Initial release: F2B Control Center v1.0

Fail2Ban + Nginx Proxy Manager dashboard in a single Docker container.

Features:
- Auto-ban via badbot, http-errors, npm-probe, manual-bans, recidive jails
- Web dashboard: live ban grid, log scanner, per-IP access log viewer
- iptables-nft banning (DOCKER-USER + INPUT chains)
- Optional Cloudflare WAF banning
- Optional AbuseIPDB threat scoring
- Two-tier IP management: whitelist (trusted) vs exempt (reviewed)
- Auto log-file detection via logwatch (no restart needed for new NPM hosts)

fail2ban/action.d/cloudflare.conf

@@ -0,0 +1,33 @@
+[Definition]
+
+# Blocks/unblocks IPs at the Cloudflare account level via the Access Rules API.
+# Bans are enforced by Cloudflare before traffic reaches your server.
+# Enable by setting CF_EMAIL + CF_APIKEY in docker-compose.yml.
+#
+# NOTE: Uses the user-level API — applies across all zones on your account.
+# For zone-scoped rules replace the URL with:
+#   https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/access_rules/rules
+
+actionban = curl -s -X POST \
+              -H "X-Auth-Email: %(cf_email)s" \
+              -H "X-Auth-Key: %(cf_apikey)s" \
+              -H "Content-Type: application/json" \
+              -d "{\"mode\":\"block\",\"configuration\":{\"target\":\"ip\",\"value\":\"<ip>\"},\"notes\":\"f2b-cc: <name>\"}" \
+              "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
+              > /dev/null 2>&1 || true
+
+actionunban = RULE_ID=$(curl -s \
+                -H "X-Auth-Email: %(cf_email)s" \
+                -H "X-Auth-Key: %(cf_apikey)s" \
+                "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?configuration_target=ip&configuration_value=<ip>&mode=block&page=1&per_page=1" | \
+                jq -r '.result[0].id // empty' 2>/dev/null) ; \
+              [ -n "$RULE_ID" ] && \
+              curl -s -X DELETE \
+                -H "X-Auth-Email: %(cf_email)s" \
+                -H "X-Auth-Key: %(cf_apikey)s" \
+                "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$RULE_ID" \
+                > /dev/null 2>&1 || true
+
+[Init]
+cf_email  =
+cf_apikey =

fail2ban/action.d/docker-npm.conf

@@ -0,0 +1,15 @@
+[Definition]
+
+# Three rules per ban:
+# 1. DOCKER-USER source: blocks direct connections from the banned IP to any container
+# 2. DOCKER-USER xt_string: blocks CDN-proxied requests where real IP is in X-Forwarded-For
+#    (requires xt_string kernel module on the host: modprobe xt_string)
+# 3. INPUT: blocks direct connections to host services
+
+actionban = iptables-nft -I DOCKER-USER -s <ip> -j DROP
+            iptables-nft -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
+            iptables-nft -A INPUT -s <ip> -j DROP
+
+actionunban = iptables-nft -D DOCKER-USER -s <ip> -j DROP || true
+              iptables-nft -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
+              iptables-nft -D INPUT -s <ip> -j DROP || true

fail2ban/filter.d/badbot.conf

@@ -0,0 +1,18 @@
+[Definition]
+
+# ── NPM access log format (current) ──────────────────────────────────────────
+# [DD/Mon/YYYY:HH:MM:SS +0000] - STATUS STATUS - METHOD SCHEME HOST "PATH"
+#   [Client REAL_IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
+#
+# fail2ban strips the timestamp before applying failregex, leaving:
+#   " - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] ... "UA" ..."
+#
+# UA appears after [Sent-to ...] so .* is used between <HOST> and the UA match.
+#
+# Test against your logs:
+#   fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/badbot.conf
+# ─────────────────────────────────────────────────────────────────────────────
+
+failregex = - \d+ \d+ - \S+ \S+ \S+ "[^"]*" \[Client <HOST>\].*"(?i:masscan|zgrab|python-requests|go-http-client/1\.1|nuclei|sqlmap|dirbuster|gobuster|nikto|wfuzz|metasploit|libwww-perl|wpscan|nmap|zmeu|jorgee|shodan\.com|censys|binaryedge|internet-measurement|netcraft|strikeready|dataforseo|semrushbot|ahrefsbot|mj12bot|dotbot)[^"]*"
+
+ignoreregex =

