fix: reload/stop jail 404 + access list simulator

Task 1 — fix Stop/Reload Jail returning 404
  Root cause: reload_jail and reload_all sent an empty config stream
  (["reload", name, [], []]).  In fail2ban's reload protocol the end-of-
  reload phase deletes every jail still in reload_state — i.e. every jail
  that received no configuration commands.  An empty stream means *all*
  affected jails are silently removed from the daemon's runtime, causing
  everything touching those jails afterwards (including stop) to receive
  UnknownJailException → HTTP 404.

  Fixes:
  - reload_jail: send ["start", name] in the config stream; startJail()
    removes the jail from reload_state so the end phase commits instead of
    deletes, and un-idles the jail.
  - reload_all: fetch current jail list first, build a ["start", name]
    entry for every active jail, then send reload --all with that stream.
  - stop_jail: made idempotent — if the jail is already gone (not-found
    error) the operation silently succeeds (200 OK) rather than returning
    404, matching the user expectation that stop = ensure-stopped.
  - Router: removed dead JailNotFoundError handler from stop endpoint.

  391 tests pass (2 new), ruff clean, mypy clean (pre-existing
  config.py error unchanged).

Task 2 — access list simulator
  - Docker/simulate_accesses.sh: writes fake HTTP-scan log lines in
    custom format (bangui-access: http scan from <IP> ...) to
    Docker/logs/access.log so the bangui-access jail detects them.
  - fail2ban/filter.d/bangui-access.conf: failregex matching the above.
  - fail2ban/jail.d/bangui-access.conf: polling jail on access.log,
    same settings as bangui-sim (maxretry=3, bantime=60s).
  - .gitignore: whitelist new bangui-access.conf files.
  - Docker/fail2ban-dev-config/README.md: added "Testing the Access
    List Feature" section with step-by-step instructions and updated
    Configuration Reference + Troubleshooting.

Docker/fail2ban-dev-config/README.md

@@ -67,6 +67,50 @@ Chains steps 1–3 automatically with appropriate sleep intervals.
 
 ---
 
+## Testing the Access List Feature
+
+The **Access List** tab in BanGUI displays each individual matched log line
+stored in fail2ban's database.  A second jail — `bangui-access` — monitors
+`Docker/logs/access.log` for simulated HTTP bot-scan entries.
+
+### 1 — Run the access-scan simulation
+
+```bash
+bash Docker/simulate_accesses.sh
+```
+
+Default: writes **5** HTTP-scan lines for IP `203.0.113.7` to
+`Docker/logs/access.log`.  
+Optional overrides:
+
+```bash
+bash Docker/simulate_accesses.sh <COUNT> <SOURCE_IP> <LOG_FILE>
+# e.g. bash Docker/simulate_accesses.sh 6 198.51.100.5
+```
+
+Log line format:
+
+```
+YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "GET /.env HTTP/1.1" 404
+```
+
+### 2 — Verify the IP was banned
+
+```bash
+bash Docker/check_ban_status.sh
+```
+
+The `bangui-access` jail should appear alongside `bangui-sim`, showing the
+banned IP and matched line count.
+
+### 3 — Unban and re-test
+
+```bash
+bash Docker/check_ban_status.sh --unban 203.0.113.7
+```
+
+---
+
 ## Configuration Reference
 
 | File | Purpose |
@@ -74,6 +118,9 @@ Chains steps 1–3 automatically with appropriate sleep intervals.
 | `fail2ban/filter.d/bangui-sim.conf` | Defines the `failregex` that matches simulation log lines |
 | `fail2ban/jail.d/bangui-sim.conf` | Jail settings: `maxretry=3`, `bantime=60s`, `findtime=120s` |
 | `Docker/logs/auth.log` | Log file written by the simulation script (host path) |
+| `fail2ban/filter.d/bangui-access.conf` | Defines the `failregex` that matches access-scan log lines |
+| `fail2ban/jail.d/bangui-access.conf` | Access jail settings: `maxretry=3`, `bantime=60s`, `findtime=120s` |
+| `Docker/logs/access.log` | Log file written by `simulate_accesses.sh` (host path) |
 
 Inside the container the log file is mounted at `/remotelogs/bangui/auth.log`
 (see `fail2ban/paths-lsio.conf` — `remote_logs_path = /remotelogs`).
@@ -109,13 +156,20 @@ Test the regex manually:
 ```bash
 docker exec bangui-fail2ban-dev \
     fail2ban-regex /remotelogs/bangui/auth.log bangui-sim
+
+docker exec bangui-fail2ban-dev \
+    fail2ban-regex /remotelogs/bangui/access.log bangui-access
 ```
 
 The output should show matched lines. If nothing matches, check that the log
-lines produced by `simulate_failed_logins.sh` match this pattern exactly:
+lines match the corresponding `failregex` pattern:
 
 ```
+# bangui-sim (auth log):
 YYYY-MM-DD HH:MM:SS bangui-auth: authentication failure from <IP>
+
+# bangui-access (access log):
+YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "<METHOD> <path> HTTP/1.1" <STATUS>
 ```
 
