feat: plug-and-play refactor — docker-npm action, CF support, whitelist live-update

- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string X-Forwarded-For matching + INPUT chain) matching user's working setup - Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable) - Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file - Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml - entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection, telegram_notif.sh deployment to persistent volume on first run - Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write - Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars) - Include Nginx Proxy Manager in both compose files with shared log bind mount - Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction) - Add DATA_DIR, Telegram, CF API key fields to .env.example Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 15:08:06 +00:00
parent dd7f8dd1a2
commit 920b69cfca
14 changed files with 446 additions and 224 deletions
--- a/fail2ban/jail.cloudflare.local
+++ b/fail2ban/jail.cloudflare.local
@@ -0,0 +1,78 @@
+# ── F2B Control Center — jail configuration (Cloudflare) ─────────────────────
+#
+# Used when CF_EMAIL and CF_APIKEY are set (docker-compose.cloudflare.yml).
+# Identical to jail.local but adds the cloudflare action to every jail so
+# bans are enforced at both the iptables and Cloudflare WAF levels.
+#
+# CF credentials are read from environment variables — no credentials are
+# stored in this file.
+# ─────────────────────────────────────────────────────────────────────────────
+
+[DEFAULT]
+bantime  = 1h
+findtime = 10m
+maxretry = 5
+
+# Populated by entrypoint from SUBNETS_TO_IGNORE env var on first run.
+# Updated live by the dashboard — do not edit by hand.
+ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+
+# Cloudflare credentials — injected from environment at runtime.
+# Set CF_EMAIL and CF_APIKEY in your .env file.
+cf_email  = %(ENV[CF_EMAIL])s
+cf_apikey = %(ENV[CF_APIKEY])s
+
+# ── NPM: Bad Bots ─────────────────────────────────────────────────────────────
+[badbot]
+enabled  = true
+filter   = badbot
+logpath  = /nginx-logs/proxy-host-*_access.log
+bantime  = 24h
+findtime = 10m
+maxretry = 3
+action   = docker-npm
+           cloudflare[cf_email="%(cf_email)s", cf_apikey="%(cf_apikey)s"]
+
+# ── NPM: HTTP Error Spamming ──────────────────────────────────────────────────
+[http-errors]
+enabled  = true
+filter   = http-errors
+logpath  = /nginx-logs/proxy-host-*_access.log
+bantime  = 1h
+findtime = 5m
+maxretry = 15
+action   = docker-npm
+           cloudflare[cf_email="%(cf_email)s", cf_apikey="%(cf_apikey)s"]
+
+# ── NPM: Exploit Probing ──────────────────────────────────────────────────────
+[npm-probe]
+enabled  = true
+filter   = npm-probe
+logpath  = /nginx-logs/proxy-host-*_access.log
+bantime  = 48h
+findtime = 30m
+maxretry = 3
+action   = docker-npm
+           cloudflare[cf_email="%(cf_email)s", cf_apikey="%(cf_apikey)s"]
+
+# ── Manual Bans ───────────────────────────────────────────────────────────────
+[manual-bans]
+enabled  = true
+filter   = manual-bans
+logpath  = /dev/null
+bantime  = -1
+findtime = 1d
+maxretry = 1
+action   = docker-npm
+           cloudflare[cf_email="%(cf_email)s", cf_apikey="%(cf_apikey)s"]
+
+# ── Recidive — repeat offenders ───────────────────────────────────────────────
+[recidive]
+enabled  = false
+filter   = recidive
+logpath  = /var/log/fail2ban.log
+bantime  = 7d
+findtime = 1d
+maxretry = 3
+action   = docker-npm
+           cloudflare[cf_email="%(cf_email)s", cf_apikey="%(cf_apikey)s"]