1. Receive Thinkst Canary webhooks
2. Parse, create, and buffer syslog messages
3. Submit applicable events to abuseipdb (optional)
4. Publish a real-time IP blocklist
1. Fetch syslog events from the buffer
2. Push these events to a syslog UDP collector or a local file
- Thinkst Canary account with at least one Canary (https://canary.tools/)
- It may also be possible with Opencanary, but this has not been tested.
- A Cloudflare account (https://www.cloudflare.com/)
- Don't have one? This solution can be deployed to even a free account!
- (optional) An abuseipdb.com account to report events.
- Log in to your Cloudflare dashboard, choose your account, select "Workers & Pages" and click "KV."
- Click "Create a namespace," enter "Canary-Blocks" for the name, and click "Add."
- Click "Create a namespace," enter "Canary-Events" for the name, and click "Add."
- Now click on "Overview" below the "Workers & Pages" menu option.
- Click "Create application"
- Click the "Create Worker" button
- Enter "canary-receiver" for the name and click "Deploy"
- IMPORTANT: Make note of the URL shown on the Congratulations page under, "Preview your worker."
- It will look something like https://canary-receiver.organization.workers.dev
- You will need this URL to set up the Canary webhook
- Click "Configure Worker"
- Click "Settings" above the summary section of the page
- Click the "Variables" menu option
- Under "KV Namespace Bindings" click "Add binding"
- Enter "canaryblocks" for the variable name and select "Canary-Blocks" for the KV namespace
- Click "Save and deploy"
- Again, click "Add binding"
- Enter "canaryevents" for the variable name and select "Canary-Events" for the KV namespace
- Click "Save and deploy"
- Click on the "Quick Edit" button at the top right area of the page
- Copy and paste the full contents of the canary-receiver.js file into the editor window
- Review the declared variables at the top of the script and adjust as desired/necessary for your environment.
- MyCanary should be set to the name of a public-facing Canary you would like to use to create your IP blocklist.
- Make note of the value you set for authString -- this is the auth value you configure for the Canary webhook custom header.
- Click "Save and deploy."
- Click "Create application"
- Click the "Create Worker" button
- Enter "canary-request-blocklist" for the name and click "Deploy"
- IMPORTANT: Make note of the URL shown on the Congratulations page under, "Preview your worker."
- It will look something like https://canary-request-blocklist.organization.workers.dev
- You will need this URL for any device (eg. firewall) or program that will be consuming this IP list
- Click "Configure Worker"
- Click "Settings" above the summary section of the page
- Click the "Variables" menu option
- Under "KV Namespace Bindings" click "Add binding"
- Enter "canaryblocks" for the variable name and select "Canary-Blocks" for the KV namespace
- Click "Save and deploy"
- Click on the "Quick Edit" button at the top right area of the page
- Copy and paste the full contents of the canary-request-blocklist.js file into the editor window
- Edit the AllowedIPs string variable to include any IP addresses that should be permitted to retrieve the IP blocklist and click "Save and deploy."
- Click "Create application"
- Click the "Create Worker" button
- Enter "canary-request-syslog" for the name and click "Deploy"
- IMPORTANT: Make note of the URL shown on the Congratulations page under, "Preview your worker."
- It will look something like https://canary-request-syslog.organization.workers.dev
- You will need this URL for any device (eg. firewall) or program that will be consuming this IP list
- Click "Configure Worker"
- Click "Settings" above the summary section of the page
- Click the "Variables" menu option
- Under "KV Namespace Bindings" click "Add binding"
- Enter "canaryevents" for the variable name and select "Canary-Events" for the KV namespace
- Click "Save and deploy"
- Click on the "Quick Edit" button at the top right area of the page
- Copy and paste the full contents of the canary-request-syslog.js file into the editor window
- Edit authString to be a unique string value. This will be used with the Fetch-Canary-Syslog.ps1 script
- Log in to your Canary account
- Click on the "Gear" and then "Global Settings" to go to the Global Settings page.
- Click on Webhooks and paste the canary-block URL from Cloudflare Setup step 5 into the "Generic" option.
- Select custom headers and add a header called, "auth" with a value of "canhasauthenticated" or the custom value you entered for authString in step 5 example screenshot and click "Add."
- You can easily change this default authentication value by editing the JavaScript within the canary-receiver Worker.
- Get your API key and enter this value for the "abuseIPDBKey" variable in the Canary-Receiver CloudFlare worker JavaScript.
- Download Fetch-Canary-Syslog.ps1 and Fetch-Canary-Syslog-Config.xml
- Right-click each file, select Properties, check "Unblock" and click "Ok"
- Edit the xml file in Notepad according to your environment
- Save the files to an appropriate location for execution
- Create a scheduled task to execute Fetch-Canary-Syslog.ps1 as often as you would like:
- Run whether user is logged in or not
- Trigger: Daily, every 15 minutes
- Program: powershell
- Arguments: -file Full\Path\To\Fetch-Canary-Syslog.ps1
- Start in: path to the Fetch-Canary-Syslog files
- You can now trigger a Canary event
- Alternately, you can re-open the code editor for the canary-receiver Worker (setup step 5) and perform a POST request using the supplied ExampleRequest.json.
- Be sure to include the authString "auth" header value as you set in setup step 5 (default: canhasauthenticated).
- Open a file browser to the https://canary-request-blocklist.organization.workers.dev URL to view the live IP list.
- Make sure the machine you're using is in the IP allowlist for the canary-request-blocklist worker.
- Alternately, you can re-open the code editor for the canary-receiver Worker (setup step 5) and perform a POST request using the supplied ExampleRequest.json.
- If you need to delete or clean up any IP list database entries:
- Log in to your Cloudflare dashboard
- Choose your account
- Select "Workers & Pages" and click "KV."
- Click the "View" link for "Canary-Blocks" and/or "Canary-Events"
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent
