Add fail2ban to stop these malicious ips ;-;

docker-compose.yml

@@ -5,6 +5,7 @@ networks:
 volumes:
     dbdata:
     uploads:
+    nginx-logs:
 
 services:
     nginx:
@@ -27,6 +28,7 @@ services:
             - ./certbot/conf:/etc/letsencrypt
             - ./certbot/www:/var/www/certbot
             - uploads:/uploads
+            - nginx-logs:/var/log/nginx
 
     certbot:
         image: certbot/certbot
@@ -123,3 +125,17 @@ services:
             - "2222:2222"
         depends_on:
             - db
+
+    fail2ban:
+        image: crazymax/fail2ban:latest
+        container_name: fail2ban
+        network_mode: host
+        cap_add:
+            - NET_ADMIN
+            - NET_RAW
+        restart: always
+        volumes:
+            - ./fail2ban/jail.d:/data/jail.d
+            - ./fail2ban/filter.d:/data/filter.d
+            - nginx-logs:/var/log/nginx:ro
+            - /var/log/auth.log:/var/log/auth.log:ro

fail2ban/filter.d/nginx-4xx.conf

@@ -0,0 +1,6 @@
+[Definition]
+# Matches excessive 4xx responses (scanners probing for common paths)
+# Log format: $remote_addr "$request" $status rt=$request_time
+failregex = ^<HOST> ".*" 4\d\d rt=
+ignoreregex = "GET /favicon\.ico HTTP
+              "GET /robots\.txt HTTP

fail2ban/filter.d/nginx-login.conf

@@ -0,0 +1,5 @@
+[Definition]
+# Matches failed login attempts (401/403) on POST to /auth/login
+# Log format: $remote_addr "$request" $status rt=$request_time
+failregex = ^<HOST> "POST .*/auth/login HTTP/.*" (401|403) rt=
+ignoreregex =

fail2ban/jail.d/defaults.conf

@@ -0,0 +1,4 @@
+[DEFAULT]
+# Ignore localhost; add your home IP after the comma
+ignoreip = 127.0.0.1/8 ::1
+banaction = iptables-multiport

fail2ban/jail.d/nginx-4xx.conf

@@ -0,0 +1,7 @@
+[nginx-4xx]
+enabled  = true
+filter   = nginx-4xx
+logpath  = /var/log/nginx/access.log
+maxretry = 20
+findtime = 300
+bantime  = 3600

fail2ban/jail.d/nginx-login.conf

@@ -0,0 +1,7 @@
+[nginx-login]
+enabled  = true
+filter   = nginx-login
+logpath  = /var/log/nginx/access.log
+maxretry = 5
+findtime = 600
+bantime  = 3600

fail2ban/jail.d/sshd.conf

@@ -0,0 +1,7 @@
+[sshd]
+enabled  = true
+filter   = sshd
+logpath  = /var/log/auth.log
+maxretry = 5
+findtime = 600
+bantime  = 3600

nginx/Dockerfile

@@ -28,6 +28,9 @@ COPY nginx.conf.template /etc/nginx/nginx.conf.template
 COPY nginx_setup.conf.template /etc/nginx/nginx_setup.conf.template
 COPY nginx_dev.conf.template /etc/nginx/nginx_dev.conf.template
 COPY robots.txt /etc/nginx/html/robots.txt
+# Remove default symlinks so logs write to real files on the shared volume
+RUN unlink /var/log/nginx/access.log && unlink /var/log/nginx/error.log
+
 COPY entrypoint.sh /entrypoint.sh
 
 ENTRYPOINT ["/entrypoint.sh"]

nginx/entrypoint.sh

@@ -17,6 +17,10 @@ else
     envsubst '${DOMAIN}' < /etc/nginx/nginx_setup.conf.template > /etc/nginx/nginx.conf
 fi
 
+# Ensure log directory and files exist on the shared volume
+mkdir -p /var/log/nginx
+touch /var/log/nginx/access.log /var/log/nginx/error.log
+
 # Ensure uploads directory and files are readable by nginx worker processes
 chmod 755 /uploads 2>/dev/null || true
 chmod -R a+rX /uploads 2>/dev/null || true