Initial release: F2B Control Center v1.0

Dockerized Fail2Ban + dashboard for Nginx Proxy Manager.

- Single-container image (fail2ban + Node.js + supervisord)
- Pre-built NPM filters: badbot, http-errors, npm-probe, manual-bans
- Web dashboard with live ban feed, log scanner, AbuseIPDB integration
- Configurable via environment variables and .env file
- Persistent volumes for config and ban history
- Webhook support for ban event notifications
- README, .gitignore, MIT license

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fail2ban/filter.d/badbot.conf

@@ -0,0 +1,28 @@
+# ── F2B Control Center — badbot filter ───────────────────────────────────────
+#
+# Blocks known malicious scanners, vulnerability testers, and exploit frameworks
+# by their HTTP User-Agent string.
+#
+# LOG FORMAT:
+#   Primary pattern matches NPM logs with [Client IP] real-IP field:
+#     PROXY_IP - - [date] "GET /" 200 146 "-" "UserAgent" [Client REAL_IP]
+#
+#   If your NPM logs have the client IP at line start (standard nginx combined),
+#   uncomment the alternative failregex lines instead.
+# ─────────────────────────────────────────────────────────────────────────────
+
+[Definition]
+
+# ── Primary: NPM [Client IP] format ──────────────────────────────────────────
+failregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "[A-Z]+ [^"]*" \d{3} \d+ "[^"]*" "(?:masscan|zgrab|python-requests|Go-http-client/1\.1|[Nn]uclei|sqlmap|dirbuster|gobuster|nikto|nmap|wfuzz|Metasploit|libwww-perl|WPScan|ZmEu|jorgee|NetcraftSurveyAgent|Expanse|Shodan|censys|BinaryEdge|internet-measurement|SemrushBot|AhrefsBot)[^"]*" \[Client <HOST>\]
+
+# ── Alternative: standard nginx combined format (IP at line start) ────────────
+# Uncomment and comment out the Primary line above to use this instead.
+# failregex = ^<HOST> - -[^\[]*\[[^\]]+\] "[A-Z]+ [^"]*" \d{3} \d+ "[^"]*" "(?:masscan|zgrab|python-requests|Go-http-client/1\.1|[Nn]uclei|sqlmap|dirbuster|gobuster|nikto|nmap|wfuzz|Metasploit|libwww-perl|WPScan|ZmEu|jorgee|NetcraftSurveyAgent|Expanse|Shodan|censys|BinaryEdge|internet-measurement)[^"]*"
+
+ignoreregex =
+
+# ── Notes ────────────────────────────────────────────────────────────────────
+# Add more UA patterns to the failregex alternation as needed.
+# Test your filter with:
+#   fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/badbot.conf

fail2ban/filter.d/http-errors.conf

@@ -0,0 +1,28 @@
+# ── F2B Control Center — http-errors filter ──────────────────────────────────
+#
+# Bans IPs generating a high volume of HTTP 4xx/5xx error responses.
+# Works well for catching brute-force login attempts, path traversal scans,
+# and generally misbehaving clients.
+#
+# Tune `maxretry` and `findtime` in jail.local to adjust sensitivity.
+# Default: 15 errors in 5 minutes.
+#
+# LOG FORMAT:
+#   Primary pattern matches NPM logs with [Client IP] real-IP field.
+#   See badbot.conf for details on switching to standard nginx format.
+# ─────────────────────────────────────────────────────────────────────────────
+
+[Definition]
+
+# ── Primary: NPM [Client IP] format ──────────────────────────────────────────
+# Matches any 4xx or 5xx response (excluding 200 implicitly by the status code).
+failregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "[A-Z]+ [^"]*" [45]\d\d \d+ "[^"]*" "[^"]*" \[Client <HOST>\]
+
+# ── Alternative: standard nginx combined format ───────────────────────────────
+# failregex = ^<HOST> - -[^\[]*\[[^\]]+\] "[A-Z]+ [^"]*" [45]\d\d
+
+# Ignore common false-positive 4xx codes:
+#   404 — very common for missing favicons, /robots.txt, etc. Remove from
+#          ignoreregex below if you DO want to count 404s (recommended for
+#          aggressive probe detection when combined with high maxretry).
+ignoreregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "[A-Z]+ /(?:favicon\.ico|robots\.txt|apple-touch-icon[^"]*) HTTP[^"]*" 404 .* \[Client <HOST>\]

fail2ban/filter.d/manual-bans.conf

@@ -0,0 +1,15 @@
+# ── F2B Control Center — manual-bans filter ──────────────────────────────────
+#
+# Empty filter — this jail is used exclusively for manual banning via the
+# dashboard or `fail2ban-client set manual-bans banip <IP>`.
+#
+# No log-based automatic detection is performed. Bans are permanent (bantime = -1)
+# and are only added or removed through explicit operator action.
+# ─────────────────────────────────────────────────────────────────────────────
+
+[Definition]
+
+# Empty failregex: no automatic log-based detection
+failregex =
+
+ignoreregex =

fail2ban/filter.d/npm-probe.conf

@@ -0,0 +1,29 @@
+# ── F2B Control Center — npm-probe filter ────────────────────────────────────
+#
+# Bans IPs probing for well-known vulnerable paths.
+# These requests almost always indicate automated exploit scanning — a single
+# hit warrants a long ban (configured to 48h / maxretry 3 in jail.local).
+#
+# Covered categories:
+#   - PHP-based CMS admin paths (WordPress, Joomla, etc.)
+#   - Common config/credential file leaks (.env, .git, etc.)
+#   - Java frameworks (actuator, Spring Boot, Struts)
+#   - Web shells and common RCE payloads
+#   - Device/router admin interfaces (HNAP, boaform)
+#   - PHPMyAdmin, Adminer, database tools
+#   - Path traversal attempts (../)
+#
+# LOG FORMAT:
+#   Primary pattern matches NPM logs with [Client IP] real-IP field.
+#   See badbot.conf for details on switching to standard nginx format.
+# ─────────────────────────────────────────────────────────────────────────────
+
+[Definition]
+
+# ── Primary: NPM [Client IP] format ──────────────────────────────────────────
+failregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "(?:GET|POST|HEAD|OPTIONS) (?:/.env(?:\.[^"]*)?|/.git(?:/[^"]*)?|/wp-login\.php|/wp-admin(?:/[^"]*)?|/xmlrpc\.php|/phpmyadmin(?:/[^"]*)?|/pma(?:/[^"]*)?|/adminer(?:\.php)?|/admin\.php|/config\.php|/setup\.php|/install\.php|/actuator(?:/[^"]*)?|/console|/manager/html|/invoker/JMXInvokerServlet|/solr(?:/[^"]*)?|/geoserver(?:/[^"]*)?|/boaform(?:/[^"]*)?|/HNAP1(?:/[^"]*)?|/cgi-bin/[^"]*|/shell\.php|/cmd\.php|/eval-stdin\.php|/[^"]*\.\./[^"]*) HTTP[^"]*" \d{3} .* \[Client <HOST>\]
+
+# ── Alternative: standard nginx combined format ───────────────────────────────
+# failregex = ^<HOST> - -[^\[]*\[[^\]]+\] "(?:GET|POST|HEAD) (?:/.env|/.git|/wp-login\.php|/wp-admin|/xmlrpc\.php|/phpmyadmin|/pma|/adminer|/admin\.php|/actuator|/console|/boaform|/HNAP1|/cgi-bin/|/shell\.php) HTTP"
+
+ignoreregex =