Add fail2ban to stop these malicious ips ;-;

This commit is contained in:
2026-03-09 14:18:01 +00:00
parent 8e50537333
commit 61366e4039
9 changed files with 59 additions and 0 deletions


@@ -5,6 +5,7 @@ networks:
volumes:
dbdata:
uploads:
nginx-logs:
services:
nginx:
@@ -27,6 +28,7 @@ services:
- ./certbot/conf:/etc/letsencrypt
- ./certbot/www:/var/www/certbot
- uploads:/uploads
- nginx-logs:/var/log/nginx
certbot:
image: certbot/certbot
@@ -123,3 +125,17 @@ services:
- "2222:2222"
depends_on:
- db
fail2ban:
image: crazymax/fail2ban:latest
container_name: fail2ban
network_mode: host
cap_add:
- NET_ADMIN
- NET_RAW
restart: always
volumes:
- ./fail2ban/jail.d:/data/jail.d
- ./fail2ban/filter.d:/data/filter.d
- nginx-logs:/var/log/nginx:ro
- /var/log/auth.log:/var/log/auth.log:ro
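Review bot: The bind mount `- /var/log/auth.log:/var/log/auth.log:ro` assumes the host still writes a classic auth.log; on hosts where sshd logs only to the systemd journal that file does not exist, Docker creates an empty directory at that path when the container starts, and the sshd jail then has no readable log. That assumption deserves a comment next to the mount, e.g. `# requires rsyslog-style /var/log/auth.log on the host (journal-only hosts need fail2ban's backend = systemd instead)`. Separately, `image: crazymax/fail2ban:latest` together with `network_mode: host` and `NET_ADMIN`/`NET_RAW` hands an unpinned image the ability to rewrite the host firewall; pinning to a specific tag or digest keeps that privilege attached to a reviewed version.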


@@ -0,0 +1,6 @@
[Definition]
# Matches excessive 4xx responses (scanners probing for common paths)
# Log format: $remote_addr "$request" $status rt=$request_time
failregex = ^<HOST> ".*" 4\d\d rt=
ignoreregex = "GET /favicon\.ico HTTP
"GET /robots\.txt HTTP
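Review bot: Both filters depend on an nginx `log_format` of `$remote_addr "$request" $status rt=$request_time`, and none of the nine files in this commit adds that format; if access.log is still written in nginx's default `combined` layout (`$remote_addr - $remote_user [$time_local] "$request" ...`), `^<HOST> ".*" 4\d\d rt=` never matches and the nginx-4xx and nginx-login jails silently ban nothing. Worth verifying against a real log line with `fail2ban-regex` and recording the dependency, e.g. `# Requires log_format '$remote_addr "$request" $status rt=$request_time' in nginx.conf; verify with fail2ban-regex`. Also, the second `ignoreregex` pattern on the last line is only read as a continuation of the key if it is indented in the file; the rendered view drops leading whitespace so this cannot be confirmed here, but a flush-left line would be rejected by fail2ban's config parser.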


@@ -0,0 +1,5 @@
[Definition]
# Matches failed login attempts (401/403) on POST to /auth/login
# Log format: $remote_addr "$request" $status rt=$request_time
failregex = ^<HOST> "POST .*/auth/login HTTP/.*" (401|403) rt=
ignoreregex =
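Review bot: The log layout documented in the comment carries no timestamp, so as far as I can tell fail2ban's date detection finds nothing on each line and falls back to the time of matching with a warning; declaring that explicitly with `datepattern = {NONE}` under `[Definition]` records the intent and skips the per-line date scan (the same applies to the nginx-4xx filter). Also, `.*/auth/login` in `"POST .*/auth/login HTTP/.*"` accepts any request path that merely ends in /auth/login; if the endpoint is fixed, `failregex = ^<HOST> "POST /auth/login(\?\S*)? HTTP/[^"]*" (401|403) rt=` is tighter, though the prefix may be deliberate if the route is mounted under an API prefix.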


@@ -0,0 +1,4 @@
[DEFAULT]
# Ignore localhost; add your home IP after the comma
ignoreip = 127.0.0.1/8 ::1
banaction = iptables-multiport
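Review bot: `banaction = iptables-multiport` inserts its rules in the INPUT chain by default, but traffic Docker publishes to the nginx container is DNAT'd and traverses FORWARD (via the DOCKER-USER chain), not INPUT, so bans from the nginx-4xx and nginx-login jails would not stop the offending IP from reaching nginx, while the same bans do take effect for the host sshd. If nginx is exposed through Docker port publishing (the compose file suggests it is), the two nginx jails need `chain = DOCKER-USER` next to their `filter` line, with sshd keeping the default chain. The comment on `ignoreip` also mismatches the syntax: entries are separated by spaces, not commas — `# Ignore localhost; append further trusted IPs/CIDRs separated by spaces`.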


@@ -0,0 +1,7 @@
[nginx-4xx]
enabled = true
filter = nginx-4xx
logpath = /var/log/nginx/access.log
maxretry = 20
findtime = 300
bantime = 3600
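Review bot: This jail's filter counts every 4xx, so 20 ordinary 404s within 300 s (one page with missing assets opened by a few people behind a shared NAT or CGNAT address) bans that whole address for an hour; the threshold was presumably tuned for path scanners, and the trade-off should be stated, e.g. `# 20 x 4xx in 5 min: tuned for path scanners; legitimate users behind one NAT share this budget`. If false positives show up, raising `maxretry` or narrowing the filter's status range (for instance to 404/400 only) are the two knobs.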


@@ -0,0 +1,7 @@
[nginx-login]
enabled = true
filter = nginx-login
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 600
bantime = 3600


@@ -0,0 +1,7 @@
[sshd]
enabled = true
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 3600
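Review bot: This jail watches `/var/log/auth.log`, i.e. the host sshd only; the service publishing `"2222:2222"` in the compose file is not covered if it is an SSH daemon inside a container, since its failures are not written to the host auth.log and a ban from this jail lands in INPUT rather than on the forwarded port. I cannot tell from the hunks what that service is; if it is SSH it needs its own jail reading that container's log (with `chain = DOCKER-USER`), and either way a scope comment avoids the assumption: `# Host sshd only; a containerized SSH service (e.g. the 2222 port) needs its own jail`.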


@@ -28,6 +28,9 @@ COPY nginx.conf.template /etc/nginx/nginx.conf.template
COPY nginx_setup.conf.template /etc/nginx/nginx_setup.conf.template
COPY nginx_dev.conf.template /etc/nginx/nginx_dev.conf.template
COPY robots.txt /etc/nginx/html/robots.txt
# Remove default symlinks so logs write to real files on the shared volume
RUN unlink /var/log/nginx/access.log && unlink /var/log/nginx/error.log
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
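Review bot: `RUN unlink /var/log/nginx/access.log && unlink /var/log/nginx/error.log` makes the build fail if either symlink is absent in a future base image, whereas `RUN rm -f /var/log/nginx/access.log /var/log/nginx/error.log` removes the same symlinks idempotently. Dropping the symlinks also means nginx output no longer reaches `docker logs`, and nothing in this commit rotates the files on the shared volume, so access.log grows without bound; the comment should spell that out, e.g. `# nginx logs now go to the shared volume only (not docker logs); rotation is the host's responsibility`.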


@@ -17,6 +17,10 @@ else
envsubst '${DOMAIN}' < /etc/nginx/nginx_setup.conf.template > /etc/nginx/nginx.conf
fi
# Ensure log directory and files exist on the shared volume
mkdir -p /var/log/nginx
touch /var/log/nginx/access.log /var/log/nginx/error.log
# Ensure uploads directory and files are readable by nginx worker processes
chmod 755 /uploads 2>/dev/null || true
chmod -R a+rX /uploads 2>/dev/null || true