mykey/Fail2Ban-Dashboard---NPM
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Fail2Ban-Dashboard---NPM/entrypoint.sh
gitea c104e27506 Initial release: F2B Control Center v1.0 
Fail2Ban + Nginx Proxy Manager dashboard in a single Docker container.

Features:
- Auto-ban via badbot, http-errors, npm-probe, manual-bans, recidive jails
- Web dashboard: live ban grid, log scanner, per-IP access log viewer
- iptables-nft banning (DOCKER-USER + INPUT chains)
- Optional Cloudflare WAF banning
- Optional AbuseIPDB threat scoring
- Two-tier IP management: whitelist (trusted) vs exempt (reviewed)
- Auto log-file detection via logwatch (no restart needed for new NPM hosts)
2026-02-20 18:59:56 +00:00

67 lines
3.3 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
# ── F2B Control Center — container entrypoint ────────────────────────────────
# Handles first-run initialisation, then hands off to supervisord.
# ─────────────────────────────────────────────────────────────────────────────
set -e
echo "[f2b-cc] Starting F2B Control Center..."
# ── Kernel module: xt_string (required for X-Forwarded-For matching) ──────────
if modprobe xt_string 2>/dev/null; then
echo "[f2b-cc] xt_string kernel module loaded OK"
else
echo "[f2b-cc] WARNING: xt_string module unavailable — X-Forwarded-For iptables rules will NOT work"
echo "[f2b-cc] Run 'modprobe xt_string' on the Docker host to fix this."
fi
# ── DOCKER-USER chain (must exist for the ban action to insert rules) ─────────
if iptables -L DOCKER-USER -n > /dev/null 2>&1; then
echo "[f2b-cc] DOCKER-USER iptables chain found OK"
else
echo "[f2b-cc] DOCKER-USER chain missing — creating it"
iptables -N DOCKER-USER 2>/dev/null || true
fi
# ── First-run: install default fail2ban config if none exists ─────────────────
if [ ! -f /etc/fail2ban/jail.local ]; then
echo "[f2b-cc] First run — installing default fail2ban configuration..."
cp -r /etc/f2b-defaults/. /etc/fail2ban/
# Cloudflare credentials present → use the CF-enabled jail config
if [ -n "${CF_EMAIL}" ] && [ -n "${CF_APIKEY}" ]; then
echo "[f2b-cc] CF_EMAIL + CF_APIKEY detected — enabling Cloudflare jail config"
cp /etc/f2b-defaults/jail.cloudflare.local /etc/fail2ban/jail.local
fi
# Apply SUBNETS_TO_IGNORE from environment into jail.local's ignoreip line
if [ -n "${SUBNETS_TO_IGNORE}" ]; then
IGNORE_LINE="ignoreip = 127.0.0.1/8 ::1 ${SUBNETS_TO_IGNORE}"
sed -i "s|^ignoreip = .*|${IGNORE_LINE}|" /etc/fail2ban/jail.local
echo "[f2b-cc] ignoreip set to: 127.0.0.1/8 ::1 ${SUBNETS_TO_IGNORE}"
fi
echo "[f2b-cc] Default configuration installed at /etc/fail2ban/"
echo "[f2b-cc] Edit /etc/fail2ban/jail.local to customise jails."
else
echo "[f2b-cc] Using existing fail2ban configuration."
fi
# ── Ensure required directories and files exist ───────────────────────────────
mkdir -p /data /var/log /var/run/fail2ban
# Create fail2ban log file if it doesn't exist (prevents startup errors)
touch /var/log/fail2ban.log
# Ensure nginx-logs directory exists and has at least one file matching the glob.
# fail2ban requires a matching file to exist at startup — create a placeholder
# if NPM hasn't generated any proxy host logs yet.
mkdir -p /nginx-logs
if ! ls /nginx-logs/proxy-host-*_access.log > /dev/null 2>&1; then
echo "[f2b-cc] No NPM logs found — creating placeholder so fail2ban can start."
touch /nginx-logs/proxy-host-placeholder_access.log
fi
# ── Start supervisord (manages fail2ban + dashboard) ─────────────────────────
echo "[f2b-cc] Starting supervisord (fail2ban + dashboard)..."
exec /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf
Reference in New Issue View Git Blame Copy Permalink