deploy configuraçao do atendimento.grupopralog.com.br no proxy

correçao do fail2ban que nao agia em cima dos logs
feat: sync timezone to America/Sao_Paulo, add diagnostic scripts to producao/scripts, and update PSDE docs
2026-02-12 12:45:13 -03:00 · 2026-02-08 15:54:09 -03:00 · 2026-02-08 14:24:23 -03:00 · 2026-02-08 13:51:49 -03:00 · 2026-02-08 11:29:10 -03:00 · 2026-02-08 11:05:53 -03:00
654 changed files with 25734 additions and 7764 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,48 +0,0 @@
 # Documentation and config folders
 .gemini/
 .git/
 .github/
 .vscode/
 .idea/
 # Legacy files (not needed in container)
 legacy/
 # Logs and debug files
 *.log
 debug_logs*.txt
 nginx_test*.log
 # Environment files
 .env
 .env.local
 # Git files
 .gitignore
 .gitattributes
 # Documentation
 README.md
 *.md
 !nginx.conf
 # Docker files (avoid recursive includes)
 docker-compose*.yml
 Dockerfile*
 # Temporary and backup files
 *.tmp
 *.bak
 *.swp
 *.swo
 *~
 # OS files
 .DS_Store
 Thumbs.db
 # SSL private keys (should be mounted as volume, not baked in)
 ssl/*.key
 # Disabled configs
 *.disabled
--- a/.gemini/GEMINI.md
+++ b/.gemini/GEMINI.md
@ -1,135 +1,129 @@
-# NGINX Pathfinder Proxy - Documentação Técnica
+# 🤖 Instruções para Agentes Gemini
-## Visão Geral
+**Especialista NGINX/Linux Brasileiro. Gerencia Pathfinder Proxy. Escrita: direta e técnica.**
-Projeto de infraestrutura para Proxy Reverso de Alta Disponibilidade, utilizando Containers Docker para modularidade e fácil manutenção.
+## 🌍 Ambiente
-## Arquitetura de Containers
+- **OS**: Ubuntu 24.04 (Nativo). **IP**: 172.17.0.253.
 - **Login**: itguys | **Senha**: vR7Ag$Pk
 - **Git**: https://git.itguys.com.br/joao.goncalves/NgixProxy_Pathfinder.git.
 - **Stack**: Nginx Mainline (1.29.5) + ModSec (3.0.14) + Fail2Ban (1.0.2).
-O projeto roda sobre 3 serviços orquestrados via `docker-compose.yml`:
+## 🧩 Snippets (`producao/nginx/snippets/`)
-| Serviço | Imagem | Porta Exposta | Função |
+- **acme_challenge**: Desafios Certbot (HTTP-01).
-|---------|--------|---------------|--------|
+- **ads_disallow**: Bloqueia acesso a ads.txt.
-| **modsecurity** | `owasp/modsecurity-crs:nginx-alpine` | `80`, `443` | **Frontend (WAF)**. Recebe todo o tráfego da internet, filtra ataques (SQLi, XSS) e encaminha requisições limpas para o Proxy. |
+- **bandwidth_limit**: Controle de banda e downloads (10MB+ limited to 1MB/s).
-| **nginx-proxy** | `alpine` (Custom Build) | `8080` (Interna) | **Backend Proxy**. Gerencia vhosts, terminação SSL, cache, compressão Brotli e roteamento para as aplicações finais. |
+- **blacklist**: Lista dinâmica de IPs banidos pelo Fail2Ban.
-| **fail2ban** | `crazymax/fail2ban` | - | **Watchdog**. Lê logs compartilhados dos dois containers acima e bane IPs maliciosos diretamente no host (via iptables). |
+- **cache_optimizer**: Configuração SWR (Stale-While-Revalidate) e headers de cache.
 - **cache_proxy_params**: Parâmetros padrão para proxy cache (Lock, Stale).
 - **cache_zones**: Definição de zonas de cache e chaves dinâmicas.
 - **compression**: Stack moderna de compressão (Gzip + Brotli).
 - **fingerprinting**: Cache imutável para assets versionados (Immutable).
 - **humans.txt**: Créditos técnicos e ferramentas.
 - **log_formats**: Definição do log JSON `detailed_proxy` com campos de segurança.
 - **modsecurity**: Ativação do motor WAF e inclusão da Blacklist.
 - **proxy_params**: Headers de proxy, timeouts e ofuscação de backend.
 - **rate_limit**: Zonas de limitação (Global vs Punição).
 - **robots_allow**: Permite indexação total em robots.txt.
 - **robots_disallow**: Bloqueia indexação total em robots.txt.
 - **security.txt**: Standard de reporte de vulnerabilidades (RFC 9116).
 - **security_actions**: Ações de bloqueio baseadas no score (Retorna 444).
 - **security_headers**: Headers de borda 2026 (COOP, COEP, CORP, Permissions).
 - **security_maps**: Motor PSDE (Detecção de Bots, URIs, Métodos e Scoring).
 - **ssl_params**: Stack TLS 1.3, HSTS e HTTP/3 (QUIC).
 - **stub_status**: Métricas de estado do Nginx para monitoramento.
 - **well_known**: Agregador de arquivos padrão (.well-known, robots, humans).
 > **Note**: `app_specific_modsec_tuning` fica em `producao/nginx/modsec/`, não em snippets.
 ## 🔄 Workflow: Novo Site ou Atualização
 **Sempre pergunte e pesquise antes de configurar:**
 ### Perguntas Obrigatórias
 - **Novo Site?** Perguntar: Tipo de site, IP e URL destino.
 - **Atualização?** Perguntar: Atualizar IP? Alterar URL destino?
 ### Regras
 - **Pesquisa Web**: Obrigatório pesquisar ajustes finos específicos para o sistema/engine alvo.
 - **Git**: Alt em `producao/` -> commit e push para branch `producao`.
 - **Proibição**: NUNCA sincronize `.gemini/` ou `antes-do-docker/`.
 - **Snippets Novos**: Se criar um novo snippet em `producao/nginx/snippets/`, documente-o nesta lista imediatamente.
 ---
-## Automação SSL
+## 🚀 Workflow de Deploy Técnico (Automação)
-O sistema possui um mecanismo de **auto-cura** para certificados SSL.
+**NUNCA faça commit direto na branch `producao` sem antes validar a configuração.**
-### Componentes
+O repositório conta com um script de automação híbrido (`producao/scripts/deploy_pathfinder.py`) que deve ser usado para **todo e qualquer deploy**.
 1. **Certbot**: Instalado dentro do container `nginx-proxy`.
 2. **Volumes**:
   - `ssl/`: Onde ficam os arquivos `.crt` e `.key` usados pelo NGINX.
   - `certbot/`: Onde o Certbot guarda os arquivos originais do Let's Encrypt.
 3. **Scripts**:
   - `scripts/inject_acme.sh`: Varre todos os arquivos em `conf.d/` e injeta o snippet de validação ACME (`.well-known`) se não existir.
   - `scripts/renew_ssl.sh`: 
     1. Verifica a data de expiração de cada certificado ativo.
     2. Se faltar **3 dias ou menos**, dispara `certbot renew`.
     3. Copia os novos arquivos gerados para a pasta `ssl/`.
     4. Recarrega o NGINX.
-### Agendamento
+### Passo a Passo para Agentes:
 - **Cron**: Configurado no `pre-flight.sh` para rodar todos os dias às **01:00 AM**.
 - **Startup**: A verificação também roda a cada reinício do container.
---
+1.  **Faça suas alterações** nos arquivos de configuração (`nginx/`).
 2.  **Valide e Deploye** rodando o script abaixo no terminal do Windows:
    ```powershell
    python producao/scripts/deploy_pathfinder.py sync --all
    ```
 3.  **Verifique a Saída**:
    - O script fará o upload, testará a configuração (`nginx -t`) no servidor e fará o reload.
    - Se houver erro, **corrija antes de prosseguir**. O script fará rollback automático no servidor, mas seu código local estará "quebrado".
 4.  **Confirmar**: Somente após o sucesso do comando acima ("Deploy Remoto Concluído com Sucesso!"), faça o commit das alterações.
-## Estrutura de Arquivos
+## 🛠️ Comandos Úteis
-```
+- **Sincronizar Tudo (Nginx + Fail2Ban + GeoIP)**: 
-.
+  `python producao/scripts/deploy_pathfinder.py sync --all`
-├── conf.d/              # Configurações de sites (VHosts)
+- **Deploy de Novo Site**:
-├── snippets/            # Trechos reutilizáveis
+  `python producao/scripts/deploy_pathfinder.py site --deploy dominio.com`
-│   ├── acme_challenge.conf # Snippet para validação Let's Encrypt
+- **Atualizar GeoIP Manualmente**:
-│   ├── internal_networks.conf # IPs permitidos (VPN/Local)
+  `python producao/scripts/deploy_pathfinder.py geoip --update`
 │   └── ...
 ├── scripts/             # Scripts de automação
 │   ├── pre-flight.sh    # Entrypoint (DNS Check + Cron Setup)
 │   ├── inject_acme.sh   # Injetor de config ACME
 │   └── renew_ssl.sh     # Lógica de renovação
 ├── ssl/                 # Certificados em uso
 ├── fail2ban/            # Configs do Fail2ban
 │   ├── jail.d/          # Definição das prisões
 │   └── filter.d/        # Regex de detecção
 ├── .gemini/             # Documentação do projeto
 └── docker-compose.yml   # Orquestração
 ```
---
+## ⚠️ Pontos de Atenção
-## Módulos Especiais
+- **GeoIP**: O script baixa automaticamente os bancos GeoIP se faltarem. Não precisa baixar manualmente.
 - **Paramiko**: O script usa `paramiko` para SSH. Se não estiver instalado, instale com `pip install paramiko`.
 - **Credenciais**: As credenciais de acesso ao servidor estão embutidas no cabeçalho do script. Não as exponha em logs públicos.
-### 1. Brotli & Headers More
+## 🐛 Solução de Problemas e Lições Aprendidas (2026-02-08)
 O container `nginx-proxy` é construído manualmente (`Dockerfile`) para incluir módulos que não vêm por padrão no Alpine:
 - `nginx-mod-http-brotli`
 - `nginx-mod-http-headers-more`
-### 2. ModSecurity (WAF)
+### 1. Conflitos de ModSecurity (Loop em `nginx -t`)
-Rodar o WAF em container separado (`modsecurity`) evita a necessidade de compilar o ModSecurity no NGINX principal.
+- **Sintoma**: O deploy reporta sucesso, mas as alterações não aparecem no servidor. O log remoto mostra `nginx: [emerg] "modsecurity_rules_file" directive is duplicate`.
 - **Causa**: O arquivo `snippets/modsecurity.conf` já define `modsecurity_rules_file`. Se você incluir esse snippet E também definir a diretiva `modsecurity_rules_file` no bloco `server` (ex: `ferreirareal.com.br.conf`), o Nginx falhará.
 - **Solução**: Use apenas `include snippets/modsecurity.conf;` no bloco server. A diretiva `modsecurity_rules_file /etc/nginx/modsec/main.conf;` deve ficar comentada ou removida do vhost.
-**Arquitetura Customizada:**
+### 2. Scripts de Diagnóstico e Recuperação (2026-02-08)
 - **Injeção de Template**: Um arquivo `modsec.conf.template` local é montado durante o boot para contornar limitações de permissão do container oficial. Ele instrui o NGINX a carregar regras customizadas.
 - **Regras Modulares**: Localizadas em `modsec_rules/`, divididas por aplicação (`gitea-rule-exceptions.conf`, `nextcloud...`).
 - **Global**: `global-exceptions.conf` define apenas a whitelist de rede.
 - **Bypass de Emergência**: Se o WAF falhar, altere as portas no `docker-compose.yml` para expor o `nginx-proxy` diretamente.
---
+Foram criados scripts auxiliares em `producao/scripts/` para situações de emergência ou validação profunda. Use-os com cautela:
-## Fluxo de Deploy Atualizado
+- **`restore_nginx.py`**:
    - **Função**: Força o upload do `nginx.conf` local para o servidor e reinicia o serviço.
    - **Uso**: `python producao/scripts/restore_nginx.py`
    - **Quando usar**: Se o `deploy_pathfinder.py` falhar ou se o Nginx não subir por erro de configuração crítica (ex: variáveis faltando).
 - **`fetch_logs.py`**:
    - **Função**: Baixa logs específicos do servidor para análise local.
    - **Uso**: `python producao/scripts/fetch_logs.py`
    - **Quando usar**: Para investigar ataques ou erros sem precisar logar via SSH.
 - **`verify_time_and_logs.py`**:
    - **Função**: Verifica a data do servidor e os últimos logs de acesso.
    - **Uso**: `python producao/scripts/verify_time_and_logs.py`
    - **Quando usar**: Para confirmar se o timezone está correto (-0300) e se o Nginx está gerando logs novos.
-```mermaid
+### 3. Falhas Silenciosas de Rollback
-graph TD
+- **Cuidado**: O script `deploy_pathfinder.py` executa um rollback automático se `nginx -t` falhar.
-    Start[Deploy] --> DetectIP[Detectar IP Público]
+- **O que acontece**: O script restaura o backup anterior e reinicia o Nginx. Isso faz o deploy parecer bem-sucedido (exit code 0), mas seus arquivos novos foram descartados.
-    DetectIP --> Build[Docker Build (NGINX + Certbot)]
+- **Verificação**: **SEMPRE** verifique o timestamp dos arquivos remotos após um deploy crítico para garantir que foram atualizados:
-    Build --> Up[Docker Compose Up]
+    ```python
-    Up --> PreFlight[Pre-Flight Script]
+    # Exemplo de verificação rápida
    client.exec_command("ls -l /etc/nginx/snippets/log_formats.conf")
    ```
-    PreFlight --> DNSCheck[Validar DNS dos Domínios]
+### 3. Encoding Windows vs Linux
-    DNSCheck --> CronSetup[Configurar Cron Job]
+- **Problema**: `UnicodeEncodeError: 'charmap' codec can't encode character...` ao rodar scripts Python no Windows.
-    CronSetup --> SSLCheck[Verificar Validade SSL]
+- **Causa**: O console do Windows padrão (cp1252) não suporta emojis como 🚀 ou ✅.
 - **Regra**: Evite usar emojis ou caracteres especiais em scripts que rodam no lado do cliente (Windows). Use `[OK]`, `[ERROR]`, `[+]` em vez de ícones.
-    SSLCheck -- Vence > 3 dias --> StartNginx[Iniciar NGINX]
+### 4. Organização e Limpeza
-    SSLCheck -- Vence <= 3 dias --> Renew[Rodar renew_ssl.sh]
+- **Área de Diagnóstico**: Use a pasta `logs/` na raiz do projeto (`ngnix-pathfinder-proxy/logs`) para armazenar logs temporários, downloads de debug e "bagunça" necessária durante investigações.
-    Renew --> StartNginx
+- **Limpeza**: Após resolver o problema, **limpe** esta pasta para não commitar lixo no repositório. O `.gitignore` deve ignorar essa pasta, mas mantenha o hábito de limpeza.
 ```
 ---
 ## Comandos Operacionais
 **Verificar status dos serviços:**
 ```bash
 docker compose ps
 ```
 **Verificar validade dos SSL (Log):**
 ```bash
 docker compose logs nginx-proxy | grep "SSL"
 ```
 **Forçar renovação SSL manualmente:**
 ```bash
 docker compose exec nginx-proxy /scripts/renew_ssl.sh
 ```
 **Reload Zero-Downtime (Blue-Green Logic):**
 Este comando valida a configuração e executa um reload gracioso (`nginx -s reload`), onde novos workers assumem as novas configurações enquanto os antigos terminam as requisições correntes.
