fix: reload/stop jail 404 + access list simulator
Task 1 — fix Stop/Reload Jail returning 404
Root cause: reload_jail and reload_all sent an empty config stream
(["reload", name, [], []]). In fail2ban's reload protocol the end-of-
reload phase deletes every jail still in reload_state — i.e. every jail
that received no configuration commands. An empty stream means *all*
affected jails are silently removed from the daemon's runtime, causing
everything touching those jails afterwards (including stop) to receive
UnknownJailException → HTTP 404.
Fixes:
- reload_jail: send ["start", name] in the config stream; startJail()
removes the jail from reload_state so the end phase commits instead of
deletes, and un-idles the jail.
- reload_all: fetch current jail list first, build a ["start", name]
entry for every active jail, then send reload --all with that stream.
- stop_jail: made idempotent — if the jail is already gone (not-found
error) the operation silently succeeds (200 OK) rather than returning
404, matching the user expectation that stop = ensure-stopped.
- Router: removed dead JailNotFoundError handler from stop endpoint.
391 tests pass (2 new), ruff clean, mypy clean (pre-existing
config.py error unchanged).
Task 2 — access list simulator
- Docker/simulate_accesses.sh: writes fake HTTP-scan log lines in
custom format (bangui-access: http scan from <IP> ...) to
Docker/logs/access.log so the bangui-access jail detects them.
- fail2ban/filter.d/bangui-access.conf: failregex matching the above.
- fail2ban/jail.d/bangui-access.conf: polling jail on access.log,
same settings as bangui-sim (maxretry=3, bantime=60s).
- .gitignore: whitelist new bangui-access.conf files.
- Docker/fail2ban-dev-config/README.md: added "Testing the Access
List Feature" section with step-by-step instructions and updated
Configuration Reference + Troubleshooting.
This commit is contained in:
82
Docker/simulate_accesses.sh
Normal file
82
Docker/simulate_accesses.sh
Normal file
@@ -0,0 +1,82 @@
|
||||
#!/usr/bin/env bash
|
||||
# ──────────────────────────────────────────────────────────────
|
||||
# simulate_accesses.sh
|
||||
#
|
||||
# Writes synthetic HTTP-scan log lines to a file that matches
|
||||
# the bangui-access fail2ban filter. Use this to populate the
|
||||
# Access List tab in BanGUI without a real web server.
|
||||
#
|
||||
# Usage:
|
||||
# bash Docker/simulate_accesses.sh [COUNT] [SOURCE_IP] [LOG_FILE]
|
||||
#
|
||||
# Defaults:
|
||||
# COUNT : 5
|
||||
# SOURCE_IP: 203.0.113.7
|
||||
# LOG_FILE : Docker/logs/access.log (relative to repo root)
|
||||
#
|
||||
# Log line format (must match bangui-access failregex exactly):
|
||||
# YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "<METHOD> <path> HTTP/1.1" <STATUS>
|
||||
#
|
||||
# fail2ban bans the IP after maxretry (default 3) matching lines.
|
||||
# ──────────────────────────────────────────────────────────────
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# ── Defaults ──────────────────────────────────────────────────
|
||||
readonly DEFAULT_COUNT=5
|
||||
readonly DEFAULT_IP="203.0.113.7"
|
||||
|
||||
# Resolve script location so defaults work regardless of cwd.
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
readonly DEFAULT_LOG_FILE="${SCRIPT_DIR}/logs/access.log"
|
||||
|
||||
# ── Arguments ─────────────────────────────────────────────────
|
||||
COUNT="${1:-${DEFAULT_COUNT}}"
|
||||
SOURCE_IP="${2:-${DEFAULT_IP}}"
|
||||
LOG_FILE="${3:-${DEFAULT_LOG_FILE}}"
|
||||
|
||||
# ── Validate COUNT is a positive integer ──────────────────────
|
||||
if ! [[ "${COUNT}" =~ ^[1-9][0-9]*$ ]]; then
|
||||
echo "ERROR: COUNT must be a positive integer, got: '${COUNT}'" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# ── Common bot-scan paths ─────────────────────────────────────
|
||||
PATHS=(
|
||||
"GET /.env HTTP/1.1"
|
||||
"GET /wp-login.php HTTP/1.1"
|
||||
"GET /admin HTTP/1.1"
|
||||
"POST /wp-login.php HTTP/1.1"
|
||||
"GET /.git/config HTTP/1.1"
|
||||
"GET /phpinfo.php HTTP/1.1"
|
||||
"GET /wp-config.php HTTP/1.1"
|
||||
"GET /phpmyadmin HTTP/1.1"
|
||||
)
|
||||
readonly PATHS
|
||||
|
||||
NUM_PATHS="${#PATHS[@]}"
|
||||
|
||||
# ── Ensure log directory exists ───────────────────────────────
|
||||
LOG_DIR="$(dirname "${LOG_FILE}")"
|
||||
mkdir -p "${LOG_DIR}"
|
||||
|
||||
# ── Write scan lines ──────────────────────────────────────────
|
||||
echo "Writing ${COUNT} HTTP-scan line(s) for ${SOURCE_IP} to ${LOG_FILE} ..."
|
||||
|
||||
for ((i = 1; i <= COUNT; i++)); do
|
||||
TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S')"
|
||||
# Cycle through the scan paths so each run looks varied.
|
||||
PATH_ENTRY="${PATHS[$(( (i - 1) % NUM_PATHS ))]}"
|
||||
printf '%s bangui-access: http scan from %s "%s" 404\n' \
|
||||
"${TIMESTAMP}" "${SOURCE_IP}" "${PATH_ENTRY}" >> "${LOG_FILE}"
|
||||
sleep 0.5
|
||||
done
|
||||
|
||||
# ── Summary ───────────────────────────────────────────────────
|
||||
echo "Done."
|
||||
echo " Lines written : ${COUNT}"
|
||||
echo " Source IP : ${SOURCE_IP}"
|
||||
echo " Log file : ${LOG_FILE}"
|
||||
echo ""
|
||||
echo " fail2ban bans after maxretry=3 matching lines."
|
||||
echo " Check ban status with: bash Docker/check_ban_status.sh"
|
||||
Reference in New Issue
Block a user