gitea
c104e27506
Fail2Ban + Nginx Proxy Manager dashboard in a single Docker container. Features: - Auto-ban via badbot, http-errors, npm-probe, manual-bans, recidive jails - Web dashboard: live ban grid, log scanner, per-IP access log viewer - iptables-nft banning (DOCKER-USER + INPUT chains) - Optional Cloudflare WAF banning - Optional AbuseIPDB threat scoring - Two-tier IP management: whitelist (trusted) vs exempt (reviewed) - Auto log-file detection via logwatch (no restart needed for new NPM hosts)
19 lines
1.2 KiB
Plaintext
19 lines
1.2 KiB
Plaintext
[Definition]
|
|
|
|
# ── NPM access log format (current) ──────────────────────────────────────────
|
|
# [DD/Mon/YYYY:HH:MM:SS +0000] - STATUS STATUS - METHOD SCHEME HOST "PATH"
|
|
# [Client REAL_IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
|
|
#
|
|
# fail2ban strips the timestamp before applying failregex, leaving:
|
|
# " - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] ... "UA" ..."
|
|
#
|
|
# UA appears after [Sent-to ...] so .* is used between <HOST> and the UA match.
|
|
#
|
|
# Test against your logs:
|
|
# fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/badbot.conf
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
failregex = - \d+ \d+ - \S+ \S+ \S+ "[^"]*" \[Client <HOST>\].*"(?i:masscan|zgrab|python-requests|go-http-client/1\.1|nuclei|sqlmap|dirbuster|gobuster|nikto|wfuzz|metasploit|libwww-perl|wpscan|nmap|zmeu|jorgee|shodan\.com|censys|binaryedge|internet-measurement|netcraft|strikeready|dataforseo|semrushbot|ahrefsbot|mj12bot|dotbot)[^"]*"
|
|
|
|
ignoreregex =
|