 ### iptables / permission errors

Docker/fail2ban-dev-config/fail2ban/filter.d/bangui-access.conf

@@ -0,0 +1,13 @@
+# ──────────────────────────────────────────────────────────────
+#  BanGUI — Simulated HTTP access scan failure filter
+#
+#  Matches lines written by Docker/simulate_accesses.sh.
+#  Format:
+#    YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "<METHOD> <path> HTTP/1.1" <STATUS>
+# ──────────────────────────────────────────────────────────────
+
+[Definition]
+
+failregex = ^.* bangui-access: http scan from <HOST> ".*" [45]\d\d\s*$
+
+ignoreregex =

Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-access.conf

@@ -0,0 +1,20 @@
+# ──────────────────────────────────────────────────────────────
+#  BanGUI — Simulated HTTP access scan jail
+#
+#  Watches Docker/logs/access.log (mounted at /remotelogs/bangui)
+#  for lines produced by Docker/simulate_accesses.sh.
+# ──────────────────────────────────────────────────────────────
+
+[bangui-access]
+
+enabled    = true
+filter     = bangui-access
+logpath    = /remotelogs/bangui/access.log
+backend    = polling
+maxretry   = 3
+findtime   = 120
+bantime    = 60
+banaction  = iptables-allports
+
+# Never ban localhost, the Docker bridge network, or the host machine.
+ignoreip   = 127.0.0.0/8 ::1 172.16.0.0/12

Docker/simulate_accesses.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+# ──────────────────────────────────────────────────────────────
+#  simulate_accesses.sh
+#
+#  Writes synthetic HTTP-scan log lines to a file that matches
+#  the bangui-access fail2ban filter.  Use this to populate the
+#  Access List tab in BanGUI without a real web server.
+#
+#  Usage:
+#    bash Docker/simulate_accesses.sh [COUNT] [SOURCE_IP] [LOG_FILE]
+#
+#  Defaults:
+#    COUNT    : 5
+#    SOURCE_IP: 203.0.113.7
+#    LOG_FILE : Docker/logs/access.log   (relative to repo root)
+#
+#  Log line format (must match bangui-access failregex exactly):
+#    YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "<METHOD> <path> HTTP/1.1" <STATUS>
+#
+#  fail2ban bans the IP after maxretry (default 3) matching lines.
+# ──────────────────────────────────────────────────────────────
+
+set -euo pipefail
+
+# ── Defaults ──────────────────────────────────────────────────
+readonly DEFAULT_COUNT=5
+readonly DEFAULT_IP="203.0.113.7"
+
+# Resolve script location so defaults work regardless of cwd.
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly DEFAULT_LOG_FILE="${SCRIPT_DIR}/logs/access.log"
+
+# ── Arguments ─────────────────────────────────────────────────
+COUNT="${1:-${DEFAULT_COUNT}}"
+SOURCE_IP="${2:-${DEFAULT_IP}}"
+LOG_FILE="${3:-${DEFAULT_LOG_FILE}}"
+
+# ── Validate COUNT is a positive integer ──────────────────────
+if ! [[ "${COUNT}" =~ ^[1-9][0-9]*$ ]]; then
+    echo "ERROR: COUNT must be a positive integer, got: '${COUNT}'" >&2
+    exit 1
+fi
+
+# ── Common bot-scan paths ─────────────────────────────────────
+PATHS=(
+    "GET /.env HTTP/1.1"
+    "GET /wp-login.php HTTP/1.1"
+    "GET /admin HTTP/1.1"
+    "POST /wp-login.php HTTP/1.1"
+    "GET /.git/config HTTP/1.1"
+    "GET /phpinfo.php HTTP/1.1"
+    "GET /wp-config.php HTTP/1.1"
+    "GET /phpmyadmin HTTP/1.1"
+)
+readonly PATHS
+
+NUM_PATHS="${#PATHS[@]}"
+
+# ── Ensure log directory exists ───────────────────────────────
+LOG_DIR="$(dirname "${LOG_FILE}")"
+mkdir -p "${LOG_DIR}"
+
+# ── Write scan lines ──────────────────────────────────────────
+echo "Writing ${COUNT} HTTP-scan line(s) for ${SOURCE_IP} to ${LOG_FILE} ..."
+
+for ((i = 1; i <= COUNT; i++)); do
+    TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S')"
+    # Cycle through the scan paths so each run looks varied.
+    PATH_ENTRY="${PATHS[$(( (i - 1) % NUM_PATHS ))]}"
+    printf '%s bangui-access: http scan from %s "%s" 404\n' \
+        "${TIMESTAMP}" "${SOURCE_IP}" "${PATH_ENTRY}" >> "${LOG_FILE}"
+    sleep 0.5
+done
+
+# ── Summary ───────────────────────────────────────────────────
+echo "Done."
+echo "  Lines written : ${COUNT}"
+echo "  Source IP     : ${SOURCE_IP}"
+echo "  Log file      : ${LOG_FILE}"
+echo ""
+echo "  fail2ban bans after maxretry=3 matching lines."
+echo "  Check ban status with: bash Docker/check_ban_status.sh"