Initial release: F2B Control Center v1.0

Fail2Ban + Nginx Proxy Manager dashboard in a single Docker container. Features: - Auto-ban via badbot, http-errors, npm-probe, manual-bans, recidive jails - Web dashboard: live ban grid, log scanner, per-IP access log viewer - iptables-nft banning (DOCKER-USER + INPUT chains) - Optional Cloudflare WAF banning - Optional AbuseIPDB threat scoring - Two-tier IP management: whitelist (trusted) vs exempt (reviewed) - Auto log-file detection via logwatch (no restart needed for new NPM hosts)
2026-02-20 18:59:56 +00:00
commit c104e27506
24 changed files with 3333 additions and 0 deletions
--- a/66
+++ b/66
@@ -0,0 +1,66 @@
+# ── F2B Control Center ────────────────────────────────────────────────────────
+# Single-container image: Fail2Ban + Node.js dashboard + supervisord
+#
+# Build: docker build -t f2b-control-center .
+# Run:   docker-compose up -d
+# ─────────────────────────────────────────────────────────────────────────────
+
+FROM node:18-slim
+
+LABEL org.opencontainers.image.title="F2B Control Center" \
+      org.opencontainers.image.description="Fail2Ban + dashboard for Nginx Proxy Manager" \
+      org.opencontainers.image.licenses="MIT"
+
+# ── System dependencies ───────────────────────────────────────────────────────
+# fail2ban     – the core banning daemon
+# supervisor   – process manager (runs fail2ban + node in one container)
+# iptables     – default ban action backend (requires NET_ADMIN + NET_RAW)
+# ipset        – optional; used by some fail2ban actions for performance
+# curl         – used by the webhook action and healthcheck
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      fail2ban \
+      supervisor \
+      iptables \
+      ipset \
+      curl \
+      jq \
+    && rm -rf /var/lib/apt/lists/* \
+    # Remove debian default jail (enables sshd which has no log file in container)
+    && rm -f /etc/fail2ban/jail.d/defaults-debian.conf
+
+# ── Dashboard dependencies ────────────────────────────────────────────────────
+WORKDIR /app
+COPY dashboard/package*.json ./
+RUN npm ci --omit=dev --prefer-offline
+
+# ── Dashboard source ──────────────────────────────────────────────────────────
+COPY dashboard/server.js ./
+COPY dashboard/public    ./public/
+
+# ── Default fail2ban config (copied to /etc/fail2ban on first run) ────────────
+COPY fail2ban/ /etc/f2b-defaults/
+
+# ── Process management ────────────────────────────────────────────────────────
+COPY supervisor.conf /etc/supervisor/conf.d/f2b-control-center.conf
+
+# ── Startup and health ────────────────────────────────────────────────────────
+COPY entrypoint.sh  /entrypoint.sh
+COPY healthcheck.sh /healthcheck.sh
+COPY logwatch.sh    /logwatch.sh
+RUN chmod +x /entrypoint.sh /healthcheck.sh /logwatch.sh
+
+# ── Runtime directories ───────────────────────────────────────────────────────
+RUN mkdir -p /data /nginx-logs /var/log /var/run/fail2ban
+
+# ── Persistent volumes ────────────────────────────────────────────────────────
+# /data          – ban-history.json and other app state
+# /nginx-logs    – mount your NPM log directory here (read-only)
+# /etc/fail2ban  – persists user-edited jail config across image updates
+VOLUME ["/data", "/nginx-logs", "/etc/fail2ban"]
+
+EXPOSE 4000
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=25s --retries=3 \
+    CMD /healthcheck.sh
+
+ENTRYPOINT ["/entrypoint.sh"]