Add ban management features and update documentation

- Implement ban model, service, and router endpoints in backend - Add ban table component and dashboard integration in frontend - Update ban-related types and API endpoints - Add comprehensive tests for ban service and dashboard router - Update documentation (Features, Tasks, Architecture, Web-Design) - Clean up old fail2ban configuration files - Update Makefile with new commands
2026-03-06 20:33:42 +01:00
parent 06738dbfa5
commit cbad4ea706
20 changed files with 58 additions and 760 deletions
--- a/Docker/fail2ban-dev-config/README.md
+++ b/Docker/fail2ban-dev-config/README.md
@@ -67,50 +67,6 @@ Chains steps 1–3 automatically with appropriate sleep intervals.

 ---

-## Testing the Access List Feature
-
-The **Access List** tab in BanGUI displays each individual matched log line
-stored in fail2ban's database.  A second jail — `bangui-access` — monitors
-`Docker/logs/access.log` for simulated HTTP bot-scan entries.
-
-### 1 — Run the access-scan simulation
-
-```bash
-bash Docker/simulate_accesses.sh
-```
-
-Default: writes **5** HTTP-scan lines for IP `203.0.113.7` to
-`Docker/logs/access.log`.  
-Optional overrides:
-
-```bash
-bash Docker/simulate_accesses.sh <COUNT> <SOURCE_IP> <LOG_FILE>
-# e.g. bash Docker/simulate_accesses.sh 6 198.51.100.5
-```
-
-Log line format:
-
-```
-YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "GET /.env HTTP/1.1" 404
-```
-
-### 2 — Verify the IP was banned
-
-```bash
-bash Docker/check_ban_status.sh
-```
-
-The `bangui-access` jail should appear alongside `bangui-sim`, showing the
-banned IP and matched line count.
-
-### 3 — Unban and re-test
-
-```bash
-bash Docker/check_ban_status.sh --unban 203.0.113.7
-```
-
---
-
 ## Configuration Reference

 | File | Purpose |
@@ -118,9 +74,6 @@ bash Docker/check_ban_status.sh --unban 203.0.113.7
 | `fail2ban/filter.d/bangui-sim.conf` | Defines the `failregex` that matches simulation log lines |
 | `fail2ban/jail.d/bangui-sim.conf` | Jail settings: `maxretry=3`, `bantime=60s`, `findtime=120s` |
 | `Docker/logs/auth.log` | Log file written by the simulation script (host path) |
-| `fail2ban/filter.d/bangui-access.conf` | Defines the `failregex` that matches access-scan log lines |
-| `fail2ban/jail.d/bangui-access.conf` | Access jail settings: `maxretry=3`, `bantime=60s`, `findtime=120s` |
-| `Docker/logs/access.log` | Log file written by `simulate_accesses.sh` (host path) |

 Inside the container the log file is mounted at `/remotelogs/bangui/auth.log`
 (see `fail2ban/paths-lsio.conf` — `remote_logs_path = /remotelogs`).
@@ -156,9 +109,6 @@ Test the regex manually:
 ```bash
 docker exec bangui-fail2ban-dev \
    fail2ban-regex /remotelogs/bangui/auth.log bangui-sim
-
-docker exec bangui-fail2ban-dev \
-    fail2ban-regex /remotelogs/bangui/access.log bangui-access
 ```

 The output should show matched lines. If nothing matches, check that the log
@@ -167,9 +117,6 @@ lines match the corresponding `failregex` pattern:
 ```
 # bangui-sim (auth log):
 YYYY-MM-DD HH:MM:SS bangui-auth: authentication failure from <IP>
-
-# bangui-access (access log):
-YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "<METHOD> <path> HTTP/1.1" <STATUS>
 ```

