NPM changed its log format. Old filters expected classic nginx format:
PROXY_IP - - [date] "METHOD PATH" STATUS BYTES "REF" "UA" [Client IP]
Actual current format:
[date] - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
fail2ban strips the timestamp before applying failregex, so patterns
must match the post-strip line (no ^ timestamp prefix).
All three filters updated: http-errors, npm-probe, badbot.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string
X-Forwarded-For matching + INPUT chain) matching user's working setup
- Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable)
- Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file
- Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml
- entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection,
telegram_notif.sh deployment to persistent volume on first run
- Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write
- Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars)
- Include Nginx Proxy Manager in both compose files with shared log bind mount
- Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction)
- Add DATA_DIR, Telegram, CF API key fields to .env.example
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dockerized Fail2Ban + dashboard for Nginx Proxy Manager.
- Single-container image (fail2ban + Node.js + supervisord)
- Pre-built NPM filters: badbot, http-errors, npm-probe, manual-bans
- Web dashboard with live ban feed, log scanner, AbuseIPDB integration
- Configurable via environment variables and .env file
- Persistent volumes for config and ban history
- Webhook support for ban event notifications
- README, .gitignore, MIT license
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
