Initial release: F2B Control Center v1.0

Fail2Ban + Nginx Proxy Manager dashboard in a single Docker container. Features: - Auto-ban via badbot, http-errors, npm-probe, manual-bans, recidive jails - Web dashboard: live ban grid, log scanner, per-IP access log viewer - iptables-nft banning (DOCKER-USER + INPUT chains) - Optional Cloudflare WAF banning - Optional AbuseIPDB threat scoring - Two-tier IP management: whitelist (trusted) vs exempt (reviewed) - Auto log-file detection via logwatch (no restart needed for new NPM hosts)
2026-02-20 18:59:56 +00:00
commit c104e27506
24 changed files with 3333 additions and 0 deletions
--- a/fail2ban/filter.d/badbot.conf
+++ b/fail2ban/filter.d/badbot.conf
@@ -0,0 +1,18 @@
+[Definition]
+
+# ── NPM access log format (current) ──────────────────────────────────────────
+# [DD/Mon/YYYY:HH:MM:SS +0000] - STATUS STATUS - METHOD SCHEME HOST "PATH"
+#   [Client REAL_IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
+#
+# fail2ban strips the timestamp before applying failregex, leaving:
+#   " - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] ... "UA" ..."
+#
+# UA appears after [Sent-to ...] so .* is used between <HOST> and the UA match.
+#
+# Test against your logs:
+#   fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/badbot.conf
+# ─────────────────────────────────────────────────────────────────────────────
+
+failregex = - \d+ \d+ - \S+ \S+ \S+ "[^"]*" \[Client <HOST>\].*"(?i:masscan|zgrab|python-requests|go-http-client/1\.1|nuclei|sqlmap|dirbuster|gobuster|nikto|wfuzz|metasploit|libwww-perl|wpscan|nmap|zmeu|jorgee|shodan\.com|censys|binaryedge|internet-measurement|netcraft|strikeready|dataforseo|semrushbot|ahrefsbot|mj12bot|dotbot)[^"]*"
+
+ignoreregex =
--- a/fail2ban/filter.d/http-errors.conf
+++ b/fail2ban/filter.d/http-errors.conf
@@ -0,0 +1,20 @@
+[Definition]
+
+# ── NPM access log format (current) ──────────────────────────────────────────
+# [DD/Mon/YYYY:HH:MM:SS +0000] - STATUS STATUS - METHOD SCHEME HOST "PATH"
+#   [Client REAL_IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
+#
+# fail2ban strips the timestamp before applying failregex, leaving:
+#   " - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] ..."
+#
+# Bans IPs generating excessive 4xx/5xx errors.
+# Default jail: 15 errors in 5 minutes (tunable in jail.local).
+#
+# Test against your logs:
+#   fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/http-errors.conf
+# ─────────────────────────────────────────────────────────────────────────────
+
+failregex = - [45]\d\d \d+ - \S+ \S+ \S+ "[^"]*" \[Client <HOST>\]
+
+# Exclude common benign 404s to reduce noise.
+ignoreregex = - 404 \d+ - \S+ \S+ \S+ "/(?:favicon\.ico|robots\.txt|sitemap\.xml|apple-touch-icon[^"]*|\.well-known/[^"]*)" \[Client <HOST>\]
--- a/fail2ban/filter.d/manual-bans.conf
+++ b/fail2ban/filter.d/manual-bans.conf
@@ -0,0 +1,15 @@
+# ── F2B Control Center — manual-bans filter ──────────────────────────────────
+#
+# Empty filter — this jail is used exclusively for manual banning via the
+# dashboard or `fail2ban-client set manual-bans banip <IP>`.
+#
+# No log-based automatic detection is performed. Bans are permanent (bantime = -1)
+# and are only added or removed through explicit operator action.
+# ─────────────────────────────────────────────────────────────────────────────
+
+[Definition]
+
+# Empty failregex: no automatic log-based detection
+failregex =
+
+ignoreregex =
--- a/fail2ban/filter.d/npm-probe.conf
+++ b/fail2ban/filter.d/npm-probe.conf
@@ -0,0 +1,19 @@
+[Definition]
+
+# ── NPM access log format (current) ──────────────────────────────────────────
+# [DD/Mon/YYYY:HH:MM:SS +0000] - STATUS STATUS - METHOD SCHEME HOST "PATH"
+#   [Client REAL_IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
+#
+# fail2ban strips the timestamp before applying failregex, leaving:
+#   " - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] ..."
+#
+# Bans IPs probing for well-known vulnerable paths.
+# Default jail: 3 hits in 30 minutes → 48h ban (very aggressive, intentionally).
+#
+# Test against your logs:
+#   fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/npm-probe.conf
+# ─────────────────────────────────────────────────────────────────────────────
+
+failregex = - \d+ \d+ - \S+ \S+ \S+ "/(?:\.env[^"]*|\.git[^"]*|wp-login\.php[^"]*|wp-admin[^"]*|xmlrpc\.php[^"]*|phpmyadmin[^"]*|pma/[^"]*|adminer[^"]*|admin\.php[^"]*|config\.php[^"]*|setup\.php[^"]*|install\.php[^"]*|actuator[^"]*|console[^"]*|manager/html[^"]*|invoker/[^"]*|solr/[^"]*|geoserver/[^"]*|boaform/[^"]*|HNAP1[^"]*|cgi-bin/[^"]*|shell\.php[^"]*|cmd\.php[^"]*|eval-stdin\.php[^"]*)[^"]*" \[Client <HOST>\]
+
+ignoreregex =