 ### iptables / permission errors
--- a/Docker/fail2ban-dev-config/fail2ban/filter.d/bangui-access.conf
+++ b/Docker/fail2ban-dev-config/fail2ban/filter.d/bangui-access.conf
@@ -1,13 +0,0 @@
-# ──────────────────────────────────────────────────────────────
-#  BanGUI — Simulated HTTP access scan failure filter
-#
-#  Matches lines written by Docker/simulate_accesses.sh.
-#  Format:
-#    YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "<METHOD> <path> HTTP/1.1" <STATUS>
-# ──────────────────────────────────────────────────────────────
-
-[Definition]
-
-failregex = ^.* bangui-access: http scan from <HOST> ".*" [45]\d\d\s*$
-
-ignoreregex =
--- a/Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-access.conf
+++ b/Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-access.conf
@@ -1,20 +0,0 @@
-# ──────────────────────────────────────────────────────────────
-#  BanGUI — Simulated HTTP access scan jail
-#
-#  Watches Docker/logs/access.log (mounted at /remotelogs/bangui)
-#  for lines produced by Docker/simulate_accesses.sh.
-# ──────────────────────────────────────────────────────────────
-
-[bangui-access]
-
-enabled    = true
-filter     = bangui-access
-logpath    = /remotelogs/bangui/access.log
-backend    = polling
-maxretry   = 3
-findtime   = 120
-bantime    = 60
-banaction  = iptables-allports
-
-# Never ban localhost, the Docker bridge network, or the host machine.
-ignoreip   = 127.0.0.0/8 ::1 172.16.0.0/12
--- a/Docker/simulate_accesses.sh
+++ b/Docker/simulate_accesses.sh
@@ -1,82 +0,0 @@
-#!/usr/bin/env bash
-# ──────────────────────────────────────────────────────────────
-#  simulate_accesses.sh
-#
-#  Writes synthetic HTTP-scan log lines to a file that matches
-#  the bangui-access fail2ban filter.  Use this to populate the
-#  Access List tab in BanGUI without a real web server.
-#
-#  Usage:
-#    bash Docker/simulate_accesses.sh [COUNT] [SOURCE_IP] [LOG_FILE]
-#
-#  Defaults:
-#    COUNT    : 5
-#    SOURCE_IP: 203.0.113.7
-#    LOG_FILE : Docker/logs/access.log   (relative to repo root)
-#
-#  Log line format (must match bangui-access failregex exactly):
-#    YYYY-MM-DD HH:MM:SS bangui-access: http scan from <IP> "<METHOD> <path> HTTP/1.1" <STATUS>
-#
-#  fail2ban bans the IP after maxretry (default 3) matching lines.
-# ──────────────────────────────────────────────────────────────
-
-set -euo pipefail
-
-# ── Defaults ──────────────────────────────────────────────────
-readonly DEFAULT_COUNT=5
-readonly DEFAULT_IP="203.0.113.7"
-
-# Resolve script location so defaults work regardless of cwd.
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-readonly DEFAULT_LOG_FILE="${SCRIPT_DIR}/logs/access.log"
-
-# ── Arguments ─────────────────────────────────────────────────
-COUNT="${1:-${DEFAULT_COUNT}}"
-SOURCE_IP="${2:-${DEFAULT_IP}}"
-LOG_FILE="${3:-${DEFAULT_LOG_FILE}}"
-
-# ── Validate COUNT is a positive integer ──────────────────────
-if ! [[ "${COUNT}" =~ ^[1-9][0-9]*$ ]]; then
-    echo "ERROR: COUNT must be a positive integer, got: '${COUNT}'" >&2
-    exit 1
-fi
-
-# ── Common bot-scan paths ─────────────────────────────────────
-PATHS=(
-    "GET /.env HTTP/1.1"
-    "GET /wp-login.php HTTP/1.1"
-    "GET /admin HTTP/1.1"
-    "POST /wp-login.php HTTP/1.1"
-    "GET /.git/config HTTP/1.1"
-    "GET /phpinfo.php HTTP/1.1"
-    "GET /wp-config.php HTTP/1.1"
-    "GET /phpmyadmin HTTP/1.1"
-)
-readonly PATHS
-
-NUM_PATHS="${#PATHS[@]}"
-
-# ── Ensure log directory exists ───────────────────────────────
-LOG_DIR="$(dirname "${LOG_FILE}")"
-mkdir -p "${LOG_DIR}"
-
-# ── Write scan lines ──────────────────────────────────────────
-echo "Writing ${COUNT} HTTP-scan line(s) for ${SOURCE_IP} to ${LOG_FILE} ..."
-
-for ((i = 1; i <= COUNT; i++)); do
-    TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S')"
-    # Cycle through the scan paths so each run looks varied.
-    PATH_ENTRY="${PATHS[$(( (i - 1) % NUM_PATHS ))]}"
-    printf '%s bangui-access: http scan from %s "%s" 404\n' \
-        "${TIMESTAMP}" "${SOURCE_IP}" "${PATH_ENTRY}" >> "${LOG_FILE}"
-    sleep 0.5
-done
-
-# ── Summary ───────────────────────────────────────────────────
-echo "Done."
-echo "  Lines written : ${COUNT}"
-echo "  Source IP     : ${SOURCE_IP}"
-echo "  Log file      : ${LOG_FILE}"
-echo ""
-echo "  fail2ban bans after maxretry=3 matching lines."
-echo "  Check ban status with: bash Docker/check_ban_status.sh"