feat: plug-and-play refactor — docker-npm action, CF support, whitelist live-update

- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string X-Forwarded-For matching + INPUT chain) matching user's working setup - Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable) - Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file - Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml - entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection, telegram_notif.sh deployment to persistent volume on first run - Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write - Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars) - Include Nginx Proxy Manager in both compose files with shared log bind mount - Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction) - Add DATA_DIR, Telegram, CF API key fields to .env.example Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 15:08:06 +00:00
parent dd7f8dd1a2
commit 920b69cfca
14 changed files with 446 additions and 224 deletions
--- a/fail2ban/filter.d/badbot.conf
+++ b/fail2ban/filter.d/badbot.conf
@@ -1,28 +1,15 @@
-# ── F2B Control Center — badbot filter ───────────────────────────────────────
-#
-# Blocks known malicious scanners, vulnerability testers, and exploit frameworks
-# by their HTTP User-Agent string.
-#
-# LOG FORMAT:
-#   Primary pattern matches NPM logs with [Client IP] real-IP field:
-#     PROXY_IP - - [date] "GET /" 200 146 "-" "UserAgent" [Client REAL_IP]
-#
-#   If your NPM logs have the client IP at line start (standard nginx combined),
-#   uncomment the alternative failregex lines instead.
-# ─────────────────────────────────────────────────────────────────────────────
-
 [Definition]

-# ── Primary: NPM [Client IP] format ──────────────────────────────────────────
-failregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "[A-Z]+ [^"]*" \d{3} \d+ "[^"]*" "(?:masscan|zgrab|python-requests|Go-http-client/1\.1|[Nn]uclei|sqlmap|dirbuster|gobuster|nikto|nmap|wfuzz|Metasploit|libwww-perl|WPScan|ZmEu|jorgee|NetcraftSurveyAgent|Expanse|Shodan|censys|BinaryEdge|internet-measurement|SemrushBot|AhrefsBot)[^"]*" \[Client <HOST>\]
+# ── NPM access log format ─────────────────────────────────────────────────────
+# PROXY_IP - - [DD/Mon/YYYY:HH:MM:SS +0000] "METHOD PATH HTTP/VER" STATUS BYTES "REFERER" "UA" [Client REAL_IP]
+#
+# <HOST> is placed at the [Client REAL_IP] position — this is the IP that gets
+# banned, which is the real client IP forwarded by Cloudflare/CDN via X-Forwarded-For.
+#
+# Test against your logs:
+#   fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/badbot.conf
+# ─────────────────────────────────────────────────────────────────────────────

-# ── Alternative: standard nginx combined format (IP at line start) ────────────
-# Uncomment and comment out the Primary line above to use this instead.
-# failregex = ^<HOST> - -[^\[]*\[[^\]]+\] "[A-Z]+ [^"]*" \d{3} \d+ "[^"]*" "(?:masscan|zgrab|python-requests|Go-http-client/1\.1|[Nn]uclei|sqlmap|dirbuster|gobuster|nikto|nmap|wfuzz|Metasploit|libwww-perl|WPScan|ZmEu|jorgee|NetcraftSurveyAgent|Expanse|Shodan|censys|BinaryEdge|internet-measurement)[^"]*"
+failregex = ^\S+ - - \[[^\]]+\] "\S+ [^"]*" \d{3} \d+ "[^"]*" "(?i:masscan|zgrab|python-requests|go-http-client/1\.1|nuclei|sqlmap|dirbuster|gobuster|nikto|wfuzz|metasploit|libwww-perl|wpscan|nmap|zmeu|jorgee|shodan\.com|censys|binaryedge|internet-measurement|netcraft|strikeready|dataforseo|semrushbot|ahrefsbot|mj12bot|dotbot)[^"]*" \[Client <HOST>\]

 ignoreregex =
-
-# ── Notes ────────────────────────────────────────────────────────────────────
-# Add more UA patterns to the failregex alternation as needed.
-# Test your filter with:
-#   fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/badbot.conf
--- a/fail2ban/filter.d/http-errors.conf
+++ b/fail2ban/filter.d/http-errors.conf
@@ -1,28 +1,14 @@
-# ── F2B Control Center — http-errors filter ──────────────────────────────────
-#
-# Bans IPs generating a high volume of HTTP 4xx/5xx error responses.
-# Works well for catching brute-force login attempts, path traversal scans,
-# and generally misbehaving clients.
-#
-# Tune `maxretry` and `findtime` in jail.local to adjust sensitivity.
-# Default: 15 errors in 5 minutes.
-#
-# LOG FORMAT:
-#   Primary pattern matches NPM logs with [Client IP] real-IP field.
-#   See badbot.conf for details on switching to standard nginx format.
-# ─────────────────────────────────────────────────────────────────────────────
-
 [Definition]

-# ── Primary: NPM [Client IP] format ──────────────────────────────────────────
-# Matches any 4xx or 5xx response (excluding 200 implicitly by the status code).
-failregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "[A-Z]+ [^"]*" [45]\d\d \d+ "[^"]*" "[^"]*" \[Client <HOST>\]
+# ── NPM access log format ─────────────────────────────────────────────────────
+# Bans IPs generating excessive 4xx/5xx errors.
+# Default jail: 15 errors in 5 minutes (tunable in jail.local).
+#
+# PROXY_IP - - [date] "METHOD PATH HTTP/VER" STATUS BYTES "REFERER" "UA" [Client REAL_IP]
+# ─────────────────────────────────────────────────────────────────────────────

