Fail2Ban-Dashboard---NPM/fail2ban/jail.local

# ── F2B Control Center — fail2ban jail configuration ─────────────────────────
#
# This file is written to /etc/fail2ban/jail.local on first container start.
# After first run it is persisted in the f2b-config Docker volume so your
# customisations survive image updates.
#
# IMPORTANT: The dashboard manages the `ignoreip` line automatically.
#            Do not edit it by hand unless you are not using the dashboard.
#
# LOG FORMAT NOTE:
#   The default filters expect Nginx Proxy Manager access logs that include
#   the real client IP in a [Client X.X.X.X] field — the format produced
#   when NPM forwards through Cloudflare or another proxy.
#
#   If your NPM logs have the client IP at the start of each line (standard
#   nginx combined format), edit the failregex lines in each filter to use:
#     failregex = ^<HOST> - - \[...
#   See fail2ban/filter.d/*.conf for both patterns (commented examples included).
# ─────────────────────────────────────────────────────────────────────────────

[DEFAULT]
# Default ban duration (supports suffixes: s, m, h, d)
bantime  = 1h

# Time window in which maxretry violations trigger a ban
findtime = 10m

# Number of violations before banning
maxretry = 5

# IPs and subnets to never ban.
# The dashboard appends whitelisted IPs here — do not remove this line.
# The entrypoint script expands SUBNETS_TO_IGNORE from your .env on first run.
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

# Default ban action: iptables-allports blocks all ports for banned IPs.
# Requires NET_ADMIN capability (granted in docker-compose.yml) and
# network_mode: host to affect host-level traffic.
banaction = iptables-allports

# ── NPM: Bad Bots ─────────────────────────────────────────────────────────────
# Blocks known malicious scanners and exploit frameworks by User-Agent.
# Stricter settings: low maxretry, long ban time.
[badbot]
enabled  = true
filter   = badbot
logpath  = /nginx-logs/proxy-host-*_access.log
bantime  = 24h
findtime = 10m
maxretry = 3
action   = %(action_)s

# ── NPM: HTTP Error Spamming ──────────────────────────────────────────────────
# Bans IPs that generate a high volume of 4xx/5xx errors.
# Useful for catching brute-force attempts, broken crawlers, and probes.
[http-errors]
enabled  = true
filter   = http-errors
logpath  = /nginx-logs/proxy-host-*_access.log
bantime  = 1h
findtime = 5m
maxretry = 15
action   = %(action_)s

# ── NPM: Exploit Probing ──────────────────────────────────────────────────────
# Bans IPs requesting well-known vulnerable paths (.env, wp-admin, etc.).
# These are almost always malicious — short maxretry, long ban.
[npm-probe]
enabled  = true
filter   = npm-probe
logpath  = /nginx-logs/proxy-host-*_access.log
bantime  = 48h
findtime = 30m
maxretry = 3
action   = %(action_)s

# ── Manual Bans ───────────────────────────────────────────────────────────────
# Permanent bans added via the dashboard or `fail2ban-client set manual-bans banip`.
# No automatic log-based detection — only manual entries via the dashboard.
[manual-bans]
enabled  = true
filter   = manual-bans
logpath  = /dev/null
bantime  = -1
findtime = 1d
maxretry = 1
action   = %(action_)s

# ── Recidive ──────────────────────────────────────────────────────────────────
# Escalated bans for repeat offenders across any jail.
# Disabled by default — enable if you want long-term blocks for persistent attackers.
[recidive]
enabled  = false
filter   = recidive
logpath  = /var/log/fail2ban.log
bantime  = 7d
findtime = 1d
maxretry = 3
action   = %(action_)s