fail2ban/filter.d/http-errors.conf

@@ -0,0 +1,20 @@
+[Definition]
+
+# ── NPM access log format (current) ──────────────────────────────────────────
+# [DD/Mon/YYYY:HH:MM:SS +0000] - STATUS STATUS - METHOD SCHEME HOST "PATH"
+#   [Client REAL_IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
+#
+# fail2ban strips the timestamp before applying failregex, leaving:
+#   " - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] ..."
+#
+# Bans IPs generating excessive 4xx/5xx errors.
+# Default jail: 15 errors in 5 minutes (tunable in jail.local).
+#
+# Test against your logs:
+#   fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/http-errors.conf
+# ─────────────────────────────────────────────────────────────────────────────
+
+failregex = - [45]\d\d \d+ - \S+ \S+ \S+ "[^"]*" \[Client <HOST>\]
+
+# Exclude common benign 404s to reduce noise.
+ignoreregex = - 404 \d+ - \S+ \S+ \S+ "/(?:favicon\.ico|robots\.txt|sitemap\.xml|apple-touch-icon[^"]*|\.well-known/[^"]*)" \[Client <HOST>\]

fail2ban/filter.d/manual-bans.conf

@@ -0,0 +1,15 @@
+# ── F2B Control Center — manual-bans filter ──────────────────────────────────
+#
+# Empty filter — this jail is used exclusively for manual banning via the
+# dashboard or `fail2ban-client set manual-bans banip <IP>`.
+#
+# No log-based automatic detection is performed. Bans are permanent (bantime = -1)
+# and are only added or removed through explicit operator action.
+# ─────────────────────────────────────────────────────────────────────────────
+
+[Definition]
+
+# Empty failregex: no automatic log-based detection
+failregex =
+
+ignoreregex =

fail2ban/filter.d/npm-probe.conf

@@ -0,0 +1,19 @@
+[Definition]
+
+# ── NPM access log format (current) ──────────────────────────────────────────
+# [DD/Mon/YYYY:HH:MM:SS +0000] - STATUS STATUS - METHOD SCHEME HOST "PATH"
+#   [Client REAL_IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
+#
+# fail2ban strips the timestamp before applying failregex, leaving:
+#   " - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] ..."
+#
+# Bans IPs probing for well-known vulnerable paths.
+# Default jail: 3 hits in 30 minutes → 48h ban (very aggressive, intentionally).
+#
+# Test against your logs:
+#   fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/npm-probe.conf
+# ─────────────────────────────────────────────────────────────────────────────
+
+failregex = - \d+ \d+ - \S+ \S+ \S+ "/(?:\.env[^"]*|\.git[^"]*|wp-login\.php[^"]*|wp-admin[^"]*|xmlrpc\.php[^"]*|phpmyadmin[^"]*|pma/[^"]*|adminer[^"]*|admin\.php[^"]*|config\.php[^"]*|setup\.php[^"]*|install\.php[^"]*|actuator[^"]*|console[^"]*|manager/html[^"]*|invoker/[^"]*|solr/[^"]*|geoserver/[^"]*|boaform/[^"]*|HNAP1[^"]*|cgi-bin/[^"]*|shell\.php[^"]*|cmd\.php[^"]*|eval-stdin\.php[^"]*)[^"]*" \[Client <HOST>\]
+
+ignoreregex =