-# ── Alternative: standard nginx combined format ───────────────────────────────
-# failregex = ^<HOST> - -[^\[]*\[[^\]]+\] "[A-Z]+ [^"]*" [45]\d\d
+failregex = ^\S+ - - \[[^\]]+\] "\S+ [^"]*" [45]\d\d \d+ "[^"]*" "[^"]*" \[Client <HOST>\]

-# Ignore common false-positive 4xx codes:
-#   404 — very common for missing favicons, /robots.txt, etc. Remove from
-#          ignoreregex below if you DO want to count 404s (recommended for
-#          aggressive probe detection when combined with high maxretry).
-ignoreregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "[A-Z]+ /(?:favicon\.ico|robots\.txt|apple-touch-icon[^"]*) HTTP[^"]*" 404 .* \[Client <HOST>\]
+# Exclude very common benign 404s to reduce noise.
+# Remove these if you want to count ALL error responses.
+ignoreregex = ^\S+ - - \[[^\]]+\] "\S+ /(?:favicon\.ico|robots\.txt|sitemap\.xml|apple-touch-icon[^"]*|\.well-known/[^"]*)[^"]*" 404 \d+ "[^"]*" "[^"]*" \[Client <HOST>\]
--- a/fail2ban/filter.d/npm-probe.conf
+++ b/fail2ban/filter.d/npm-probe.conf
@@ -1,29 +1,12 @@
-# ── F2B Control Center — npm-probe filter ────────────────────────────────────
-#
-# Bans IPs probing for well-known vulnerable paths.
-# These requests almost always indicate automated exploit scanning — a single
-# hit warrants a long ban (configured to 48h / maxretry 3 in jail.local).
-#
-# Covered categories:
-#   - PHP-based CMS admin paths (WordPress, Joomla, etc.)
-#   - Common config/credential file leaks (.env, .git, etc.)
-#   - Java frameworks (actuator, Spring Boot, Struts)
-#   - Web shells and common RCE payloads
-#   - Device/router admin interfaces (HNAP, boaform)
-#   - PHPMyAdmin, Adminer, database tools
-#   - Path traversal attempts (../)
-#
-# LOG FORMAT:
-#   Primary pattern matches NPM logs with [Client IP] real-IP field.
-#   See badbot.conf for details on switching to standard nginx format.
-# ─────────────────────────────────────────────────────────────────────────────
-
 [Definition]

-# ── Primary: NPM [Client IP] format ──────────────────────────────────────────
-failregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "(?:GET|POST|HEAD|OPTIONS) (?:/.env(?:\.[^"]*)?|/.git(?:/[^"]*)?|/wp-login\.php|/wp-admin(?:/[^"]*)?|/xmlrpc\.php|/phpmyadmin(?:/[^"]*)?|/pma(?:/[^"]*)?|/adminer(?:\.php)?|/admin\.php|/config\.php|/setup\.php|/install\.php|/actuator(?:/[^"]*)?|/console|/manager/html|/invoker/JMXInvokerServlet|/solr(?:/[^"]*)?|/geoserver(?:/[^"]*)?|/boaform(?:/[^"]*)?|/HNAP1(?:/[^"]*)?|/cgi-bin/[^"]*|/shell\.php|/cmd\.php|/eval-stdin\.php|/[^"]*\.\./[^"]*) HTTP[^"]*" \d{3} .* \[Client <HOST>\]
+# ── NPM access log format ─────────────────────────────────────────────────────
+# Bans IPs probing for well-known vulnerable paths.
+# Default jail: 3 hits in 30 minutes → 48h ban (very aggressive, intentionally).
+#
+# PROXY_IP - - [date] "METHOD PATH HTTP/VER" STATUS BYTES "REFERER" "UA" [Client REAL_IP]
+# ─────────────────────────────────────────────────────────────────────────────

-# ── Alternative: standard nginx combined format ───────────────────────────────
-# failregex = ^<HOST> - -[^\[]*\[[^\]]+\] "(?:GET|POST|HEAD) (?:/.env|/.git|/wp-login\.php|/wp-admin|/xmlrpc\.php|/phpmyadmin|/pma|/adminer|/admin\.php|/actuator|/console|/boaform|/HNAP1|/cgi-bin/|/shell\.php) HTTP"
+failregex = ^\S+ - - \[[^\]]+\] "[A-Z]+ /(?:\.env[^"]*|\.git[^"]*|wp-login\.php[^"]*|wp-admin[^"]*|xmlrpc\.php[^"]*|phpmyadmin[^"]*|pma/[^"]*|adminer[^"]*|admin\.php[^"]*|config\.php[^"]*|setup\.php[^"]*|install\.php[^"]*|actuator[^"]*|console[^"]*|manager/html[^"]*|invoker/[^"]*|solr/[^"]*|geoserver/[^"]*|boaform/[^"]*|HNAP1[^"]*|cgi-bin/[^"]*|shell\.php[^"]*|cmd\.php[^"]*|eval-stdin\.php[^"]*)[^"]*" \d{3} \d+ "[^"]*" "[^"]*" \[Client <HOST>\]

 ignoreregex =