Compare commits

...

54 Commits

| Author | SHA1 | Message | Date |
|--------|------|---------|------|
| João Pedro Toledo Goncalves | e4a4714ee5 | deploy configuration for atendimento.grupopralog.com.br on the proxy; fix fail2ban, which was not acting on the logs | 2026-02-12 12:45:13 -03:00 |
| João Pedro Toledo Goncalves | a5788fc66d | feat: sync timezone to America/Sao_Paulo, add diagnostic scripts to producao/scripts, and update PSDE docs | 2026-02-08 15:54:09 -03:00 |
| João Pedro Toledo Goncalves | be7b271357 | fix: restore legacy GEMINI docs, fix modsec loop, encoding issues | 2026-02-08 14:24:23 -03:00 |
| João Pedro Toledo Goncalves | 982423c3ff | feat: re-enable geoip logging and variable mapping | 2026-02-08 13:51:49 -03:00 |
| João Pedro Toledo Goncalves | 0317b5217a | security maps | 2026-02-08 11:29:10 -03:00 |
| João Pedro Toledo Goncalves | dba24f08bc | feat: hybrid deployment script with geoip auto-update and improved docs | 2026-02-08 11:05:53 -03:00 |
| João Pedro Toledo Goncalves | b0b9485b1a | Hardening: Integrate CVE 2025-2026 defenses (React2Shell, MadeYouReset, SolarWinds, Fortinet) | 2026-02-07 14:21:51 -03:00 |
| João Pedro Toledo Goncalves | 7af7fa0ec7 | Update README with Pathfinder V2 operational workflow and security features | 2026-02-07 13:53:27 -03:00 |
| João Pedro Toledo Goncalves | 42a9ea5582 | Integrate OWASP CRS v4 and Anti-Brute Force Security Rules | 2026-02-07 13:48:47 -03:00 |
| João Pedro Toledo Goncalves | 93d0324426 | docs(README): finalize 7-vector WAF documentation and combinatorial matrix details | 2026-02-07 12:46:56 -03:00 |
| João Pedro Toledo Goncalves | ec536dfe9a | feat(security): implement 7-vector combinatorial WAF matrix, 2024-2025 CVE protections, GeoIP integration and descriptive JSON logging | 2026-02-07 12:45:51 -03:00 |
| João Pedro Toledo Goncalves | f81ac3aa73 | all good | 2026-02-07 02:14:17 -03:00 |
| João Pedro Toledo Goncalves | 254ecb09f7 | docs: update snippets catalog and ignore .gemini | 2026-02-07 02:12:40 -03:00 |
| João Pedro Toledo Goncalves | fa29d48ed1 | Merge branch 'producao' of https://git.itguys.com.br/joao.goncalves/NgixProxy_Pathfinder into producao | 2026-02-07 01:57:37 -03:00 |
| João Pedro Toledo Goncalves | 58be68baaf | updates and stabilization | 2026-02-07 01:57:35 -03:00 |
| João Pedro Toledo Goncalves | aa219f8510 | Merge branch 'producao' of https://git.itguys.com.br/joao.goncalves/NgixProxy_Pathfinder into producao | 2026-02-07 01:56:37 -03:00 |
| João Pedro Toledo Goncalves | 2a1646c726 | feat(nginx): recompile with Stream, AIO threads and log fixes | 2026-02-07 01:55:53 -03:00 |
| João Pedro Toledo Goncalves | 78c3c82a69 | feat(elite): expand the 2026 elite stack - modules, performance, forensics and zero-downtime upgrade | 2026-02-07 00:20:07 -03:00 |
| João Pedro Toledo Goncalves | e932ca8f7d | feat(waf): implement modsecurity 3.0.14, CRS v4 plugins and per-app tunings | 2026-02-06 22:18:42 -03:00 |
| João Pedro Toledo Goncalves | 5ada628ac4 | docs: refine SSL issuance instructions and paths | 2026-02-06 18:21:13 -03:00 |
| João Pedro Toledo Goncalves | d64f3c527f | fix(ssl): update LetsEncrypt certificate paths with the -0001 suffix | 2026-02-06 18:20:16 -03:00 |
| João Pedro Toledo Goncalves | 9c9c747a4b | docs: detail the site activation and SSL workflow | 2026-02-06 18:07:29 -03:00 |
| João Pedro Toledo Goncalves | 326a3711f0 | docs: update README.md with native install guides and gold standards | 2026-02-06 18:05:39 -03:00 |
| João Pedro Toledo Goncalves | 0d395f42c5 | docs: consolidate READMEs and update for configuration-only model | 2026-02-06 16:44:41 -03:00 |
| João Pedro Toledo Goncalves | af977eb2cb | chore: pivot repository to configuration-only (removed docker artifacts and sensitive data) | 2026-02-06 16:41:59 -03:00 |
| João Pedro Toledo Goncalves | 454cd564a1 | fix: restore missing ssl certificates from history | 2026-02-06 16:28:35 -03:00 |
| João Pedro Toledo Goncalves | 7e5ce88adb | fix: add ssl certificates to ferreirareal config and confirm test-backend removal | 2026-02-06 16:24:40 -03:00 |
| João Pedro Toledo Goncalves | 7aea780cb1 | . | 2026-02-06 15:52:35 -03:00 |
| João Pedro Toledo Goncalves | 58b5fbd3e2 | . | 2026-02-06 15:48:47 -03:00 |
| João Pedro Toledo Goncalves | 56a9c5e91a | fix: isolate dynamic config (blacklist) to separate volume and bake static configs to prevent mount errors | 2026-02-06 14:45:03 -03:00 |
| João Pedro Toledo Goncalves | 21a9c393c5 | fix: bake nginx config into image and remove bind mount to prevent portainer directory error | 2026-02-06 14:13:14 -03:00 |
| João Pedro Toledo Goncalves | 368cda2b76 | feat: split logs into human-readable (stdout) and json (file) for better observability | 2026-02-06 13:17:20 -03:00 |
| João Pedro Toledo Goncalves | 9e7decd6de | refactor: restructure sites-ativos into nginx and logs folders for cleaner docker volume mapping | 2026-02-06 13:14:05 -03:00 |
| João Pedro Toledo Goncalves | 354759743f | feat: consolidate sites-ativos into production branch for single-source deployment | 2026-02-06 13:08:51 -03:00 |
| João Pedro Toledo Goncalves | 0048b1a70b | fix: resolve nginx infinite loop, crlf issues and missing modules | 2026-02-05 15:53:26 -03:00 |
| João Pedro Toledo Goncalves | 34bb52d60d | . | 2026-02-05 15:41:27 -03:00 |
| João Pedro Toledo Goncalves | 3eafb5891b | chore: ignore default fail2ban jails | 2026-02-05 14:43:00 -03:00 |
| João Pedro Toledo Goncalves | 61a4fce622 | feat(fail2ban): cleanup unused jails and add nginx-unified config | 2026-02-05 14:37:47 -03:00 |
| João Pedro Toledo Goncalves | 74b1f3892d | fix(docker): migrate to alpine 3.18, fix modsecurity and brotli build | 2026-02-05 14:29:58 -03:00 |
| João Pedro Toledo Goncalves | f0abf2932f | fix: adjust failregex for the Nginx JSON numeric pattern | 2026-02-04 19:52:13 -03:00 |
| João Pedro Toledo Goncalves | 441b69658c | docs: add cache sizing and security analysis | 2026-02-04 19:42:47 -03:00 |
| João Pedro Toledo Goncalves | 44c0220cba | docs: update README with details of the new infrastructure | 2026-02-04 19:20:34 -03:00 |
| João Pedro Toledo Goncalves | 609c92f484 | feat: implement high-end Nginx with HTTP/3 and ModSecurity | 2026-02-04 19:18:22 -03:00 |
| João Pedro Toledo Goncalves | d8c6607b3a | fix: add certbot-nginx to support the --nginx command | 2026-01-30 11:43:31 -03:00 |
| João Pedro Toledo Goncalves | 9f18a4598a | fix: escape password special characters in Dockerfile | 2026-01-29 14:51:22 -03:00 |
| João Pedro Toledo Goncalves | 216630a219 | feat: add itguys user with root access and sudo in .bashrc | 2026-01-29 09:25:36 -03:00 |
| João Pedro Toledo Goncalves | 6ee169464c | fix: mount volume to directory instead of file to avoid OCI error | 2026-01-29 09:22:52 -03:00 |
| João Pedro Toledo Goncalves | 368855f2b0 | fix: replace bind mounts with volumes and adjust the sites-ativos git lookup | 2026-01-29 09:18:36 -03:00 |
| João Pedro Toledo Goncalves | 54f8a4283b | feat: custom shell, SSH on port 122 and network_mode host | 2026-01-29 09:13:14 -03:00 |
| João Pedro Toledo Goncalves | c3b9316fd2 | removal of .gemini | 2026-01-29 09:03:08 -03:00 |
| João Pedro Toledo Goncalves | 7e20ba5c87 | Cleanup: Remove configs (conf.d, snippets) from production branch (moved to sites-ativos) | 2026-01-27 14:35:44 -03:00 |
| João Pedro Toledo Goncalves | 4cb6b85f29 | Fix: Remove snippets bind-mount to prevent empty directory shadowing | 2026-01-27 14:17:52 -03:00 |
| João Pedro Toledo Goncalves | fd770b61a2 | Fix: Add nano and remove nginx.conf host-mount for Portainer compatibility | 2026-01-27 14:14:33 -03:00 |
| João Pedro Toledo Goncalves | 975d6ab90b | Refactor: Simplify infrastructure to single Nginx container (Legacy Removed) | 2026-01-27 14:03:04 -03:00 |
654 changed files with 25734 additions and 7764 deletions

View File

@ -1,48 +0,0 @@
# Documentation and config folders
.gemini/
.git/
.github/
.vscode/
.idea/
# Legacy files (not needed in container)
legacy/
# Logs and debug files
*.log
debug_logs*.txt
nginx_test*.log
# Environment files
.env
.env.local
# Git files
.gitignore
.gitattributes
# Documentation
README.md
*.md
!nginx.conf
# Docker files (avoid recursive includes)
docker-compose*.yml
Dockerfile*
# Temporary and backup files
*.tmp
*.bak
*.swp
*.swo
*~
# OS files
.DS_Store
Thumbs.db
# SSL private keys (should be mounted as volume, not baked in)
ssl/*.key
# Disabled configs
*.disabled
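Review bot: Deleting this ignore file matches the configuration-only pivot, but the removed list was the only thing keeping `ssl/*.key`, `.env`, `.env.local` and `.git/` out of an image build context. The `.gitignore` hunk in this same change still names `Dockerfile` and `docker-compose.yml`, so if a build is ever reintroduced these entries need to come back with it; it would also help to state in the commit message that no image build remains in the repository after this change.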

View File

@ -1,135 +1,129 @@
# NGINX Pathfinder Proxy - Documentação Técnica
# 🤖 Instruções para Agentes Gemini
## Visão Geral
**Especialista NGINX/Linux Brasileiro. Gerencia Pathfinder Proxy. Escrita: direta e técnica.**
Projeto de infraestrutura para Proxy Reverso de Alta Disponibilidade, utilizando Containers Docker para modularidade e fácil manutenção.
## 🌍 Ambiente
## Arquitetura de Containers
- **OS**: Ubuntu 24.04 (Nativo). **IP**: 172.17.0.253.
- **Login**: itguys | **Senha**: vR7Ag$Pk
- **Git**: https://git.itguys.com.br/joao.goncalves/NgixProxy_Pathfinder.git.
- **Stack**: Nginx Mainline (1.29.5) + ModSec (3.0.14) + Fail2Ban (1.0.2).
O projeto roda sobre 3 serviços orquestrados via `docker-compose.yml`:
## 🧩 Snippets (`producao/nginx/snippets/`)
| Serviço | Imagem | Porta Exposta | Função |
|---------|--------|---------------|--------|
| **modsecurity** | `owasp/modsecurity-crs:nginx-alpine` | `80`, `443` | **Frontend (WAF)**. Recebe todo o tráfego da internet, filtra ataques (SQLi, XSS) e encaminha requisições limpas para o Proxy. |
| **nginx-proxy** | `alpine` (Custom Build) | `8080` (Interna) | **Backend Proxy**. Gerencia vhosts, terminação SSL, cache, compressão Brotli e roteamento para as aplicações finais. |
| **fail2ban** | `crazymax/fail2ban` | - | **Watchdog**. Lê logs compartilhados dos dois containers acima e bane IPs maliciosos diretamente no host (via iptables). |
- **acme_challenge**: Desafios Certbot (HTTP-01).
- **ads_disallow**: Bloqueia acesso a ads.txt.
- **bandwidth_limit**: Controle de banda e downloads (10MB+ limited to 1MB/s).
- **blacklist**: Lista dinâmica de IPs banidos pelo Fail2Ban.
- **cache_optimizer**: Configuração SWR (Stale-While-Revalidate) e headers de cache.
- **cache_proxy_params**: Parâmetros padrão para proxy cache (Lock, Stale).
- **cache_zones**: Definição de zonas de cache e chaves dinâmicas.
- **compression**: Stack moderna de compressão (Gzip + Brotli).
- **fingerprinting**: Cache imutável para assets versionados (Immutable).
- **humans.txt**: Créditos técnicos e ferramentas.
- **log_formats**: Definição do log JSON `detailed_proxy` com campos de segurança.
- **modsecurity**: Ativação do motor WAF e inclusão da Blacklist.
- **proxy_params**: Headers de proxy, timeouts e ofuscação de backend.
- **rate_limit**: Zonas de limitação (Global vs Punição).
- **robots_allow**: Permite indexação total em robots.txt.
- **robots_disallow**: Bloqueia indexação total em robots.txt.
- **security.txt**: Standard de reporte de vulnerabilidades (RFC 9116).
- **security_actions**: Ações de bloqueio baseadas no score (Retorna 444).
- **security_headers**: Headers de borda 2026 (COOP, COEP, CORP, Permissions).
- **security_maps**: Motor PSDE (Detecção de Bots, URIs, Métodos e Scoring).
- **ssl_params**: Stack TLS 1.3, HSTS e HTTP/3 (QUIC).
- **stub_status**: Métricas de estado do Nginx para monitoramento.
- **well_known**: Agregador de arquivos padrão (.well-known, robots, humans).
> **Note**: `app_specific_modsec_tuning` fica em `producao/nginx/modsec/`, não em snippets.
## 🔄 Workflow: Novo Site ou Atualização
**Sempre pergunte e pesquise antes de configurar:**
### Perguntas Obrigatórias
- **Novo Site?** Perguntar: Tipo de site, IP e URL destino.
- **Atualização?** Perguntar: Atualizar IP? Alterar URL destino?
### Regras
- **Pesquisa Web**: Obrigatório pesquisar ajustes finos específicos para o sistema/engine alvo.
- **Git**: Alt em `producao/` -> commit e push para branch `producao`.
- **Proibição**: NUNCA sincronize `.gemini/` ou `antes-do-docker/`.
- **Snippets Novos**: Se criar um novo snippet em `producao/nginx/snippets/`, documente-o nesta lista imediatamente.
---
## Automação SSL
## 🚀 Workflow de Deploy Técnico (Automação)
O sistema possui um mecanismo de **auto-cura** para certificados SSL.
**NUNCA faça commit direto na branch `producao` sem antes validar a configuração.**
### Componentes
1. **Certbot**: Instalado dentro do container `nginx-proxy`.
2. **Volumes**:
- `ssl/`: Onde ficam os arquivos `.crt` e `.key` usados pelo NGINX.
- `certbot/`: Onde o Certbot guarda os arquivos originais do Let's Encrypt.
3. **Scripts**:
- `scripts/inject_acme.sh`: Varre todos os arquivos em `conf.d/` e injeta o snippet de validação ACME (`.well-known`) se não existir.
- `scripts/renew_ssl.sh`:
1. Verifica a data de expiração de cada certificado ativo.
2. Se faltar **3 dias ou menos**, dispara `certbot renew`.
3. Copia os novos arquivos gerados para a pasta `ssl/`.
4. Recarrega o NGINX.
O repositório conta com um script de automação híbrido (`producao/scripts/deploy_pathfinder.py`) que deve ser usado para **todo e qualquer deploy**.
### Agendamento
- **Cron**: Configurado no `pre-flight.sh` para rodar todos os dias às **01:00 AM**.
- **Startup**: A verificação também roda a cada reinício do container.
### Passo a Passo para Agentes:
---
1. **Faça suas alterações** nos arquivos de configuração (`nginx/`).
2. **Valide e Deploye** rodando o script abaixo no terminal do Windows:
```powershell
python producao/scripts/deploy_pathfinder.py sync --all
```
3. **Verifique a Saída**:
- O script fará o upload, testará a configuração (`nginx -t`) no servidor e fará o reload.
- Se houver erro, **corrija antes de prosseguir**. O script fará rollback automático no servidor, mas seu código local estará "quebrado".
4. **Confirmar**: Somente após o sucesso do comando acima ("Deploy Remoto Concluído com Sucesso!"), faça o commit das alterações.
## Estrutura de Arquivos
## 🛠️ Comandos Úteis
```
.
├── conf.d/ # Configurações de sites (VHosts)
├── snippets/ # Trechos reutilizáveis
│ ├── acme_challenge.conf # Snippet para validação Let's Encrypt
│ ├── internal_networks.conf # IPs permitidos (VPN/Local)
│ └── ...
├── scripts/ # Scripts de automação
│ ├── pre-flight.sh # Entrypoint (DNS Check + Cron Setup)
│ ├── inject_acme.sh # Injetor de config ACME
│ └── renew_ssl.sh # Lógica de renovação
├── ssl/ # Certificados em uso
├── fail2ban/ # Configs do Fail2ban
│ ├── jail.d/ # Definição das prisões
│ └── filter.d/ # Regex de detecção
├── .gemini/ # Documentação do projeto
└── docker-compose.yml # Orquestração
```
- **Sincronizar Tudo (Nginx + Fail2Ban + GeoIP)**:
`python producao/scripts/deploy_pathfinder.py sync --all`
- **Deploy de Novo Site**:
`python producao/scripts/deploy_pathfinder.py site --deploy dominio.com`
- **Atualizar GeoIP Manualmente**:
`python producao/scripts/deploy_pathfinder.py geoip --update`
---
## ⚠️ Pontos de Atenção
## Módulos Especiais
- **GeoIP**: O script baixa automaticamente os bancos GeoIP se faltarem. Não precisa baixar manualmente.
- **Paramiko**: O script usa `paramiko` para SSH. Se não estiver instalado, instale com `pip install paramiko`.
- **Credenciais**: As credenciais de acesso ao servidor estão embutidas no cabeçalho do script. Não as exponha em logs públicos.
### 1. Brotli & Headers More
O container `nginx-proxy` é construído manualmente (`Dockerfile`) para incluir módulos que não vêm por padrão no Alpine:
- `nginx-mod-http-brotli`
- `nginx-mod-http-headers-more`
## 🐛 Solução de Problemas e Lições Aprendidas (2026-02-08)
### 2. ModSecurity (WAF)
Rodar o WAF em container separado (`modsecurity`) evita a necessidade de compilar o ModSecurity no NGINX principal.
### 1. Conflitos de ModSecurity (Loop em `nginx -t`)
- **Sintoma**: O deploy reporta sucesso, mas as alterações não aparecem no servidor. O log remoto mostra `nginx: [emerg] "modsecurity_rules_file" directive is duplicate`.
- **Causa**: O arquivo `snippets/modsecurity.conf` já define `modsecurity_rules_file`. Se você incluir esse snippet E também definir a diretiva `modsecurity_rules_file` no bloco `server` (ex: `ferreirareal.com.br.conf`), o Nginx falhará.
- **Solução**: Use apenas `include snippets/modsecurity.conf;` no bloco server. A diretiva `modsecurity_rules_file /etc/nginx/modsec/main.conf;` deve ficar comentada ou removida do vhost.
**Arquitetura Customizada:**
- **Injeção de Template**: Um arquivo `modsec.conf.template` local é montado durante o boot para contornar limitações de permissão do container oficial. Ele instrui o NGINX a carregar regras customizadas.
- **Regras Modulares**: Localizadas em `modsec_rules/`, divididas por aplicação (`gitea-rule-exceptions.conf`, `nextcloud...`).
- **Global**: `global-exceptions.conf` define apenas a whitelist de rede.
- **Bypass de Emergência**: Se o WAF falhar, altere as portas no `docker-compose.yml` para expor o `nginx-proxy` diretamente.
### 2. Scripts de Diagnóstico e Recuperação (2026-02-08)
---
Foram criados scripts auxiliares em `producao/scripts/` para situações de emergência ou validação profunda. Use-os com cautela:
## Fluxo de Deploy Atualizado
- **`restore_nginx.py`**:
- **Função**: Força o upload do `nginx.conf` local para o servidor e reinicia o serviço.
- **Uso**: `python producao/scripts/restore_nginx.py`
- **Quando usar**: Se o `deploy_pathfinder.py` falhar ou se o Nginx não subir por erro de configuração crítica (ex: variáveis faltando).
- **`fetch_logs.py`**:
- **Função**: Baixa logs específicos do servidor para análise local.
- **Uso**: `python producao/scripts/fetch_logs.py`
- **Quando usar**: Para investigar ataques ou erros sem precisar logar via SSH.
- **`verify_time_and_logs.py`**:
- **Função**: Verifica a data do servidor e os últimos logs de acesso.
- **Uso**: `python producao/scripts/verify_time_and_logs.py`
- **Quando usar**: Para confirmar se o timezone está correto (-0300) e se o Nginx está gerando logs novos.
```mermaid
graph TD
Start[Deploy] --> DetectIP[Detectar IP Público]
DetectIP --> Build[Docker Build (NGINX + Certbot)]
Build --> Up[Docker Compose Up]
Up --> PreFlight[Pre-Flight Script]
PreFlight --> DNSCheck[Validar DNS dos Domínios]
DNSCheck --> CronSetup[Configurar Cron Job]
CronSetup --> SSLCheck[Verificar Validade SSL]
SSLCheck -- Vence > 3 dias --> StartNginx[Iniciar NGINX]
SSLCheck -- Vence <= 3 dias --> Renew[Rodar renew_ssl.sh]
Renew --> StartNginx
```
### 3. Falhas Silenciosas de Rollback
- **Cuidado**: O script `deploy_pathfinder.py` executa um rollback automático se `nginx -t` falhar.
- **O que acontece**: O script restaura o backup anterior e reinicia o Nginx. Isso faz o deploy parecer bem-sucedido (exit code 0), mas seus arquivos novos foram descartados.
- **Verificação**: **SEMPRE** verifique o timestamp dos arquivos remotos após um deploy crítico para garantir que foram atualizados:
```python
# Exemplo de verificação rápida
client.exec_command("ls -l /etc/nginx/snippets/log_formats.conf")
```
---
### 3. Encoding Windows vs Linux
- **Problema**: `UnicodeEncodeError: 'charmap' codec can't encode character...` ao rodar scripts Python no Windows.
- **Causa**: O console do Windows padrão (cp1252) não suporta emojis como 🚀 ou ✅.
- **Regra**: Evite usar emojis ou caracteres especiais em scripts que rodam no lado do cliente (Windows). Use `[OK]`, `[ERROR]`, `[+]` em vez de ícones.
## Comandos Operacionais
**Verificar status dos serviços:**
```bash
docker compose ps
```
**Verificar validade dos SSL (Log):**
```bash
docker compose logs nginx-proxy | grep "SSL"
```
**Forçar renovação SSL manualmente:**
```bash
docker compose exec nginx-proxy /scripts/renew_ssl.sh
```
**Reload Zero-Downtime (Blue-Green Logic):**
Este comando valida a configuração e executa um reload gracioso (`nginx -s reload`), onde novos workers assumem as novas configurações enquanto os antigos terminam as requisições correntes.
```bash
./scripts/reload.sh # Linux
./scripts/reload.ps1 # Windows PowerShell
```
**Banir um IP manualmente:**
```bash
docker compose exec fail2ban fail2ban-client set nginx-badbots banip 1.2.3.4
```
**Adicionar novo site:**
1. Criar `conf.d/novo-site.conf`
2. `docker compose restart nginx-proxy`
3. O script de startup irá validar o DNS e injetar o suporte ACME automaticamente.
### 4. Organização e Limpeza
- **Área de Diagnóstico**: Use a pasta `logs/` na raiz do projeto (`ngnix-pathfinder-proxy/logs`) para armazenar logs temporários, downloads de debug e "bagunça" necessária durante investigações.
- **Limpeza**: Após resolver o problema, **limpe** esta pasta para não commitar lixo no repositório. O `.gitignore` deve ignorar essa pasta, mas mantenha o hábito de limpeza.
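Review bot: The `**Login**: itguys | **Senha**: ...` line in the Ambiente section commits a plaintext host password to the repository, and the Pontos de Atenção section says the same server credentials are embedded in the header of `deploy_pathfinder.py`. Both should be removed from tracked files (an environment variable or an SSH key, which `paramiko` supports, is enough for the deploy script), and because the value is already in git history it has to be treated as exposed and rotated, not just deleted from the file. Two smaller points: the rendered hunk mixes Docker-era sections (`docker-compose.yml`, `docker compose exec ...`, the `Dockerfile` paragraph) with the new native-install text, so whichever of those survive should be marked legacy or dropped now that the Dockerfiles are removed in this same change; and the silent-rollback caveat in item 3 is important enough that the suggested `ls -l` timestamp check belongs inside `deploy_pathfinder.py` as a post-deploy verification (compare the remote file hash with the local one and fail the run on mismatch) rather than being left to the operator.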

View File

@ -1,40 +0,0 @@
# Tarefas Pendentes e Melhorias Futuras
## 1. Gestão Dinâmica de DNS
**Origem:** Migração de `legacy/hosts`
- **Problema:** O método atual usa `extra_hosts` no `docker-compose.yml`, que é estático e exige recriação do container para alterações.
- **Objetivo:** Mudar o modo de registro e atualização de DNS para ser mais dinâmico ou simples.
- **Ideias:** DNS containerizado (Bind/CoreDNS) ou Service Discovery.
## 2. Revisão de Regras ModSecurity
**Origem:** Migração de `legacy/nginx/modsecurity/*.conf` (Regras Antigas)
- **Status:** ✅ Concluído.
- **Resolução:** Regras refatoradas para estrutura modular (`modsec_rules/`). WAF ativo e configurado via template injection para Gitea, Nextcloud, Exchange, Zabbix e outros.
- **Ação:** Monitorar logs (`modsec_audit.log`) para ajustes finos futuros.
## 3. Atualizações Zero-Downtime (Sem Queda)
**Objetivo:** Criar um método para atualizar configurações de sites sem que clientes externos percam a conexão.
- **Status:** ✅ Concluído.
- **Solução Implementada:** Script `./scripts/reload.sh` que executa `nginx -t` e `nginx -s reload` (Reload Suave/Process-Level Blue-Green).
- **Como usar:** Execute `./scripts/reload.sh` após alterar qualquer `.conf`.
## 4. Conexão Direta na Interface do Host
**Objetivo:** Configurar o proxy para rotear tráfego tanto internamente (entre containers Docker) quanto externamente (para serviços fora do Docker).
- **Status:** 🧪 Implementado - Aguardando Teste no Host
- **Solução Implementada:**
- Adicionado `host.docker.internal:host-gateway` no `docker-compose.yml` para ambos containers
- Criado `snippets/docker_resolver.conf` para resolução DNS dinâmica de containers
- Criado `conf.d/test-connectivity.conf` (temporário) com endpoints de teste
- Atualizado diagrama de arquitetura no `README.md`
- **Testes Necessários (no host de deploy):**
```bash
# Rebuild e restart
docker compose build --no-cache nginx-proxy
docker compose down && docker compose up -d
# Testar conectividade
docker compose exec nginx-proxy ping -c 2 10.10.253.254
docker compose exec nginx-proxy ping -c 2 10.10.253.128
```
- **Após Validação:** Deletar `conf.d/test-connectivity.conf` e marcar como ✅ Concluído.

View File

@ -0,0 +1,51 @@
---
description: Guia detalhado para garantir a segurança máxima (Hardening) em sites e no sistema Pathfinder Proxy.
---
# Workflow: Hardening de Segurança Pathfinder
Este workflow orienta o agente na aplicação das proteções mais rígidas para o ecossistema Nginx + ModSecurity + Fail2Ban.
### 1. Uso de Snippets de Segurança Existentes
Sempre utilize os snippets em `producao/nginx/snippets/` como base:
- **`ssl_params.conf`**: Configuração base de TLS e HTTP/3.
- **`security_headers.conf`**: Headers de borda modernos (Referrer, COOP, COEP).
- **`modsecurity.conf`**: Ativação do WAF e integração com a `blacklist.conf`.
- **`security_maps.conf`**: Inteligência de Scoring (PSDE).
- **`security_actions.conf`**: Decisão final de bloqueio (444).
- **`well_known.conf`**: Agregador de arquivos de raiz (robots, security, humans).
- **`rate_limit.conf`**: Limites de tráfego e zonas de punição.
### 2. Criação de Novos Snippets
Se as proteções atuais não forem suficientes para um sistema específico:
- **Crie um novo snippet** em `producao/nginx/snippets/` com nome descritivo.
- **Siga o padrão**: Use comentários claros e mantenha a modularidade.
- **Documentação Obrigatória**: Se criar um snippet novo, você **DEVE** adicionar sua descrição na seção `🛠️ Snippets` do arquivo `GEMINI.md` imediatamente.
### 3. Reforço da Camada SSL/TLS (Snippet `ssl_params`)
- **Protocolos**: Garanta o uso exclusivo de TLS 1.2 e TLS 1.3. Desative versões legadas.
- **HSTS**: Verifique se o header `Strict-Transport-Security` está ativo com pelo menos 1 ano (`31536000s`) e inclui subdomínios.
- **OCSP Stapling**: Certifique-se de que a validação de certificado é feita no servidor para reduzir latência e aumentar a privacidade.
- **HTTP/3**: Sempre anuncie os headers de QUIC (`Alt-Svc`) para navegadores compatíveis.
### 4. Implementação de Headers de Proteção de Borda
- **Anti-Clickjacking**: Use `X-Frame-Options: SAMEORIGIN` em todos os VHosts, a menos que o site precise ser emoldurado por domínios específicos.
- **Anti-Sniffing**: O header `X-Content-Type-Options: nosniff` deve ser obrigatório para evitar que o navegador execute arquivos com tipos MIME incorretos.
- **Segurança de Conteúdo (CSP)**: Analise os recursos (Scripts, Imagens, Estilos) e crie uma política que restrinja fontes externas não confiáveis.
- **Permissions-Policy**: Desative acessos desnecessários a hardware (Câmera, Microfone, Geolocalização) diretamente no nível de header.
### 5. Orquestração ModSecurity + PSDE
- **Motor Ativo**: O ModSecurity deve estar em modo de bloqueio (`SecRuleEngine On`) para todas as rotas sensíveis.
- **Sincronização com PSDE**: A lógica descrita no `security_maps.conf` deve atuar como a primeira linha de defesa (Fast-fail) para bots e URIs suspeitas.
- **Tratamento de Falsos Positivos**: Em caso de bloqueio indevido, a correção deve ser feita via remoção seletiva de regras por ID nos respectivos VHosts.
### 6. Blindagem contra Robôs e Scrapers (Snippet `well_known`)
- **Arquivos de Raiz (Well-Known)**: Utilize o snippet `well_known.conf` que já consolida as melhores práticas de identificação e bloqueio.
- **`robots_disallow.conf`**: Já configurado para retornar `Disallow: /`, instruindo robôs legítimos a não indexarem o site.
- **`security.txt.conf`**: Define o contato padrão de segurança (`mailto:suporte@itguys.com.br`).
- **`ads_disallow.conf`**: Bloqueia vendedores de anúncios não autorizados.
- **Bloqueio de IA e Má-Fé**: O sistema já possui no `security_maps.conf` uma lista extensa de assinaturas de IAs (GPTBot, ClaudeBot, Gemini-Ai, etc.) e Scrapers que ignoram o `robots.txt`. O agente deve apenas garantir que este mapeamento esteja ativo via `security_actions.conf`.
### 7. Gestão de Blacklist e Fail2Ban
- **Ação do Firewall**: O Nginx deve incluir o snippet `blacklist.conf` dentro do bloco do ModSecurity.
- **Isolamento de Erros**: Configurações de VHost que geram excesso de erros 403/404 devem ser monitoradas agressivamente pelo Fail2Ban.
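Review bot: In section 3 the HSTS value is written as `31536000s`; the header takes `max-age=31536000` with no unit suffix, so the doc should show the exact directive (`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`) to avoid a copy-paste error. Section 3 also prescribes TLS 1.2 and 1.3, while the snippet catalogue elsewhere in this change describes `ssl_params` as a TLS 1.3 stack; pick one and state it in both places. In section 4, `X-Frame-Options: SAMEORIGIN` should be paired with a `Content-Security-Policy: frame-ancestors` directive, which is the current mechanism and supports the per-domain exceptions the text mentions. Finally, step 2 tells the agent to document new snippets in the `🛠️ Snippets` section of `GEMINI.md`, but that file's heading in this change is `🧩 Snippets`.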

View File

@ -0,0 +1,78 @@
---
description: Guia passo a passo para otimizar buffers, timeouts e cache no Nginx baseado no tipo de carga de trabalho.
---
# 🚀 Workflow: Performance Tuning (Pathfinder Proxy)
Este workflow guia o ajuste fino do Nginx para extrair a máxima performance, garantindo que o tempo de resposta (`request_time`) e a carga da CPU sejam minimizados.
### 1. Base Tecnológica (Obrigatório)
Todo site no Pathfinder deve começar com a fundação de compressão e parâmetros base:
```nginx
# No bloco 'http' ou 'server'
include snippets/compression.conf; # Gzip + Brotli (Google)
include snippets/proxy_params.conf; # Real-IP + Headers + Buffers Base
```
### 2. Aplicação de Presets por Carga de Trabalho
#### ⚡ Preset: APIs e Node.js
O `proxy_params.conf` já traz timeouts de 60s. Para APIs de tempo real, você deve **sobrescrever** para timeouts mais agressivos:
```nginx
location /api/ {
include snippets/proxy_params.conf;
# Sobrescrita para baixa latência
proxy_read_timeout 30s;
proxy_buffering off;
# Suporte a WebSockets (Necessário para Traccar/Socket.io)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
```
#### 📂 Preset: Downloads e Assets Estáticos
Otimize usando o motor SWR (Stale-While-Revalidate):
```nginx
location /static/ {
include snippets/cache_optimizer.conf; # Ativa SWR + X-Cache-Status
# Performance de Sistema
sendfile on;
tcp_nopush on;
# Cache no Browser (1 ano para assets com hash)
expires 365d;
add_header Cache-Control "public, no-transform";
}
```
#### 🎬 Preset: Streaming (Vídeo/Áudio)
Para streaming, precisamos de buffers maiores que o padrão do `proxy_params.conf`:
```nginx
location /stream/ {
include snippets/proxy_params.conf;
# Suporte a Range Requests (Seek no vídeo)
proxy_cache_key "$host$request_uri$http_range";
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
# Tuning de Buffer Exclusivo
proxy_buffers 32 16k;
proxy_buffer_size 64k;
proxy_read_timeout 600s;
}
```
### 3. Caching Inteligente (Pseudo-CDN)
Use o snippet `cache_zones.conf` para definir onde o cache reside e o `cache_proxy_params.conf` para comportamento padrão de cache.
### 4. Verificação de Performance
Utilize o formato de log **detailed_proxy** (definido em `snippets/log_formats.conf`) para depurar gargalos:
```bash
# Monitorar tempo de resposta do backend em tempo real
tail -f /var/log/nginx/access_json.log | jq '. | {url: .uri, status: .status, upstream_time: .upstream_response_time, cache: .upstream_cache_status}'
```
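Review bot: The `/static/` preset's `add_header Cache-Control ...` line has a side effect that needs documenting: nginx `add_header` directives are inherited from the enclosing level only when the current level defines none of its own, so a location that adds Cache-Control silently loses every header from `security_headers.conf` included at `server` level (HSTS, COOP/COEP/CORP, X-Content-Type-Options) for those responses. Either re-`include snippets/security_headers.conf;` inside the location or set the headers via the `headers-more` module the stack already carries. In the API preset, a hardcoded `proxy_set_header Connection "upgrade";` applies to every `/api/` request, not just WebSocket upgrades, and breaks upstream keepalive for plain requests; the usual form is `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the `http` block with `proxy_set_header Connection $connection_upgrade;`. Lastly, `proxy_cache_key "$host$request_uri$http_range"` in the streaming preset only takes effect with an active cache zone; that block includes `proxy_params.conf` but not `cache_proxy_params.conf`, so either add the cache include or drop the key.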

42
.gitignore vendored
View File

@ -1,34 +1,12 @@
# Logs and debug files
*.log
debug_logs*.txt
nginx_test*.log
# Environment files
.env
.env.local
# Runtime Data
logs/
ssl/
certbot/
# Docker
docker-compose.override.yml
# SSL certificates (sensitive - should be managed separately)
ssl/*.key
ssl/*.crt
ssl/*.pem
# Editor files
.vscode/
.idea/
*.swp
*.swo
*~
# OS files
.DS_Store
Thumbs.db
# Temporary files
*.tmp
*.bak
# Disabled configs
*.disabled
docker-compose.yml
Dockerfile
*.sh
.env
.gemini/
logs/
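Review bot: Two concerns with the new ignore list (the rendered diff carries no +/- markers, so this is read from the old 34-line and new 12-line shapes). First, `*.sh` ignores every shell script in the repository, including `scripts/renew_ssl.sh`, `scripts/inject_acme.sh` and `scripts/reload.sh`, which the docs in this same change tell operators to run; scope the pattern to the directory that actually holds generated scripts or drop it. Second, the old file ignored `ssl/`, `certbot/`, `ssl/*.key`, `ssl/*.crt` and `ssl/*.pem`; none of those paths appear in the short new list, and a commit in this range is titled `fix: restore missing ssl certificates from history`, so private keys may now be trackable. Keep at least `ssl/*.key` and `*.pem` ignored, and if a private key was ever committed, rotate it, because removing it from the tree does not remove it from history.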

View File

@ -1,19 +0,0 @@
FROM alpine:latest
# Install NGINX and tools
RUN apk add --no-cache nginx nginx-mod-http-brotli nginx-mod-http-headers-more bind-tools openssl curl certbot git
# Copy custom config
COPY nginx.conf /etc/nginx/nginx.conf
COPY conf.d/ /etc/nginx/conf.d/
# Copy snippets
COPY snippets/ /etc/nginx/snippets/
# Copy scripts
COPY scripts/ /scripts/
RUN chmod +x /scripts/*.sh
# Entrypoint
ENTRYPOINT ["/scripts/pre-flight.sh"]
CMD ["nginx", "-g", "daemon off;"]

View File

@ -1,4 +0,0 @@
FROM crazymax/fail2ban:latest
# Copy fail2ban configurations
COPY fail2ban/ /data/

View File

@ -1,12 +0,0 @@
FROM owasp/modsecurity-crs:nginx-alpine
# Copy custom configuration template
COPY modsec.conf.template /etc/nginx/templates/modsecurity.d/modsecurity.conf.template
# Copy custom rules
COPY modsec_rules/ /etc/nginx/custom_rules/
# Copy custom Nginx Configs (Frontend)
# Remove default.conf to avoid conflicts and ensure our config takes precedence
RUN rm -f /etc/nginx/conf.d/default.conf
COPY modsec_conf/ /etc/nginx/conf.d/

371
README.md
View File

@ -1,238 +1,189 @@
# NGINX Pathfinder Proxy
# 🛡️ Nginx Pathfinder Proxy
Solução moderna de Proxy Reverso containerizado, construída com NGINX, ModSecurity WAF e automação de SSL.
## 🚀 Funcionalidades
### 🛡️ Segurança em Primeiro Lugar
- **ModSecurity WAF**: Conjunto de Regras OWASP (CRS) integrado rodando como proxy sidecar/frontend.
- **Fail2ban**: Serviço "cão de guarda" que bane IPs com comportamento suspeito (bots ruins, excesso de erros 4xx/5xx).
- **Mapas de Segurança**: Bloqueio automatizado de User-Agents maliciosos e restrições de rede interna.
### ⚡ Performance
- **HTTP/3 (QUIC)**: Habilitado para conexões modernas de baixa latência.
- **Compressão Brotli**: Melhores taxas de compressão que o Gzip padrão.
- **Headers More**: Manipulação avançada de cabeçalhos para respostas limpas.
### 🔒 SSL Automatizado
- **Renovação Zero-Touch**: O Certbot integrado verifica a validade diariamente.
- **Auto-Renovação**: Renova automaticamente certificados próximos do vencimento (<= 3 dias).
- **Injeção Inteligente**: Injeta automaticamente os snippets de desafio ACME nas configurações dos sites.
Este repositório é o núcleo de inteligência e configuração do **Pathfinder Proxy**, instalado nativamente em **Ubuntu 24.04**. Ele combina performance extrema (HTTP/3, Brotli) com um motor de segurança multicamadas (PSDE + WAF + Fail2Ban).
---
## 🛠️ Como Trabalhar neste Repositório
## 🏗️ Estrutura de Pastas e Componentes
A configuração é modular para permitir manutenção rápida e alta disponibilidade.
- `nginx.conf`: O "cérebro" global. Configura workers, logs JSON e carrega os módulos dinâmicos.
- `conf.d/`: Contém as definições de cada site (**VHosts**).
- `snippets/`: Componentes reutilizáveis (SSL, Proxy, Cache, WAF, Headers).
- `modsec/`: Configuração do ModSecurity, regras **OWASP CRS v4** e tunings específicos.
- `dynamic/`: Arquivos modificados em tempo real (ex: `blacklist.conf` pelo Fail2Ban).
- `scripts/`: Scripts de automação e diagnóstico (`deploy_pathfinder.py`, `restore_nginx.py`, `fetch_logs.py`).
---
## 🧩 Guia de Snippets (Uso Obrigatório)
Para garantir o **Padrão Ouro**, todo site deve incluir os snippets básicos:
1. `include snippets/ssl_params.conf;`: Ativa TLS 1.3, HSTS e anuncia **HTTP/3 (QUIC)**.
2. `include snippets/proxy_params.conf;`: Headers padrão e ofuscação de tecnologia de backend (`Server`, `X-Powered-By`).
3. `include snippets/security_headers.conf;`: **Headers de 2026** (COOP, COEP, CORP) para proteção de isolamento do navegador.
4. `include snippets/modsecurity.conf;`: Ativa o WAF e a Blacklist dinâmica.
5. `include snippets/security_actions.conf;`: Toma a decisão final de bloquear (`444`) se o motor PSDE detectar risco alto.
6. `include snippets/cache_optimizer.conf;`: Otimiza a entrega de estáticos com cache inteligente (SWR).
### 📚 Catálogo Completo de Snippets
Abaixo, a lista completa de componentes modulares disponíveis em `nginx/snippets/`:
#### 🔒 Segurança & WAF
- **`modsecurity.conf`**: Ativa o WAF (OWASP CRS v4) e carrega a blacklist.
- **`security_headers.conf`**: Headers de borda 2026 (COOP, COEP, CORP, Permissions-Policy).
- **`security_actions.conf`**: Executa o bloqueio (Return 444) baseado no score do PSDE.
- **`security_maps.conf`**: Motor de decisão (PSDE), detecção de bots, scorings e variáveis de risco.
- **`blacklist.conf`**: Lista dinâmica de IPs banidos (gerenciado pelo Fail2Ban).
- **`ads_disallow.conf`**: Bloqueia acesso a `ads.txt`.
- **`robots_disallow.conf`**: Bloqueia indexação total (para ambientes de homologação/privados).
- **`robots_allow.conf`**: Permite indexação total.
#### 🚀 Performance & Cache
- **`cache_optimizer.conf`**: Otimização fina de SWR (Stale-While-Revalidate) e headers de cache.
- **`cache_proxy_params.conf`**: Configurações padrão de lock e validade de cache para upstream.
- **`cache_zones.conf`**: Definição das zonas de memória compartilhada e chaves de cache.
- **`compression.conf`**: Stack de compressão moderna (Brotli + Gzip) com níveis otimizados.
- **`fingerprinting.conf`**: Cache imutável (1 ano) para assets versionados com hash no nome.
#### 🚦 Controle de Tráfego
- **`rate_limit.conf`**: Zonas de limitação de requisições (Global vs Punição por Score).
- **`bandwidth_limit.conf`**: Limita a velocidade de download após X MB transferidos.
- **`proxy_params.conf`**: Headers de encaminhamento (Real-IP, Forwarded) e ofuscação de backend.
- **`ssl_params.conf`**: Configuração TLS 1.3, HSTS e HTTP/3 (QUIC).
- **`acme_challenge.conf`**: Endpoint para renovação de certificados SSL (Certbot).
#### 📊 Monitoramento & Identidade
- **`log_formats.conf`**: Define o formato JSON `detailed_proxy` rico em metadados de segurança.
- **`stub_status.conf`**: Endpoint de métricas internas do Nginx (para Zabbix/Prometheus).
- **`humans.txt.conf`**: Rota para arquivos de créditos técnicos.
- **`security.txt.conf`**: Rota padrão (RFC 9116) para reporte de segurança.
- **`well_known.conf`**: Agregador que inclui robots, humans e security.txt de uma vez.
---
## 🛡️ Camada de WAF (ModSecurity 3.0.14)
O Pathfinder Proxy utiliza o **ModSecurity v3** compilado sob medida para o Nginx Mainline.
- **Versão Nginx**: 1.29.5 Mainline (Oficial).
- **Versão ModSec**: 3.0.14.
- **Regras**: OWASP Core Rule Set (CRS) v4 (Instalação Minimalista).
- **Anti-Brute Force**: Proteção integrada contra força bruta em páginas de login via ModSecurity Collections (Phase 1).
- **API Support**: Métodos **PUT, PATCH e DELETE** liberados por padrão para suporte a sistemas modernos.
- **Tuning**: Arquivo `modsec/app_specific_modsec_tuning.conf` centraliza exceções granulares (Zabbix, Gitea, UniFi, Veeam).
---
## 🧠 Motor de Segurança PSDE "Elite" (8-Vector Matrix)
Diferente de firewalls comuns, o Pathfinder utiliza uma **Matriz de Pontuação Combinatória** no `security_maps.conf` que analisa 8 vetores simultâneos:
1. **🛡️ Bot:** Bloqueio de 600+ user-agents maliciosos.
2. **🌐 URI:** Acesso a arquivos sensíveis e assinaturas de CVEs recentes.
3. **⚙️ Method:** Métodos HTTP perigosos (TRACE, DEBUG) em rotas críticas.
4. **🔥 Payload:** Inspeção profunda de `$args` (SQLi, XSS, RCE, Log4j).
5. **🌍 Geo:** Risco por país (CN, RU, KP, IR) via **GeoIP2**.
6. **🚦 Protocol:** Violações como User-Agents vazios ou falsificados.
7. **🔗 Referer:** 400+ domínios de spam e phishing bloqueados instantaneamente.
8. **🤯 Header:** Detecção de anomalias em cabeçalhos customizados (ex: React2Shell CVE-2025-55182).
### 📈 Lógica de Decisão
- **Nivel 3 (ATAQUE_CRITICO)**: Payloads maliciosos, Referer Spam, Headers Corrompidos ou combinação de 3+ vetores.
- **Nivel 2 (RISCO_ALTO)**: Combinação de 2 vetores de risco (ex: Bot + Geo-Risco).
- **Nivel 1 (SUSPEITO)**: Detecção de sinais individuais.
---
## 🛠️ Workflow Operacional: Ativando um Novo Site
Siga este procedimento para colocar um novo sistema no ar com segurança máxima:
### 1. Preparação no Repositório (Local)
1. Crie o arquivo `nginx/conf.d/nome-do-site.conf` seguindo o **Padrão Ouro**.
2. **Atenção:** Aponte os caminhos de certificado para `/etc/letsencrypt/live/nome-do-site/`.
3. Faça o commit e push para a branch `producao`.
### 2. Sincronização no Servidor (SSH)
1. Entre no servidor e vá para o diretório de scripts: `cd /etc/nginx/scripts/`.
2. Execute o deploy seguro: `sudo python3 deploy_pathfinder.py`.
- **Nota:** Este script faz backup automático e rollback se a configuração estiver errada.
---
## 🛠️ Automação de Deploy (Pathfinder Automator V2 - Hybrid)
O Pathfinder conta com o orquestrador `scripts/deploy_pathfinder.py`, que agora funciona em modo **Híbrido (Windows Client -> Linux Server)**. Você roda o script na sua máquina local e ele faz todo o trabalho sujo.
### Pré-requisitos
- Docker & Docker Compose instalados
- Acesso à internet (para baixar imagens e validar SSL)
- Python 3 instalado no Windows.
- Biblioteca Paramiko: `pip install paramiko`
### 1. Implantar o Servidor (Deploy)
Para iniciar toda a infraestrutura:
```bash
./deploy.sh
```
*Este script detecta seu IP público, configura o ambiente e sobe os containers.*
### Comandos Principais
- **`python producao/scripts/deploy_pathfinder.py sync --all`**:
- Empacota suas configs locais.
- Conecta no servidor via SSH.
- Atualiza bancos GeoIP automaticamente.
- Sincroniza configurações e recarrega o Nginx.
- **Faz Rollback Automático** se o `nginx -t` falhar.
### 2. Adicionar um Novo Site
Todas as configurações de sites ficam na pasta `conf.d/`.
- **`python producao/scripts/deploy_pathfinder.py site --deploy <domínio>`**:
- Sobe um novo VHost + Certificado SSL + Teste de DNS.
1. **Crie o arquivo de configuração**:
Crie um arquivo `.conf` em `conf.d/` (ex: `meusite.com.br.conf`). Use um dos arquivos existentes como modelo.
**Modelo Básico (com SSL):**
```nginx
# Backend (para onde vai o tráfego)
upstream meu_backend {
server 192.168.1.10:8080;
}
- **`python producao/scripts/deploy_pathfinder.py geoip --update`**:
- Força a atualização dos bancos de dados GeoIP2 (Mirror GitHub).
# Redirecionamento HTTP -> HTTPS
server {
listen 80;
server_name meusite.com.br;
include /etc/nginx/snippets/acme_challenge.conf; # Importante para SSL
return 301 https://$host$request_uri;
}
### 🛡️ Segurança de Operação
- **Backup & Rollback Atômico**: Cada alteração gera um `.bak`. Se `nginx -t` falhar, o script desfaz a alteração imediatamente.
- **Auditoria Syslog**: Todas as ações são registradas no syslog do servidor.
- **Validação Local**: O script retorna `Exit Code 1` no Windows se falhar no Linux, ideal para CI/CD.
- **DNS Safeguard**: O deploy de SSL só ocorre se o DNS já estiver apontando para o IP do servidor, evitando bloqueios no Let's Encrypt.
# Bloco HTTPS
server {
listen 443 ssl;
http2 on;
server_name meusite.com.br;
---
ssl_certificate /etc/nginx/ssl/meusite.com.br.crt;
ssl_certificate_key /etc/nginx/ssl/meusite.com.br.key;
## 🔐 Gestão de SSL (Let's Encrypt)
include /etc/nginx/snippets/ssl_params.conf;
O Pathfinder Proxy usa o desafio **HTTP-01** via snippet `acme_challenge.conf`. Isso permite emitir certificados sem parar o Nginx.
location / {
proxy_pass http://meu_backend;
include /etc/nginx/includes/proxy_backend.conf;
}
}
```
### Emissão do Primeiro Certificado
Rode os comandos abaixo (substitua o domínio):
2. **Aplique as alterações**:
1. **Criar pasta de desafios (se não existir):**
```bash
docker compose restart nginx-proxy
sudo mkdir -p /var/lib/letsencrypt && sudo chown www-data:www-data /var/lib/letsencrypt
```
*No reinício, o script de pre-flight validará o DNS e injetará configurações de SSL necessárias.*
### 3. Modificar Configurações Globais
As configurações globais são modularizadas na pasta `snippets/`.
2. **Gerar o certificado:**
```bash
sudo certbot certonly --webroot -w /var/lib/letsencrypt/ -d meusite.com.br -d www.meusite.com.br
```
- **Rate Limiting**: Edite `snippets/rate_limit.conf` para ajustar os limites de requisições por segundo.
- **Bloqueio de Bots**: Edite `snippets/security_maps.conf` para adicionar novos User-Agents à lista negra.
- **Cache**: Edite `snippets/cache_zones.conf` para definir novas zonas ou tempos de cache.
### 3.1. Modificar Regras do WAF (ModSecurity)
O WAF agora utiliza uma estrutura modular de regras localizada na pasta `modsec_rules/`.
- **Arquivos Específicos**: Regras para Gitea, Nextcloud, Exchange, Zabbix, etc. ficam em seus respectivos arquivos `.conf`.
- **Global**: `global-exceptions.conf` contém apenas whitelists de rede interna.
- **Aplicação**: Após editar qualquer regra, reinicie o container do WAF para aplicar:
```bash
docker compose restart modsecurity
```
> **Nota Técnica**: O arquivo `modsec.conf.template` na raiz é injetado no container durante o boot para contornar problemas de permissão e garantir o carregamento das regras customizadas.
### 4. Gerenciar Certificados SSL
O sistema gerencia isso automaticamente, mas você pode intervir manualmente se necessário.
- **Verificar Validade**:
Verifique os logs do startup para ver o status de todos os domínios:
```bash
docker compose logs nginx-proxy | grep "SSL"
```
- **Forçar Renovação**:
Se precisar renovar um certificado imediatamente:
```bash
docker compose exec nginx-proxy /scripts/renew_ssl.sh
```
- **Reload sem Downtime (Recomendado)**:
Para aplicar alterações de configuração (vhosts, SSL) sem derrubar conexões ativas:
```bash
./scripts/reload.sh
```
### 5. Monitorar e Debugar
- **Verificar Status dos Containers**:
```bash
docker compose ps
```
- **Ver Logs em Tempo Real**:
```bash
docker compose logs -f
```
- **Verificar se o WAF (ModSecurity) bloqueou algo**:
```bash
docker compose logs modsecurity | grep "Access denied"
```
- **Verificar Banimentos do Fail2ban**:
```bash
docker compose exec fail2ban fail2ban-client status nginx-badbots
```
> [!TIP]
> **Atenção aos Caminhos:** Se o Certbot gerar uma pasta com final `-0001`, certifique-se de que o arquivo `.conf` do seu site em `/etc/nginx/conf.d/` aponta para o caminho exato gerado por ele. Você pode conferir os caminhos ativos com `sudo certbot certificates`.
---
## 🏗️ Visão Geral da Stack
## 🚀 Manutenção e Logs
```mermaid
graph TD
subgraph Internet
Client[Cliente Externo]
end
### Recompilar WAF e Performance (Se necessário)
Se o Nginx for atualizado ou se precisar habilitar o Brotli, o módulo precisará ser recompilado usando o script:
`sudo ./scripts/setup_pathfinder.sh`
subgraph Host["Host Docker (Portainer)"]
subgraph PathfinderStack["Stack: Pathfinder-Proxy<br/>Rede: 172.112.0.0/16"]
WAF["ModSecurity WAF<br/>172.112.0.3<br/>:80, :443"]
NGINX["nginx-proxy<br/>172.112.0.2<br/>:8080 interno"]
F2B["fail2ban<br/>network: host"]
end
subgraph HostNetwork["Rede Física do Host"]
HostIP["host.docker.internal<br/>(gateway)"]
end
subgraph OtherStacks["Outras Stacks Docker"]
Container1["Container A<br/>172.111.0.x"]
Container2["Container B<br/>172.113.0.x"]
end
end
subgraph ExternalServers["Servidores Externos"]
Server254["10.10.253.254"]
Server128["10.10.253.128<br/>Gitea"]
end
Client -->|":80/:443"| WAF
WAF -->|"proxy_pass :8080"| NGINX
F2B -.->|"lê logs"| WAF
F2B -.->|"lê logs"| NGINX
NGINX -->|"extra_hosts<br/>host-gateway"| HostIP
NGINX -.->|"bridge network"| Container1
NGINX -.->|"bridge network"| Container2
HostIP -->|"roteamento"| Server254
HostIP -->|"roteamento"| Server128
style WAF fill:#e74c3c,stroke:#c0392b,color:#fff
style NGINX fill:#3498db,stroke:#2980b9,color:#fff
style F2B fill:#27ae60,stroke:#1e8449,color:#fff
style Server128 fill:#9b59b6,stroke:#8e44ad,color:#fff
style Server254 fill:#9b59b6,stroke:#8e44ad,color:#fff
style HostIP fill:#f39c12,stroke:#d68910,color:#fff
style Container1 fill:#1abc9c,stroke:#16a085,color:#fff
style Container2 fill:#1abc9c,stroke:#16a085,color:#fff
### Validação
Sempre teste a configuração antes do reload:
```bash
sudo nginx -t
sudo systemctl reload nginx
```
---
### Auditoria e Diagnósticos
O Pathfinder agora reporta a **razão exata** do bloqueio nos logs JSON:
`tail -f /var/log/nginx/access_json.log | jq -r '"[\(.risk_category)] -> \(.risk_reason) | \(.request)"'`
## 📋 Sistemas e Servidores Configurados
- **`risk_category`**: TAG curta para máquinas (LIMPO, SUSPEITO, RISCO_ALTO, ATAQUE_CRITICO).
- **`risk_reason`**: Motivo humano detalhado (ex: "COMBINACAO: Bot conhecido em local sensivel").
Lista de todos os sistemas roteados pelo proxy, organizados por tipo de infraestrutura.
| Domínio | IP/Backend | Docker | VM | LXC | Descrição |
|---------|------------|:------:|:--:|:---:|-----------|
| `git.itguys.com.br` | 10.10.253.128 | ❌ | ❌ | ✅ | Gitea - Servidor Git |
| `zammad.itguys.com.br` | 172.16.254.59 | ❌ | ❌ | ✅ | Zammad - Helpdesk |
| `monitoramento.itguys.com.br` | 172.16.254.x | ❌ | ❌ | ✅ | Zabbix/Grafana |
| `mimir.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | Mimir - Métricas |
| `windmill.grupopralog.com.br` | 172.16.253.103:8000 | ❌ | ❌ | ✅ | Windmill - Automação |
| `katalog.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | Katalog |
| `verbocloud.itguys.com.br` | 172.16.253.13:11580 | ❌ | ❌ | ✅ | Nextcloud AIO |
| `cloud.grupopralog.com.br` | 172.16.253.12 | ❌ | ❌ | ✅ | Nextcloud Pralog |
| `srvoffice001.itguys.com.br` | 172.16.253.101 | ❌ | ✅ | ❌ | Exchange Server |
| `business.itguys.com.br` | 172.16.121.13 | ❌ | ✅ | ❌ | Exchange OWA |
| `vcenter.itguys.com.br` | 172.16.254.110:443 | ❌ | ✅ | ❌ | VMware vCenter |
| `unifi.itguys.com.br` | 172.16.254.123:8443 | ❌ | ✅ | ❌ | UniFi Controller |
| `workspace.itguys.com.br` | 172.16.121.2 | ❌ | ✅ | ❌ | Workspace Windows |
| `vscode.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | VS Code Server |
| `telefonia.itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Central Telefônica |
| `proxy.itguys.com.br` | localhost | ✅ | ❌ | ❌ | Este proxy |
| `itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Principal |
| `pralog.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Pralog |
| `anatram.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Anatram |
| `ferreirareal.com.br` | 172.16.x.x | ✅ | ❌ | ❌ | Site Ferreira Real |
| `petytransportes.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Pety Transportes |
| `solucionei.itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Solucionei |
| `rhema.itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Rhema |
| `integra.grupopralog.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | Integração Pralog |
| `ns1.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | DNS Primário |
| `ns2.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | DNS Secundário |
| `dns-primario.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | DNS Admin |
> [!NOTE]
> **Legenda:** Docker = Container Docker | VM = Máquina Virtual (VMware/Hyper-V) | LXC = Linux Container (Proxmox)
>
> IPs marcados como `172.16.x.x` precisam ser verificados nos arquivos de configuração individuais.
---
*Mantido por IT Guys*
---
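Review bot: The deploy procedure is documented with two conflicting entry points. "Sincronização no Servidor (SSH)" says to run `sudo python3 deploy_pathfinder.py` from `/etc/nginx/scripts/` on the server, while "Automação de Deploy (Pathfinder Automator V2 - Hybrid)" says to run `python producao/scripts/deploy_pathfinder.py sync --all` from a Windows client over Paramiko; the Docker-era steps (`./deploy.sh`, `docker compose restart modsecurity`, `docker compose exec fail2ban ...`) also remain next to the statement that the proxy is installed natively on Ubuntu 24.04. Keep one workflow and remove the other, otherwise an operator following the wrong half will end up editing files the running service does not read. Second, the "Sistemas e Servidores Configurados" table publishes backend IPs and roles for Exchange, vCenter, UniFi, DNS and the Git server; that inventory belongs in an access-restricted document rather than the README, and the `172.16.x.x` entries should be resolved from the vhost files instead of shipping a note that they still need verifying. Minor: "Nivel" should be "Nível" in the "Lógica de Decisão" list.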


@ -1,7 +0,0 @@
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
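Review bot: This looks like Certbot's stock `options-ssl-nginx.conf` (the `shared:le_nginx_SSL:1m` cache and this exact cipher string are what Certbot installs). Deleting it is only safe if no vhost still `include`s it and `snippets/ssl_params.conf` carries equivalent `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers off` settings; otherwise `nginx -t` fails on the missing include, or the listeners silently fall back to nginx's built-in defaults. The `DHE-RSA-*` suites listed here also depend on an `ssl_dhparam` file, and the DH parameters are removed in this same change, so those suites disappear either way; confirm that is intended.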


@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBDAKCAQEA7aEz2xmnoIbgtStbhLjO2kIgHb+mXbTBJi2aXSnMlih9Q2WWfEOY
TrSw98BLop6l/6FS9XqCNAaB06AQLYIrXx1V3MtT1x9JcHfwbgKacDsEf+B+yYXS
Avv8G6j6t4k0s7ovg9tVEpRr1n8YCDj1bWv1iiQjfotmzeex6NNE9rX31GvRpRhP
jY+I9JDU0xG7GA16dNYYkq7kNPF7f1HmpFZOPiqox+IoMxZPlMZsKfRxmWpNPbgy
Pmzbrf7i3Wj9gjjGbPSvJ5dnaz4XGqUxAXemAXhjQ9TLVEig2NNo8LeYp/1r22+H
Wls/ddseH7N2lOr3M4oHsaUo4vsKG/SAfwIBAgICAOE=
-----END DH PARAMETERS-----
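Review bot: Removing the DH parameter file needs a matching removal of any `ssl_dhparam` directive that referenced it, or `nginx -t` will fail on the missing path. Since nginx 1.11.0 no built-in DH parameters are used, so without `ssl_dhparam` the DHE suites are simply not offered; with TLS 1.3 and the ECDHE suites that is acceptable, it just should be a deliberate choice rather than a side effect of the cleanup. Committing the parameters themselves was never a secrecy problem, they are public values.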


@ -1,88 +0,0 @@
# ==============================================================================
# ARQUIVO: /etc/nginx/sites-available/gps.oestepan.com.br.conf
# AUTOR: Gemini (Especialista NGINX)
# DATA: 27/01/2026
#
# CONTEXTO:
# Proxy Reverso para Traccar GPS (OESTEPAN).
# ModSecurity (WAF) termina o SSL e envia tráfego descriptografado para a porta 8080.
# ==============================================================================
upstream traccar_backend {
server host.docker.internal:8083;
keepalive 32;
}
# ------------------------------------------------------------------------------
# BLOCO PRINCIPAL: Porta 8080 (Tráfego vindo do ModSecurity)
# ------------------------------------------------------------------------------
server {
listen 8080;
listen [::]:8080;
server_name gps.oestepan.com.br;
include /etc/nginx/snippets/acme_challenge.conf;
limit_req zone=global_limit burst=20 nodelay;
# ============================================================================
# LOGS
# ============================================================================
client_max_body_size 50M;
access_log /var/log/nginx/gps.oestepan.com.br.access.log detailed_proxy;
error_log /var/log/nginx/gps.oestepan.com.br.error.log warn;
# ============================================================================
# ROTAS (Sem SSL pois o WAF já terminou a encriptação)
# ============================================================================
# 1. WebSocket
location /api/socket {
proxy_pass http://traccar_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # Informa ao backend que é HTTPS
}
# 2. Rota Principal
location / {
proxy_pass http://traccar_backend;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # Informa ao backend que é HTTPS
proxy_buffering off;
proxy_request_buffering off;
proxy_read_timeout 90s;
}
}
# ------------------------------------------------------------------------------
# BLOCO DUMMY: Apenas para que o script renew_ssl.sh encontre os caminhos do SSL
# ------------------------------------------------------------------------------
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name gps.oestepan.com.br;
# Important: These paths MUST be in /etc/nginx/ssl/ (shared volume)
# so ModSecurity can access them. renew_ssl.sh will copy the certs here.
ssl_certificate /etc/nginx/ssl/gps.oestepan.com.br.fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/gps.oestepan.com.br.privkey.pem;
# Retorna 444 (No Response) se alguém tentar conectar direto (bypass WAF)
location / {
return 444;
}
}
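Review bot: The only protection this vhost had against clients reaching the backend without passing the WAF was the dummy `:443` block answering `444`; the real `listen 8080` block carried no `allow`/`deny`, so any peer on the same Docker network could talk to Traccar over plain HTTP, and the hard-coded `proxy_set_header X-Forwarded-Proto https;` would make the application treat that traffic as if it had been TLS-terminated. Whatever replaces this file in the native layout should bind the backend-facing listener to loopback or restrict it with `allow`/`deny` so only the WAF can reach it, since the `https` assertion is only true for requests that actually came through the terminating proxy. The `keepalive 32` upstream is fine, but the `/` location sets `proxy_http_version 1.1` without clearing the `Connection` header, so keepalive to the upstream will not actually be used there.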


@ -1,12 +0,0 @@
# Internal Networks Configuration
# Define internal network ranges for access control
# Allow access from internal networks
allow 10.10.0.0/16;
allow 10.11.0.0/16;
allow 10.12.0.0/16;
allow 172.16.0.0/16;
allow 127.0.0.1;
# Deny all others (uncomment if needed)
# deny all;
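Review bot: As written this snippet never restricted anything. nginx evaluates `allow`/`deny` rules in order and permits the request when none matches, so with `# deny all;` commented out every client was allowed regardless of the four `allow` lines above it. If the `global-exceptions.conf` that the README describes as "whitelists de rede interna" inherits this list, add a closing `deny all;` (or scope it to the locations that need it) rather than documenting an access control that is not enforced.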


@ -1,22 +0,0 @@
#!/bin/bash
set -e
echo "Detecting Public IP..."
CURRENT_IP=$(curl -s https://ifconfig.me)
if [ -z "$CURRENT_IP" ]; then
echo "Error: Could not detect Public IP."
exit 1
fi
echo "Public IP detected: $CURRENT_IP"
echo "HOST_PUBLIC_IP=$CURRENT_IP" > .env
echo "Building and testing..."
docker compose build
docker compose run --rm nginx-proxy nginx -t
echo "Deploying..."
docker compose up -d
echo "Done! Proxy is running."
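Review bot: `CURRENT_IP=$(curl -s https://ifconfig.me)` writes whatever the service returns straight into `.env` without checking that it is an IP address: `-s` without `-f` lets a 4xx/5xx body pass the `-z` test, and the value then lands in `HOST_PUBLIC_IP`, which compose interpolates into the `nginx-proxy` environment. If the hybrid `deploy_pathfinder.py` keeps this detection step, call `curl -fsS --max-time 10` and validate the result against an IPv4/IPv6 pattern before writing it; also consider `docker compose build --pull` so the test in `docker compose run --rm nginx-proxy nginx -t` runs against a fresh base image.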


@ -1,94 +0,0 @@
services:
# ============================================
# ModSecurity WAF (Frente do NGINX)
# ============================================
modsecurity:
build:
context: .
dockerfile: Dockerfile.modsec
container_name: modsecurity-waf
restart: always
ports:
- "80:80"
- "443:443"
environment:
# - BACKEND=http://nginx-proxy:8080 # Replaced by static config mount
- PARANOIA=1
- ANOMALY_INBOUND=5
- ANOMALY_OUTBOUND=4
volumes:
- ssl_data:/etc/nginx/ssl:ro
- modsec_logs:/var/log/modsecurity
depends_on:
- nginx-proxy
extra_hosts:
- "host.docker.internal:host-gateway"
- "srvproxy001.itguys.com.br:172.16.254.1"
- "srvproxy001:172.16.254.1"
- "zammad.itguys.com.br:172.16.254.59"
- "zammad:172.16.254.59"
- "cloud.grupopralog.com.br:172.16.253.12"
- "business.itguys.com.br:172.16.121.13"
- "verbocloud.itguys.com.br:172.16.253.13"
- "srvoffice001.itguys.com.br:172.16.253.101"
- "srvoffice001:172.16.253.101"
# ============================================
# NGINX Proxy (Backend do ModSecurity)
# ============================================
nginx-proxy:
build: .
container_name: nginx-proxy
restart: always
expose:
- "8080"
environment:
- HOST_PUBLIC_IP=${HOST_PUBLIC_IP}
volumes:
- ssl_data:/etc/nginx/ssl
- nginx_cache:/var/cache/nginx
- nginx_logs:/var/log/nginx
- certbot_data_conf:/etc/letsencrypt
- certbot_data_www:/var/www/certbot
- repo_data:/opt/repo
extra_hosts:
- "host.docker.internal:host-gateway"
- "server-254:10.10.253.254"
- "srvproxy001.itguys.com.br:172.16.254.1"
- "srvproxy001:172.16.254.1"
- "zammad.itguys.com.br:172.16.254.59"
- "zammad:172.16.254.59"
- "cloud.grupopralog.com.br:172.16.253.12"
- "business.itguys.com.br:172.16.121.13"
- "verbocloud.itguys.com.br:172.16.253.13"
- "srvoffice001.itguys.com.br:172.16.253.101"
- "srvoffice001:172.16.253.101"
# ============================================
# Fail2ban (Lê logs e bane IPs)
# ============================================
fail2ban:
build:
context: .
dockerfile: Dockerfile.fail2ban
container_name: fail2ban
restart: always
network_mode: host
cap_add:
- NET_ADMIN
- NET_RAW
volumes:
- nginx_logs:/var/log/nginx:ro
- modsec_logs:/var/log/modsecurity:ro
volumes:
nginx_cache:
nginx_logs:
modsec_logs:
ssl_data:
certbot_data_conf:
certbot_data_www:
repo_data:
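Review bot: The `# Replaced by static config mount` comment on the `BACKEND` line does not match the service definition: `modsecurity` mounts only `ssl_data` and `modsec_logs`, there is no bind mount for its nginx config, so the frontend config enters solely through the image build (the `COPY modsec_conf/` step in the Dockerfile hunk) and changes require `docker compose build`, not a restart. On the `fail2ban` service, `network_mode: host` with `NET_ADMIN`/`NET_RAW` is the usual way to let it drive the host firewall, but bans then have to go into the `DOCKER-USER` chain to affect the published ports 80/443 of the `modsecurity` container, because `INPUT` never sees forwarded container traffic; the vendored fail2ban README in this change explains that, but the repo's own `jail.local` does not appear here, so the chains actually in use cannot be verified from this diff. Finally, `ssl_data` is rw in `nginx-proxy` and ro in `modsecurity`, which is the right direction given that the renewal script writes there.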


@ -0,0 +1,305 @@
# Configuration README
!! NOTICE !!
When using [linuxserver/fail2ban](https://github.com/linuxserver/docker-fail2ban), the `*.conf` files in this directory and its subdirectories will be replaced every time the container restarts. The files are meant to be easily viewed so that you can reference them.
If you would like to customize anything, create a `*.local` file with the same name as the `*.conf` file and apply your customizations. You do not need to copy the entire `*.conf` file to `*.local`, you only need to include things you want to change.
For example, to adjust `jail.conf`, create `jail.local` and apply your customizations there.
## File Parsing Order
Fail2ban will combine action configurations in the following order:
```text
action.d/*.conf (in alphabetical order)
action.d/*.local (in alphabetical order)
```
Fail2ban will combine filter configurations in the following order:
```text
filter.d/*.conf (in alphabetical order)
filter.d/*.local (in alphabetical order)
```
Fail2ban will combine jail configurations in the following order:
```text
jail.conf
jail.d/*.conf (in alphabetical order)
jail.local
jail.d/*.local (in alphabetical order)
```
## Chains
Chains affect how access is restricted. There are two primary ways to restrict access.
### `DOCKER-USER`
The `DOCKER-USER` chain is used to restrict access to applications running in Docker containers. This will restrict access to all containers, not just the one that the jail is configured for.
### `INPUT`
The `INPUT` chain is used to restrict access to applications running on the host. This will restrict access to the host network stack. The host network stack may not be inclusive of all Docker network stacks, thus the `DOCKER-USER` chain is used separately for applications running in Docker containers.
### `FORWARD` (for legacy versions of Docker)
The `FORWARD` chain may be used on systems running older versions of Docker where the `DOCKER-USER` chain is not available.
## `jail.local` Examples
These are examples of what you can do in your `jail.local`. There is no universally correct way to setup `jail.local` as it depends on your needs.
You can enable any of the pre-made jails by reviewing the files in `jail.d/` and adding a few lines to your `jail.local` to enable the jail.
### Basic Example
This example shows how to enable jails for sshd on the host, and SWAG (nginx) running in a container. It also includes some general recommendations and optional lines commented out.
In order for bans to work correctly, the `INPUT` chain should be used for applications running on the host, and the `DOCKER-USER` chain should be used for applications running in containers.
In this basic example:
- `sshd` expects ssh to be running on the host (not in a container), so the `INPUT` chain is used
- `nginx-http-auth` expects nginx to be running in a container (ex: SWAG), so the `DOCKER-USER` chain is used
```ini
[DEFAULT]
# Prevents banning LAN subnets
ignoreip = 127.0.0.1/8 ::1
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
# The ban action "iptables-multiport" (default) should work for most
# The ban action "iptables-allports" can be used if multiport causes issues
#banaction = %(banaction_allports)s
[sshd]
# configuration inherits from jail.conf
enabled = true
chain = INPUT
action = %(known/action)s
[nginx-http-auth]
# configuration inherits from jail.conf
enabled = true
chain = DOCKER-USER
action = %(known/action)s
[nginx-badbots]
# configuration inherits from jail.d/nginx-badbots.conf
enabled = true
chain = DOCKER-USER
action = %(known/action)s
[nginx-botsearch]
# configuration inherits from jail.conf
enabled = true
chain = DOCKER-USER
action = %(known/action)s
[nginx-deny]
# configuration inherits from jail.d/nginx-deny.conf
enabled = true
chain = DOCKER-USER
action = %(known/action)s
[nginx-unauthorized]
# configuration inherits from jail.d/nginx-unauthorized.conf
enabled = true
chain = DOCKER-USER
action = %(known/action)s
```
### Incremental Banning
This example only includes the configurations for incremental banning. You can add these lines to the `[DEFAULT]` section of your existing config.
With these configurations, after an IP is unbanned, if it gets banned again the ban time will increase exponentially.
```ini
[DEFAULT]
# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time
bantime.increment = true
# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
bantime.maxtime = 5w
# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier
bantime.factor = 24
# "bantime" is the number of seconds that a host is banned.
bantime = 1h
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 24h
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
```
### unRAID
Add these lines to your `jail.local` to enable jails for unRAID's sshd and Web GUI.
The `port` line for the Web GUI is optional, but if you use unRAID's My Servers plugin to enable public access you should add the port you use (replace `YOUR-UNRAID-MY-SERVERS-WAN-PORT`)
Both of these jails protect unRAID at the host level using the `INPUT` chain.
```ini
[unraid-sshd]
# configuration inherits from jail.d/unraid-sshd.conf
enabled = true
chain = INPUT
action = %(known/action)s
[unraid-webgui]
# configuration inherits from jail.d/unraid-webgui.conf
enabled = true
chain = INPUT
port = http,https,YOUR-UNRAID-MY-SERVERS-WAN-PORT
action = %(known/action)s
```
### Unifi-Controller
Add these lines to enable the jail for Unifi-Controller.
```ini
[unifi-controller-auth]
# configuration inherits from jail.d/unifi-controller-auth.conf
enabled = true
chain = DOCKER-USER
action = %(known/action)s
```
### Additional Actions
The default `action` will use `iptables` to perform bans. You may also apply bans using other services such as CloudFlare, report bans to services such as AbuseIPDB, or setup notifications for with services such as Apprise or Discord Webhooks.
```ini
[DEFAULT]
# Apply additional actions to all bans with all jails
action = %(action_)s
apprise-api[host="127.0.0.1", tag="fail2ban"]
cloudflare[cfuser="YOUR-EMAIL", cftoken="YOUR-TOKEN"]
discord-webhook[webhook="https://discord.com/api/webhooks/######/######"]
abuseipdb_apikey = YOUR-API-KEY
[sshd]
# Apply additional actions only to bans for the sshd jail
action = %(known/action)s
abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,22"]
[unifi-controller-auth]
# Apply additional actions only to bans for the unifi-controller-auth jail
action = %(known/action)s
abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,21"]
```
### Full Example
```ini
[DEFAULT]
# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time
bantime.increment = true
# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
bantime.maxtime = 5w
# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier
bantime.factor = 24
# "bantime" is the number of seconds that a host is banned.
bantime = 1h
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 24h
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
# Prevents banning LAN subnets
ignoreip = 127.0.0.1/8 ::1
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
# The ban action "iptables-multiport" (default) should work for most
# The ban action "iptables-allports" can be used if multiport causes issues
#banaction = %(banaction_allports)s
# Read https://github.com/sebres/PoC/blob/master/FW.IDS-DROP-vs-REJECT/README.md before changing block type
# The block type "REJECT --reject-with icmp-port-unreachable" (default behavior) should respond to, but then instantly reject connection attempts
# The block type "DROP" should not respond to connection attempts, resulting in a timeout
#banaction = iptables-multiport[blocktype=DROP]
# Add additional actions
action = %(action_)s
apprise-api[host="127.0.0.1", tag="fail2ban"]
cloudflare[cfuser="YOUR-EMAIL", cftoken="YOUR-TOKEN"]
abuseipdb_apikey = YOUR-API-KEY
[unraid-sshd]
# configuration inherits from jail.d/unraid-sshd.conf
enabled = true
chain = INPUT
action = %(known/action)s
abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,22"]
[unraid-webgui]
# configuration inherits from jail.d/unraid-webgui.conf
enabled = true
chain = INPUT
port = http,https,YOUR-UNRAID-MY-SERVERS-WAN-PORT
action = %(known/action)s
abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,21"]
[unifi-controller-auth]
# configuration inherits from jail.d/unifi-controller-auth.conf
enabled = true
chain = DOCKER-USER
action = %(known/action)s
abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,21"]
[vaultwarden-auth]
# configuration inherits from jail.d/vaultwarden-auth.conf
enabled = true
chain = DOCKER-USER
action = %(known/action)s
abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,21"]
```
## Customizing jails
You can customize additional aspects about a jail by modifying your `jail.local` file.
```ini
[unifi-controller-auth]
# configuration inherits from jail.d/unifi-controller-auth.conf
enabled = true
# If you are using non-standard ports for your unifi-controller, you can specify the ports you use
port = 8081,8442
# If your log file is mounted to a non-standard location inside the container, you can specify the path that the container will see your log file
logpath = /path/to/unificontroller/server.log
# If you are running the unifi-controller on your host (not in a docker container) you can change the chain to INPUT
#chain = INPUT
# If you are running the unifi-controller in a docker container you can change the chain to DOCKER-USER
#chain = DOCKER-USER
```
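Review bot: the `[DEFAULT]` example stores live credentials in `jail.local` (`abuseipdb_apikey = YOUR-API-KEY`, `cloudflare[cfuser="YOUR-EMAIL", cftoken="YOUR-TOKEN"]`), so the README should state that the file must be readable by root only, as the OPNsense action header in this same change already asks (640). The continuation lines of `ignoreip` (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) must be indented under the key, otherwise fail2ban's INI parser rejects them; as rendered here the indentation is lost, so double-check the source file. Adding `cloudflare[...]` to the global `action` also attaches a Cloudflare block to `unraid-sshd`, where it does nothing useful (Cloudflare rules only affect traffic proxied through Cloudflare); attaching it per jail, the way `abuseipdb[...]` is, avoids the noise and the extra API calls.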

View File

@ -1,3 +1,4 @@
## Version 2024/05/20
# Fail2ban configuration file
#
# Action to report IP address to abuseipdb.com
@ -80,7 +81,7 @@ actioncheck =
# use my (Shaun's) helper PHP script by commenting out the first #actionban
# line below, uncommenting the second one, and pointing the URL at
# wherever you install the helper script. For the PHP helper script, see
# <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
# <https://github.com/parseword/fail2ban-abuseipdb/>
#
# Tags: See jail.conf(5) man page
# Values: CMD

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
# https://www.rfxn.com/projects/advanced-policy-firewall/
#

View File

@ -0,0 +1,60 @@
## Version 2022/08/06
# Fail2Ban action configuration for apprise-api
# Author: Roxedus https://github.com/Roxedus
# Modified by: nemchik https://github.com/nemchik
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = curl -X POST -d '{"tag": "<tag>", "type": "info", "body": "The jail <name> as been started successfully."}' \
-H "Content-Type: application/json" \
<url>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = curl -X POST -d '{"tag": "<tag>", "type": "info", "body": "The jail <name> has been stopped."}' \
-H "Content-Type: application/json" \
<url>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl -X POST -d '{"tag": "<tag>", "type": "warning", "body": "The IP <ip> has just been banned from <name> after <failures> attempts."}' \
-H "Content-Type: application/json" \
<url>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = curl -X POST -d '{"tag": "<tag>", "type": "success", "body": "The IP <ip> has just been unbanned from <name>."}' \
-H "Content-Type: application/json" \
<url>
[Init]
proto = http
host = apprise
port = 8000
key = apprise
url = <proto>://<host>:<port>/notify/<key>
#tag = fail2ban
tag = all
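Review bot: the `actionstart` body in this new file still reads `The jail <name> as been started successfully`, the same typo that the `apprise.conf` hunk elsewhere in this change corrects; fix it to `has been started`. The four `curl` calls carry no timeout or failure handling, so an unreachable endpoint (`host = apprise`, `port = 8000`) makes each ban/unban wait for the TCP connect timeout before the jail's action thread moves on to the next event; `curl -s -m 10 --fail-with-body` (or plain `--fail`) keeps a notification outage from delaying subsequent bans. Finally, `tag = all` is the shipped default while the commented `#tag = fail2ban` is what the README's `apprise-api[host="127.0.0.1", tag="fail2ban"]` example expects; align one with the other.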

View File

@ -1,3 +1,4 @@
## Version 2024/09/02
# Fail2Ban configuration file
#
# Author: Chris Caron <lead2gold@gmail.com>
@ -10,7 +11,7 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "The jail <name> as been started successfully." | <apprise> -t "[Fail2Ban] <name>: started on `uname -n`"
actionstart = printf %%b "The jail <name> has been started successfully." | <apprise> -t "[Fail2Ban] <name>: started on `uname -n`"
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban

View File

@ -1,3 +1,4 @@
## Version 2019/06/29
# Fail2Ban configuration file
#
# Author: Steven Hiscocks
@ -30,6 +31,9 @@
[Definition]
# bypass reporting of restored (already reported) tickets:
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD

View File

@ -1,3 +1,4 @@
## Version 2023/11/18
# Fail2Ban configuration file
#
# Author: Nick Munger
@ -80,7 +81,7 @@ block = ip
# Option: blocktype
# Notes.: How to block the traffic. Use a action from man 5 ipfw
# Common values: deny, unreach port, reset
# ACTION defination at the top of man ipfw for allowed values.
# ACTION definition at the top of man ipfw for allowed values.
# Values: STRING
#
blocktype = unreach port

View File

@ -1,3 +1,4 @@
## Version 2025/03/01
#
# Author: Logic-32
#
@ -50,11 +51,12 @@ actionban = curl -s -X POST "<_cf_api_url>" \
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = id=$(curl -s -X GET "<_cf_api_url>?mode=<cfmode>&notes=<notes>&configuration.target=<cftarget>&configuration.value=<ip>" \
<_cf_api_prms> \
| awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
| tr -d ' "' \
| head -n 1)
actionunban = id=$(curl -s -G -X GET "<_cf_api_url>" \
--data-urlencode "mode=<cfmode>" --data-urlencode "notes=<notes>" --data-urlencode "configuration.target=<cftarget>" --data-urlencode "configuration.value=<ip>" \
<_cf_api_prms> \
| awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
| tr -d ' "' \
| head -n 1)
if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found using target <cftarget>"; exit 0; fi; \
curl -s -X DELETE "<_cf_api_url>/$id" \
<_cf_api_prms> \
@ -67,7 +69,7 @@ _cf_api_prms = -H "Authorization: Bearer <cftoken>" -H "Content-Type: applicatio
# Declare your Cloudflare Authorization Bearer Token in the [DEFAULT] section of your jail.local file.
# The Cloudflare <ZONE_ID> of hte domain you want to manage.
# The Cloudflare <ZONE_ID> of the domain you want to manage.
#
# cfzone =
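Review bot: switching `actionunban` to `-G --data-urlencode` for `mode`, `notes`, `configuration.target` and `configuration.value` is the right fix (a `<notes>` value containing spaces or `&` previously corrupted the query string), but `if [ -z "$id" ]; then echo ...; exit 0; fi` still reports success when no rule matched, so a rule that was never created or was removed out of band leaves only the echoed line in the log; acceptable for an idempotent unban, but say so in the comment. The `awk -F"[,:}]"` id extraction depends on field order in the JSON and also matches any nested `id` key; if `jq` is an acceptable dependency, `jq -r '.result[0].id'` is far less brittle.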

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
#
# Author: Mike Rushton
#

View File

@ -1,3 +1,4 @@
## Version 2023/11/22
# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
@ -16,7 +17,7 @@
#
# Please do not use this action unless you are certain that fail2ban
# does not result in "false positives" for your deployment. False
# positive reports could serve a mis-favor to the original cause by
# positive reports could serve a misfavor to the original cause by
# flooding corresponding contact addresses, and complicating the work
# of administration personnel responsible for handling (verified) legit
# complains.

View File

@ -0,0 +1,44 @@
## Version 2022/08/06
# Author: Gilbn from https://technicalramblings.com
# Adapted Source: https://gist.github.com/sander1/075736a42db2c66bc6ce0fab159ca683
# Create the Discord Webhook in: Server settings -> Webhooks -> Create Webhooks
[Definition]
# Notify on Startup
actionstart = curl -X POST "<webhook>" \
-H "Content-Type: application/json" \
-d '{"username":"<botname>", "content":":white_check_mark: The **[<name>]** jail has started"}'
# Notify on Shutdown
actionstop = curl -X POST "<webhook>" \
-H "Content-Type: application/json" \
-d '{"username":"<botname>", "content":":no_entry: The **[<name>]** jail has been stopped"}'
#
actioncheck =
# Notify on Banned
actionban = curl -X POST "<webhook>" \
-H "Content-Type: application/json" \
-d '{"username":"<botname>", "content":"<discord_userid> :bell: **[<name>]** :hammer:**BANNED**:hammer: IP: [<ip>](<url_check_ip><ip>) for **<bantime>** seconds after **<failures>** failure(s). If you want to unban the IP run: `fail2ban-client unban <ip>`"}'
# Notify on Unbanned
actionunban = curl -X POST "<webhook>" \
-H "Content-Type: application/json" \
-d '{"username":"<botname>", "content":":bell: **[<name>]** **UNBANNED** IP: [<ip>](<url_check_ip><ip>)"}'
[Init]
# Discord Webhook URL
webhook = https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Discord Bot Username
botname = Fail2Ban
# User ID to ping
# ex: discord_userid = "<@!1234567890>"
discord_userid =
# URL prefix for an IP checking website
# abuseipdb is used by default since there is also an action to report an IP to their API
url_check_ip = https://www.abuseipdb.com/check/
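Review bot: the `webhook` URL under `[Init]` is a credential (anyone holding it can post to the channel), so the placeholder should direct users to override it from `jail.local` with restrictive permissions rather than editing this file in `action.d`. The example `discord_userid = "<@!1234567890>"` includes the quotes, which fail2ban passes through literally into the `actionban` body, producing unescaped `"` inside the JSON `content` string and a rejected request; drop the quotes from the example. As with the other webhook actions in this change, the `curl` calls have no `-s`/`-m` timeout, and `discordapp.com` is the legacy hostname (`discord.com/api/webhooks/...` is the current one).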

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Donald Yandt

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Donald Yandt

View File

@ -1,3 +1,4 @@
## Version 2024/11/07
# Fail2Ban action file for firewall-cmd/ipset
#
# This requires:
@ -18,36 +19,36 @@ before = firewallcmd-common.conf
[Definition]
actionstart = <ipstype_<ipsettype>/actionstart>
actionstart = <ipsbackend_<ipsetbackend>/actionstart>
firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
actionflush = <ipstype_<ipsettype>/actionflush>
actionflush = <ipsbackend_<ipsetbackend>/actionflush>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
<actionflush>
<ipstype_<ipsettype>/actionstop>
<ipsbackend_<ipsetbackend>/actionstop>
actionban = <ipstype_<ipsettype>/actionban>
actionban = <ipsbackend_<ipsetbackend>/actionban>
# actionprolong = %(actionban)s
actionunban = <ipstype_<ipsettype>/actionunban>
actionunban = <ipsbackend_<ipsetbackend>/actionunban>
[ipstype_ipset]
[ipsbackend_ipset]
actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettime> maxelem <maxelem> <familyopt>
actionflush = ipset flush <ipmset>
actionstop = ipset destroy <ipmset>
actionstop = ipset destroy <ipmset> 2>/dev/null || { sleep 1; ipset destroy <ipmset>; }
actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
actionunban = ipset -exist del <ipmset> <ip>
[ipstype_firewalld]
[ipsbackend_firewalld]
actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> <firewalld_familyopt>
actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=<ipsettype> --option=timeout=<default-ipsettime> --option=maxelem=<maxelem> <firewalld_familyopt>
# TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd
actionflush =
@ -60,6 +61,11 @@ actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
[Init]
# Option: ipsettype
# Notes: specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
# Values: hash:ip, hash:net, etc... Default: hash:ip
ipsettype = hash:ip
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
@ -77,15 +83,21 @@ default-ipsettime = 0
# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
ipsettime = 0
# expresion to caclulate timeout from bantime, example:
# Option: maxelem
# Notes: maximal number of elements which can be stored in the ipset
# You may want to increase this for long-duration/high-volume jails
# Values: [ NUM ] Default: 65536
maxelem = 65536
# expression to calculate timeout from bantime, example:
# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
# Option: ipsettype
# Notes.: defines type of ipset used for match-set (firewalld or ipset)
# Option: ipsetbackend
# Notes.: defines the backend of ipset used for match-set (firewalld or ipset)
# Values: firewalld or ipset
# Default: ipset
ipsettype = ipset
ipsetbackend = ipset
# Option: actiontype
# Notes.: defines additions to the blocking rule
@ -118,4 +130,4 @@ firewalld_familyopt = --option=family=inet6
# DEV NOTES:
#
# Author: Edgar Hoch, Daniel Black, Sergey Brester and Mihail Politaev
# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
# firewallcmd-new / iptables-ipset-proto6 combined for maximum goodness
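Review bot: renaming `ipsettype` to `ipsetbackend` and reusing `ipsettype` for the set type (`hash:ip`) changes the meaning of an existing option: a `jail.local` that currently sets `banaction = firewallcmd-ipset[ipsettype=firewalld]` now expands to `ipset -exist create <ipmset> firewalld timeout ...` and fails at jail start. Either keep a compatibility mapping for the old values or call the break out in the README. The `actionstop` retry (`ipset destroy <ipmset> 2>/dev/null || { sleep 1; ipset destroy <ipmset>; }`) covers the usual "set is in use" race right after the rule is removed; note that `actionflush =` for the firewalld backend is still empty (the TODO above it), so `actionstop` on that backend relies on the destroy alone.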

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Donald Yandt

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Because of the --remove-rules in stop this action requires firewalld-0.3.8+

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Authors: Donald Yandt, Sergey G. Brester

View File

@ -1,3 +1,4 @@
## Version 2024/08/07
# Fail2Ban configuration file
#
# Author: Donald Yandt
@ -35,10 +36,10 @@ actioncheck =
#
# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp
fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
fwcmd_rich_rule = rule family=\"<family>\" source address=\"<ip>\" port port=\"$p\" protocol=\"<protocol>\" %(rich-suffix)s
actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
rich-suffix = <rich-blocktype>
rich-suffix = <rich-blocktype>

View File

@ -0,0 +1,52 @@
## Version 2022/12/18
# Fail2Ban configuration file
#
# Author: Quietsy
#
# Add the following to jail.local (uncommented) to apply the gotify action to all bans with all jails
# Change the url to have a valid gotify address and a valid token
#
# [DEFAULT]
# action = %(action_)s
# gotify[url="https://gotify.domain.com/message?token=lkghlkhjo8y9"]
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = curl --data '{"message": "Started <name>"}' -X POST -H Content-Type:application/json <url>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = curl --data '{"message": "Stopped <name>"}' -X POST -H Content-Type:application/json <url>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl -X POST -H Content-Type:application/json <url> \
--data '{"message": "⛔ <name> ⛔\n\n<ip> got banned for <bantime> seconds after <failures> tries.\n\nUnban command:\nfail2ban-client unban <ip>"}'
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = curl -X POST -H Content-Type:application/json <url> --data '{"message": "✅ <name> ✅\n\n<ip> is now unbanned"}'
[Init]
url =
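Review bot: the token travels in the URL (`url="https://gotify.domain.com/message?token=..."`), so it shows up in the argument list of every `curl` the action spawns (visible in `ps` to any local user) and in any access log of a proxy in front of Gotify; Gotify also accepts the token in an `X-Gotify-Key` header, which keeps it out of the URL and the logs. The `--data` bodies embed `\n` as a literal backslash-n, which is valid JSON and renders as line breaks, but the `⛔`/`✅` characters require the config to be read as UTF-8; keeping the messages ASCII avoids encoding surprises on minimal images.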

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
[DEFAULT]
# Usage:

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# NetBSD ipfilter (ipf command) ban/unban

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Nick Munger

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2023/11/18
# Fail2Ban configuration file
#
# Author: Daniel Black
@ -27,7 +28,7 @@ before = iptables.conf
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = ipset --create f2b-<name> iphash
actionstart = ipset --create f2b-<name> maxelem <maxelem> iphash
<_ipt_add_rules>
@ -61,6 +62,14 @@ actionban = ipset --test f2b-<name> <ip> || ipset --add f2b-<name> <ip>
#
actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
# Several capabilities used internaly:
# Several capabilities used internally:
rule-jump = -m set --match-set f2b-<name> src -j <blocktype>
[Init]
# Option: maxelem
# Notes: maximal number of elements which can be stored in the ipset
# You may want to increase this for long-duration/high-volume jails
# Values: [ NUM ] Default: 65536
maxelem = 65536
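Review bot: `actionstart = ipset --create f2b-<name> maxelem <maxelem> iphash` places the option before the set type, whereas the legacy syntax this proto4 file targets is `--create NAME TYPE [options]`; as far as I know the old `iphash` type also has no `maxelem` option at all (its tunables were `--hashsize`, `--probes` and `--resize`), so this line should be verified against the ipset version the file is meant for before merging. The `maxelem` option copied from the proto6 file is only meaningful there.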

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Daniel Black

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Daniel Black

View File

@ -1,3 +1,4 @@
## Version 2024/11/07
# Fail2Ban configuration file
#
# Authors: Sergey G Brester (sebres), Daniel Black, Alexander Koeppe
@ -24,7 +25,7 @@ before = iptables.conf
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettime> maxelem <maxelem> <familyopt>
<_ipt_add_rules>
# Option: actionflush
@ -39,7 +40,7 @@ actionflush = ipset flush <ipmset>
#
actionstop = <_ipt_del_rules>
<actionflush>
ipset destroy <ipmset>
ipset destroy <ipmset> 2>/dev/null || { sleep 1; ipset destroy <ipmset>; }
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -59,13 +60,18 @@ actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
#
actionunban = ipset -exist del <ipmset> <ip>
# Several capabilities used internaly:
# Several capabilities used internally:
rule-jump = -m set --match-set <ipmset> src -j <blocktype>
[Init]
# Option: ipsettype
# Notes: specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
# Values: hash:ip, hash:net, etc... Default: hash:ip
ipsettype = hash:ip
# Option: default-ipsettime
# Notes: specifies default timeout in seconds (handled default ipset timeout only)
# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
@ -76,7 +82,13 @@ default-ipsettime = 0
# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
ipsettime = 0
# expresion to caclulate timeout from bantime, example:
# Option: maxelem
# Notes: maximal number of elements which can be stored in the ipset
# You may want to increase this for long-duration/high-volume jails
# Values: [ NUM ] Default: 65536
maxelem = 65536
# expression to calculate timeout from bantime, example:
# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Guido Bozzetto

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2020/02/14
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
@ -12,4 +13,4 @@ before = iptables.conf
[Definition]
pre-rule = -m state --state NEW<sp>
pre-rule = -m state --state NEW<sp>

View File

@ -1,3 +1,4 @@
## Version 2025/04/16
# Fail2Ban configuration file
#
# Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
@ -12,8 +13,9 @@ before = iptables.conf
[Definition]
_ipt_chain_rule = -m recent --update --seconds 3600 --name <iptname> -j <blocktype>
_ipt_for_proto-iter =
_ipt_for_proto-done =
_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
_ipt-iter =
_ipt-done =
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
@ -60,7 +62,7 @@ actionstop = echo / > /proc/net/xt_recent/<iptname>
# Notes.: command executed as invariant check (error by ban)
# Values: CMD
#
actioncheck = { <iptables> -C <chain> %(_ipt_chain_rule)s; } && test -e /proc/net/xt_recent/<iptname>
actioncheck = { %(_ipt_check_rule)s >/dev/null 2>&1; } && test -e /proc/net/xt_recent/<iptname>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the

View File

@ -1,3 +1,4 @@
## Version 2025/04/16
# Fail2Ban configuration file
#
# Authors: Sergey G. Brester (sebres), Cyril Jaquier, Daniel Black,
@ -62,25 +63,25 @@ pre-rule =
rule-jump = -j <_ipt_rule_target>
# Several capabilities used internaly:
# Several capabilities used internally:
_ipt_for_proto-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
_ipt_for_proto-done = done
_ipt-iter = for chain in $(echo '<chain>' | sed 's/,/ /g'); do for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
_ipt-done = done; done
_ipt_add_rules = <_ipt_for_proto-iter>
{ %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
<_ipt_for_proto-done>
_ipt_add_rules = <_ipt-iter>
{ %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I $chain %(_ipt_chain_rule)s; }
<_ipt-done>
_ipt_del_rules = <_ipt_for_proto-iter>
<iptables> -D <chain> %(_ipt_chain_rule)s
<_ipt_for_proto-done>
_ipt_del_rules = <_ipt-iter>
<iptables> -D $chain %(_ipt_chain_rule)s
<_ipt-done>
_ipt_check_rules = <_ipt_for_proto-iter>
_ipt_check_rules = <_ipt-iter>
%(_ipt_check_rule)s
<_ipt_for_proto-done>
<_ipt-done>
_ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>
_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
_ipt_check_rule = <iptables> -C $chain %(_ipt_chain_rule)s
_ipt_rule_target = f2b-<name>
[ipt_oneport]
@ -99,8 +100,9 @@ _chain_rule = -p $proto <rule-jump>
[Init]
# Option: chain
# Notes specifies the iptables chain to which the Fail2Ban rules should be
# added
# Notes specifies the iptables chains to which the Fail2Ban rules should be
# added. May be a single chain (e.g. INPUT) or a comma separated list
# (e.g. INPUT, FORWARD)
# Values: STRING Default: INPUT
chain = INPUT
@ -135,7 +137,7 @@ returntype = RETURN
# Option: lockingopt
# Notes.: Option was introduced to iptables to prevent multiple instances from
# running concurrently and causing irratic behavior. -w was introduced
# running concurrently and causing erratic behavior. -w was introduced
# in iptables 1.4.20, so might be absent on older systems
# See https://github.com/fail2ban/fail2ban/issues/1122
# Values: STRING
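Review bot: multi-chain support changes `_ipt_check_rule` from `<chain>` to `$chain`, and `$chain` only exists inside the `<_ipt-iter>` loop; any action file that has `before = iptables.conf` and references `%(_ipt_check_rule)s` or `_ipt_chain_rule` outside the iterator will now run `iptables -C  ...` with an empty chain name. The xt_recent action in this change redefines its own `_ipt_check_rule` with `<chain>`, so it is safe, but grep `action.d` for other consumers of these internals. Splitting `<chain>` with `sed 's/,/ /g'` inside an unquoted `$(...)` also tolerates `INPUT, FORWARD` with a space, which matches the new comment on the `chain` option.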

View File

@ -1,3 +1,4 @@
## Version 2023/11/22
# IPThreat configuration file
#
# Added to fail2ban by Jeff Johnson (jjxtra)
@ -15,7 +16,7 @@
# Reporting an IP is a serious action. Make sure that it is legit.
# Consider using this action only for:
# * IP that has been banned more than once
# * High max retry to avoid user mis-typing password
# * High max retry to avoid user mistyping password
# * Filters that are unlikely to be human error
#
# Example:
@ -47,7 +48,7 @@
# BadBot 256 Bad bot that is not honoring robots.txt or just flooding with too many requests, etc
# Compromised 512 The ip has been taken over by malware or botnet
# Phishing 1024 The ip is involved in phishing or spoofing
# Iot 2048 The ip has targetted an iot (Internet of Things) device
# Iot 2048 The ip has targeted an iot (Internet of Things) device
# PortScan 4096 Port scan
# See https://ipthreat.net/bulkreportformat for more information
# ```
@ -104,4 +105,4 @@ ipthreat_apikey =
ipthreat_system = <name>
# By default the ip threat flags is 8 (brute force), but you can override this per jail if desired
ipthreat_flags = 8
ipthreat_flags = 8

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Common settings for mail actions

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -0,0 +1,85 @@
## Version 2023/03/08
# Fail2Ban configuration file
#
# Mikrotik routerOS action to add/remove address-list entries
#
# Author: Duncan Bellamy <dunk@denkimushi.com>
# based on forum.mikrotik.com post by pakjebakmeel
#
# in the instructions:
# (10.0.0.1 is ip of mikrotik router)
# (10.0.0.2 is ip of fail2ban machine)
#
# on fail2ban machine:
# sudo mkdir /var/lib/fail2ban/ssh
# sudo chmod 700 /var/lib/fail2ban/ssh
# sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa
# sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/
# ssh admin@10.0.0.1
#
# on mikrotik router:
# /user add name=miki-f2b group=write address=10.0.0.2 password=""
# /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b
# /quit
#
# on fail2ban machine:
# (check password login fails)
# ssh miki-f2b@10.0.0.1
# (check private key works)
# sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1
#
# Then create rules on mikrorik router that use address
# list(s) maintained by fail2ban eg in the forward chain
# drop from address list, or in the forward chain drop
# from address list to server
#
# example extract from jail.local overriding some defaults
# action = mikrotik[keyfile="%(mkeyfile)s", user="%(muser)s", host="%(mhost)s", list="%(mlist)s"]
#
# ignoreip = 127.0.0.1/8 192.168.0.0/24
# mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa
# muser = myuser
# mhost = 192.168.0.1
# mlist = BAD LIST
[Definition]
actionstart =
actionstop = %(actionflush)s
actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"%(startcomment)s-*\"]"
actioncheck =
actionban = %(command)s "/ip firewall address-list add list=\"%(list)s\" address=<ip> comment=%(comment)s"
actionunban = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment=%(comment)s]"
command = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s
# Option: user
# Notes.: username to use when connecting to routerOS
user =
# Option: port
# Notes.: port to use when connecting to routerOS
port = 22
# Option: keyfile
# Notes.: ssh private key to use for connecting to routerOS
keyfile =
# Option: host
# Notes.: hostname or ip of router
host =
# Option: list
# Notes.: name of "address-list" to use on router
list = Fail2Ban
# Option: startcomment
# Notes.: used as a prefix to all comments, and used to match for flushing rules
startcomment = f2b-<name>
# Option: comment
# Notes.: comment to use on routerOS (must be unique as used for ip address removal)
comment = %(startcomment)s-<ip>
[Init]
name="%(__name__)s"
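Review bot: `command = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s` has neither `-o BatchMode=yes` nor an explicit known-hosts handling, so the first ban after install (or after the router's host key changes) hangs on the interactive host-key prompt under the fail2ban user instead of failing; add `-o BatchMode=yes -o StrictHostKeyChecking=yes` and seed `known_hosts` as part of the setup steps in the header. The flush pattern `comment~\"%(startcomment)s-*\"` is an unanchored RouterOS regex in which `-*` means "zero or more dashes", so flushing jail `sshd` (`f2b-sshd`) also removes entries belonging to any jail whose name starts with `sshd`; `comment~\"^%(startcomment)s-\"` restricts it to this jail. Restricting the router user with `address=10.0.0.2` and `group=write` is the right least-privilege setup; keep it in the instructions.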

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>

View File

@ -1,3 +1,4 @@
## Version 2023/11/18
# Fail2ban Citrix Netscaler Action
# by Juliano Jeziorny
# juliano@jeziorny.eu
@ -5,7 +6,7 @@
# The script will add offender IPs to a dataset on netscaler, the dataset can then be used to block the IPs at a cs/vserver or global level
# This dataset is then used to block IPs using responder policies on the netscaler.
#
# The script assumes using HTTPS with unsecure certificate to access the netscaler,
# The script assumes using HTTPS with insecure certificate to access the netscaler,
# if you have a valid certificate installed remove the -k from the curl lines, or if you want http change it accordingly (and remove the -k)
#
# This action depends on curl

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
@ -14,4 +15,4 @@ before = nftables.conf
[Definition]
type = multiport
type = multiport

View File

@ -1,3 +1,4 @@
## Version 2025/08/08
# Fail2Ban configuration file
#
# Author: Daniel Black
@ -44,7 +45,7 @@ match = <rule_match-<type>>
#
rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>
# optional interator over protocol's:
# optional iterator over protocol's:
_nft_for_proto-custom-iter =
_nft_for_proto-custom-done =
_nft_for_proto-allports-iter =
@ -55,7 +56,7 @@ _nft_for_proto-multiport-done = done
_nft_list = <nftables> -a list chain <table_family> <table> <chain>
_nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; \}
_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\;<addr_options> \}
<_nft_for_proto-<type>-iter>
<nftables> add rule <table_family> <table> <chain> %(rule_stat)s
<_nft_for_proto-<type>-done>
@ -97,7 +98,7 @@ actionstop = %(_nft_del_set)s
<_nft_shutdown_table>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Notes.: command executed once in error case by other command (during the check/restore sane environment process)
# Values: CMD
#
actioncheck = <nftables> list chain <table_family> <table> <chain> | grep -q '@<addr_set>[ \t]'
@ -197,6 +198,11 @@ addr_set = addr-set-<name>
# Values: [ ip | ip6 ]
addr_family = ip
# Option: addr_options
# Notes: Additional options for the addr-set, by default allows to store CIDR or address ranges.
# Can be set to empty value to create simple addresses set.
addr_options = <sp>flags interval\;
[Init?family=inet6]
addr_family = ip6
addr_type = ipv6_addr
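Review bot: `addr_options = <sp>flags interval\;` lets the set hold CIDR ranges, but an interval set rejects an element that overlaps an existing one unless it is also created with `auto-merge`; a jail that ends up holding both a host and a prefix containing it (for instance `fail2ban-client set <jail> banip 10.0.0.0/24` after `10.0.0.5` was already banned) would see the second add fail with "File exists". Either add `auto-merge\;` to the option or document the limitation next to it. The updated `actioncheck` note (run in the error case rather than before each ban) matches how fail2ban 1.x actually invokes it.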

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file for black-listing via nginx
#
# Author: Serg G. Brester (aka sebres)

View File

@ -0,0 +1,27 @@
# /etc/fail2ban/action.d/nginx-pathfinder-action.conf
#
# Ação Híbrida Pathfinder Proxy (2026).
# 1. Bloqueia o IP no Firewall (UFW).
# 2. Insere o IP no snippet 'blacklist.conf' do Nginx para bloqueio de aplicação.
# *****************************************************************************
[Definition]
# Comando executado ao iniciar a jail
actionstart = touch /etc/nginx/snippets/blacklist.conf
# Comando de banimento: Firewall + Nginx Blacklist
# Usamos 'prepend' no UFW para garantir que o bloqueio venha antes de qualquer permissão.
actionban = ufw prepend deny from <ip> to any
printf "deny <ip>;\n" >> /etc/nginx/snippets/blacklist.conf
nginx -s reload
# Comando de desbanimento: Remove do Firewall e do arquivo Nginx
# O sed remove a linha exata 'deny IP;' do snippet.
actionunban = ufw delete deny from <ip> to any
sed -i "/deny <ip>;/d" /etc/nginx/snippets/blacklist.conf
nginx -s reload
[Init]
# Nome da jail para logs de auditoria
name = nginx-pathfinder
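Review bot: `nginx -s reload` runs on every ban and unban, so a brute-force burst forks a full worker reload per event; at minimum guard it with `nginx -t -q &&` (an invalid `blacklist.conf` otherwise leaves the old configuration silently active) and make sure the snippet is actually included in the server blocks, since `actionstart` only `touch`es the file. The two layers also act on different addresses when this proxy sits behind a CDN or another proxy: `<ip>` is the client address taken from the log, `ufw prepend deny from <ip>` only helps when that client connects directly, and the nginx `deny` only works if the real-IP module has set `$remote_addr` to the client; the comment should state which case this deployment is. `sed -i "/deny <ip>;/d"` treats the dots of `<ip>` as wildcards and is unanchored; `/^deny <ip>;$/` is cheap and precise. A ban restored after a restart re-runs `actionban` and appends a duplicate `deny` line (harmless, since the unban `sed` removes every copy), which is worth a comment. The header comments are in Portuguese while every other action file in this change is English; consider translating for consistency.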

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# NetBSD npf ban/unban

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Andrew St. Jean

View File

@ -0,0 +1,91 @@
## Version 2023/02/16
#
# Fail2Ban action configuration for OPNsense
# Author: https://linuxserver.io/
#
# Please ensure jail.local permission are secure (640) as it contains your OPNsense API key
#
# OPNsense API Key/Secret guide: https://docs.opnsense.org/development/how-tos/api.html
#
# This action maintains an OPNsense HOST group alias.
#
# Configure OPNsense with:
# A correctly named empty HOST group alias.
# An associated firewall rule.
#
# In most instances the OPNsense rule will likely take the form of a INBOUND WAN DROP but specifics are left to user discretion.
#
# WARNING: This action allows connections to default OPNsense installs deployed with self signed TLS certificates.
# If required disable this by setting `allow_insecure = false` in your `jail.local`
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
#actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
#actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
#actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl <_allow_insecure> -s -u "<key>":"<secret>" -H "Content-Type: application/json" -d '{"address":"<ip>"}' https://<firewall>/api/firewall/alias_util/add/<alias>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = curl <_allow_insecure> -s -u "<key>":"<secret>" -H "Content-Type: application/json" -d '{"address":"<ip>"}' https://<firewall>/api/firewall/alias_util/delete/<alias>
# Internal variable handler for `allow_insecure`
_allow_insecure = $(if [ '<allow_insecure>' = true ]; then echo ' -k '; else echo ''; fi;)
[Init]
# Option: alias
# Notes.: The OPNsense host group name to add the Fail2ban IP to.
# Values: [ STRING ]
#
alias =
# Option: firewall
# Notes.: Your OPNsense IP or DNS name.
# Values: [ STRING ]
#
firewall =
# Option: key
# Notes.: Your OPNsense user key.
# Values: [ STRING ]
#
key =
# Option: secret
# Notes.: Your OPNsense user secret.
# Values: [ STRING ]
#
secret =
# Option: allow_insecure
# Notes.: Allow connections to default OPNsense installs deployed with self signed TLS certificates.
# Values: [ BOOLEAN ]
#
allow_insecure = true
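Review bot: `allow_insecure = true` in `[Init]` makes the `-k` flag the default, so out of the box the key and secret in `-u "<key>":"<secret>"` are sent to whatever answers at `https://<firewall>` without certificate validation; the header warning treats this as optional, but the safer default is `allow_insecure = false` with the self-signed certificate pinned through curl's `--cacert`. Two smaller points on the actionban/actionunban lines: `curl -s` without `--fail` exits 0 on an HTTP 401/403/500, so a rejected ban never shows up in fail2ban's log, and credentials passed via `-u` are visible to every local user in the process list; a curl `-K` config file or `--netrc-file` with 600 permissions avoids that.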

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file for using afctl on Mac OS X Server 10.5
#
# Anonymous author

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Nick Munger

View File

@ -1,9 +1,11 @@
## Version 2023/12/10
# Fail2Ban configuration file
#
# OpenBSD pf ban/unban
#
# Author: Nick Hilliard <nick@foobar.org>
# Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
# Modified by: Balazs Mateffy adding allproto option so all traffic gets blocked from the malicious source
#
#
@ -26,9 +28,11 @@
# }
# to your main pf ruleset, where "namei" are the names of the jails
# which invoke this action
# to block all protocols use the pf[protocol=all] option
actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f-
port="<port>"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi
echo "<block> proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
protocol="<protocol>"; if [ "$protocol" != "all" ]; then protocol="proto $protocol"; else protocol=all; fi
echo "<block> $protocol from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
# Option: start_on_demand - to start action on demand
# Example: `action=pf[actionstart_on_demand=true]`
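Review bot: in the `else` branch, `protocol=all` makes the next line emit a rule of the form `block quick all from <f2b-name> to any`, which combines pf's `all` keyword (shorthand for `from any to any`) with an explicit `from ... to` host specification; pf's grammar takes one or the other, so confirm that `<pfctl> -f-` accepts this. Setting `protocol=""` in the else branch is the safer form: omitting the `proto` clause already matches every protocol, and the emitted rule becomes `<block> from <<tablename>-<name>> to <actiontype>`.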
@ -98,6 +102,7 @@ tablename = f2b
#
# The action you want pf to take.
# Probably, you want "block quick", but adjust as needed.
# If you want to log all blocked use "blog log quick"
block = block quick
# Option: protocol
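Review bot: the comment `# If you want to log all blocked use "blog log quick"` has a typo; the pf action is `block log quick`, consistent with the `block = block quick` default directly below it.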

View File

@ -0,0 +1,61 @@
## Version 2022/08/15
#
# Fail2Ban action configuration for Pushover
# Author: https://linuxserver.io/
#
# Please ensure jail.local permission are secure as it will contain your Pushover API key
#
# This action requires the setup of a Pushover Application/API Token. This will require an account at https://pushover.net/
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
# Comment out this action as necessary
actionstart = curl -s -F "token=<token>" -F "user=<user>" -F "title=[Fail2Ban] <name>" -F "message=Jail <name> has been started successfully." https://api.pushover.net/1/messages
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
# Comment out this action as necessary
actionstop = curl -s -F "token=<token>" -F "user=<user>" -F "title=[Fail2Ban] <name>" -F "message=Jail <name> has been stopped." https://api.pushover.net/1/messages
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl -s -F "token=<token>" -F "user=<user>" -F "title=[Fail2Ban] <name>" -F "message=Banned IP: <ip> Lines containing IP: `grep '<ip>' <logpath>`" https://api.pushover.net/1/messages
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = curl -s -F "token=<token>" -F "user=<user>" -F "title=[Fail2Ban] <name>" -F "message=Unbanned IP: <ip> Lines containing IP: `grep '<ip>' <logpath>`" https://api.pushover.net/1/messages
[Init]
# Option: token
# Notes.: The Pushover API Token/Key setup for Fail2Ban.
# Values: [ STRING ]
#
token =
# Option: user
# Notes.: Your Pushover User Key.
# Values: [ STRING ]
#
user =
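Review bot: the actionban and actionunban messages embed `` `grep '<ip>' <logpath>` ``, which pushes every log line mentioning the address to a third-party notification service; on a busy log this exceeds Pushover's 1024-character message limit and the request fails silently behind `curl -s`, and the lines themselves are attacker-supplied input forwarded verbatim. fail2ban already exposes the matched lines of a ticket as `<ipjailmatches>` (bounded by `dbmaxmatches`), which is the tag intended for this; note also that `grep '<ip>'` treats the dots of an IPv4 address as wildcards, so the match is looser than it looks.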

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Michael Gebetsroither

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Common settings for sendmail actions

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Viktor Szépe

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2024/06/09
# Fail2Ban configuration file
#
# Author: Eduardo Diaz
@ -51,7 +52,7 @@
# Values: CMD
#
actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
then ipset -quiet -exist create f2b-<name> hash:ip timeout <default-ipsettime>;
then ipset -quiet -exist create f2b-<name> <ipsettype> timeout <default-ipsettime> maxelem <maxelem>;
fi
# Option: actionstop
@ -88,6 +89,19 @@ default-ipsettime = 0
# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
ipsettime = 0
# expresion to caclulate timeout from bantime, example:
# expression to calculate timeout from bantime, example:
# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
[Init]
# Option: ipsettype
# Notes: specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
# Values: hash:ip, hash:net, etc... Default: hash:ip
ipsettype = hash:ip
# Option: maxelem
# Notes: maximal number of elements which can be stored in the ipset
# You may want to increase this for long-duration/high-volume jails
# Values: [ NUM ] Default: 65536
maxelem = 65536
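Review bot: `timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)` only caps the upper bound; a permanent ban (`bantime = -1`) passes the `-le` test and hands `-1` to ipset as the timeout, which ipset will not accept, so the entry is never added. Suggest `[ "<bantime>" -ge 0 ] && [ "<bantime>" -le 2147483 ]` so that negative values fall back to `0` (managed by fail2ban's unban), which is also the documented default for `ipsettime`.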

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Author: Cyril Jaquier

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file for Bytemark Symbiosis firewall
#
# Author: Yaroslav Halchenko

View File

@ -1,3 +1,4 @@
## Version 2025/03/01
# Fail2Ban action configuration file for ufw
#
# You are required to run "ufw enable" before this will have any effect.
@ -44,7 +45,7 @@ _kill_conntrack = conntrack -D -s "<ip>"
# Option: kill
# Notes.: can be used to specify custom killing feature, by default depending on option kill-mode
# Examples: banaction = ufw[kill='ss -K "( sport = :http || sport = :https )" dst "[<ip>]"']
# Examples: banaction = ufw[kill='ss -K "dst = [<ip>] && ( sport = :http || sport = :https )"']
# banaction = ufw[kill='cutter "<ip>"']
kill = <_kill_<kill-mode>>
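Review bot: the corrected `ss -K` example (`dst = [<ip>] && ( sport = :http || sport = :https )`) only terminates sockets on kernels built with `CONFIG_INET_DIAG_DESTROY`; without it `ss -K` exits without killing anything and established connections from the banned address survive until they close on their own. Worth a comment next to the example, with the `conntrack -D -s "<ip>"` variant from `_kill_conntrack` named as the fallback.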

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban action for sending xarf Login-Attack messages to IP owner
#
# IMPORTANT:

View File

@ -1,3 +1,4 @@
## Version 2022/12/15
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
@ -32,7 +33,8 @@ loglevel = INFO
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | SYSTEMD-JOURNAL | FILE ] Default: STDERR
#
logtarget = /var/log/fail2ban.log
# lsio value
logtarget = /config/log/fail2ban/fail2ban.log
# Option: syslogsocket
# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
@ -63,11 +65,12 @@ pidfile = /var/run/fail2ban/fail2ban.pid
# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
# A value of ":memory:" means database is only stored in memory
# A value of ":memory:" means database is only stored in memory
# and data is lost when fail2ban is stopped.
# A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
# lsio value
dbfile = /config/fail2ban/fail2ban.sqlite3
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
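Review bot: moving `dbfile` to `/config/fail2ban/fail2ban.sqlite3` keeps bans across container restarts, and on startup fail2ban replays each restored ticket through the jail's actionban; any action that appends to a file (the `printf ... >> /etc/nginx/snippets/blacklist.conf` action earlier in this diff) therefore needs to be idempotent, or the action should set `norestored = 1` in its `[Init]` section so restored bans skip it.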
@ -75,7 +78,7 @@ dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 1d
# Options: dbmaxmatches
# Notes.: Number of matches stored in database per ticket (resolvable via
# Notes.: Number of matches stored in database per ticket (resolvable via
# tags <ipmatches>/<ipjailmatches> in actions)
# Values: [ INT ] Default: 10
dbmaxmatches = 10

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban filter for 3proxy
#
#

View File

@ -0,0 +1,17 @@
## Version 2022/08/06
# Fail2Ban filter configuration for airsonic
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*: Login failed from \[<HOST>\]$
ignoreregex =
datepattern = {^LN-BEG}
# DEV NOTES:
#
# Author: anoma
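Review bot: `failregex = ^.*: Login failed from \[<HOST>\]$` opens with an unanchored `^.*`, so on every non-matching line the engine scans to the end before giving up, and any line containing `: Login failed from [x]` matches regardless of what precedes it; with `datepattern = {^LN-BEG}` already consuming the timestamp, a prefix that names the logger component keeps the match specific. The trailing `$` also means any text airsonic appends after the bracket stops the match silently, so the DEV NOTES should carry a sample log line for `fail2ban-regex` testing.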

View File

@ -1,3 +1,4 @@
## Version 2023/11/18
# Fail2Ban apache-auth filter
#
@ -64,7 +65,7 @@ ignoreregex =
# ^user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^realm mismatch - got `(?:[^']*|.*?)' but no realm specified\s*$
#
# Because url/referer are foreign input, short form of regex used if long enough to idetify failure.
# Because url/referer are foreign input, short form of regex used if long enough to identify failure.
#
# Author: Cyril Jaquier
# Major edits by Daniel Black and Ben Rubson.

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban configuration file
#
# Regexp to catch known spambots and software alike. Please verify

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban filter to match web requests for selected URLs that don't exist
#
# This filter is aimed at blocking specific URLs that don't exist. This

View File

@ -1,3 +1,4 @@
## Version 2024/03/15
# Generic configuration items (to be used as interpolations) in other
# apache filters.
@ -29,7 +30,7 @@ apache-prefix = <apache-prefix-<logging>>
apache-pref-ignore =
_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[(?:client|remote) <HOST>(:\d{1,5})?\]
datepattern = {^LN-BEG}

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban filter for fake Googlebot User Agents
[Definition]

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban apache-modsec filter
#

View File

@ -1,3 +1,4 @@
## Version 2022/08/06
# Fail2Ban filter to web requests for home directories on Apache servers
#
# Regex to match failures to find a home directory on a server, which

View File

@ -1,3 +1,4 @@
## Version 2025/03/28
# Fail2Ban filter to block web requests for scripts (on non scripted websites)
#
# This matches many types of scripts that don't exist. This could generate a
@ -19,11 +20,10 @@ before = apache-common.conf
script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)
prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$
prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?=(?:[Ff]ile|[Ss]cript|[Gg]ot error|stderr from) )<F-CONTENT>.+</F-CONTENT>$
failregex = ^(?:does not exist|not found or unable to stat): <script>\b
^'<script>\S*' not found or unable to stat
^error '[Pp]rimary script unknown(?:\\n)?'
failregex = ^(?:(?:[Ff]ile does not exist|[Ss]cript not found or unable to stat): <script>\b|[Gg]ot error '[Pp]rimary script unknown\b)
^(?:stderr from |script (?P<_q>'))<script>\S*(?(_q)'|) (?:script )?(?:does not exist|not found or unable to stat)
ignoreregex =

View File

@ -1,3 +1,4 @@
## Version 2024/06/28
# Fail2Ban filter to block web requests on a long or suspicious nature
#
@ -8,7 +9,7 @@ before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s (?:(?:AH001[23][456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
failregex = ^%(_apache_error_client)s (?:(?:AH(?:001[23][456]|10244): )?[Ii]nvalid (method|URI)\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
ignoreregex =

Some files were not shown because too many files have changed in this diff