moved fail2ban to docker

docker/fail2ban/action.d/cloudflare.conf

@@ -0,0 +1,3 @@
+[Definition]
+actionban = /data/action.d/entryPoint.py <ip> add
+actionunban = /data/action.d/entryPoint.py <ip> del

docker/fail2ban/action.d/entryPoint.py

@@ -0,0 +1,20 @@
+#!/usr/bin/python3
+
+""" 
+Creates a virtual environment, installs dependencies, and then calls modifyBanList.py
+"""
+
+import os
+import sys
+
+if len(sys.argv) < 3:
+    print("Usage: ./entryPoint.py <ip> <add|del>")
+    sys.exit(1)
+
+venv_dir = 'env'
+
+if not os.path.exists(venv_dir):
+    os.system(f"{sys.executable} -m venv {venv_dir}")
+
+os.system(f"{os.path.join(venv_dir, 'bin', 'pip')} install --upgrade requests ipaddress")
+os.system(f"{os.path.join(venv_dir, 'bin', 'python')} /data/action.d/modifyBanList.py {sys.argv[1]} {sys.argv[2]}")

docker/fail2ban/action.d/modifyBanList.py

@@ -0,0 +1,83 @@
+#!/usr/bin/python3
+
+""" 
+Called by entryPoint.py, performs the addition or deletion of an item in a Cloudflare custom list.
+Support for IPV6 is limited as it blocks the entire /64 subnet.
+"""
+
+import sys
+import requests
+from requests import Response
+import json
+import ipaddress
+
+def getIPList(apiEndpoint : str, headers : dict) -> json:
+    response = requests.get(apiEndpoint, headers=headers)
+    if response.status_code == 200:
+        return response.json()
+    else:
+        print(f"Failed to fetch existing IP list. Status code: {response.status_code}")
+        print(response.text)
+        sys.exit(1)
+
+def addIPtoList(ipAddr : str, apiEndpoint : str, headers : dict) -> Response:
+    payload = [{"ip": ipAddr}]
+    response = requests.post(apiEndpoint, headers=headers, data=json.dumps(payload))
+    return response
+
+def removeIPFromList(ipId : str, apiEndpoint : str, headers : dict) -> Response:
+    payload = {"items": [{"id": ipId}]}
+    response = requests.delete(apiEndpoint, headers=headers, data=json.dumps(payload))
+    return response
+
+if __name__ == "__main__":
+    if len(sys.argv) < 3:
+        print("Usage: ./modifyBanList.py <ip> <add|del>")
+        sys.exit(1)
+
+    ipAddr = sys.argv[1]
+
+    try:
+        addr = ipaddress.IPv6Address(ipAddr)
+        first_64_bits = str(addr.exploded).split(':')[:4]
+        ipAddr = ':'.join(first_64_bits) + '::/64'
+    except:
+        pass
+
+    action = sys.argv[2]
+    listId = ''
+    accountId = ''
+    email = ''
+    apiKey = ''
+    apiEndpoint = f'https://api.cloudflare.com/client/v4/accounts/{accountId}/rules/lists/{listId}/items'
+
+    headers = {
+        'X-Auth-Email': f'{email}',
+        'X-Auth-Key': f'{apiKey}',
+        'Content-Type': 'application/json'
+    }
+
+    existingIpList = getIPList(apiEndpoint,headers)
+    print(existingIpList)
+    response = None
+
+    if action == "del":
+        ipId = None
+        for item in existingIpList['result']:
+            if item['ip'] == ipAddr:
+                ipId = item['id']
+                break
+        payload = {"items": [{"id": ipId}]}
+
+        if ipId is not None:
+            response = requests.delete(apiEndpoint,headers=headers,data=json.dumps(payload))
+    elif not any(item['ip'] == ipAddr for item in existingIpList['result']):
+        payload = [{
+            "ip": ipAddr
+        }]
+        response = requests.post(apiEndpoint, headers=headers, data=json.dumps(payload))
+
+    if response is not None and response.status_code == 200:
+            print(f"IP address {ipAddr} {action} to the custom IP list successfully.")
+    else:
+        print(f"Failed to {action} IP address {ipAddr} to the custom IP list.")

docker/fail2ban/filter.d/authelia-auth.conf

@@ -0,0 +1,13 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^.*Unsuccessful (1FA|TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?<HOST>"? stack.*
+            (?i)^.*access to .*is not authorized.*remote_ip=<HOST>
+            ^.* is banned until .*remote_ip=<HOST> stack.*
+
+ignoreregex = ^.*level=debug.*
+              ^.*level=info.*
+              ^.*level=warning.*

docker/fail2ban/filter.d/gitea-auth.conf

@@ -0,0 +1,7 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>

docker/fail2ban/filter.d/nextcloud-auth.conf

@@ -0,0 +1,7 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex=^{"reqId":".*","remoteAddr":"<HOST>".*message":"Login failed: .*}$

docker/fail2ban/jail.d/authelia-auth.conf

@@ -0,0 +1,5 @@
+[authelia-auth]
+
+enabled  = false
+port     = http,https,9091
+logpath  = /remotelogs/authelia/authelia.log

docker/fail2ban/jail.d/gitea-auth.conf

@@ -0,0 +1,5 @@
+[gitea-auth]
+
+enabled  = false
+port     = http,https
+logpath  = /remotelogs/gitea/gitea/log/gitea.log

docker/fail2ban/jail.d/jail.local

@@ -0,0 +1,24 @@
+[DEFAULT]
+ignoreip = 10.0.0.0/8, 192.168.0.0/16, 127.0.0.1, 172.0.0.0/8
+action = cloudflare
+
+[authelia-auth]
+filter=authelia-auth
+enabled = yes
+findtime = 3600
+maxretry = 3
+bantime = -1
+
+[nextcloud-auth]
+filter=nextcloud-auth
+enabled = yes
+findtime = 3600
+maxretry = 3
+bantime = -1
+
+[gitea-auth]
+filter=gitea-auth
+#enabled = yes
+findtime = 3600
+maxretry = 3
+bantime = -1

docker/fail2ban/jail.d/nextcloud-auth.conf

@@ -0,0 +1,5 @@
+[nextcloud-auth]
+
+enabled  = false
+port     = http,https
+logpath  = /remotelogs/nextcloud/data/nextcloud.log