From 07ffa7a525f16d1ee10c9137ff182b29715400d4 Mon Sep 17 00:00:00 2001
From: serogaq <36307024+serogaq@users.noreply.github.com>
Date: Sun, 8 Dec 2024 18:05:37 +0300
Subject: [PATCH] 7 / fail2ban, iptables and some fixes (#9)

* 7 / fail2ban, iptables and some fixes
* 7 / get public ip from env
---
 DockerEntrypoint.sh | 4 +-
 Dockerfile | 82 +++++++++++++++++++++++++++++++++++++++++++
 docker-compose.yml | 7 ++++
 web/service/server.go | 6 ++++
 4 files changed, 97 insertions(+), 2 deletions(-)

diff --git a/DockerEntrypoint.sh b/DockerEntrypoint.sh
index b5a449ea..ec4771ed 100644
--- a/DockerEntrypoint.sh
+++ b/DockerEntrypoint.sh
@@ -4,8 +4,8 @@ fail2ban-client -x start
 # Docker Logs
-ln -sf /dev/stdout /app/access.log
-ln -sf /dev/stdout /app/error.log
+#ln -sf /dev/stdout /app/access.log
+#ln -sf /dev/stdout /app/error.log
 # Run x-ui
 exec /app/x-ui
diff --git a/Dockerfile b/Dockerfile
index f16d3422..5a46b268 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,6 +30,8 @@ RUN apk add --no-cache --update \
 ca-certificates \
 tzdata \
 fail2ban \
+ ip6tables \
+ iptables \
 bash \
 nano \
 unzip 
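Review bot: The two `ln -sf /dev/stdout …` lines in DockerEntrypoint.sh are commented out rather than deleted, so the entrypoint now carries dead code whose only effect is to make a reader wonder whether stdout logging is still supported. Since the log files are replaced by bind mounts in the docker-compose change of this same commit, delete the two lines outright (git history keeps the old behaviour); if redirecting to stdout is meant to remain an option, gate it on an environment variable and document that variable instead of leaving a comment. Note that with the symlinks gone nothing in the entrypoint creates `/app/access.log` or `/app/error.log` any more, so their existence now depends entirely on the mounts being present.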
@@ -46,6 +48,86 @@ RUN rm -f /etc/fail2ban/jail.d/alpine-ssh.conf \
 && sed -i "s/^\[sshd\]$/&\nenabled = false/" /etc/fail2ban/jail.local \
 && sed -i "s/#allowipv6 = auto/allowipv6 = auto/g" /etc/fail2ban/fail2ban.conf
+RUN < /etc/fail2ban/jail.d/3x-ipl.conf
+[3x-ipl]
+enabled=true
+backend=auto
+filter=3x-ipl
+action=3x-ipl
+logpath=${iplimit_log_path}
+maxretry=2
+findtime=32
+bantime=${bantime}m
+EOF
+
+cat << EOF > /etc/fail2ban/filter.d/3x-ipl.conf
+[Definition]
+datepattern = ^%%Y/%%m/%%d %%H:%%M:%%S
+failregex = \[LIMIT_IP\]\s*Email\s*=\s*.+\s*\|\|\s*SRC\s*=\s*
+ignoreregex =
+EOF
+
+cat << EOF > /etc/fail2ban/action.d/3x-ipl.conf
+[INCLUDES]
+before = iptables-common.conf
+
+[Definition]
+actionstart = -N f2b-
+ -A f2b- -j
+ -I -p -j f2b-
+
+actionstop = -D -p -j f2b-
+
+ -X f2b-
+
+actioncheck = -n -L | grep -q 'f2b-[ \t]'
+
+actionban = -I f2b- 1 -s -j
+ echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") BAN [Email] = [IP] = banned for seconds." >> ${iplimit_banned_log_path}
+
+actionunban = -D f2b- -s -j
+ echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") UNBAN [Email] = [IP] = unbanned." >> ${iplimit_banned_log_path}
+
+[Init]
+name = default
+protocol = tcp
+chain = INPUT
+EOF
+
+cat << EOF > /etc/fail2ban/action.d/iptables-common.conf
+[INCLUDES]
+after = iptables-blocktype.local
+ iptables-common.local
+
+[Definition]
+actionflush = -F f2b-
+
+[Init]
+chain = INPUT
+name = default
+port = ssh
+protocol = tcp
+blocktype = REJECT --reject-with icmp-port-unreachable
+returntype = RETURN
+lockingopt = -w
+iptables = iptables
+
+[Init?family=inet6]
+blocktype = REJECT --reject-with icmp6-port-unreachable
+iptables = ip6tables
+EOF
+
+sed -i "1s/^/[INCLUDES]\n\nbefore = iptables-common.conf\n\n/" /etc/fail2ban/action.d/iptables.conf
+EOT
+
+RUN mkdir -p /etc/x-ui && touch /etc/x-ui/announce.txt
+
 RUN chmod +x \
 /app/DockerEntrypoint.sh \
 /app/x-ui \
diff --git a/docker-compose.yml b/docker-compose.yml
index 0b5bdead..83135548 100644
--- a/docker-compose.yml
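Review bot: The heredoc that writes `/etc/fail2ban/jail.d/3x-ipl.conf` expands `${iplimit_log_path}`, `${bantime}` and `${iplimit_banned_log_path}` at image build time (the heredoc is unquoted, which is also why `\$(date …)` is escaped), but nothing in this hunk declares them; unless an `ARG`/`ENV` earlier in the Dockerfile sets them, the jail is written with an empty `logpath=` and a literal `bantime=m` and fails to load. Either declare them with defaults before this `RUN`, or make the build fail loudly on a missing value, e.g. `logpath=${iplimit_log_path:?iplimit_log_path must be set}`. Separately, the iptables/ip6tables actions installed here can only add rules if the container runs with `CAP_NET_ADMIN` (`cap_add: [NET_ADMIN]` in the compose file); the visible docker-compose hunk does not add it, so if it is not set elsewhere every ban fails at `actionstart` and the jail provides no protection while appearing enabled. In this rendering the angle-bracket tokens of the action definitions (the `<iptables>`, `<name>`, `<ip>` style placeholders) appear to have been stripped, so I could not verify them line by line; the `RUN` heredoc form also requires the BuildKit frontend, which should be pinned with a `# syntax=` directive at the top of the Dockerfile if it is not already.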
+++ b/docker-compose.yml
@@ -33,7 +33,14 @@ services:
 - "traefik.tcp.services.3x-ui-inbound-443.loadbalancer.server.port=443"
 volumes:
 - ./db/:/etc/x-ui/
+ - ./db/fail2ban.sqlite3:/var/lib/fail2ban/fail2ban.sqlite3
 - ./cert/:/root/cert/
+ - ./logs/xray-access.log:/app/access.log
+ - ./logs/xray-error.log:/app/error.log
+ - ./logs/3xipl.log:/var/log/3xipl.log
+ - ./logs/3xipl-ap.log:/var/log/3xipl-ap.log
+ - ./logs/3xipl-banned.log:/var/log/3xipl-banned.log
+ - ./logs/fail2ban.log:/var/log/fail2ban.log
 - ./announce.txt:/etc/x-ui/announce.txt
 environment:
 PUID: 1000
diff --git a/web/service/server.go b/web/service/server.go
index 3198e325..1695a89e 100644
--- a/web/service/server.go
+++ b/web/service/server.go
@@ -95,6 +95,12 @@ type ServerService struct {
 }
 func getPublicIP(url string) string {
+ var host string
+ host = os.Getenv("XUI_SERVER_IP")
+ if host != "" && !strings.ContainsAny(str1, "6") {
+ return host
+ }
+
 resp, err := http.Get(url)
 if err != nil {
 return "N/A"
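Review bot: The seven new single-file bind mounts (`./db/fail2ban.sqlite3` and the six `./logs/*.log` entries) assume the host files already exist; if any path is missing when the container starts, Docker creates a directory at that host path, the container then sees `/app/access.log`, `/var/log/3xipl.log` etc. as directories, and both xray's logging and the fail2ban `logpath` fail. Either create the files up front (a `touch` step in the setup instructions or an init container) or mount the `./logs/` directory as a whole, which also avoids the mount point detaching from the file if anything inside the container replaces a log by rename. Also worth checking that the host-side files are writable by the uid the writing processes actually run as inside the container — `PUID: 1000` is shown, but fail2ban's own uid is not visible here.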
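Review bot: `strings.ContainsAny(str1, "6")` references `str1`, which is neither declared in the hunk nor a parameter of getPublicIP; unless it is a package-level name elsewhere in the file this does not compile, and from the intent (return the env override only for the IPv4 lookup) it looks like it should be `url`. Even with that fixed, `ContainsAny(url, "6")` matches any '6' anywhere in the URL, and the value of `XUI_SERVER_IP` is returned to the UI unvalidated; parsing it keeps a malformed or non-address value from being displayed as the server IP, e.g. `host := os.Getenv("XUI_SERVER_IP")` followed by `if ip := net.ParseIP(host); ip != nil && !strings.Contains(url, "6") { return host }` (this needs `net` imported if the file does not already). The `var host string` / `host = …` pair should collapse into the `:=` form regardless. getPublicIP's body continues past the end of the hunk.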