fix: reload/stop jail 404 + access list simulator

Task 1 — fix Stop/Reload Jail returning 404 Root cause: reload_jail and reload_all sent an empty config stream (["reload", name, [], []]). In fail2ban's reload protocol the end-of- reload phase deletes every jail still in reload_state — i.e. every jail that received no configuration commands. An empty stream means *all* affected jails are silently removed from the daemon's runtime, causing everything touching those jails afterwards (including stop) to receive UnknownJailException → HTTP 404. Fixes: - reload_jail: send ["start", name] in the config stream; startJail() removes the jail from reload_state so the end phase commits instead of deletes, and un-idles the jail. - reload_all: fetch current jail list first, build a ["start", name] entry for every active jail, then send reload --all with that stream. - stop_jail: made idempotent — if the jail is already gone (not-found error) the operation silently succeeds (200 OK) rather than returning 404, matching the user expectation that stop = ensure-stopped. - Router: removed dead JailNotFoundError handler from stop endpoint. 391 tests pass (2 new), ruff clean, mypy clean (pre-existing config.py error unchanged). Task 2 — access list simulator - Docker/simulate_accesses.sh: writes fake HTTP-scan log lines in custom format (bangui-access: http scan from <IP> ...) to Docker/logs/access.log so the bangui-access jail detects them. - fail2ban/filter.d/bangui-access.conf: failregex matching the above. - fail2ban/jail.d/bangui-access.conf: polling jail on access.log, same settings as bangui-sim (maxretry=3, bantime=60s). - .gitignore: whitelist new bangui-access.conf files. - Docker/fail2ban-dev-config/README.md: added "Testing the Access List Feature" section with step-by-step instructions and updated Configuration Reference + Troubleshooting.
2026-03-06 19:49:31 +01:00
parent 73c1300d9f
commit 08b8f3872a
10 changed files with 239 additions and 965 deletions
--- a/Docker/fail2ban-dev-config/fail2ban/filter.d/bangui-access.conf
+++ b/Docker/fail2ban-dev-config/fail2ban/filter.d/bangui-access.conf
@@ -0,0 +1,13 @@
+# ──────────────────────────────────────────────────────────────
+#  BanGUI — Simulated HTTP access scan failure filter
+#
+#  Matches lines written by Docker/simulate_accesses.sh.
+#  Format:
+#    YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "<METHOD> <path> HTTP/1.1" <STATUS>
+# ──────────────────────────────────────────────────────────────
+
+[Definition]
+
+failregex = ^.* bangui-access: http scan from <HOST> ".*" [45]\d\d\s*$
+
+ignoreregex =
--- a/Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-access.conf
+++ b/Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-access.conf
@@ -0,0 +1,20 @@
+# ──────────────────────────────────────────────────────────────
+#  BanGUI — Simulated HTTP access scan jail
+#
+#  Watches Docker/logs/access.log (mounted at /remotelogs/bangui)
+#  for lines produced by Docker/simulate_accesses.sh.
+# ──────────────────────────────────────────────────────────────
+
+[bangui-access]
+
+enabled    = true
+filter     = bangui-access
+logpath    = /remotelogs/bangui/access.log
+backend    = polling
+maxretry   = 3
+findtime   = 120
+bantime    = 60
+banaction  = iptables-allports
+
+# Never ban localhost, the Docker bridge network, or the host machine.
+ignoreip   = 127.0.0.0/8 ::1 172.16.0.0/12