Add fail2ban dev test environment (Stage 0)

- Add bangui-sim filter (filter.d/bangui-sim.conf) matching the simulated authentication failure log format - Add bangui-sim jail (jail.d/bangui-sim.conf) with maxretry=3, bantime=60s, findtime=120s, ignoreip safeguard, polling backend - Mount Docker/logs/ into fail2ban container at /remotelogs/bangui in compose.debug.yml - Add simulate_failed_logins.sh to write synthetic failure lines - Add check_ban_status.sh with optional --unban flag - Add dev-ban-test Makefile target for one-command smoke testing - Write Docker/fail2ban-dev-config/README.md with setup and troubleshooting docs - Update .gitignore to track custom config files while still excluding auto-generated linuxserver fail2ban files
2026-03-03 21:00:08 +01:00
parent 39ee1e2945
commit 1c89454197
9 changed files with 442 additions and 16 deletions
--- a/Docker/check_ban_status.sh
+++ b/Docker/check_ban_status.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# ──────────────────────────────────────────────────────────────
+#  check_ban_status.sh
+#
+#  Queries the bangui-sim jail inside the running fail2ban
+#  container and optionally unbans a specific IP.
+#
+#  Usage:
+#    bash Docker/check_ban_status.sh
+#    bash Docker/check_ban_status.sh --unban 192.168.100.99
+#
+#  Requirements:
+#    The bangui-fail2ban-dev container must be running.
+#    (docker compose -f Docker/compose.debug.yml up -d fail2ban)
+# ──────────────────────────────────────────────────────────────
+
+set -euo pipefail
+
+readonly CONTAINER="bangui-fail2ban-dev"
+readonly JAIL="bangui-sim"
+
+# ── Helper: run a fail2ban-client command inside the container ─
+f2b() {
+    docker exec "${CONTAINER}" fail2ban-client "$@"
+}
+
+# ── Parse arguments ───────────────────────────────────────────
+UNBAN_IP=""
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --unban)
+            if [[ -z "${2:-}" ]]; then
+                echo "ERROR: --unban requires an IP address argument." >&2
+                exit 1
+            fi
+            UNBAN_IP="$2"
+            shift 2
+            ;;
+        *)
+            echo "ERROR: Unknown argument: '$1'" >&2
+            echo "Usage: $0 [--unban <IP>]" >&2
+            exit 1
+            ;;
+    esac
+done
+
+# ── Unban mode ────────────────────────────────────────────────
+if [[ -n "${UNBAN_IP}" ]]; then
+    echo "Unbanning ${UNBAN_IP} from jail '${JAIL}' ..."
+    f2b set "${JAIL}" unbanip "${UNBAN_IP}"
+    echo "Done. '${UNBAN_IP}' has been removed from the ban list."
+    echo ""
+fi
+
+# ── Jail status ───────────────────────────────────────────────
+echo "═══════════════════════════════════════════"
+echo "  Jail status: ${JAIL}"
+echo "═══════════════════════════════════════════"
+f2b status "${JAIL}"
+
+# ── Banned IPs with timestamps ────────────────────────────────
+echo ""
+echo "═══════════════════════════════════════════"
+echo "  Banned IPs with timestamps: ${JAIL}"
+echo "═══════════════════════════════════════════"
+f2b get "${JAIL}" banip --with-time || echo "(no IPs currently banned)"