feat: plug-and-play refactor — docker-npm action, CF support, whitelist live-update
- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string X-Forwarded-For matching + INPUT chain) matching user's working setup - Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable) - Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file - Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml - entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection, telegram_notif.sh deployment to persistent volume on first run - Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write - Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars) - Include Nginx Proxy Manager in both compose files with shared log bind mount - Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction) - Add DATA_DIR, Telegram, CF API key fields to .env.example Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,28 +1,15 @@
|
||||
# ── F2B Control Center — badbot filter ───────────────────────────────────────
|
||||
#
|
||||
# Blocks known malicious scanners, vulnerability testers, and exploit frameworks
|
||||
# by their HTTP User-Agent string.
|
||||
#
|
||||
# LOG FORMAT:
|
||||
# Primary pattern matches NPM logs with [Client IP] real-IP field:
|
||||
# PROXY_IP - - [date] "GET /" 200 146 "-" "UserAgent" [Client REAL_IP]
|
||||
#
|
||||
# If your NPM logs have the client IP at line start (standard nginx combined),
|
||||
# uncomment the alternative failregex lines instead.
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
[Definition]
|
||||
|
||||
# ── Primary: NPM [Client IP] format ──────────────────────────────────────────
|
||||
failregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "[A-Z]+ [^"]*" \d{3} \d+ "[^"]*" "(?:masscan|zgrab|python-requests|Go-http-client/1\.1|[Nn]uclei|sqlmap|dirbuster|gobuster|nikto|nmap|wfuzz|Metasploit|libwww-perl|WPScan|ZmEu|jorgee|NetcraftSurveyAgent|Expanse|Shodan|censys|BinaryEdge|internet-measurement|SemrushBot|AhrefsBot)[^"]*" \[Client <HOST>\]
|
||||
# ── NPM access log format ─────────────────────────────────────────────────────
|
||||
# PROXY_IP - - [DD/Mon/YYYY:HH:MM:SS +0000] "METHOD PATH HTTP/VER" STATUS BYTES "REFERER" "UA" [Client REAL_IP]
|
||||
#
|
||||
# <HOST> is placed at the [Client REAL_IP] position — this is the IP that gets
|
||||
# banned, which is the real client IP forwarded by Cloudflare/CDN via X-Forwarded-For.
|
||||
#
|
||||
# Test against your logs:
|
||||
# fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/badbot.conf
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
# ── Alternative: standard nginx combined format (IP at line start) ────────────
|
||||
# Uncomment and comment out the Primary line above to use this instead.
|
||||
# failregex = ^<HOST> - -[^\[]*\[[^\]]+\] "[A-Z]+ [^"]*" \d{3} \d+ "[^"]*" "(?:masscan|zgrab|python-requests|Go-http-client/1\.1|[Nn]uclei|sqlmap|dirbuster|gobuster|nikto|nmap|wfuzz|Metasploit|libwww-perl|WPScan|ZmEu|jorgee|NetcraftSurveyAgent|Expanse|Shodan|censys|BinaryEdge|internet-measurement)[^"]*"
|
||||
failregex = ^\S+ - - \[[^\]]+\] "\S+ [^"]*" \d{3} \d+ "[^"]*" "(?i:masscan|zgrab|python-requests|go-http-client/1\.1|nuclei|sqlmap|dirbuster|gobuster|nikto|wfuzz|metasploit|libwww-perl|wpscan|nmap|zmeu|jorgee|shodan\.com|censys|binaryedge|internet-measurement|netcraft|strikeready|dataforseo|semrushbot|ahrefsbot|mj12bot|dotbot)[^"]*" \[Client <HOST>\]
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# ── Notes ────────────────────────────────────────────────────────────────────
|
||||
# Add more UA patterns to the failregex alternation as needed.
|
||||
# Test your filter with:
|
||||
# fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/badbot.conf
|
||||
|
||||
Reference in New Issue
Block a user