fix: add blocklist-import jail to dev fail2ban config

The blocklist import service targets a dedicated jail called 'blocklist-import' (BLOCKLIST_JAIL constant in blocklist_service.py), but that jail was never defined in the dev fail2ban configuration. Every import attempt immediately failed with UnknownJailException. Add Docker/fail2ban-dev-config/fail2ban/jail.d/blocklist-import.conf: a manual-ban jail with no log-based detection that accepts banip commands only, using iptables-allports with a 1-week bantime. Also track the new file in .gitignore (whitelist) and fix a pre-existing blank-line-with-whitespace lint error in setup_service.py.
2026-03-07 19:31:36 +01:00
parent cbad4ea706
commit 706d2e1df8
4 changed files with 120 additions and 2 deletions
--- a/Docker/fail2ban-dev-config/fail2ban/jail.d/blocklist-import.conf
+++ b/Docker/fail2ban-dev-config/fail2ban/jail.d/blocklist-import.conf
@@ -0,0 +1,26 @@
+# ──────────────────────────────────────────────────────────────
+#  BanGUI — Blocklist-import jail
+#
+#  Dedicated jail for IPs banned via the BanGUI blocklist import
+#  feature.  This is a manual-ban jail: it does not watch any log
+#  file.  All bans are injected programmatically via
+#    fail2ban-client set blocklist-import banip <ip>
+#  which the BanGUI backend uses through its fail2ban socket
+#  client.
+# ──────────────────────────────────────────────────────────────
+
+[blocklist-import]
+
+enabled    = true
+# No log-based detection — only manual banip commands are used.
+filter     =
+logpath    = /dev/null
+backend    = auto
+maxretry   = 1
+findtime   = 1d
+# Block imported IPs for one week.
+bantime    = 1w
+banaction  = iptables-allports
+
+# Never ban the Docker bridge network or localhost.
+ignoreip   = 127.0.0.0/8 ::1 172.16.0.0/12