Records now works without running a scan first. If logs aren't cached in memory from a scan, the endpoint greps the nginx access logs directly for [Client IP] matches and returns the last 500 lines.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
\s* in the regex matches \n, so when ignoreip = is empty:
^ignoreip\s*=\s*(.+)$ → consumes the newline, captures [badbot] from
the next section header as if it were an IP address.
Fix: use [ \t]* instead of \s* so the regex never crosses a line boundary.
Also tighten the addWhitelist line-finder to use the same pattern.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Previously isWhitelisted() checked SUBNETS_TO_IGNORE env var in addition
to jail.local ignoreip. This meant removing a subnet from the dashboard
whitelist updated fail2ban but the dashboard scan still excluded those IPs,
creating a visible disconnect.
Now isWhitelisted() reads and does CIDR matching only against jail.local.
Dashboard whitelist changes are immediately reflected in scan/records,
1:1 with what fail2ban enforces.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
NPM changed its log format. Old filters expected classic nginx format:
PROXY_IP - - [date] "METHOD PATH" STATUS BYTES "REF" "UA" [Client IP]
Actual current format:
[date] - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
fail2ban strips the timestamp before applying failregex, so patterns
must match the post-strip line (no ^ timestamp prefix).
All three filters updated: http-errors, npm-probe, badbot.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fail2ban only expands glob logpath at startup, so proxy-host-2_access.log
and later files are never monitored until a manual reload.
Adds logwatch.sh (supervisord-managed) that polls /nginx-logs every 30s
and runs fail2ban-client reload whenever a new proxy-host-*_access.log
is detected.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Hosts running Docker with the default Debian/Ubuntu iptables use the
nf_tables backend (iptables-nft). Inserting rules via iptables-legacy
created them in a separate, unreferenced table — bans were recorded in
fail2ban but packets were never dropped.
Switching action commands to iptables-nft writes into the same
DOCKER-USER chain that Docker manages, so bans take effect immediately.
Also reverts the update-alternatives override from the Dockerfile since
it is no longer needed (and generated noisy warnings).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Debian node:18-slim defaults to iptables-nft which requires nftables
kernel access that Docker's seccomp profile blocks even with NET_ADMIN.
Switch to iptables-legacy which works correctly with NET_ADMIN + NET_RAW.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- docker-compose: add cap_add NET_ADMIN + NET_RAW — without these,
iptables commands inside the container silently fail (permission denied)
so bans were recorded in fail2ban but no rules were ever applied
- docker-npm.conf: add DOCKER-USER source IP rule so direct connections
to NPM are blocked (INPUT rule only covers host services, not containers)
xt_string rule now has || true so missing module doesn't abort the ban
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- entrypoint: create proxy-host-placeholder_access.log if no NPM logs
exist so fail2ban can start before any proxy hosts are configured
- docker-compose: remove :ro from nginx-logs mount (needed for placeholder)
- Dockerfile: add jq (required by cloudflare.conf actionunban)
- cloudflare.conf: replace python3 JSON parsing with jq; clean stale comments
- jail.local + jail.cloudflare.local: add allowipv6 = auto to suppress warning
- jail.cloudflare.local: remove stale .env and docker-compose.cloudflare.yml refs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- supervisor.conf: node is at /usr/local/bin/node in node:18-slim, not /usr/bin/node
- Dockerfile: remove /etc/fail2ban/jail.d/defaults-debian.conf at build time
to prevent fail2ban crashing on missing sshd log file
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ip had a high severity SSRF vuln (GHSA-2p57-rm9w-gvfp) with no upstream fix.
Replace with:
- net.isIPv4/isIPv6 (Node built-in) for format validation
- ipaddr.js for CIDR subnet matching
Add package-lock.json for reproducible builds (required for npm ci).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- jail.local: fix comment pointing to deleted docker-compose.cloudflare.yml
- .gitignore: remove .env entry (no env file in use)
- README: full rewrite to match current state (no .env, no webhook,
correct file structure, inline compose config, CF setup instructions)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Having both build: and image: caused Docker Compose to attempt a registry
pull before building locally. Drop image: so it always builds from source.
Remove obsolete version: field.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove WEBHOOK_URL from server.js and compose (too many untestable edge cases)
- Delete .env.example (config is now inline in docker-compose.yml)
- Comment out ABUSEIPDB_API_KEY, CF_EMAIL, CF_APIKEY in compose by default
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove telegram_notif.sh and all Telegram references
- Remove webhook.conf fail2ban action (dashboard webhook stays)
- docker-npm.conf: iptables ban/unban only, no lifecycle hooks
- Merge docker-compose.cloudflare.yml into docker-compose.yml
CF_EMAIL/CF_APIKEY always present — fill in to enable WAF banning
- Remove TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID from compose
- Drop .env.example dependency — all config inline in compose file
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string
X-Forwarded-For matching + INPUT chain) matching user's working setup
- Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable)
- Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file
- Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml
- entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection,
telegram_notif.sh deployment to persistent volume on first run
- Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write
- Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars)
- Include Nginx Proxy Manager in both compose files with shared log bind mount
- Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction)
- Add DATA_DIR, Telegram, CF API key fields to .env.example
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dockerized Fail2Ban + dashboard for Nginx Proxy Manager.
- Single-container image (fail2ban + Node.js + supervisord)
- Pre-built NPM filters: badbot, http-errors, npm-probe, manual-bans
- Web dashboard with live ban feed, log scanner, AbuseIPDB integration
- Configurable via environment variables and .env file
- Persistent volumes for config and ban history
- Webhook support for ban event notifications
- README, .gitignore, MIT license
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
