(echo $NEXT_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}')
#系统空闲时间
SYSTEM_IDLE=$(echo ${NEXT_SYS_IDLE} ${LAST_SYS_IDLE} | awk '{print $1-$2}')
#CPU总时间
TOTAL_TIME=$(echo ${NEXT_TOTAL_CPU_T} ${LAST_TOTAL_CPU_T} | awk '{print $1-$2}')
load=$(echo ${SYSTEM_IDLE} ${TOTAL_TIME} | awk '{printf "%.2f", 100-$1/$2*100}')
else
load=$(cat /proc/loadavg | colrm 5)
check=${check:-$(cat /proc/cpuinfo | grep "processor" | wc -l)}
fi
if [[ ! -f "status.txt" ]]; then
echo "" > status.txt
else
status=$(cat status.txt)
fi
if [[ -f "ruleid.txt" ]]; then
ruleid=$(cat ruleid.txt)
fi
if [[ -f "filterid.txt" ]]; then
filterid=$(cat filterid.txt)
fi
now=$(date +%s)
time=$(date +%s -r status.txt)
echo "当前$mode负载:$load"
if [[ $status -eq 1 ]]; then
echo "UAM ON!"
if [[ "$challenge" -eq 1 ]]; then
echo "Challenge ON!"
fi
else
echo "UAM OFF!"
if [[ "$challenge" -eq 1 ]]; then
echo "Challenge OFF!"
fi
fi
newtime=$(expr $now - $time)
closetime=$(expr $keeptime - $newtime)
if [[ $(awk 'BEGIN {print ('$load'<'$check') ? 1:0}') -eq 1 ]] && [[ $status -eq 1 ]] && [[ $newtime -gt $keeptime ]]; then
echo -e "\n$mode负载低于$check,当前已开盾超过规定时间$newtime秒,尝试调整至默认安全等级($default_security_level)"
# Disable Under Attack Mode
result=$(curl -X PATCH "$api_url" \
-H "X-Auth-Email: $email" \
-H "X-Auth-Key: $api_key" \
-H "Content-Type: application/json" \
--data "{
\"value\": \"$default_security_level\"
}" --silent \
| jq -r '.success')
if [[ "$result" = "true" ]]; then
echo 0 > status.txt
echo -e "\n成功"
fi
if [[ "$challenge" -eq 1 ]]; then
result=$(curl -X DELETE "$api_url1/$ruleid" \
-H "X-Auth-Email: $email" \
-H "X-Auth-Key: $api_key" \
-H "Content-Type: application/json" \
--silent)
result1=$(curl -X DELETE "$api_url2/$filterid" \
-H "X-Auth-Email: $email" \
-H "X-Auth-Key: $api_key" \
-H "Content-Type: application/json" \
--silent)
if echo $result | jq -e '.success' && echo $result1 | jq -e '.success'; then
echo -e "\n验证码关闭成功"
fi
fi
elif [[ $(awk 'BEGIN {print ('$load'<'$check') ? 1:0}') -eq 1 ]]; then
echo -e "\n$mode负载低于$check,不做任何改变,状态持续了$newtime秒"
if [[ $status -eq 1 ]]; then
echo -e "将于$closetime秒后调整安全等级至$default_security_level"
fi
elif [[ $(awk 'BEGIN {print ('$load'>'$check') ? 1:0}') -eq 1 ]] && [[ $status -eq 1 ]] && [[ $newtime -gt $keeptime ]]; then
echo -e "\n$mode负载高于$check,当前已开启UAM超过$keeptime秒,UAM无效"
elif [[ $(awk 'BEGIN {print ('$load'>'$check') ? 1:0}') -eq 1 ]] && [[ $status -eq 1 ]]; then
echo -e "\n$mode负载高于$check,当前已开启($newtime秒),请再观察"
elif [[ $(awk 'BEGIN {print ('$load'>'$check') ? 1:0}') -eq 1 ]]; then
echo -e "\n$mode负载高于$check,开启UAM"
# Enable Under Attack Mode
result=$(curl -X PATCH "$api_url" \
-H "X-Auth-Email: $email" \
-H "X-Auth-Key: $api_key" \
-H "Content-Type: application/json" \
--data "{
\"value\": \"under_attack\"
}" --silent \
| jq -r '.success')
if [[ "$result" = "true" ]]; then
echo 1 > status.txt
echo -e "\n成功"
fi
if [[ "$challenge" -eq 1 ]]; then
while :; do
result=$(curl -X POST "$api_url2" \
-H "X-Auth-Email: $email" \
-H "X-Auth-Key: $api_key" \
-H "Content-Type: application/json" \
--data '[{
"expression": "(not cf.client.bot)"
}]' --silent)
if echo $result | jq -e '.success'; then
filterid=$(echo $result | jq -r '.result[].id')
else
filterid=$(echo $result | jq -r '.errors[].meta.id')
for i in $filterid; do
result1=$(curl -X DELETE "$api_url2/$i" \
-H "X-Auth-Email: $email" \
-H "X-Auth-Key: $api_key" \
-H "Content-Type: application/json" --silent)
done
if echo $result1 | jq -e '.success'; then
echo "\n冲突的filter删除成功"
fi
fi
echo $result | jq -e '.success' && break
done
result=$(curl -X POST "$api_url1" \
-H "X-Auth-Email: $email" \
-H "X-Auth-Key: $api_key" \
-H "Content-Type: application/json" \
--data "[{
\"action\": \"challenge\",
\"filter\": {
\"id\": \"$filterid\",
\"expression\": \"(not cf.client.bot)\"
}
}]" --silent)
if echo $result | jq -e '.success'; then
ruleid=$(echo $result | jq -r '.result[].id')
echo "$filterid" > filterid.txt
echo "$ruleid" > ruleid.txt
echo -e "验证码开启成功,规则id:$ruleid"
fi
fi
else
echo 0 > status.txt
fi
sleep $interval
clear
done
|