 ```bash
 ./scripts/reload.sh   # Linux
 ./scripts/reload.ps1  # Windows PowerShell
 ```
 **Banir um IP manualmente:**
 ```bash
 docker compose exec fail2ban fail2ban-client set nginx-badbots banip 1.2.3.4
 ```
 **Adicionar novo site:**
 1. Criar `conf.d/novo-site.conf`
 2. `docker compose restart nginx-proxy`
 3. O script de startup irá validar o DNS e injetar o suporte ACME automaticamente.
--- a/.gemini/TODO.md
+++ b/.gemini/TODO.md
@ -1,40 +0,0 @@
 # Tarefas Pendentes e Melhorias Futuras
 ## 1. Gestão Dinâmica de DNS
 **Origem:** Migração de `legacy/hosts`
 - **Problema:** O método atual usa `extra_hosts` no `docker-compose.yml`, que é estático e exige recriação do container para alterações.
 - **Objetivo:** Mudar o modo de registro e atualização de DNS para ser mais dinâmico ou simples.
 - **Ideias:** DNS containerizado (Bind/CoreDNS) ou Service Discovery.
 ## 2. Revisão de Regras ModSecurity
 **Origem:** Migração de `legacy/nginx/modsecurity/*.conf` (Regras Antigas)
 - **Status:** ✅ Concluído.
 - **Resolução:** Regras refatoradas para estrutura modular (`modsec_rules/`). WAF ativo e configurado via template injection para Gitea, Nextcloud, Exchange, Zabbix e outros.
 - **Ação:** Monitorar logs (`modsec_audit.log`) para ajustes finos futuros.
 ## 3. Atualizações Zero-Downtime (Sem Queda)
 **Objetivo:** Criar um método para atualizar configurações de sites sem que clientes externos percam a conexão.
 - **Status:** ✅ Concluído.
 - **Solução Implementada:** Script `./scripts/reload.sh` que executa `nginx -t` e `nginx -s reload` (Reload Suave/Process-Level Blue-Green).
 - **Como usar:** Execute `./scripts/reload.sh` após alterar qualquer `.conf`.
 ## 4. Conexão Direta na Interface do Host
 **Objetivo:** Configurar o proxy para rotear tráfego tanto internamente (entre containers Docker) quanto externamente (para serviços fora do Docker).
 - **Status:** 🧪 Implementado - Aguardando Teste no Host
 - **Solução Implementada:**
  - Adicionado `host.docker.internal:host-gateway` no `docker-compose.yml` para ambos containers
  - Criado `snippets/docker_resolver.conf` para resolução DNS dinâmica de containers
  - Criado `conf.d/test-connectivity.conf` (temporário) com endpoints de teste
  - Atualizado diagrama de arquitetura no `README.md`
 - **Testes Necessários (no host de deploy):**
  ```bash
  # Rebuild e restart
  docker compose build --no-cache nginx-proxy
  docker compose down && docker compose up -d
  # Testar conectividade
  docker compose exec nginx-proxy ping -c 2 10.10.253.254
  docker compose exec nginx-proxy ping -c 2 10.10.253.128
  ```
 - **Após Validação:** Deletar `conf.d/test-connectivity.conf` e marcar como ✅ Concluído.
--- a/.gemini/workflows/hardening_guidelines.md
+++ b/.gemini/workflows/hardening_guidelines.md
@ -0,0 +1,51 @@
 ---
 description: Guia detalhado para garantir a segurança máxima (Hardening) em sites e no sistema Pathfinder Proxy.
 ---
 # Workflow: Hardening de Segurança Pathfinder
 Este workflow orienta o agente na aplicação das proteções mais rígidas para o ecossistema Nginx + ModSecurity + Fail2Ban.
 ### 1. Uso de Snippets de Segurança Existentes
 Sempre utilize os snippets em `producao/nginx/snippets/` como base:
 - **`ssl_params.conf`**: Configuração base de TLS e HTTP/3.
 - **`security_headers.conf`**: Headers de borda modernos (Referrer, COOP, COEP).
 - **`modsecurity.conf`**: Ativação do WAF e integração com a `blacklist.conf`.
 - **`security_maps.conf`**: Inteligência de Scoring (PSDE).
 - **`security_actions.conf`**: Decisão final de bloqueio (444).
 - **`well_known.conf`**: Agregador de arquivos de raiz (robots, security, humans).
 - **`rate_limit.conf`**: Limites de tráfego e zonas de punição.
 ### 2. Criação de Novos Snippets
 Se as proteções atuais não forem suficientes para um sistema específico:
 - **Crie um novo snippet** em `producao/nginx/snippets/` com nome descritivo.
 - **Siga o padrão**: Use comentários claros e mantenha a modularidade.
 - **Documentação Obrigatória**: Se criar um snippet novo, você **DEVE** adicionar sua descrição na seção `🛠️ Snippets` do arquivo `GEMINI.md` imediatamente.
 ### 3. Reforço da Camada SSL/TLS (Snippet `ssl_params`)
 - **Protocolos**: Garanta o uso exclusivo de TLS 1.2 e TLS 1.3. Desative versões legadas.
 - **HSTS**: Verifique se o header `Strict-Transport-Security` está ativo com pelo menos 1 ano (`31536000s`) e inclui subdomínios.
 - **OCSP Stapling**: Certifique-se de que a validação de certificado é feita no servidor para reduzir latência e aumentar a privacidade.
 - **HTTP/3**: Sempre anuncie os headers de QUIC (`Alt-Svc`) para navegadores compatíveis.
 ### 4. Implementação de Headers de Proteção de Borda
 - **Anti-Clickjacking**: Use `X-Frame-Options: SAMEORIGIN` em todos os VHosts, a menos que o site precise ser emoldurado por domínios específicos.
 - **Anti-Sniffing**: O header `X-Content-Type-Options: nosniff` deve ser obrigatório para evitar que o navegador execute arquivos com tipos MIME incorretos.
 - **Segurança de Conteúdo (CSP)**: Analise os recursos (Scripts, Imagens, Estilos) e crie uma política que restrinja fontes externas não confiáveis.
 - **Permissions-Policy**: Desative acessos desnecessários a hardware (Câmera, Microfone, Geolocalização) diretamente no nível de header.
 ### 5. Orquestração ModSecurity + PSDE
 - **Motor Ativo**: O ModSecurity deve estar em modo de bloqueio (`SecRuleEngine On`) para todas as rotas sensíveis.
 - **Sincronização com PSDE**: A lógica descrita no `security_maps.conf` deve atuar como a primeira linha de defesa (Fast-fail) para bots e URIs suspeitas.
 - **Tratamento de Falsos Positivos**: Em caso de bloqueio indevido, a correção deve ser feita via remoção seletiva de regras por ID nos respectivos VHosts.
 ### 6. Blindagem contra Robôs e Scrapers (Snippet `well_known`)
 - **Arquivos de Raiz (Well-Known)**: Utilize o snippet `well_known.conf` que já consolida as melhores práticas de identificação e bloqueio.
    - **`robots_disallow.conf`**: Já configurado para retornar `Disallow: /`, instruindo robôs legítimos a não indexarem o site.
    - **`security.txt.conf`**: Define o contato padrão de segurança (`mailto:suporte@itguys.com.br`).
    - **`ads_disallow.conf`**: Bloqueia vendedores de anúncios não autorizados.
 - **Bloqueio de IA e Má-Fé**: O sistema já possui no `security_maps.conf` uma lista extensa de assinaturas de IAs (GPTBot, ClaudeBot, Gemini-Ai, etc.) e Scrapers que ignoram o `robots.txt`. O agente deve apenas garantir que este mapeamento esteja ativo via `security_actions.conf`.
 ### 7. Gestão de Blacklist e Fail2Ban
 - **Ação do Firewall**: O Nginx deve incluir o snippet `blacklist.conf` dentro do bloco do ModSecurity.
 - **Isolamento de Erros**: Configurações de VHost que geram excesso de erros 403/404 devem ser monitoradas agressivamente pelo Fail2Ban.
--- a/.gemini/workflows/performance_tuning.md
+++ b/.gemini/workflows/performance_tuning.md
@ -0,0 +1,78 @@
 ---
 description: Guia passo a passo para otimizar buffers, timeouts e cache no Nginx baseado no tipo de carga de trabalho.
 ---
 # 🚀 Workflow: Performance Tuning (Pathfinder Proxy)
 Este workflow guia o ajuste fino do Nginx para extrair a máxima performance, garantindo que o tempo de resposta (`request_time`) e a carga da CPU sejam minimizados.
 ### 1. Base Tecnológica (Obrigatório)
 Todo site no Pathfinder deve começar com a fundação de compressão e parâmetros base:
 ```nginx
 # No bloco 'http' ou 'server'
 include snippets/compression.conf;     # Gzip + Brotli (Google)
 include snippets/proxy_params.conf;    # Real-IP + Headers + Buffers Base
 ```
 ### 2. Aplicação de Presets por Carga de Trabalho
 #### ⚡ Preset: APIs e Node.js
 O `proxy_params.conf` já traz timeouts de 60s. Para APIs de tempo real, você deve **sobrescrever** para timeouts mais agressivos:
 ```nginx
 location /api/ {
    include snippets/proxy_params.conf;
    # Sobrescrita para baixa latência
    proxy_read_timeout 30s;
    proxy_buffering off;
    # Suporte a WebSockets (Necessário para Traccar/Socket.io)
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
 }
 ```
 #### 📂 Preset: Downloads e Assets Estáticos
 Otimize usando o motor SWR (Stale-While-Revalidate):
 ```nginx
 location /static/ {
    include snippets/cache_optimizer.conf; # Ativa SWR + X-Cache-Status
    # Performance de Sistema
    sendfile on;
    tcp_nopush on;
    # Cache no Browser (1 ano para assets com hash)
    expires 365d;
    add_header Cache-Control "public, no-transform";
 }
 ```
 #### 🎬 Preset: Streaming (Vídeo/Áudio)
 Para streaming, precisamos de buffers maiores que o padrão do `proxy_params.conf`:
 ```nginx
 location /stream/ {
    include snippets/proxy_params.conf;
    # Suporte a Range Requests (Seek no vídeo)
    proxy_cache_key "$host$request_uri$http_range";
    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    # Tuning de Buffer Exclusivo
    proxy_buffers 32 16k;
    proxy_buffer_size 64k;
    proxy_read_timeout 600s;
 }
 ```
 ### 3. Caching Inteligente (Pseudo-CDN)
 Use o snippet `cache_zones.conf` para definir onde o cache reside e o `cache_proxy_params.conf` para comportamento padrão de cache.
 ### 4. Verificação de Performance
 Utilize o formato de log **detailed_proxy** (definido em `snippets/log_formats.conf`) para depurar gargalos:
 ```bash
 # Monitorar tempo de resposta do backend em tempo real
 tail -f /var/log/nginx/access_json.log | jq '. | {url: .uri, status: .status, upstream_time: .upstream_response_time, cache: .upstream_cache_status}'
 ```
--- a/.gitignore
+++ b/.gitignore
@ -1,34 +1,12 @@
-# Logs and debug files
+# Runtime Data
-*.log
+logs/
-debug_logs*.txt
+ssl/
-nginx_test*.log
+certbot/
 # Environment files
 .env
 .env.local
 # Docker
-docker-compose.override.yml
+docker-compose.yml
-
+Dockerfile
-# SSL certificates (sensitive - should be managed separately)
+*.sh
-ssl/*.key
+.env
-ssl/*.crt
+.gemini/
-ssl/*.pem
+logs/
 # Editor files
 .vscode/
 .idea/
 *.swp
 *.swo
 *~
 # OS files
 .DS_Store
 Thumbs.db
 # Temporary files
 *.tmp
 *.bak
 # Disabled configs
 *.disabled
--- a/19
+++ b/19
@ -1,19 +0,0 @@
 FROM alpine:latest
 # Install NGINX and tools
 RUN apk add --no-cache nginx nginx-mod-http-brotli nginx-mod-http-headers-more bind-tools openssl curl certbot git
 # Copy custom config
 COPY nginx.conf /etc/nginx/nginx.conf
 COPY conf.d/ /etc/nginx/conf.d/
 # Copy snippets
 COPY snippets/ /etc/nginx/snippets/
 # Copy scripts
 COPY scripts/ /scripts/
 RUN chmod +x /scripts/*.sh
 # Entrypoint
 ENTRYPOINT ["/scripts/pre-flight.sh"]
 CMD ["nginx", "-g", "daemon off;"]
--- a/Dockerfile.fail2ban
+++ b/Dockerfile.fail2ban
@ -1,4 +0,0 @@
 FROM crazymax/fail2ban:latest
 # Copy fail2ban configurations
 COPY fail2ban/ /data/
--- a/Dockerfile.modsec
+++ b/Dockerfile.modsec
@ -1,12 +0,0 @@
 FROM owasp/modsecurity-crs:nginx-alpine
 # Copy custom configuration template
 COPY modsec.conf.template /etc/nginx/templates/modsecurity.d/modsecurity.conf.template
 # Copy custom rules
 COPY modsec_rules/ /etc/nginx/custom_rules/
 # Copy custom Nginx Configs (Frontend)
 # Remove default.conf to avoid conflicts and ensure our config takes precedence
 RUN rm -f /etc/nginx/conf.d/default.conf
 COPY modsec_conf/ /etc/nginx/conf.d/
--- a/README.md
+++ b/README.md
@ -1,238 +1,189 @@
-# NGINX Pathfinder Proxy
+# 🛡️ Nginx Pathfinder Proxy
-Solução moderna de Proxy Reverso containerizado, construída com NGINX, ModSecurity WAF e automação de SSL.
+Este repositório é o núcleo de inteligência e configuração do **Pathfinder Proxy**, instalado nativamente em **Ubuntu 24.04**. Ele combina performance extrema (HTTP/3, Brotli) com um motor de segurança multicamadas (PSDE + WAF + Fail2Ban).
 ## 🚀 Funcionalidades
 ### 🛡️ Segurança em Primeiro Lugar
 - **ModSecurity WAF**: Conjunto de Regras OWASP (CRS) integrado rodando como proxy sidecar/frontend.
 - **Fail2ban**: Serviço "cão de guarda" que bane IPs com comportamento suspeito (bots ruins, excesso de erros 4xx/5xx).
 - **Mapas de Segurança**: Bloqueio automatizado de User-Agents maliciosos e restrições de rede interna.
 ### ⚡ Performance
 - **HTTP/3 (QUIC)**: Habilitado para conexões modernas de baixa latência.
 - **Compressão Brotli**: Melhores taxas de compressão que o Gzip padrão.
 - **Headers More**: Manipulação avançada de cabeçalhos para respostas limpas.
 ### 🔒 SSL Automatizado
 - **Renovação Zero-Touch**: O Certbot integrado verifica a validade diariamente.
 - **Auto-Renovação**: Renova automaticamente certificados próximos do vencimento (<= 3 dias).
 - **Injeção Inteligente**: Injeta automaticamente os snippets de desafio ACME nas configurações dos sites.
 ---
-## 🛠️ Como Trabalhar neste Repositório
+## 🏗️ Estrutura de Pastas e Componentes
 A configuração é modular para permitir manutenção rápida e alta disponibilidade.
 - `nginx.conf`: O "cérebro" global. Configura workers, logs JSON e carrega os módulos dinâmicos.
 - `conf.d/`: Contém as definições de cada site (**VHosts**).
 - `snippets/`: Componentes reutilizáveis (SSL, Proxy, Cache, WAF, Headers).
 - `modsec/`: Configuração do ModSecurity, regras **OWASP CRS v4** e tunings específicos.
 - `dynamic/`: Arquivos modificados em tempo real (ex: `blacklist.conf` pelo Fail2Ban).
 - `scripts/`: Scripts de automação e diagnóstico (`deploy_pathfinder.py`, `restore_nginx.py`, `fetch_logs.py`).
 ---
 ## 🧩 Guia de Snippets (Uso Obrigatório)
 Para garantir o **Padrão Ouro**, todo site deve incluir os snippets básicos:
 1. `include snippets/ssl_params.conf;`: Ativa TLS 1.3, HSTS e anuncia **HTTP/3 (QUIC)**.
 2. `include snippets/proxy_params.conf;`: Headers padrão e ofuscação de tecnologia de backend (`Server`, `X-Powered-By`).
 3. `include snippets/security_headers.conf;`: **Headers de 2026** (COOP, COEP, CORP) para proteção de isolamento do navegador.
 4. `include snippets/modsecurity.conf;`: Ativa o WAF e a Blacklist dinâmica.
 5. `include snippets/security_actions.conf;`: Toma a decisão final de bloquear (`444`) se o motor PSDE detectar risco alto.
 6. `include snippets/cache_optimizer.conf;`: Otimiza a entrega de estáticos com cache inteligente (SWR).
 ### 📚 Catálogo Completo de Snippets
 Abaixo, a lista completa de componentes modulares disponíveis em `nginx/snippets/`:
 #### 🔒 Segurança & WAF
 - **`modsecurity.conf`**: Ativa o WAF (OWASP CRS v4) e carrega a blacklist.
 - **`security_headers.conf`**: Headers de borda 2026 (COOP, COEP, CORP, Permissions-Policy).
 - **`security_actions.conf`**: Executa o bloqueio (Return 444) baseado no score do PSDE.
 - **`security_maps.conf`**: Motor de decisão (PSDE), detecção de bots, scorings e variáveis de risco.
 - **`blacklist.conf`**: Lista dinâmica de IPs banidos (gerenciado pelo Fail2Ban).
 - **`ads_disallow.conf`**: Bloqueia acesso a `ads.txt`.
 - **`robots_disallow.conf`**: Bloqueia indexação total (para ambientes de homologação/privados).
 - **`robots_allow.conf`**: Permite indexação total.
 #### 🚀 Performance & Cache
 - **`cache_optimizer.conf`**: Otimização fina de SWR (Stale-While-Revalidate) e headers de cache.
 - **`cache_proxy_params.conf`**: Configurações padrão de lock e validade de cache para upstream.
 - **`cache_zones.conf`**: Definição das zonas de memória compartilhada e chaves de cache.
 - **`compression.conf`**: Stack de compressão moderna (Brotli + Gzip) com níveis otimizados.
 - **`fingerprinting.conf`**: Cache imutável (1 ano) para assets versionados com hash no nome.
 #### 🚦 Controle de Tráfego
 - **`rate_limit.conf`**: Zonas de limitação de requisições (Global vs Punição por Score).
 - **`bandwidth_limit.conf`**: Limita a velocidade de download após X MB transferidos.
 - **`proxy_params.conf`**: Headers de encaminhamento (Real-IP, Forwarded) e ofuscação de backend.
 - **`ssl_params.conf`**: Configuração TLS 1.3, HSTS e HTTP/3 (QUIC).
 - **`acme_challenge.conf`**: Endpoint para renovação de certificados SSL (Certbot).
 #### 📊 Monitoramento & Identidade
 - **`log_formats.conf`**: Define o formato JSON `detailed_proxy` rico em metadados de segurança.
 - **`stub_status.conf`**: Endpoint de métricas internas do Nginx (para Zabbix/Prometheus).
 - **`humans.txt.conf`**: Rota para arquivos de créditos técnicos.
 - **`security.txt.conf`**: Rota padrão (RFC 9116) para reporte de segurança.
 - **`well_known.conf`**: Agregador que inclui robots, humans e security.txt de uma vez.
 ---
 ## 🛡️ Camada de WAF (ModSecurity 3.0.14)
 O Pathfinder Proxy utiliza o **ModSecurity v3** compilado sob medida para o Nginx Mainline.
 - **Versão Nginx**: 1.29.5 Mainline (Oficial).
 - **Versão ModSec**: 3.0.14.
 - **Regras**: OWASP Core Rule Set (CRS) v4 (Instalação Minimalista).
 - **Anti-Brute Force**: Proteção integrada contra força bruta em páginas de login via ModSecurity Collections (Phase 1).
 - **API Support**: Métodos **PUT, PATCH e DELETE** liberados por padrão para suporte a sistemas modernos.
 - **Tuning**: Arquivo `modsec/app_specific_modsec_tuning.conf` centraliza exceções granulares (Zabbix, Gitea, UniFi, Veeam).
 ---
 ## 🧠 Motor de Segurança PSDE "Elite" (8-Vector Matrix)
 Diferente de firewalls comuns, o Pathfinder utiliza uma **Matriz de Pontuação Combinatória** no `security_maps.conf` que analisa 8 vetores simultâneos:
 1.  **🛡️ Bot:** Bloqueio de 600+ user-agents maliciosos.
 2.  **🌐 URI:** Acesso a arquivos sensíveis e assinaturas de CVEs recentes.
 3.  **⚙️ Method:** Métodos HTTP perigosos (TRACE, DEBUG) em rotas críticas.
 4.  **🔥 Payload:** Inspeção profunda de `$args` (SQLi, XSS, RCE, Log4j).
 5.  **🌍 Geo:** Risco por país (CN, RU, KP, IR) via **GeoIP2**.
 6.  **🚦 Protocol:** Violações como User-Agents vazios ou falsificados.
 7.  **🔗 Referer:** 400+ domínios de spam e phishing bloqueados instantaneamente.
 8.  **🤯 Header:** Detecção de anomalias em cabeçalhos customizados (ex: React2Shell CVE-2025-55182).
 ### 📈 Lógica de Decisão
 - **Nivel 3 (ATAQUE_CRITICO)**: Payloads maliciosos, Referer Spam, Headers Corrompidos ou combinação de 3+ vetores.
 - **Nivel 2 (RISCO_ALTO)**: Combinação de 2 vetores de risco (ex: Bot + Geo-Risco).
 - **Nivel 1 (SUSPEITO)**: Detecção de sinais individuais.
 ---
 ## 🛠️ Workflow Operacional: Ativando um Novo Site
 Siga este procedimento para colocar um novo sistema no ar com segurança máxima:
 ### 1. Preparação no Repositório (Local)
 1. Crie o arquivo `nginx/conf.d/nome-do-site.conf` seguindo o **Padrão Ouro**.
 2. **Atenção:** Aponte os caminhos de certificado para `/etc/letsencrypt/live/nome-do-site/`.
 3. Faça o commit e push para a branch `producao`.
 ### 2. Sincronização no Servidor (SSH)
 1. Entre no servidor e vá para o diretório de scripts: `cd /etc/nginx/scripts/`.
 2. Execute o deploy seguro: `sudo python3 deploy_pathfinder.py`.
   - **Nota:** Este script faz backup automático e rollback se a configuração estiver errada.
 ---
 ## 🛠️ Automação de Deploy (Pathfinder Automator V2 - Hybrid)
 O Pathfinder conta com o orquestrador `scripts/deploy_pathfinder.py`, que agora funciona em modo **Híbrido (Windows Client -> Linux Server)**. Você roda o script na sua máquina local e ele faz todo o trabalho sujo.
 ### Pré-requisitos
- Docker & Docker Compose instalados
+- Python 3 instalado no Windows.
- Acesso à internet (para baixar imagens e validar SSL)
+- Biblioteca Paramiko: `pip install paramiko`
-### 1. Implantar o Servidor (Deploy)
+### Comandos Principais
-Para iniciar toda a infraestrutura:
+- **`python producao/scripts/deploy_pathfinder.py sync --all`**: 
  - Empacota suas configs locais.
  - Conecta no servidor via SSH.
  - Atualiza bancos GeoIP automaticamente.
  - Sincroniza configurações e recarrega o Nginx.
  - **Faz Rollback Automático** se o `nginx -t` falhar.
 - **`python producao/scripts/deploy_pathfinder.py site --deploy <domínio>`**:
  - Sobe um novo VHost + Certificado SSL + Teste de DNS.
 - **`python producao/scripts/deploy_pathfinder.py geoip --update`**:
  - Força a atualização dos bancos de dados GeoIP2 (Mirror GitHub).
 ### 🛡️ Segurança de Operação
 - **Backup & Rollback Atômico**: Cada alteração gera um `.bak`. Se `nginx -t` falhar, o script desfaz a alteração imediatamente.
 - **Auditoria Syslog**: Todas as ações são registradas no syslog do servidor.
 - **Validação Local**: O script retorna `Exit Code 1` no Windows se falhar no Linux, ideal para CI/CD.
 - **DNS Safeguard**: O deploy de SSL só ocorre se o DNS já estiver apontando para o IP do servidor, evitando bloqueios no Let's Encrypt.
 ---
 ## 🔐 Gestão de SSL (Let's Encrypt)
 O Pathfinder Proxy usa o desafio **HTTP-01** via snippet `acme_challenge.conf`. Isso permite emitir certificados sem parar o Nginx.
 ### Emissão do Primeiro Certificado
 Rode os comandos abaixo (substitua o domínio):
 1. **Criar pasta de desafios (se não existir):**
   ```bash
   sudo mkdir -p /var/lib/letsencrypt && sudo chown www-data:www-data /var/lib/letsencrypt
   ```
 2. **Gerar o certificado:**
   ```bash
   sudo certbot certonly --webroot -w /var/lib/letsencrypt/ -d meusite.com.br -d www.meusite.com.br
   ```
 > [!TIP]
 > **Atenção aos Caminhos:** Se o Certbot gerar uma pasta com final `-0001`, certifique-se de que o arquivo `.conf` do seu site em `/etc/nginx/conf.d/` aponta para o caminho exato gerado por ele. Você pode conferir os caminhos ativos com `sudo certbot certificates`.
 ---
 ## 🚀 Manutenção e Logs
 ### Recompilar WAF e Performance (Se necessário)
 Se o Nginx for atualizado ou se precisar habilitar o Brotli, o módulo precisará ser recompilado usando o script:
 `sudo ./scripts/setup_pathfinder.sh`
 ### Validação
 Sempre teste a configuração antes do reload:
 ```bash
-./deploy.sh
+sudo nginx -t
-```
+sudo systemctl reload nginx
 *Este script detecta seu IP público, configura o ambiente e sobe os containers.*
 ### 2. Adicionar um Novo Site
 Todas as configurações de sites ficam na pasta `conf.d/`.
 1. **Crie o arquivo de configuração**:
   Crie um arquivo `.conf` em `conf.d/` (ex: `meusite.com.br.conf`). Use um dos arquivos existentes como modelo.
   **Modelo Básico (com SSL):**
   ```nginx
   # Backend (para onde vai o tráfego)
   upstream meu_backend {
       server 192.168.1.10:8080;
   }
   # Redirecionamento HTTP -> HTTPS
   server {
       listen 80;
       server_name meusite.com.br;
       include /etc/nginx/snippets/acme_challenge.conf; # Importante para SSL
       return 301 https://$host$request_uri;
   }
   # Bloco HTTPS
   server {
       listen 443 ssl;
       http2 on;
       server_name meusite.com.br;
       ssl_certificate /etc/nginx/ssl/meusite.com.br.crt;
       ssl_certificate_key /etc/nginx/ssl/meusite.com.br.key;
       include /etc/nginx/snippets/ssl_params.conf;
       location / {
           proxy_pass http://meu_backend;
           include /etc/nginx/includes/proxy_backend.conf;
       }
   }
   ```
 2. **Aplique as alterações**:
   ```bash
   docker compose restart nginx-proxy
   ```
   *No reinício, o script de pre-flight validará o DNS e injetará configurações de SSL necessárias.*
 ### 3. Modificar Configurações Globais
 As configurações globais são modularizadas na pasta `snippets/`.
 - **Rate Limiting**: Edite `snippets/rate_limit.conf` para ajustar os limites de requisições por segundo.
 - **Bloqueio de Bots**: Edite `snippets/security_maps.conf` para adicionar novos User-Agents à lista negra.
 - **Cache**: Edite `snippets/cache_zones.conf` para definir novas zonas ou tempos de cache.
 ### 3.1. Modificar Regras do WAF (ModSecurity)
 O WAF agora utiliza uma estrutura modular de regras localizada na pasta `modsec_rules/`.
 - **Arquivos Específicos**: Regras para Gitea, Nextcloud, Exchange, Zabbix, etc. ficam em seus respectivos arquivos `.conf`.
 - **Global**: `global-exceptions.conf` contém apenas whitelists de rede interna.
 - **Aplicação**: Após editar qualquer regra, reinicie o container do WAF para aplicar:
  ```bash
  docker compose restart modsecurity
  ```
 > **Nota Técnica**: O arquivo `modsec.conf.template` na raiz é injetado no container durante o boot para contornar problemas de permissão e garantir o carregamento das regras customizadas.
 ### 4. Gerenciar Certificados SSL
 O sistema gerencia isso automaticamente, mas você pode intervir manualmente se necessário.
 - **Verificar Validade**:
  Verifique os logs do startup para ver o status de todos os domínios:
  ```bash
  docker compose logs nginx-proxy | grep "SSL"
  ```
 - **Forçar Renovação**:
  Se precisar renovar um certificado imediatamente:
  ```bash
  docker compose exec nginx-proxy /scripts/renew_ssl.sh
  ```
 - **Reload sem Downtime (Recomendado)**:
  Para aplicar alterações de configuração (vhosts, SSL) sem derrubar conexões ativas:
  ```bash
  ./scripts/reload.sh
  ```
 ### 5. Monitorar e Debugar
 - **Verificar Status dos Containers**:
  ```bash
  docker compose ps
  ```
 - **Ver Logs em Tempo Real**:
  ```bash
  docker compose logs -f
  ```
 - **Verificar se o WAF (ModSecurity) bloqueou algo**:
  ```bash
  docker compose logs modsecurity | grep "Access denied"
  ```
 - **Verificar Banimentos do Fail2ban**:
  ```bash
  docker compose exec fail2ban fail2ban-client status nginx-badbots
  ```
 ---
 ## 🏗️ Visão Geral da Stack
 ```mermaid
 graph TD
    subgraph Internet
        Client[Cliente Externo]
    end
    subgraph Host["Host Docker (Portainer)"]
        subgraph PathfinderStack["Stack: Pathfinder-Proxy<br/>Rede: 172.112.0.0/16"]
            WAF["ModSecurity WAF<br/>172.112.0.3<br/>:80, :443"]
            NGINX["nginx-proxy<br/>172.112.0.2<br/>:8080 interno"]
            F2B["fail2ban<br/>network: host"]
        end
        subgraph HostNetwork["Rede Física do Host"]
            HostIP["host.docker.internal<br/>(gateway)"]
        end
        subgraph OtherStacks["Outras Stacks Docker"]
            Container1["Container A<br/>172.111.0.x"]
            Container2["Container B<br/>172.113.0.x"]
        end
    end
    subgraph ExternalServers["Servidores Externos"]
        Server254["10.10.253.254"]
        Server128["10.10.253.128<br/>Gitea"]
    end
    Client -->|":80/:443"| WAF
    WAF -->|"proxy_pass :8080"| NGINX
    F2B -.->|"lê logs"| WAF
    F2B -.->|"lê logs"| NGINX
    NGINX -->|"extra_hosts<br/>host-gateway"| HostIP
    NGINX -.->|"bridge network"| Container1
    NGINX -.->|"bridge network"| Container2
    HostIP -->|"roteamento"| Server254
    HostIP -->|"roteamento"| Server128
    style WAF fill:#e74c3c,stroke:#c0392b,color:#fff
    style NGINX fill:#3498db,stroke:#2980b9,color:#fff
    style F2B fill:#27ae60,stroke:#1e8449,color:#fff
    style Server128 fill:#9b59b6,stroke:#8e44ad,color:#fff
    style Server254 fill:#9b59b6,stroke:#8e44ad,color:#fff
    style HostIP fill:#f39c12,stroke:#d68910,color:#fff
    style Container1 fill:#1abc9c,stroke:#16a085,color:#fff
    style Container2 fill:#1abc9c,stroke:#16a085,color:#fff
 ```
---
+### Auditoria e Diagnósticos
 O Pathfinder agora reporta a **razão exata** do bloqueio nos logs JSON:
 `tail -f /var/log/nginx/access_json.log | jq -r '"[\(.risk_category)] -> \(.risk_reason) | \(.request)"'`
-## 📋 Sistemas e Servidores Configurados
+- **`risk_category`**: TAG curta para máquinas (LIMPO, SUSPEITO, RISCO_ALTO, ATAQUE_CRITICO).
-
+- **`risk_reason`**: Motivo humano detalhado (ex: "COMBINACAO: Bot conhecido em local sensivel").
 Lista de todos os sistemas roteados pelo proxy, organizados por tipo de infraestrutura.
 | Domínio | IP/Backend | Docker | VM | LXC | Descrição |
 |---------|------------|:------:|:--:|:---:|-----------|
 | `git.itguys.com.br` | 10.10.253.128 | ❌ | ❌ | ✅ | Gitea - Servidor Git |
 | `zammad.itguys.com.br` | 172.16.254.59 | ❌ | ❌ | ✅ | Zammad - Helpdesk |
 | `monitoramento.itguys.com.br` | 172.16.254.x | ❌ | ❌ | ✅ | Zabbix/Grafana |
 | `mimir.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | Mimir - Métricas |
 | `windmill.grupopralog.com.br` | 172.16.253.103:8000 | ❌ | ❌ | ✅ | Windmill - Automação |
 | `katalog.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | Katalog |
 | `verbocloud.itguys.com.br` | 172.16.253.13:11580 | ❌ | ❌ | ✅ | Nextcloud AIO |
 | `cloud.grupopralog.com.br` | 172.16.253.12 | ❌ | ❌ | ✅ | Nextcloud Pralog |
 | `srvoffice001.itguys.com.br` | 172.16.253.101 | ❌ | ✅ | ❌ | Exchange Server |
 | `business.itguys.com.br` | 172.16.121.13 | ❌ | ✅ | ❌ | Exchange OWA |
 | `vcenter.itguys.com.br` | 172.16.254.110:443 | ❌ | ✅ | ❌ | VMware vCenter |
 | `unifi.itguys.com.br` | 172.16.254.123:8443 | ❌ | ✅ | ❌ | UniFi Controller |
 | `workspace.itguys.com.br` | 172.16.121.2 | ❌ | ✅ | ❌ | Workspace Windows |
 | `vscode.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | VS Code Server |
 | `telefonia.itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Central Telefônica |
 | `proxy.itguys.com.br` | localhost | ✅ | ❌ | ❌ | Este proxy |
 | `itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Principal |
 | `pralog.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Pralog |
 | `anatram.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Anatram |
 | `ferreirareal.com.br` | 172.16.x.x | ✅ | ❌ | ❌ | Site Ferreira Real |
 | `petytransportes.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Pety Transportes |
 | `solucionei.itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Solucionei |
 | `rhema.itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Rhema |
 | `integra.grupopralog.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | Integração Pralog |
 | `ns1.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | DNS Primário |
 | `ns2.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | DNS Secundário |
 | `dns-primario.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | DNS Admin |
 > [!NOTE]
 > **Legenda:** Docker = Container Docker | VM = Máquina Virtual (VMware/Hyper-V) | LXC = Linux Container (Proxmox)
 > 
 > IPs marcados como `172.16.x.x` precisam ser verificados nos arquivos de configuração individuais.
 ---
 *Mantido por IT Guys*
--- a/certbot/conf/options-ssl-nginx.conf
+++ b/certbot/conf/options-ssl-nginx.conf
@ -1,7 +0,0 @@
 ssl_session_cache shared:le_nginx_SSL:1m;
 ssl_session_timeout 1440m;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers off;
 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
--- a/certbot/conf/ssl-dhparams.pem
+++ b/certbot/conf/ssl-dhparams.pem
@ -1,8 +0,0 @@
 -----BEGIN DH PARAMETERS-----
 MIIBDAKCAQEA7aEz2xmnoIbgtStbhLjO2kIgHb+mXbTBJi2aXSnMlih9Q2WWfEOY
 TrSw98BLop6l/6FS9XqCNAaB06AQLYIrXx1V3MtT1x9JcHfwbgKacDsEf+B+yYXS
 Avv8G6j6t4k0s7ovg9tVEpRr1n8YCDj1bWv1iiQjfotmzeex6NNE9rX31GvRpRhP
 jY+I9JDU0xG7GA16dNYYkq7kNPF7f1HmpFZOPiqox+IoMxZPlMZsKfRxmWpNPbgy
 Pmzbrf7i3Wj9gjjGbPSvJ5dnaz4XGqUxAXemAXhjQ9TLVEig2NNo8LeYp/1r22+H
 Wls/ddseH7N2lOr3M4oHsaUo4vsKG/SAfwIBAgICAOE=
 -----END DH PARAMETERS-----
--- a/conf.d/gps.oestepan.com.br.conf
+++ b/conf.d/gps.oestepan.com.br.conf
@ -1,88 +0,0 @@
 # ==============================================================================
 # ARQUIVO: /etc/nginx/sites-available/gps.oestepan.com.br.conf
 # AUTOR:   Gemini (Especialista NGINX)
 # DATA:    27/01/2026
 #
 # CONTEXTO:
 # Proxy Reverso para Traccar GPS (OESTEPAN).
 # ModSecurity (WAF) termina o SSL e envia tráfego descriptografado para a porta 8080.
 # ==============================================================================
 upstream traccar_backend {
    server host.docker.internal:8083;
    keepalive 32;
 }
 # ------------------------------------------------------------------------------
 # BLOCO PRINCIPAL: Porta 8080 (Tráfego vindo do ModSecurity)
 # ------------------------------------------------------------------------------
 server {
    listen 8080;
    listen [::]:8080;
    server_name gps.oestepan.com.br;
    include /etc/nginx/snippets/acme_challenge.conf;
    limit_req zone=global_limit burst=20 nodelay;
    # ============================================================================
    # LOGS
    # ============================================================================
    client_max_body_size 50M;
    access_log /var/log/nginx/gps.oestepan.com.br.access.log detailed_proxy;
    error_log /var/log/nginx/gps.oestepan.com.br.error.log warn;
    # ============================================================================
    # ROTAS (Sem SSL pois o WAF já terminou a encriptação)
    # ============================================================================
    # 1. WebSocket
    location /api/socket {
        proxy_pass http://traccar_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # Informa ao backend que é HTTPS
    }
    # 2. Rota Principal
    location / {
        proxy_pass http://traccar_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # Informa ao backend que é HTTPS
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_read_timeout 90s;
    }
 }
 # ------------------------------------------------------------------------------
 # BLOCO DUMMY: Apenas para que o script renew_ssl.sh encontre os caminhos do SSL
 # ------------------------------------------------------------------------------
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name gps.oestepan.com.br;
    # Important: These paths MUST be in /etc/nginx/ssl/ (shared volume)
    # so ModSecurity can access them. renew_ssl.sh will copy the certs here.
    ssl_certificate /etc/nginx/ssl/gps.oestepan.com.br.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/gps.oestepan.com.br.privkey.pem;
    # Retorna 444 (No Response) se alguém tentar conectar direto (bypass WAF)
    location / {
        return 444;
    }
 }
--- a/conf.d/internal_networks.conf
+++ b/conf.d/internal_networks.conf
@ -1,12 +0,0 @@
 # Internal Networks Configuration
 # Define internal network ranges for access control
 # Allow access from internal networks
 allow 10.10.0.0/16;
 allow 10.11.0.0/16;
 allow 10.12.0.0/16;
 allow 172.16.0.0/16;
 allow 127.0.0.1;
 # Deny all others (uncomment if needed)
 # deny all;
--- a/deploy.sh
+++ b/deploy.sh
@ -1,22 +0,0 @@
 #!/bin/bash
 set -e
 echo "Detecting Public IP..."
 CURRENT_IP=$(curl -s https://ifconfig.me)
 if [ -z "$CURRENT_IP" ]; then
    echo "Error: Could not detect Public IP."
    exit 1
 fi
 echo "Public IP detected: $CURRENT_IP"
 echo "HOST_PUBLIC_IP=$CURRENT_IP" > .env
 echo "Building and testing..."
 docker compose build
 docker compose run --rm nginx-proxy nginx -t
 echo "Deploying..."
 docker compose up -d
 echo "Done! Proxy is running."
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,94 +0,0 @@
 services:
  # ============================================
  # ModSecurity WAF (Frente do NGINX)
  # ============================================
  modsecurity:
    build:
      context: .
      dockerfile: Dockerfile.modsec
    container_name: modsecurity-waf
    restart: always
    ports:
      - "80:80"
      - "443:443"
    environment:
      # - BACKEND=http://nginx-proxy:8080 # Replaced by static config mount
      - PARANOIA=1
      - ANOMALY_INBOUND=5
      - ANOMALY_OUTBOUND=4
    volumes:
      - ssl_data:/etc/nginx/ssl:ro
      - modsec_logs:/var/log/modsecurity
    depends_on:
      - nginx-proxy
    extra_hosts:
      - "host.docker.internal:host-gateway"
      - "srvproxy001.itguys.com.br:172.16.254.1"
      - "srvproxy001:172.16.254.1"
      - "zammad.itguys.com.br:172.16.254.59"
      - "zammad:172.16.254.59"
      - "cloud.grupopralog.com.br:172.16.253.12"
      - "business.itguys.com.br:172.16.121.13"
      - "verbocloud.itguys.com.br:172.16.253.13"
      - "srvoffice001.itguys.com.br:172.16.253.101"
      - "srvoffice001:172.16.253.101"
  # ============================================
  # NGINX Proxy (Backend do ModSecurity)
  # ============================================
  nginx-proxy:
    build: .
    container_name: nginx-proxy
    restart: always
    expose:
      - "8080"
    environment:
      - HOST_PUBLIC_IP=${HOST_PUBLIC_IP}
    volumes:
      - ssl_data:/etc/nginx/ssl
      - nginx_cache:/var/cache/nginx
      - nginx_logs:/var/log/nginx
      - certbot_data_conf:/etc/letsencrypt
      - certbot_data_www:/var/www/certbot
      - repo_data:/opt/repo
    extra_hosts:
      - "host.docker.internal:host-gateway"
      - "server-254:10.10.253.254"
      - "srvproxy001.itguys.com.br:172.16.254.1"
      - "srvproxy001:172.16.254.1"
      - "zammad.itguys.com.br:172.16.254.59"
      - "zammad:172.16.254.59"
      - "cloud.grupopralog.com.br:172.16.253.12"
      - "business.itguys.com.br:172.16.121.13"
      - "verbocloud.itguys.com.br:172.16.253.13"
      - "srvoffice001.itguys.com.br:172.16.253.101"
      - "srvoffice001:172.16.253.101"
  # ============================================
  # Fail2ban (Lê logs e bane IPs)
  # ============================================
  fail2ban:
    build:
      context: .
      dockerfile: Dockerfile.fail2ban
    container_name: fail2ban
    restart: always
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - nginx_logs:/var/log/nginx:ro
      - modsec_logs:/var/log/modsecurity:ro
 volumes:
  nginx_cache:
  nginx_logs:
  modsec_logs:
  ssl_data:
  certbot_data_conf:
  certbot_data_www:
  repo_data:
--- a/fail2ban/data/fail2ban/README.md
+++ b/fail2ban/data/fail2ban/README.md
@ -0,0 +1,305 @@
 # Configuration README
 !! NOTICE !!
 When using [linuxserver/fail2ban](https://github.com/linuxserver/docker-fail2ban), the `*.conf` files in this directory and its subdirectories will be replaced every time the container restarts. The files are meant to be easily viewed so that you can reference them.
 If you would like to customize anything, create a `*.local` file with the same name as the `*.conf` file and apply your customizations. You do not need to copy the entire `*.conf` file to `*.local`, you only need to include things you want to change.
 For example, to adjust `jail.conf`, create `jail.local` and apply your customizations there.
 ## File Parsing Order
 Fail2ban will combine action configurations in the following order:
 ```text
 action.d/*.conf (in alphabetical order)
 action.d/*.local (in alphabetical order)
 ```
 Fail2ban will combine filter configurations in the following order:
 ```text
 filter.d/*.conf (in alphabetical order)
 filter.d/*.local (in alphabetical order)
 ```
 Fail2ban will combine jail configurations in the following order:
 ```text
 jail.conf
 jail.d/*.conf (in alphabetical order)
 jail.local
 jail.d/*.local (in alphabetical order)
 ```
 ## Chains
 Chains affect how access is restricted. There are two primary ways to restrict access.
 ### `DOCKER-USER`
 The `DOCKER-USER` chain is used to restrict access to applications running in Docker containers. This will restrict access to all containers, not just the one that the jail is configured for.
 ### `INPUT`
 The `INPUT` chain is used to restrict access to applications running on the host. This will restrict access to the host network stack. The host network stack may not be inclusive of all Docker network stacks, thus the `DOCKER-USER` chain is used separately for applications running in Docker containers.
 ### `FORWARD` (for legacy versions of Docker)
 The `FORWARD` chain may be used on systems running older versions of Docker where the `DOCKER-USER` chain is not available.
 ## `jail.local` Examples
 These are examples of what you can do in your `jail.local`. There is no universally correct way to setup `jail.local` as it depends on your needs.
 You can enable any of the pre-made jails by reviewing the files in `jail.d/` and adding a few lines to your `jail.local` to enable the jail.
 ### Basic Example
 This example shows how to enable jails for sshd on the host, and SWAG (nginx) running in a container. It also includes some general recommendations and optional lines commented out.
 In order for bans to work correctly, the `INPUT` chain should be used for applications running on the host, and the `DOCKER-USER` chain should be used for applications running in containers.
 In this basic example:
 - `sshd` expects ssh to be running on the host (not in a container), so the `INPUT` chain is used
 - `nginx-http-auth` expects nginx to be running in a container (ex: SWAG), so the `DOCKER-USER` chain is used
 ```ini
 [DEFAULT]
 # Prevents banning LAN subnets
 ignoreip    = 127.0.0.1/8 ::1
              10.0.0.0/8
              172.16.0.0/12
              192.168.0.0/16
 # The ban action "iptables-multiport" (default) should work for most
 # The ban action "iptables-allports" can be used if multiport causes issues
 #banaction = %(banaction_allports)s
 [sshd]
 # configuration inherits from jail.conf
 enabled = true
 chain   = INPUT
 action  = %(known/action)s
 [nginx-http-auth]
 # configuration inherits from jail.conf
 enabled = true
 chain   = DOCKER-USER
 action  = %(known/action)s
 [nginx-badbots]
 # configuration inherits from jail.d/nginx-badbots.conf
 enabled = true
 chain   = DOCKER-USER
 action  = %(known/action)s
 [nginx-botsearch]
 # configuration inherits from jail.conf
 enabled = true
 chain   = DOCKER-USER
 action  = %(known/action)s
 [nginx-deny]
 # configuration inherits from jail.d/nginx-deny.conf
 enabled = true
 chain   = DOCKER-USER
 action  = %(known/action)s
 [nginx-unauthorized]
 # configuration inherits from jail.d/nginx-unauthorized.conf
 enabled = true
 chain   = DOCKER-USER
 action  = %(known/action)s
 ```
 ### Incremental Banning
 This example only includes the configurations for incremental banning. You can add these lines to the `[DEFAULT]` section of your existing config.
 With these configurations, after an IP is unbanned, if it gets banned again the ban time will increase exponentially.
 ```ini
 [DEFAULT]
 # "bantime.increment" allows to use database for searching of previously banned ip's to increase a
 # default ban time
 bantime.increment = true
 # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
 bantime.maxtime = 5w
 # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier
 bantime.factor = 24
 # "bantime" is the number of seconds that a host is banned.
 bantime = 1h
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
 findtime = 24h
 # "maxretry" is the number of failures before a host get banned.
 maxretry = 5
 ```
 ### unRAID
 Add these lines to your `jail.local` to enable jails for unRAID's sshd and Web GUI.
 The `port` line for the Web GUI is optional, but if you use unRAID's My Servers plugin to enable public access you should add the port you use (replace `YOUR-UNRAID-MY-SERVERS-WAN-PORT`)
 Both of these jails protect unRAID at the host level using the `INPUT` chain.
 ```ini
 [unraid-sshd]
 # configuration inherits from jail.d/unraid-sshd.conf
 enabled = true
 chain   = INPUT
 action  = %(known/action)s
 [unraid-webgui]
 # configuration inherits from jail.d/unraid-webgui.conf
 enabled = true
 chain   = INPUT
 port    = http,https,YOUR-UNRAID-MY-SERVERS-WAN-PORT
 action  = %(known/action)s
 ```
 ### Unifi-Controller
 Add these lines to enable the jail for Unifi-Controller.
 ```ini
 [unifi-controller-auth]
 # configuration inherits from jail.d/unifi-controller-auth.conf
 enabled = true
 chain   = DOCKER-USER
 action  = %(known/action)s
 ```
 ### Additional Actions
 The default `action` will use `iptables` to perform bans. You may also apply bans using other services such as CloudFlare, report bans to services such as AbuseIPDB, or setup notifications for with services such as Apprise or Discord Webhooks.
 ```ini
 [DEFAULT]
 # Apply additional actions to all bans with all jails
 action  = %(action_)s
          apprise-api[host="127.0.0.1", tag="fail2ban"]
          cloudflare[cfuser="YOUR-EMAIL", cftoken="YOUR-TOKEN"]
          discord-webhook[webhook="https://discord.com/api/webhooks/######/######"]
 abuseipdb_apikey = YOUR-API-KEY
 [sshd]
 # Apply additional actions only to bans for the sshd jail
 action  = %(known/action)s
          abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,22"]
 [unifi-controller-auth]
 # Apply additional actions only to bans for the unifi-controller-auth jail
 action  = %(known/action)s
          abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,21"]
 ```
 ### Full Example
 ```ini
 [DEFAULT]
 # "bantime.increment" allows to use database for searching of previously banned ip's to increase a
 # default ban time
 bantime.increment = true
 # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
 bantime.maxtime = 5w
 # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier
 bantime.factor = 24
 # "bantime" is the number of seconds that a host is banned.
 bantime = 1h
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
 findtime = 24h
 # "maxretry" is the number of failures before a host get banned.
 maxretry = 5
 # Prevents banning LAN subnets
 ignoreip    = 127.0.0.1/8 ::1
              10.0.0.0/8
              172.16.0.0/12
              192.168.0.0/16
 # The ban action "iptables-multiport" (default) should work for most
 # The ban action "iptables-allports" can be used if multiport causes issues
 #banaction = %(banaction_allports)s
 # Read https://github.com/sebres/PoC/blob/master/FW.IDS-DROP-vs-REJECT/README.md before changing block type
 # The block type "REJECT --reject-with icmp-port-unreachable" (default behavior) should respond to, but then instantly reject connection attempts
 # The block type "DROP" should not respond to connection attempts, resulting in a timeout
 #banaction = iptables-multiport[blocktype=DROP]
 # Add additional actions
 action  = %(action_)s
          apprise-api[host="127.0.0.1", tag="fail2ban"]
          cloudflare[cfuser="YOUR-EMAIL", cftoken="YOUR-TOKEN"]
 abuseipdb_apikey = YOUR-API-KEY
 [unraid-sshd]
 # configuration inherits from jail.d/unraid-sshd.conf
 enabled = true
 chain   = INPUT
 action  = %(known/action)s
          abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,22"]
 [unraid-webgui]
 # configuration inherits from jail.d/unraid-webgui.conf
 enabled = true
 chain   = INPUT
 port    = http,https,YOUR-UNRAID-MY-SERVERS-WAN-PORT
 action  = %(known/action)s
          abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,21"]
 [unifi-controller-auth]
 # configuration inherits from jail.d/unifi-controller-auth.conf
 enabled = true
 chain   = DOCKER-USER
 action  = %(known/action)s
          abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,21"]
 [vaultwarden-auth]
 # configuration inherits from jail.d/vaultwarden-auth.conf
 enabled = true
 chain   = DOCKER-USER
 action  = %(known/action)s
          abuseipdb[abuseipdb_apikey="%(abuseipdb_apikey)s", abuseipdb_category="18,21"]
 ```
 ## Customizing jails
 You can customize additional aspects about a jail by modifying your `jail.local` file.
 ```ini
 [unifi-controller-auth]
 # configuration inherits from jail.d/unifi-controller-auth.conf
 enabled = true
 # If you are using non-standard ports for your unifi-controller, you can specify the ports you use
 port    = 8081,8442
 # If your log file is mounted to a non-standard location inside the container, you can specify the path that the container will see your log file
 logpath = /path/to/unificontroller/server.log
 # If you are running the unifi-controller on your host (not in a docker container) you can change the chain to INPUT
 #chain   = INPUT
 # If you are running the unifi-controller in a docker container you can change the chain to DOCKER-USER
 #chain   = DOCKER-USER
 ```
--- a/fail2ban/data/fail2ban/action.d/abuseipdb.conf
+++ b/fail2ban/data/fail2ban/action.d/abuseipdb.conf
@ -1,3 +1,4 @@
 ## Version 2024/05/20
 # Fail2ban configuration file
 #
 # Action to report IP address to abuseipdb.com
@ -80,7 +81,7 @@ actioncheck =
 #          use my (Shaun's) helper PHP script by commenting out the first #actionban
 #          line below, uncommenting the second one, and pointing the URL at
 #          wherever you install the helper script. For the PHP helper script, see
-#          <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
+#          <https://github.com/parseword/fail2ban-abuseipdb/>
 #
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
--- a/fail2ban/data/fail2ban/action.d/apf.conf
+++ b/fail2ban/data/fail2ban/action.d/apf.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 # https://www.rfxn.com/projects/advanced-policy-firewall/
 #
--- a/fail2ban/data/fail2ban/action.d/apprise-api.conf
+++ b/fail2ban/data/fail2ban/action.d/apprise-api.conf
@ -0,0 +1,60 @@
 ## Version 2022/08/06
 # Fail2Ban action configuration for apprise-api
 # Author: Roxedus https://github.com/Roxedus
 # Modified by: nemchik https://github.com/nemchik
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = curl -X POST -d '{"tag": "<tag>", "type": "info", "body": "The jail <name> as been started successfully."}' \
          -H "Content-Type: application/json" \
          <url>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = curl -X POST -d '{"tag": "<tag>", "type": "info", "body": "The jail <name> has been stopped."}' \
          -H "Content-Type: application/json" \
          <url>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = curl -X POST -d '{"tag": "<tag>", "type": "warning", "body": "The IP <ip> has just been banned from <name> after <failures> attempts."}' \
          -H "Content-Type: application/json" \
          <url>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = curl -X POST -d '{"tag": "<tag>", "type": "success", "body": "The IP <ip> has just been unbanned from <name>."}' \
          -H "Content-Type: application/json" \
          <url>
 [Init]
 proto = http
 host = apprise
 port = 8000
 key = apprise
 url = <proto>://<host>:<port>/notify/<key>
 #tag = fail2ban
 tag = all
--- a/fail2ban/data/fail2ban/action.d/apprise.conf
+++ b/fail2ban/data/fail2ban/action.d/apprise.conf
@ -1,3 +1,4 @@
 ## Version 2024/09/02
 # Fail2Ban configuration file
 #
 # Author: Chris Caron <lead2gold@gmail.com>
@ -10,7 +11,7 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = printf %%b "The jail <name> as been started successfully." | <apprise> -t "[Fail2Ban] <name>: started on `uname -n`"
+actionstart = printf %%b "The jail <name> has been started successfully." | <apprise> -t "[Fail2Ban] <name>: started on `uname -n`"
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
--- a/fail2ban/data/fail2ban/action.d/blocklist_de.conf
+++ b/fail2ban/data/fail2ban/action.d/blocklist_de.conf
@ -1,3 +1,4 @@
 ## Version 2019/06/29
 # Fail2Ban configuration file
 #
 # Author: Steven Hiscocks
@ -30,6 +31,9 @@
 [Definition]
 # bypass reporting of restored (already reported) tickets:
 norestored = 1
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
--- a/fail2ban/data/fail2ban/action.d/bsd-ipfw.conf
+++ b/fail2ban/data/fail2ban/action.d/bsd-ipfw.conf
@ -1,3 +1,4 @@
 ## Version 2023/11/18
 # Fail2Ban configuration file
 #
 # Author: Nick Munger
@ -80,7 +81,7 @@ block = ip
 # Option:  blocktype
 # Notes.:  How to block the traffic. Use a action from man 5 ipfw
 #          Common values: deny, unreach port, reset
-#          ACTION defination at the top of man ipfw for allowed values.
+#          ACTION definition at the top of man ipfw for allowed values.
 # Values:  STRING
 #
 blocktype = unreach port
--- a/fail2ban/data/fail2ban/action.d/cloudflare-token.conf
+++ b/fail2ban/data/fail2ban/action.d/cloudflare-token.conf
@ -1,3 +1,4 @@
 ## Version 2025/03/01
 #
 # Author: Logic-32
 #
@ -50,7 +51,8 @@ actionban = curl -s -X POST "<_cf_api_url>" \
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = id=$(curl -s -X GET "<_cf_api_url>?mode=<cfmode>&notes=<notes>&configuration.target=<cftarget>&configuration.value=<ip>" \
+actionunban = id=$(curl -s -G -X GET "<_cf_api_url>" \
              --data-urlencode "mode=<cfmode>" --data-urlencode "notes=<notes>" --data-urlencode "configuration.target=<cftarget>" --data-urlencode "configuration.value=<ip>" \
              <_cf_api_prms> \
                  | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
                  | tr -d ' "' \
@ -67,7 +69,7 @@ _cf_api_prms = -H "Authorization: Bearer <cftoken>" -H "Content-Type: applicatio
 # Declare your Cloudflare Authorization Bearer Token in the [DEFAULT] section of your jail.local file.
-# The Cloudflare <ZONE_ID> of hte domain you want to manage.
+# The Cloudflare <ZONE_ID> of the domain you want to manage.
 #
 # cfzone =
--- a/fail2ban/data/fail2ban/action.d/cloudflare.conf
+++ b/fail2ban/data/fail2ban/action.d/cloudflare.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 #
 # Author: Mike Rushton
 #
--- a/fail2ban/data/fail2ban/action.d/complain.conf
+++ b/fail2ban/data/fail2ban/action.d/complain.conf
@ -1,3 +1,4 @@
 ## Version 2023/11/22
 # Fail2Ban configuration file
 #
 # Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
@ -16,7 +17,7 @@
 #
 # Please do not use this action unless you are certain that fail2ban
 # does not result in "false positives" for your deployment.  False
-# positive reports could serve a mis-favor to the original cause by
+# positive reports could serve a misfavor to the original cause by
 # flooding corresponding contact addresses, and complicating the work
 # of administration personnel responsible for handling (verified) legit
 # complains.
--- a/fail2ban/data/fail2ban/action.d/discord-webhook.conf
+++ b/fail2ban/data/fail2ban/action.d/discord-webhook.conf
@ -0,0 +1,44 @@
 ## Version 2022/08/06
 # Author: Gilbn from https://technicalramblings.com
 # Adapted Source: https://gist.github.com/sander1/075736a42db2c66bc6ce0fab159ca683
 # Create the Discord Webhook in: Server settings -> Webhooks -> Create Webhooks
 [Definition]
 # Notify on Startup
 actionstart = curl -X POST "<webhook>" \
            -H "Content-Type: application/json" \
            -d '{"username":"<botname>", "content":":white_check_mark: The **[<name>]** jail has started"}'
 # Notify on Shutdown
 actionstop = curl -X POST "<webhook>" \
            -H "Content-Type: application/json" \
            -d '{"username":"<botname>", "content":":no_entry: The **[<name>]** jail has been stopped"}'
 #
 actioncheck =
 # Notify on Banned 
 actionban = curl -X POST "<webhook>" \
            -H "Content-Type: application/json" \
            -d '{"username":"<botname>", "content":"<discord_userid> :bell: **[<name>]** :hammer:**BANNED**:hammer: IP: [<ip>](<url_check_ip><ip>) for **<bantime>** seconds after **<failures>** failure(s). If you want to unban the IP run: `fail2ban-client unban <ip>`"}'
 # Notify on Unbanned
 actionunban = curl -X POST "<webhook>" \
            -H "Content-Type: application/json" \
            -d '{"username":"<botname>", "content":":bell: **[<name>]** **UNBANNED** IP: [<ip>](<url_check_ip><ip>)"}'
 [Init]
 # Discord Webhook URL
 webhook = https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 # Discord Bot Username
 botname = Fail2Ban
 # User ID to ping
 # ex: discord_userid = "<@!1234567890>"
 discord_userid = 
 # URL prefix for an IP checking website
 # abuseipdb is used by default since there is also an action to report an IP to their API
 url_check_ip = https://www.abuseipdb.com/check/
--- a/fail2ban/data/fail2ban/action.d/dshield.conf
+++ b/fail2ban/data/fail2ban/action.d/dshield.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Russell Odom <russ@gloomytrousers.co.uk>
--- a/fail2ban/data/fail2ban/action.d/dummy.conf
+++ b/fail2ban/data/fail2ban/action.d/dummy.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/firewallcmd-allports.conf
+++ b/fail2ban/data/fail2ban/action.d/firewallcmd-allports.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Donald Yandt 
--- a/fail2ban/data/fail2ban/action.d/firewallcmd-common.conf
+++ b/fail2ban/data/fail2ban/action.d/firewallcmd-common.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Donald Yandt
--- a/fail2ban/data/fail2ban/action.d/firewallcmd-ipset.conf
+++ b/fail2ban/data/fail2ban/action.d/firewallcmd-ipset.conf
@ -1,3 +1,4 @@
 ## Version 2024/11/07
 # Fail2Ban action file for firewall-cmd/ipset
 #
 # This requires:
@ -18,36 +19,36 @@ before = firewallcmd-common.conf
 [Definition]
-actionstart = <ipstype_<ipsettype>/actionstart>
+actionstart = <ipsbackend_<ipsetbackend>/actionstart>
              firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
-actionflush = <ipstype_<ipsettype>/actionflush>
+actionflush = <ipsbackend_<ipsetbackend>/actionflush>
 actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
             <actionflush>
-             <ipstype_<ipsettype>/actionstop>
+             <ipsbackend_<ipsetbackend>/actionstop>
-actionban = <ipstype_<ipsettype>/actionban>
+actionban = <ipsbackend_<ipsetbackend>/actionban>
 # actionprolong = %(actionban)s
-actionunban = <ipstype_<ipsettype>/actionunban>
+actionunban = <ipsbackend_<ipsetbackend>/actionunban>
-[ipstype_ipset]
+[ipsbackend_ipset]
-actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
+actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettime> maxelem <maxelem> <familyopt>
 actionflush = ipset flush <ipmset>
-actionstop = ipset destroy <ipmset>
+actionstop = ipset destroy <ipmset> 2>/dev/null || { sleep 1; ipset destroy <ipmset>; }
 actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
 actionunban = ipset -exist del <ipmset> <ip>
-[ipstype_firewalld]
+[ipsbackend_firewalld]
-actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> <firewalld_familyopt>
+actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=<ipsettype> --option=timeout=<default-ipsettime> --option=maxelem=<maxelem> <firewalld_familyopt>
 # TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd
 actionflush = 
@ -60,6 +61,11 @@ actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
 [Init]
 # Option: ipsettype
 # Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
 # Values: hash:ip, hash:net, etc... Default: hash:ip
 ipsettype = hash:ip
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
@ -77,15 +83,21 @@ default-ipsettime = 0
 # Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
 ipsettime = 0
-# expresion to caclulate timeout from bantime, example:
+# Option: maxelem
 # Notes:  maximal number of elements which can be stored in the ipset
 #         You may want to increase this for long-duration/high-volume jails
 # Values: [ NUM ] Default: 65536
 maxelem = 65536
 # expression to calculate timeout from bantime, example:
 # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
 timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
-# Option: ipsettype
+# Option: ipsetbackend
-# Notes.: defines type of ipset used for match-set (firewalld or ipset)
+# Notes.: defines the backend of ipset used for match-set (firewalld or ipset)
 # Values: firewalld or ipset
 # Default: ipset
-ipsettype = ipset
+ipsetbackend = ipset
 # Option: actiontype
 # Notes.: defines additions to the blocking rule
@ -118,4 +130,4 @@ firewalld_familyopt = --option=family=inet6
 # DEV NOTES:
 #
 # Author: Edgar Hoch, Daniel Black, Sergey Brester and Mihail Politaev
-# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
+# firewallcmd-new / iptables-ipset-proto6 combined for maximum goodness
--- a/fail2ban/data/fail2ban/action.d/firewallcmd-multiport.conf
+++ b/fail2ban/data/fail2ban/action.d/firewallcmd-multiport.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Donald Yandt 
--- a/fail2ban/data/fail2ban/action.d/firewallcmd-new.conf
+++ b/fail2ban/data/fail2ban/action.d/firewallcmd-new.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Because of the --remove-rules in stop this action requires firewalld-0.3.8+
--- a/fail2ban/data/fail2ban/action.d/firewallcmd-rich-logging.conf
+++ b/fail2ban/data/fail2ban/action.d/firewallcmd-rich-logging.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Authors: Donald Yandt, Sergey G. Brester
--- a/fail2ban/data/fail2ban/action.d/firewallcmd-rich-rules.conf
+++ b/fail2ban/data/fail2ban/action.d/firewallcmd-rich-rules.conf
@ -1,3 +1,4 @@
 ## Version 2024/08/07
 # Fail2Ban configuration file
 #
 # Author: Donald Yandt 
@ -35,7 +36,7 @@ actioncheck =
 #
 # Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp 
-fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
+fwcmd_rich_rule = rule family=\"<family>\" source address=\"<ip>\" port port=\"$p\" protocol=\"<protocol>\" %(rich-suffix)s
 actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
--- a/fail2ban/data/fail2ban/action.d/gotify.conf
+++ b/fail2ban/data/fail2ban/action.d/gotify.conf
@ -0,0 +1,52 @@
 ## Version 2022/12/18
 # Fail2Ban configuration file
 #
 # Author: Quietsy
 #
 # Add the following to jail.local (uncommented) to apply the gotify action to all bans with all jails
 # Change the url to have a valid gotify address and a valid token
 #
 # [DEFAULT]
 # action  = %(action_)s
 #           gotify[url="https://gotify.domain.com/message?token=lkghlkhjo8y9"]
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = curl --data '{"message": "Started <name>"}' -X POST -H Content-Type:application/json <url>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = curl --data '{"message": "Stopped <name>"}' -X POST -H Content-Type:application/json <url>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = curl -X POST -H Content-Type:application/json <url> \
 	--data '{"message": "⛔ <name> ⛔\n\n<ip> got banned for <bantime> seconds after <failures> tries.\n\nUnban command:\nfail2ban-client unban <ip>"}'
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = curl -X POST -H Content-Type:application/json <url> --data '{"message": "✅ <name> ✅\n\n<ip> is now unbanned"}'
 [Init]
 url =
--- a/fail2ban/data/fail2ban/action.d/helpers-common.conf
+++ b/fail2ban/data/fail2ban/action.d/helpers-common.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 [DEFAULT]
 # Usage:
--- a/fail2ban/data/fail2ban/action.d/hostsdeny.conf
+++ b/fail2ban/data/fail2ban/action.d/hostsdeny.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/ipfilter.conf
+++ b/fail2ban/data/fail2ban/action.d/ipfilter.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # NetBSD ipfilter (ipf command) ban/unban
--- a/fail2ban/data/fail2ban/action.d/ipfw.conf
+++ b/fail2ban/data/fail2ban/action.d/ipfw.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Nick Munger
--- a/fail2ban/data/fail2ban/action.d/iptables-allports.conf
+++ b/fail2ban/data/fail2ban/action.d/iptables-allports.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/iptables-ipset-proto4.conf
+++ b/fail2ban/data/fail2ban/action.d/iptables-ipset-proto4.conf
@ -1,3 +1,4 @@
 ## Version 2023/11/18
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
@ -27,7 +28,7 @@ before = iptables.conf
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
-actionstart = ipset --create f2b-<name> iphash
+actionstart = ipset --create f2b-<name> maxelem <maxelem> iphash
              <_ipt_add_rules>
@ -61,6 +62,14 @@ actionban = ipset --test f2b-<name> <ip> ||  ipset --add f2b-<name> <ip>
 #
 actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
-# Several capabilities used internaly:
+# Several capabilities used internally:
 rule-jump = -m set --match-set f2b-<name> src -j <blocktype>
 [Init]
 # Option: maxelem
 # Notes:  maximal number of elements which can be stored in the ipset
 #         You may want to increase this for long-duration/high-volume jails
 # Values: [ NUM ] Default: 65536
 maxelem = 65536
--- a/fail2ban/data/fail2ban/action.d/iptables-ipset-proto6-allports.conf
+++ b/fail2ban/data/fail2ban/action.d/iptables-ipset-proto6-allports.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
--- a/fail2ban/data/fail2ban/action.d/iptables-ipset-proto6.conf
+++ b/fail2ban/data/fail2ban/action.d/iptables-ipset-proto6.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
--- a/fail2ban/data/fail2ban/action.d/iptables-ipset.conf
+++ b/fail2ban/data/fail2ban/action.d/iptables-ipset.conf
@ -1,3 +1,4 @@
 ## Version 2024/11/07
 # Fail2Ban configuration file
 #
 # Authors: Sergey G Brester (sebres), Daniel Black, Alexander Koeppe
@ -24,7 +25,7 @@ before = iptables.conf
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
-actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
+actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettime> maxelem <maxelem> <familyopt>
              <_ipt_add_rules>
 # Option:  actionflush
@ -39,7 +40,7 @@ actionflush = ipset flush <ipmset>
 #
 actionstop = <_ipt_del_rules>
             <actionflush>
-             ipset destroy <ipmset>
+             ipset destroy <ipmset> 2>/dev/null || { sleep 1; ipset destroy <ipmset>; }
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -59,13 +60,18 @@ actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
 #
 actionunban = ipset -exist del <ipmset> <ip>
-# Several capabilities used internaly:
+# Several capabilities used internally:
 rule-jump = -m set --match-set <ipmset> src -j <blocktype>
 [Init]
 # Option: ipsettype
 # Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
 # Values: hash:ip, hash:net, etc... Default: hash:ip
 ipsettype = hash:ip
 # Option: default-ipsettime
 # Notes:  specifies default timeout in seconds (handled default ipset timeout only)
 # Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
@ -76,7 +82,13 @@ default-ipsettime = 0
 # Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
 ipsettime = 0
-# expresion to caclulate timeout from bantime, example:
+# Option: maxelem
 # Notes:  maximal number of elements which can be stored in the ipset
 #         You may want to increase this for long-duration/high-volume jails
 # Values: [ NUM ] Default: 65536
 maxelem = 65536
 # expression to calculate timeout from bantime, example:
 # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
 timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
--- a/fail2ban/data/fail2ban/action.d/iptables-multiport-log.conf
+++ b/fail2ban/data/fail2ban/action.d/iptables-multiport-log.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Guido Bozzetto
--- a/fail2ban/data/fail2ban/action.d/iptables-multiport.conf
+++ b/fail2ban/data/fail2ban/action.d/iptables-multiport.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/iptables-new.conf
+++ b/fail2ban/data/fail2ban/action.d/iptables-new.conf
@ -1,3 +1,4 @@
 ## Version 2020/02/14
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/iptables-xt_recent-echo.conf
+++ b/fail2ban/data/fail2ban/action.d/iptables-xt_recent-echo.conf
@ -1,3 +1,4 @@
 ## Version 2025/04/16
 # Fail2Ban configuration file
 #
 # Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
@ -12,8 +13,9 @@ before = iptables.conf
 [Definition]
 _ipt_chain_rule = -m recent --update --seconds 3600 --name <iptname> -j <blocktype>
-_ipt_for_proto-iter =
+_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
-_ipt_for_proto-done =
+_ipt-iter =
 _ipt-done =
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
@ -60,7 +62,7 @@ actionstop = echo / > /proc/net/xt_recent/<iptname>
 # Notes.:  command executed as invariant check (error by ban)
 # Values:  CMD
 #
-actioncheck = { <iptables> -C <chain> %(_ipt_chain_rule)s; } && test -e /proc/net/xt_recent/<iptname>
+actioncheck = { %(_ipt_check_rule)s >/dev/null 2>&1; } && test -e /proc/net/xt_recent/<iptname>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
--- a/fail2ban/data/fail2ban/action.d/iptables.conf
+++ b/fail2ban/data/fail2ban/action.d/iptables.conf
@ -1,3 +1,4 @@
 ## Version 2025/04/16
 # Fail2Ban configuration file
 #
 # Authors: Sergey G. Brester (sebres), Cyril Jaquier, Daniel Black, 
@ -62,25 +63,25 @@ pre-rule =
 rule-jump = -j <_ipt_rule_target>
-# Several capabilities used internaly:
+# Several capabilities used internally:
-_ipt_for_proto-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
+_ipt-iter = for chain in $(echo '<chain>' | sed 's/,/ /g'); do for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
-_ipt_for_proto-done = done
+_ipt-done = done; done
-_ipt_add_rules = <_ipt_for_proto-iter>
+_ipt_add_rules = <_ipt-iter>
-              { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
+              { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I $chain %(_ipt_chain_rule)s; }
-              <_ipt_for_proto-done>
+              <_ipt-done>
-_ipt_del_rules = <_ipt_for_proto-iter>
+_ipt_del_rules = <_ipt-iter>
-              <iptables> -D <chain> %(_ipt_chain_rule)s
+              <iptables> -D $chain %(_ipt_chain_rule)s
-              <_ipt_for_proto-done>
+              <_ipt-done>
-_ipt_check_rules = <_ipt_for_proto-iter>
+_ipt_check_rules = <_ipt-iter>
              %(_ipt_check_rule)s
-              <_ipt_for_proto-done>
+              <_ipt-done>
 _ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>
-_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
+_ipt_check_rule = <iptables> -C $chain %(_ipt_chain_rule)s
 _ipt_rule_target = f2b-<name>
 [ipt_oneport]
@ -99,8 +100,9 @@ _chain_rule = -p $proto <rule-jump>
 [Init]
 # Option:  chain
-# Notes    specifies the iptables chain to which the Fail2Ban rules should be
+# Notes    specifies the iptables chains to which the Fail2Ban rules should be
-#          added
+#          added. May be a single chain (e.g. INPUT) or a comma separated list
 #          (e.g. INPUT, FORWARD)
 # Values:  STRING  Default: INPUT
 chain = INPUT
@ -135,7 +137,7 @@ returntype = RETURN
 # Option:  lockingopt
 # Notes.:  Option was introduced to iptables to prevent multiple instances from
-#          running concurrently and causing irratic behavior.  -w was introduced
+#          running concurrently and causing erratic behavior.  -w was introduced
 #          in iptables 1.4.20, so might be absent on older systems
 #          See https://github.com/fail2ban/fail2ban/issues/1122
 # Values:  STRING
--- a/fail2ban/data/fail2ban/action.d/ipthreat.conf
+++ b/fail2ban/data/fail2ban/action.d/ipthreat.conf
@ -1,3 +1,4 @@
 ## Version 2023/11/22
 # IPThreat configuration file
 #
 # Added to fail2ban by Jeff Johnson (jjxtra)
@ -15,7 +16,7 @@
 # Reporting an IP is a serious action. Make sure that it is legit.
 # Consider using this action only for:
 #   * IP that has been banned more than once
-#   * High max retry to avoid user mis-typing password
+#   * High max retry to avoid user mistyping password
 #   * Filters that are unlikely to be human error
 #
 # Example:
@ -47,7 +48,7 @@
 # BadBot         256     Bad bot that is not honoring robots.txt or just flooding with too many requests, etc
 # Compromised    512     The ip has been taken over by malware or botnet
 # Phishing       1024    The ip is involved in phishing or spoofing
-# Iot            2048    The ip has targetted an iot (Internet of Things) device
+# Iot            2048    The ip has targeted an iot (Internet of Things) device
 # PortScan       4096    Port scan
 # See https://ipthreat.net/bulkreportformat for more information
 # ```
--- a/fail2ban/data/fail2ban/action.d/mail-buffered.conf
+++ b/fail2ban/data/fail2ban/action.d/mail-buffered.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/mail-whois-common.conf
+++ b/fail2ban/data/fail2ban/action.d/mail-whois-common.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Common settings for mail actions
--- a/fail2ban/data/fail2ban/action.d/mail-whois-lines.conf
+++ b/fail2ban/data/fail2ban/action.d/mail-whois-lines.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/mail-whois.conf
+++ b/fail2ban/data/fail2ban/action.d/mail-whois.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/mail.conf
+++ b/fail2ban/data/fail2ban/action.d/mail.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/mikrotik.conf
+++ b/fail2ban/data/fail2ban/action.d/mikrotik.conf
@ -0,0 +1,85 @@
 ## Version 2023/03/08
 # Fail2Ban configuration file
 #
 # Mikrotik routerOS action to add/remove address-list entries
 #
 # Author: Duncan Bellamy <dunk@denkimushi.com>
 # based on forum.mikrotik.com post by pakjebakmeel
 #
 # in the instructions:
 # (10.0.0.1 is ip of mikrotik router)
 # (10.0.0.2 is ip of fail2ban machine)
 #
 # on fail2ban machine:
 # sudo mkdir /var/lib/fail2ban/ssh
 # sudo chmod 700 /var/lib/fail2ban/ssh
 # sudo ssh-keygen -N "" -f /var/lib/fail2ban/ssh/fail2ban_id_rsa
 # sudo scp /var/lib/fail2ban/ssh/fail2ban_id_rsa.pub admin@10.0.0.1:/
 # ssh admin@10.0.0.1
 #
 # on mikrotik router:
 # /user add name=miki-f2b group=write address=10.0.0.2 password=""
 # /user ssh-keys import public-key-file=fail2ban_id_rsa.pub user=miki-f2b
 # /quit
 #
 # on fail2ban machine:
 # (check password login fails)
 # ssh miki-f2b@10.0.0.1
 # (check private key works)
 # sudo ssh -i /var/lib/fail2ban/ssh/fail2ban_id_rsa miki-f2b@10.0.0.1
 #
 # Then create rules on mikrorik router that use address
 # list(s) maintained by fail2ban eg in the forward chain
 # drop from address list, or in the forward chain drop
 # from address list to server
 #
 # example extract from jail.local overriding some defaults
 # action = mikrotik[keyfile="%(mkeyfile)s", user="%(muser)s", host="%(mhost)s", list="%(mlist)s"]
 #
 # ignoreip = 127.0.0.1/8 192.168.0.0/24
 # mkeyfile = /etc/fail2ban/ssh/mykey_id_rsa
 # muser = myuser
 # mhost = 192.168.0.1
 # mlist = BAD LIST
 [Definition]
 actionstart =
 actionstop = %(actionflush)s
 actionflush = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment~\"%(startcomment)s-*\"]"
 actioncheck =
 actionban = %(command)s "/ip firewall address-list add list=\"%(list)s\" address=<ip> comment=%(comment)s"
 actionunban = %(command)s "/ip firewall address-list remove [find list=\"%(list)s\" comment=%(comment)s]"
 command = ssh -l %(user)s -p%(port)s -i %(keyfile)s %(host)s
 # Option: user
 # Notes.: username to use when connecting to routerOS
 user =
 # Option: port
 # Notes.: port to use when connecting to routerOS
 port = 22
 # Option: keyfile
 # Notes.: ssh private key to use for connecting to routerOS
 keyfile =
 # Option: host
 # Notes.: hostname or ip of router
 host =
 # Option: list
 # Notes.: name of "address-list" to use on router
 list = Fail2Ban
 # Option: startcomment
 # Notes.: used as a prefix to all comments, and used to match for flushing rules
 startcomment = f2b-<name>
 # Option: comment
 # Notes.: comment to use on routerOS (must be unique as used for ip address removal)
 comment = %(startcomment)s-<ip>
 [Init]
 name="%(__name__)s"
--- a/fail2ban/data/fail2ban/action.d/mynetwatchman.conf
+++ b/fail2ban/data/fail2ban/action.d/mynetwatchman.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Russell Odom <russ@gloomytrousers.co.uk>
--- a/fail2ban/data/fail2ban/action.d/netscaler.conf
+++ b/fail2ban/data/fail2ban/action.d/netscaler.conf
@ -1,3 +1,4 @@
 ## Version 2023/11/18
 # Fail2ban Citrix Netscaler Action
 # by Juliano Jeziorny
 # juliano@jeziorny.eu
@ -5,7 +6,7 @@
 # The script will add offender IPs to a dataset on netscaler, the dataset can then be used to block the IPs at a cs/vserver or global level
 # This dataset is then used to block IPs using responder policies on the netscaler.
 # 
-# The script assumes using HTTPS with unsecure certificate to access the netscaler, 
+# The script assumes using HTTPS with insecure certificate to access the netscaler, 
 # if you have a valid certificate installed remove the -k from the curl lines, or if you want http change it accordingly (and remove the -k)
 # 
 # This action depends on curl
--- a/fail2ban/data/fail2ban/action.d/nftables-allports.conf
+++ b/fail2ban/data/fail2ban/action.d/nftables-allports.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/nftables-multiport.conf
+++ b/fail2ban/data/fail2ban/action.d/nftables-multiport.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/nftables.conf
+++ b/fail2ban/data/fail2ban/action.d/nftables.conf
@ -1,3 +1,4 @@
 ## Version 2025/08/08
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
@ -44,7 +45,7 @@ match = <rule_match-<type>>
 #
 rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>
-# optional interator over protocol's:
+# optional iterator over protocol's:
 _nft_for_proto-custom-iter =
 _nft_for_proto-custom-done =
 _nft_for_proto-allports-iter =
@ -55,7 +56,7 @@ _nft_for_proto-multiport-done = done
 _nft_list = <nftables> -a list chain <table_family> <table> <chain>
 _nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
-_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; \}
+_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\;<addr_options> \}
              <_nft_for_proto-<type>-iter>
              <nftables> add rule <table_family> <table> <chain> %(rule_stat)s
              <_nft_for_proto-<type>-done>
@ -97,7 +98,7 @@ actionstop = %(_nft_del_set)s
             <_nft_shutdown_table>
 # Option:  actioncheck
-# Notes.:  command executed once before each actionban command
+# Notes.:  command executed once in error case by other command (during the check/restore sane environment process)
 # Values:  CMD
 #
 actioncheck = <nftables> list chain <table_family> <table> <chain> | grep -q '@<addr_set>[ \t]'
@ -197,6 +198,11 @@ addr_set = addr-set-<name>
 # Values: [ ip | ip6 ]
 addr_family = ip
 # Option: addr_options
 # Notes: Additional options for the addr-set, by default allows to store CIDR or address ranges.
 #        Can be set to empty value to create simple addresses set.
 addr_options = <sp>flags interval\;
 [Init?family=inet6]
 addr_family = ip6
 addr_type = ipv6_addr
--- a/fail2ban/data/fail2ban/action.d/nginx-block-map.conf
+++ b/fail2ban/data/fail2ban/action.d/nginx-block-map.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file for black-listing via nginx
 #
 # Author: Serg G. Brester (aka sebres)
--- a/fail2ban/data/fail2ban/action.d/nginx-pathfinder-action.conf
+++ b/fail2ban/data/fail2ban/action.d/nginx-pathfinder-action.conf
@ -0,0 +1,27 @@
 # /etc/fail2ban/action.d/nginx-pathfinder-action.conf
 #
 # Ação Híbrida Pathfinder Proxy (2026).
 # 1. Bloqueia o IP no Firewall (UFW).
 # 2. Insere o IP no snippet 'blacklist.conf' do Nginx para bloqueio de aplicação.
 # *****************************************************************************
 [Definition]
 # Comando executado ao iniciar a jail
 actionstart = touch /etc/nginx/snippets/blacklist.conf
 # Comando de banimento: Firewall + Nginx Blacklist
 # Usamos 'prepend' no UFW para garantir que o bloqueio venha antes de qualquer permissão.
 actionban = ufw prepend deny from <ip> to any
            printf "deny <ip>;\n" >> /etc/nginx/snippets/blacklist.conf
            nginx -s reload
 # Comando de desbanimento: Remove do Firewall e do arquivo Nginx
 # O sed remove a linha exata 'deny IP;' do snippet.
 actionunban = ufw delete deny from <ip> to any
              sed -i "/deny <ip>;/d" /etc/nginx/snippets/blacklist.conf
              nginx -s reload
 [Init]
 # Nome da jail para logs de auditoria
 name = nginx-pathfinder
--- a/fail2ban/data/fail2ban/action.d/npf.conf
+++ b/fail2ban/data/fail2ban/action.d/npf.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # NetBSD npf ban/unban
--- a/fail2ban/data/fail2ban/action.d/nsupdate.conf
+++ b/fail2ban/data/fail2ban/action.d/nsupdate.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Andrew St. Jean
--- a/fail2ban/data/fail2ban/action.d/opnsense.conf
+++ b/fail2ban/data/fail2ban/action.d/opnsense.conf
@ -0,0 +1,91 @@
 ## Version 2023/02/16
 #
 # Fail2Ban action configuration for OPNsense
 # Author: https://linuxserver.io/
 #
 # Please ensure jail.local permission are secure (640) as it contains your OPNsense API key
 #
 # OPNsense API Key/Secret guide: https://docs.opnsense.org/development/how-tos/api.html
 #
 # This action maintains an OPNsense HOST group alias.
 #
 # Configure OPNsense with:
 # 							A correctly named empty HOST group alias.
 # 							An associated firewall rule.
 #
 # In most instances the OPNsense rule will likely take the form of a INBOUND WAN DROP but specifics are left to user discretion.
 #
 # WARNING:	This action allows connections to default OPNsense installs deployed with self signed TLS certificates.
 # 			If required disable this by setting `allow_insecure = false` in your `jail.local`
 #
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 #actionstart = 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 #actionstop = 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 #actioncheck = 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = curl <_allow_insecure> -s -u "<key>":"<secret>" -H "Content-Type: application/json" -d '{"address":"<ip>"}' https://<firewall>/api/firewall/alias_util/add/<alias>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = curl <_allow_insecure> -s -u "<key>":"<secret>" -H "Content-Type: application/json" -d '{"address":"<ip>"}' https://<firewall>/api/firewall/alias_util/delete/<alias>
 # Internal variable handler for `allow_insecure`
 _allow_insecure = $(if [ '<allow_insecure>' = true ]; then echo ' -k '; else echo ''; fi;)
 [Init]
 # Option:  alias
 # Notes.:  The OPNsense host group name to add the Fail2ban IP to.
 # Values:  [ STRING ]
 #
 alias =
 # Option:  firewall
 # Notes.:  Your OPNsense IP or DNS name.
 # Values:  [ STRING ]
 #
 firewall =
 # Option:  key
 # Notes.:  Your OPNsense user key.
 # Values:  [ STRING ]
 #
 key = 
 # Option:  secret
 # Notes.:  Your OPNsense user secret.
 # Values:  [ STRING ]
 #
 secret =
 # Option:  allow_insecure
 # Notes.:  Allow connections to default OPNsense installs deployed with self signed TLS certificates.
 # Values:  [ BOOLEAN ]
 #
 allow_insecure = true
--- a/fail2ban/data/fail2ban/action.d/osx-afctl.conf
+++ b/fail2ban/data/fail2ban/action.d/osx-afctl.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file for using afctl on Mac OS X Server 10.5
 #
 # Anonymous author
--- a/fail2ban/data/fail2ban/action.d/osx-ipfw.conf
+++ b/fail2ban/data/fail2ban/action.d/osx-ipfw.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Nick Munger
--- a/fail2ban/data/fail2ban/action.d/pf.conf
+++ b/fail2ban/data/fail2ban/action.d/pf.conf
@ -1,9 +1,11 @@
 ## Version 2023/12/10
 # Fail2Ban configuration file
 #
 # OpenBSD pf ban/unban
 #
 # Author: Nick Hilliard <nick@foobar.org>
 # Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
 # Modified by: Balazs Mateffy adding allproto option so all traffic gets blocked from the malicious source
 #
 #
@ -26,9 +28,11 @@
 #     }
 # to your main pf ruleset, where "namei" are the names of the jails
 # which invoke this action
 # to block all protocols use the pf[protocol=all] option
 actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f-
              port="<port>"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi
-              echo "<block> proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
+              protocol="<protocol>"; if [ "$protocol" != "all" ]; then protocol="proto $protocol"; else protocol=all; fi
              echo "<block> $protocol from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
 # Option:  start_on_demand - to start action on demand
 # Example: `action=pf[actionstart_on_demand=true]`
@ -98,6 +102,7 @@ tablename = f2b
 #
 # The action you want pf to take.
 # Probably, you want "block quick", but adjust as needed.
 # If you want to log all blocked use "blog log quick"
 block = block quick
 # Option:  protocol
--- a/fail2ban/data/fail2ban/action.d/pushover.conf
+++ b/fail2ban/data/fail2ban/action.d/pushover.conf
@ -0,0 +1,61 @@
 ## Version 2022/08/15
 #
 # Fail2Ban action configuration for Pushover
 # Author: https://linuxserver.io/
 #
 # Please ensure jail.local permission are secure as it will contain your Pushover API key
 #
 # This action requires the setup of a Pushover Application/API Token. This will require an account at https://pushover.net/
 #
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 # Comment out this action as necessary
 actionstart = curl -s -F "token=<token>" -F "user=<user>" -F "title=[Fail2Ban] <name>" -F "message=Jail <name> has been started successfully." https://api.pushover.net/1/messages
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 # Comment out this action as necessary
 actionstop = curl -s -F "token=<token>" -F "user=<user>" -F "title=[Fail2Ban] <name>" -F "message=Jail <name> has been stopped." https://api.pushover.net/1/messages
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = curl -s -F "token=<token>" -F "user=<user>" -F "title=[Fail2Ban] <name>" -F "message=Banned IP: <ip> Lines containing IP: `grep '<ip>' <logpath>`" https://api.pushover.net/1/messages
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = curl -s -F "token=<token>" -F "user=<user>" -F "title=[Fail2Ban] <name>" -F "message=Unbanned IP: <ip> Lines containing IP: `grep '<ip>' <logpath>`" https://api.pushover.net/1/messages
 [Init]
 # Option:  token
 # Notes.:  The Pushover API Token/Key setup for Fail2Ban.
 # Values:  [ STRING ]
 #
 token =
 # Option:  user
 # Notes.:  Your Pushover User Key.
 # Values:  [ STRING ]
 #
 user =
--- a/fail2ban/data/fail2ban/action.d/route.conf
+++ b/fail2ban/data/fail2ban/action.d/route.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Michael Gebetsroither
--- a/fail2ban/data/fail2ban/action.d/sendmail-buffered.conf
+++ b/fail2ban/data/fail2ban/action.d/sendmail-buffered.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/sendmail-common.conf
+++ b/fail2ban/data/fail2ban/action.d/sendmail-common.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Common settings for sendmail actions
--- a/fail2ban/data/fail2ban/action.d/sendmail-geoip-lines.conf
+++ b/fail2ban/data/fail2ban/action.d/sendmail-geoip-lines.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Viktor Szépe
--- a/fail2ban/data/fail2ban/action.d/sendmail-whois-ipjailmatches.conf
+++ b/fail2ban/data/fail2ban/action.d/sendmail-whois-ipjailmatches.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/sendmail-whois-ipmatches.conf
+++ b/fail2ban/data/fail2ban/action.d/sendmail-whois-ipmatches.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/sendmail-whois-lines.conf
+++ b/fail2ban/data/fail2ban/action.d/sendmail-whois-lines.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/sendmail-whois-matches.conf
+++ b/fail2ban/data/fail2ban/action.d/sendmail-whois-matches.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/sendmail-whois.conf
+++ b/fail2ban/data/fail2ban/action.d/sendmail-whois.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/sendmail.conf
+++ b/fail2ban/data/fail2ban/action.d/sendmail.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/shorewall-ipset-proto6.conf
+++ b/fail2ban/data/fail2ban/action.d/shorewall-ipset-proto6.conf
@ -1,3 +1,4 @@
 ## Version 2024/06/09
 # Fail2Ban configuration file
 #
 # Author: Eduardo Diaz
@ -51,7 +52,7 @@
 # Values:  CMD
 #
 actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
-              then ipset -quiet -exist create f2b-<name> hash:ip timeout <default-ipsettime>;
+              then ipset -quiet -exist create f2b-<name> <ipsettype> timeout <default-ipsettime> maxelem <maxelem>;
              fi
 # Option:  actionstop
@ -88,6 +89,19 @@ default-ipsettime = 0
 # Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
 ipsettime = 0
-# expresion to caclulate timeout from bantime, example:
+# expression to calculate timeout from bantime, example:
 # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
 timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
 [Init]
 # Option: ipsettype
 # Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
 # Values: hash:ip, hash:net, etc... Default: hash:ip
 ipsettype = hash:ip
 # Option: maxelem
 # Notes:  maximal number of elements which can be stored in the ipset
 #         You may want to increase this for long-duration/high-volume jails
 # Values: [ NUM ] Default: 65536
 maxelem = 65536
--- a/fail2ban/data/fail2ban/action.d/shorewall.conf
+++ b/fail2ban/data/fail2ban/action.d/shorewall.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
--- a/fail2ban/data/fail2ban/action.d/symbiosis-blacklist-allports.conf
+++ b/fail2ban/data/fail2ban/action.d/symbiosis-blacklist-allports.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file for Bytemark Symbiosis firewall