fail2ban/jail.cloudflare.local

@@ -0,0 +1,74 @@
+# ── F2B Control Center — jail configuration (Cloudflare) ─────────────────────
+# Installed when CF_EMAIL + CF_APIKEY are set in docker-compose.yml.
+# Adds the Cloudflare WAF action to every jail alongside iptables.
+# Credentials are injected from environment — not stored here.
+# ─────────────────────────────────────────────────────────────────────────────
+
+[DEFAULT]
+bantime    = 1h
+findtime   = 10m
+maxretry   = 5
+allowipv6  = auto
+
+# Populated by entrypoint from SUBNETS_TO_IGNORE env var on first run.
+# Updated live by the dashboard — do not edit by hand.
+ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+
+# Cloudflare credentials — set CF_EMAIL and CF_APIKEY in docker-compose.yml.
+cf_email  = %(ENV[CF_EMAIL])s
+cf_apikey = %(ENV[CF_APIKEY])s
+
+# ── NPM: Bad Bots ─────────────────────────────────────────────────────────────
+[badbot]
+enabled  = true
+filter   = badbot
+logpath  = /nginx-logs/proxy-host-*_access.log
+bantime  = 24h
+findtime = 10m
+maxretry = 3
+action   = docker-npm
+           cloudflare[cf_email="%(cf_email)s", cf_apikey="%(cf_apikey)s"]
+
+# ── NPM: HTTP Error Spamming ──────────────────────────────────────────────────
+[http-errors]
+enabled  = true
+filter   = http-errors
+logpath  = /nginx-logs/proxy-host-*_access.log
+bantime  = 1h
+findtime = 5m
+maxretry = 15
+action   = docker-npm
+           cloudflare[cf_email="%(cf_email)s", cf_apikey="%(cf_apikey)s"]
+
+# ── NPM: Exploit Probing ──────────────────────────────────────────────────────
+[npm-probe]
+enabled  = true
+filter   = npm-probe
+logpath  = /nginx-logs/proxy-host-*_access.log
+bantime  = 48h
+findtime = 30m
+maxretry = 3
+action   = docker-npm
+           cloudflare[cf_email="%(cf_email)s", cf_apikey="%(cf_apikey)s"]
+
+# ── Manual Bans ───────────────────────────────────────────────────────────────
+[manual-bans]
+enabled  = true
+filter   = manual-bans
+logpath  = /dev/null
+bantime  = -1
+findtime = 1d
+maxretry = 1
+action   = docker-npm
+           cloudflare[cf_email="%(cf_email)s", cf_apikey="%(cf_apikey)s"]
+
+# ── Recidive — repeat offenders ───────────────────────────────────────────────
+[recidive]
+enabled  = false
+filter   = recidive
+logpath  = /var/log/fail2ban.log
+bantime  = 7d
+findtime = 1d
+maxretry = 3
+action   = docker-npm
+           cloudflare[cf_email="%(cf_email)s", cf_apikey="%(cf_apikey)s"]

fail2ban/jail.local

@@ -0,0 +1,69 @@
+# ── F2B Control Center — jail configuration ───────────────────────────────────
+# Installed to /etc/fail2ban/jail.local on first container start.
+# Persisted in the f2b-config Docker volume — survives image updates.
+#
+# CLOUDFLARE: set CF_EMAIL + CF_APIKEY in docker-compose.yml to enable WAF banning.
+# ─────────────────────────────────────────────────────────────────────────────
+
+[DEFAULT]
+bantime    = 1h
+findtime   = 10m
+maxretry   = 5
+allowipv6  = auto
+
+# Populated by entrypoint from SUBNETS_TO_IGNORE env var on first run.
+# Updated live by the dashboard — do not edit by hand.
+ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+
+# ── NPM: Bad Bots ─────────────────────────────────────────────────────────────
+[badbot]
+enabled  = true
+filter   = badbot
+logpath  = /nginx-logs/proxy-host-*_access.log
+bantime  = 24h
+findtime = 10m
+maxretry = 3
+action   = docker-npm
+
+# ── NPM: HTTP Error Spamming ──────────────────────────────────────────────────
+[http-errors]
+enabled  = true
+filter   = http-errors
+logpath  = /nginx-logs/proxy-host-*_access.log
+bantime  = 1h
+findtime = 5m
+maxretry = 15
+action   = docker-npm
+
+# ── NPM: Exploit Probing ──────────────────────────────────────────────────────
+[npm-probe]
+enabled  = true
+filter   = npm-probe
+logpath  = /nginx-logs/proxy-host-*_access.log
+bantime  = 48h
+findtime = 30m
+maxretry = 3
+action   = docker-npm
+
+# ── Manual Bans ───────────────────────────────────────────────────────────────
+# Populated via dashboard or: fail2ban-client set manual-bans banip <IP>
+[manual-bans]
+enabled  = true
+filter   = manual-bans
+logpath  = /dev/null
+bantime  = -1
+findtime = 1d
+maxretry = 1
+action   = docker-npm
+
+# ── Recidive — repeat offenders ───────────────────────────────────────────────
+# Escalates bans to 7d for IPs that get banned 3+ times within a day.
+# Enable once your other jails have been running for a while.
+[recidive]
+enabled  = false
+filter   = recidive
+logpath  = /var/log/fail2ban.log
+bantime  = 7d
+findtime = 1d
+maxretry = 3
+action   = docker-npm