fix: reload/stop jail 404 + access list simulator
Task 1 — fix Stop/Reload Jail returning 404
Root cause: reload_jail and reload_all sent an empty config stream
(["reload", name, [], []]). In fail2ban's reload protocol the end-of-
reload phase deletes every jail still in reload_state — i.e. every jail
that received no configuration commands. An empty stream means *all*
affected jails are silently removed from the daemon's runtime, causing
everything touching those jails afterwards (including stop) to receive
UnknownJailException → HTTP 404.
Fixes:
- reload_jail: send ["start", name] in the config stream; startJail()
removes the jail from reload_state so the end phase commits instead of
deletes, and un-idles the jail.
- reload_all: fetch current jail list first, build a ["start", name]
entry for every active jail, then send reload --all with that stream.
- stop_jail: made idempotent — if the jail is already gone (not-found
error) the operation silently succeeds (200 OK) rather than returning
404, matching the user expectation that stop = ensure-stopped.
- Router: removed dead JailNotFoundError handler from stop endpoint.
391 tests pass (2 new), ruff clean, mypy clean (pre-existing
config.py error unchanged).
Task 2 — access list simulator
- Docker/simulate_accesses.sh: writes fake HTTP-scan log lines in
custom format (bangui-access: http scan from <IP> ...) to
Docker/logs/access.log so the bangui-access jail detects them.
- fail2ban/filter.d/bangui-access.conf: failregex matching the above.
- fail2ban/jail.d/bangui-access.conf: polling jail on access.log,
same settings as bangui-sim (maxretry=3, bantime=60s).
- .gitignore: whitelist new bangui-access.conf files.
- Docker/fail2ban-dev-config/README.md: added "Testing the Access
List Feature" section with step-by-step instructions and updated
Configuration Reference + Troubleshooting.
This commit is contained in:
@@ -67,6 +67,50 @@ Chains steps 1–3 automatically with appropriate sleep intervals.
|
||||
|
||||
---
|
||||
|
||||
## Testing the Access List Feature
|
||||
|
||||
The **Access List** tab in BanGUI displays each individual matched log line
|
||||
stored in fail2ban's database. A second jail — `bangui-access` — monitors
|
||||
`Docker/logs/access.log` for simulated HTTP bot-scan entries.
|
||||
|
||||
### 1 — Run the access-scan simulation
|
||||
|
||||
```bash
|
||||
bash Docker/simulate_accesses.sh
|
||||
```
|
||||
|
||||
Default: writes **5** HTTP-scan lines for IP `203.0.113.7` to
|
||||
`Docker/logs/access.log`.
|
||||
Optional overrides:
|
||||
|
||||
```bash
|
||||
bash Docker/simulate_accesses.sh <COUNT> <SOURCE_IP> <LOG_FILE>
|
||||
# e.g. bash Docker/simulate_accesses.sh 6 198.51.100.5
|
||||
```
|
||||
|
||||
Log line format:
|
||||
|
||||
```
|
||||
YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "GET /.env HTTP/1.1" 404
|
||||
```
|
||||
|
||||
### 2 — Verify the IP was banned
|
||||
|
||||
```bash
|
||||
bash Docker/check_ban_status.sh
|
||||
```
|
||||
|
||||
The `bangui-access` jail should appear alongside `bangui-sim`, showing the
|
||||
banned IP and matched line count.
|
||||
|
||||
### 3 — Unban and re-test
|
||||
|
||||
```bash
|
||||
bash Docker/check_ban_status.sh --unban 203.0.113.7
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Configuration Reference
|
||||
|
||||
| File | Purpose |
|
||||
@@ -74,6 +118,9 @@ Chains steps 1–3 automatically with appropriate sleep intervals.
|
||||
| `fail2ban/filter.d/bangui-sim.conf` | Defines the `failregex` that matches simulation log lines |
|
||||
| `fail2ban/jail.d/bangui-sim.conf` | Jail settings: `maxretry=3`, `bantime=60s`, `findtime=120s` |
|
||||
| `Docker/logs/auth.log` | Log file written by the simulation script (host path) |
|
||||
| `fail2ban/filter.d/bangui-access.conf` | Defines the `failregex` that matches access-scan log lines |
|
||||
| `fail2ban/jail.d/bangui-access.conf` | Access jail settings: `maxretry=3`, `bantime=60s`, `findtime=120s` |
|
||||
| `Docker/logs/access.log` | Log file written by `simulate_accesses.sh` (host path) |
|
||||
|
||||
Inside the container the log file is mounted at `/remotelogs/bangui/auth.log`
|
||||
(see `fail2ban/paths-lsio.conf` — `remote_logs_path = /remotelogs`).
|
||||
@@ -109,13 +156,20 @@ Test the regex manually:
|
||||
```bash
|
||||
docker exec bangui-fail2ban-dev \
|
||||
fail2ban-regex /remotelogs/bangui/auth.log bangui-sim
|
||||
|
||||
docker exec bangui-fail2ban-dev \
|
||||
fail2ban-regex /remotelogs/bangui/access.log bangui-access
|
||||
```
|
||||
|
||||
The output should show matched lines. If nothing matches, check that the log
|
||||
lines produced by `simulate_failed_logins.sh` match this pattern exactly:
|
||||
lines match the corresponding `failregex` pattern:
|
||||
|
||||
```
|
||||
# bangui-sim (auth log):
|
||||
YYYY-MM-DD HH:MM:SS bangui-auth: authentication failure from <IP>
|
||||
|
||||
# bangui-access (access log):
|
||||
YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "<METHOD> <path> HTTP/1.1" <STATUS>
|
||||
```
|
||||
|
||||
### iptables / permission errors
|
||||
|
||||
Reference in New Issue
Block a user