 #
 # Author: Yaroslav Halchenko
--- a/fail2ban/data/fail2ban/action.d/ufw.conf
+++ b/fail2ban/data/fail2ban/action.d/ufw.conf
@ -1,3 +1,4 @@
 ## Version 2025/03/01
 # Fail2Ban action configuration file for ufw
 #
 # You are required to run "ufw enable" before this will have any effect.
@ -44,7 +45,7 @@ _kill_conntrack = conntrack -D -s "<ip>"
 # Option: kill
 # Notes.: can be used to specify custom killing feature, by default depending on option kill-mode
-# Examples: banaction = ufw[kill='ss -K "( sport = :http || sport = :https )" dst "[<ip>]"']
+# Examples: banaction = ufw[kill='ss -K "dst = [<ip>] && ( sport = :http || sport = :https )"']
 #           banaction = ufw[kill='cutter "<ip>"']
 kill = <_kill_<kill-mode>>
--- a/fail2ban/data/fail2ban/action.d/xarf-login-attack.conf
+++ b/fail2ban/data/fail2ban/action.d/xarf-login-attack.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban action for sending xarf Login-Attack messages to IP owner
 #
 # IMPORTANT:
--- a/fail2ban/data/fail2ban/fail2ban.conf
+++ b/fail2ban/data/fail2ban/fail2ban.conf
@ -1,3 +1,4 @@
 ## Version 2022/12/15
 # Fail2Ban main configuration file
 #
 # Comments: use '#' for comment lines and ';' (following a space) for inline comments
@ -32,7 +33,8 @@ loglevel = INFO
 #         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
 # Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | SYSTEMD-JOURNAL | FILE ]  Default: STDERR
 #
-logtarget = /var/log/fail2ban.log
+# lsio value
 logtarget = /config/log/fail2ban/fail2ban.log
 # Option: syslogsocket
 # Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
@ -67,7 +69,8 @@ pidfile = /var/run/fail2ban/fail2ban.pid
 #         and data is lost when fail2ban is stopped.
 #         A value of "None" disables the database.
 # Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
-dbfile = /var/lib/fail2ban/fail2ban.sqlite3
+# lsio value
 dbfile = /config/fail2ban/fail2ban.sqlite3
 # Options: dbpurgeage
 # Notes.: Sets age at which bans should be purged from the database
--- a/fail2ban/data/fail2ban/fail2ban.sqlite3
+++ b/fail2ban/data/fail2ban/fail2ban.sqlite3
--- a/fail2ban/data/fail2ban/filter.d/3proxy.conf
+++ b/fail2ban/data/fail2ban/filter.d/3proxy.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban filter for 3proxy
 #
 #
--- a/fail2ban/data/fail2ban/filter.d/airsonic-auth.conf
+++ b/fail2ban/data/fail2ban/filter.d/airsonic-auth.conf
@ -0,0 +1,17 @@
 ## Version 2022/08/06
 # Fail2Ban filter configuration for airsonic
 [INCLUDES]
 before = common.conf
 [Definition]
 failregex = ^.*: Login failed from \[<HOST>\]$
 ignoreregex =
 datepattern = {^LN-BEG}
 # DEV NOTES:
 #
 # Author: anoma
--- a/fail2ban/data/fail2ban/filter.d/apache-auth.conf
+++ b/fail2ban/data/fail2ban/filter.d/apache-auth.conf
@ -1,3 +1,4 @@
 ## Version 2023/11/18
 # Fail2Ban apache-auth filter
 #
@ -64,7 +65,7 @@ ignoreregex =
 #     ^user .*: one-time-nonce mismatch - sending new nonce\s*$
 #     ^realm mismatch - got `(?:[^']*|.*?)' but no realm specified\s*$
 #
-# Because url/referer are foreign input, short form of regex used if long enough to idetify failure.
+# Because url/referer are foreign input, short form of regex used if long enough to identify failure.
 # 
 # Author: Cyril Jaquier
 # Major edits by Daniel Black and Ben Rubson.
--- a/fail2ban/data/fail2ban/filter.d/apache-badbots.conf
+++ b/fail2ban/data/fail2ban/filter.d/apache-badbots.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban configuration file
 #
 # Regexp to catch known spambots and software alike. Please verify
--- a/fail2ban/data/fail2ban/filter.d/apache-botsearch.conf
+++ b/fail2ban/data/fail2ban/filter.d/apache-botsearch.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban filter to match web requests for selected URLs that don't exist
 #
 # This filter is aimed at blocking specific URLs that don't exist. This
--- a/fail2ban/data/fail2ban/filter.d/apache-common.conf
+++ b/fail2ban/data/fail2ban/filter.d/apache-common.conf
@ -1,3 +1,4 @@
 ## Version 2024/03/15
 # Generic configuration items (to be used as interpolations) in other
 # apache filters.
@ -29,7 +30,7 @@ apache-prefix = <apache-prefix-<logging>>
 apache-pref-ignore =
-_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
+_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[(?:client|remote) <HOST>(:\d{1,5})?\]
 datepattern = {^LN-BEG}
--- a/fail2ban/data/fail2ban/filter.d/apache-fakegooglebot.conf
+++ b/fail2ban/data/fail2ban/filter.d/apache-fakegooglebot.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban filter for fake Googlebot User Agents
 [Definition]
--- a/fail2ban/data/fail2ban/filter.d/apache-modsecurity.conf
+++ b/fail2ban/data/fail2ban/filter.d/apache-modsecurity.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban apache-modsec filter
 #
--- a/fail2ban/data/fail2ban/filter.d/apache-nohome.conf
+++ b/fail2ban/data/fail2ban/filter.d/apache-nohome.conf
@ -1,3 +1,4 @@
 ## Version 2022/08/06
 # Fail2Ban filter to web requests for home directories on Apache servers
 #
 # Regex to match failures to find a home directory on a server, which
--- a/fail2ban/data/fail2ban/filter.d/apache-noscript.conf
+++ b/fail2ban/data/fail2ban/filter.d/apache-noscript.conf
@ -1,3 +1,4 @@
 ## Version 2025/03/28
 # Fail2Ban filter to block web requests for scripts (on non scripted websites)
 #
 # This matches many types of scripts that don't exist. This could generate a
@ -19,11 +20,10 @@ before = apache-common.conf
 script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)
-prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$
+prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?=(?:[Ff]ile|[Ss]cript|[Gg]ot error|stderr from) )<F-CONTENT>.+</F-CONTENT>$
-failregex = ^(?:does not exist|not found or unable to stat): <script>\b
+failregex = ^(?:(?:[Ff]ile does not exist|[Ss]cript not found or unable to stat): <script>\b|[Gg]ot error '[Pp]rimary script unknown\b)
-            ^'<script>\S*' not found or unable to stat
+            ^(?:stderr from |script (?P<_q>'))<script>\S*(?(_q)'|) (?:script )?(?:does not exist|not found or unable to stat)
            ^error '[Pp]rimary script unknown(?:\\n)?'
 ignoreregex = 
--- a/fail2ban/data/fail2ban/filter.d/apache-overflows.conf
+++ b/fail2ban/data/fail2ban/filter.d/apache-overflows.conf
@ -1,3 +1,4 @@
 ## Version 2024/06/28
 # Fail2Ban filter to block web requests on a long or suspicious nature
 #
@ -8,7 +9,7 @@ before = apache-common.conf
 [Definition]
-failregex = ^%(_apache_error_client)s (?:(?:AH001[23][456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
+failregex = ^%(_apache_error_client)s (?:(?:AH(?:001[23][456]|10244): )?[Ii]nvalid (method|URI)\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
 ignoreregex =
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
João Pedro Toledo Goncalves	e4a4714ee5	deploy configuraçao do atendimento.grupopralog.com.br no proxy correçao do fail2ban que nao agia em cima dos logs	2026-02-12 12:45:13 -03:00
João Pedro Toledo Goncalves	a5788fc66d	feat: sync timezone to America/Sao_Paulo, add diagnostic scripts to producao/scripts, and update PSDE docs	2026-02-08 15:54:09 -03:00
João Pedro Toledo Goncalves	be7b271357	fix: restore legacy GEMINI docs, fix modsec loop, encoding issues	2026-02-08 14:24:23 -03:00
João Pedro Toledo Goncalves	982423c3ff	feat: re-enable geoip logging and variable mapping	2026-02-08 13:51:49 -03:00
João Pedro Toledo Goncalves	0317b5217a	securyti maps	2026-02-08 11:29:10 -03:00
João Pedro Toledo Goncalves	dba24f08bc	feat: hybrid deployment script with geoip auto-update and improved docs	2026-02-08 11:05:53 -03:00
João Pedro Toledo Goncalves	b0b9485b1a	Hardening: Integrate CVE 2025-2026 defenses (React2Shell, MadeYouReset, SolarWinds, Fortinet)	2026-02-07 14:21:51 -03:00
João Pedro Toledo Goncalves	7af7fa0ec7	Update README with Pathfinder V2 operational workflow and security features	2026-02-07 13:53:27 -03:00
João Pedro Toledo Goncalves	42a9ea5582	Integrate OWASP CRS v4 and Anti-Brute Force Security Rules	2026-02-07 13:48:47 -03:00
João Pedro Toledo Goncalves	93d0324426	docs(README): finalize 7-vector WAF documentation and combinatorial matrix details	2026-02-07 12:46:56 -03:00
João Pedro Toledo Goncalves	ec536dfe9a	feat(security): implement 7-vector combinatorial WAF matrix, 2024-2025 CVE protections, GeoIP integration and descriptive JSON logging	2026-02-07 12:45:51 -03:00
João Pedro Toledo Goncalves	f81ac3aa73	tudo certo	2026-02-07 02:14:17 -03:00
João Pedro Toledo Goncalves	254ecb09f7	docs: update snippets catalog and ignore .gemini	2026-02-07 02:12:40 -03:00
João Pedro Toledo Goncalves	fa29d48ed1	Merge branch 'producao' of https://git.itguys.com.br/joao.goncalves/NgixProxy_Pathfinder into producao	2026-02-07 01:57:37 -03:00
João Pedro Toledo Goncalves	58be68baaf	updates e estabilizaçao	2026-02-07 01:57:35 -03:00
João Pedro Toledo Goncalves	aa219f8510	Merge branch 'producao' of https://git.itguys.com.br/joao.goncalves/NgixProxy_Pathfinder into producao	2026-02-07 01:56:37 -03:00
João Pedro Toledo Goncalves	2a1646c726	feat(nginx): Recompilacao com Stream, AIO threads e correcao de logs	2026-02-07 01:55:53 -03:00
João Pedro Toledo Goncalves	78c3c82a69	feat(elite): expansao da stack elite 2026 - modulos, performance, forense e upgrade zero-downtime	2026-02-07 00:20:07 -03:00
João Pedro Toledo Goncalves	e932ca8f7d	feat(waf): implementado modsecurity 3.0.14, plugins crs v4 e tunings específicos por app	2026-02-06 22:18:42 -03:00
João Pedro Toledo Goncalves	5ada628ac4	docs: refina instruções de emissão SSL e caminhos	2026-02-06 18:21:13 -03:00
João Pedro Toledo Goncalves	d64f3c527f	fix(ssl): atualiza caminhos do certificado LetsEncrypt com sufixo -0001	2026-02-06 18:20:16 -03:00
João Pedro Toledo Goncalves	9c9c747a4b	docs: detalha workflow de ativação de sites e SSL	2026-02-06 18:07:29 -03:00
João Pedro Toledo Goncalves	326a3711f0	docs: atualiza README.md com guias de instalação nativa e padrões ouro	2026-02-06 18:05:39 -03:00
João Pedro Toledo Goncalves	0d395f42c5	docs: consolidate READMEs and update for configuration-only model	2026-02-06 16:44:41 -03:00
João Pedro Toledo Goncalves	af977eb2cb	chore: pivot repository to configuration-only (removed docker artifacts and sensitive data)	2026-02-06 16:41:59 -03:00
João Pedro Toledo Goncalves	454cd564a1	fix: restore missing ssl certificates from history	2026-02-06 16:28:35 -03:00
João Pedro Toledo Goncalves	7e5ce88adb	fix: add ssl certificates to ferreirareal config and confirm test-backend removal	2026-02-06 16:24:40 -03:00
João Pedro Toledo Goncalves	7aea780cb1	.	2026-02-06 15:52:35 -03:00
João Pedro Toledo Goncalves	58b5fbd3e2	.	2026-02-06 15:48:47 -03:00
João Pedro Toledo Goncalves	56a9c5e91a	fix: isolate dynamic config (blacklist) to separate volume and bake static configs to prevent mount errors	2026-02-06 14:45:03 -03:00
João Pedro Toledo Goncalves	21a9c393c5	fix: bake nginx config into image and remove bind mount to prevent portainer directory error	2026-02-06 14:13:14 -03:00
João Pedro Toledo Goncalves	368cda2b76	feat: split logs into human-readable (stdout) and json (file) for better observability	2026-02-06 13:17:20 -03:00
João Pedro Toledo Goncalves	9e7decd6de	refactor: restructure sites-ativos into nginx and logs folders for cleaner docker volume mapping	2026-02-06 13:14:05 -03:00
João Pedro Toledo Goncalves	354759743f	feat: consolidate sites-ativos into production branch for single-source deployment	2026-02-06 13:08:51 -03:00
João Pedro Toledo Goncalves	0048b1a70b	fix: resolve nginx infinite loop, crlf issues and missing modules	2026-02-05 15:53:26 -03:00
João Pedro Toledo Goncalves	34bb52d60d	.	2026-02-05 15:41:27 -03:00
João Pedro Toledo Goncalves	3eafb5891b	chore: ignore default fail2ban jails	2026-02-05 14:43:00 -03:00
João Pedro Toledo Goncalves	61a4fce622	feat(fail2ban): cleanup unused jails and add nginx-unified config	2026-02-05 14:37:47 -03:00
João Pedro Toledo Goncalves	74b1f3892d	fix(docker): migrate to alpine 3.18, fix modsecurity and brotli build	2026-02-05 14:29:58 -03:00
João Pedro Toledo Goncalves	f0abf2932f	fix: Ajusta failregex para padrão numérico do Nginx JSON	2026-02-04 19:52:13 -03:00
João Pedro Toledo Goncalves	441b69658c	docs: Adiciona análise de sizing e segurança de cache	2026-02-04 19:42:47 -03:00
João Pedro Toledo Goncalves	44c0220cba	docs: Atualiza README com detalhes da nova infraestrutura	2026-02-04 19:20:34 -03:00
João Pedro Toledo Goncalves	609c92f484	feat: Implementa Nginx High-End com HTTP/3 e ModSecurity	2026-02-04 19:18:22 -03:00
João Pedro Toledo Goncalves	d8c6607b3a	fix: adiciona certbot-nginx para suportar comando --nginx	2026-01-30 11:43:31 -03:00
João Pedro Toledo Goncalves	9f18a4598a	fix: escape password special characters in Dockerfile	2026-01-29 14:51:22 -03:00
João Pedro Toledo Goncalves	216630a219	feat: adiciona usuario itguys com acesso root e sudo no .bashrc	2026-01-29 09:25:36 -03:00
João Pedro Toledo Goncalves	6ee169464c	fix: mount volume to directory instead of file to avoid OCI error	2026-01-29 09:22:52 -03:00
João Pedro Toledo Goncalves	368855f2b0	fix: troca bind mounts por volumes e ajuste busca git sites-ativos	2026-01-29 09:18:36 -03:00
João Pedro Toledo Goncalves	54f8a4283b	feat: custom shell, SSH porta 122 e network_mode host	2026-01-29 09:13:14 -03:00
João Pedro Toledo Goncalves	c3b9316fd2	remoçao do .gemini	2026-01-29 09:03:08 -03:00
João Pedro Toledo Goncalves	7e20ba5c87	Cleanup: Remove configs (conf.d, snippets) from production branch (moved to sites-ativos)	2026-01-27 14:35:44 -03:00
João Pedro Toledo Goncalves	4cb6b85f29	Fix: Remove snippets bind-mount to prevent empty directory shadowing	2026-01-27 14:17:52 -03:00
João Pedro Toledo Goncalves	fd770b61a2	Fix: Add nano and remove nginx.conf host-mount for Portainer compatibility	2026-01-27 14:14:33 -03:00
João Pedro Toledo Goncalves	975d6ab90b	Refactor: Simplify infrastructure to single Nginx container (Legacy Removed)	2026-01-27 14:03:04 -03:00