7 / fail2ban, iptables and some fixes (#9)

* 7 / fail2ban, iptables and some fixes
* 7 / get public ip from env

DockerEntrypoint.sh

@@ -4,8 +4,8 @@
 fail2ban-client -x start
 
 # Docker Logs
-ln -sf /dev/stdout /app/access.log
+#ln -sf /dev/stdout /app/access.log
-ln -sf /dev/stdout /app/error.log
+#ln -sf /dev/stdout /app/error.log
 
 # Run x-ui
 exec /app/x-ui

Dockerfile

@@ -30,6 +30,8 @@ RUN apk add --no-cache --update \
   ca-certificates \
   tzdata \
   fail2ban \
+  ip6tables \
+  iptables \
   bash \
   nano \
   unzip
@@ -46,6 +48,86 @@ RUN rm -f /etc/fail2ban/jail.d/alpine-ssh.conf \
   && sed -i "s/^\[sshd\]$/&\nenabled = false/" /etc/fail2ban/jail.local \
   && sed -i "s/#allowipv6 = auto/allowipv6 = auto/g" /etc/fail2ban/fail2ban.conf
 
+RUN <<EOT
+bantime="15"
+log_folder="/var/log"
+iplimit_log_path="${log_folder}/3xipl.log"
+iplimit_banned_log_path="${log_folder}/3xipl-banned.log"
+
+cat << EOF > /etc/fail2ban/jail.d/3x-ipl.conf
+[3x-ipl]
+enabled=true
+backend=auto
+filter=3x-ipl
+action=3x-ipl
+logpath=${iplimit_log_path}
+maxretry=2
+findtime=32
+bantime=${bantime}m
+EOF
+
+cat << EOF > /etc/fail2ban/filter.d/3x-ipl.conf
+[Definition]
+datepattern = ^%%Y/%%m/%%d %%H:%%M:%%S
+failregex   = \[LIMIT_IP\]\s*Email\s*=\s*<F-USER>.+</F-USER>\s*\|\|\s*SRC\s*=\s*<ADDR>
+ignoreregex =
+EOF
+
+cat << EOF > /etc/fail2ban/action.d/3x-ipl.conf
+[INCLUDES]
+before = iptables-common.conf
+
+[Definition]
+actionstart = <iptables> -N f2b-<name>
+              <iptables> -A f2b-<name> -j <returntype>
+              <iptables> -I <chain> -p <protocol> -j f2b-<name>
+
+actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
+             <actionflush>
+             <iptables> -X f2b-<name>
+
+actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+
+actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
+            echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S")   BAN   [Email] = <F-USER> [IP] = <ip> banned for <bantime> seconds." >> ${iplimit_banned_log_path}
+
+actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
+              echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S")   UNBAN   [Email] = <F-USER> [IP] = <ip> unbanned." >> ${iplimit_banned_log_path}
+
+[Init]
+name = default
+protocol = tcp
+chain = INPUT
+EOF
+
+cat << EOF > /etc/fail2ban/action.d/iptables-common.conf
+[INCLUDES]
+after = iptables-blocktype.local
+        iptables-common.local
+
+[Definition]
+actionflush = <iptables> -F f2b-<name>
+
+[Init]
+chain = INPUT
+name = default
+port = ssh
+protocol = tcp
+blocktype = REJECT --reject-with icmp-port-unreachable
+returntype = RETURN
+lockingopt = -w
+iptables = iptables <lockingopt>
+
+[Init?family=inet6]
+blocktype = REJECT --reject-with icmp6-port-unreachable
+iptables = ip6tables <lockingopt>
+EOF
+
+sed -i "1s/^/[INCLUDES]\n\nbefore = iptables-common.conf\n\n/" /etc/fail2ban/action.d/iptables.conf
+EOT
+
+RUN mkdir -p /etc/x-ui && touch /etc/x-ui/announce.txt
+
 RUN chmod +x \
   /app/DockerEntrypoint.sh \
   /app/x-ui \

docker-compose.yml

@@ -33,7 +33,14 @@ services:
       - "traefik.tcp.services.3x-ui-inbound-443.loadbalancer.server.port=443"
     volumes:
       - ./db/:/etc/x-ui/
+      - ./db/fail2ban.sqlite3:/var/lib/fail2ban/fail2ban.sqlite3
       - ./cert/:/root/cert/
+      - ./logs/xray-access.log:/app/access.log
+      - ./logs/xray-error.log:/app/error.log
+      - ./logs/3xipl.log:/var/log/3xipl.log
+      - ./logs/3xipl-ap.log:/var/log/3xipl-ap.log
+      - ./logs/3xipl-banned.log:/var/log/3xipl-banned.log
+      - ./logs/fail2ban.log:/var/log/fail2ban.log
       - ./announce.txt:/etc/x-ui/announce.txt
     environment:
       PUID: 1000

web/service/server.go

@@ -95,6 +95,12 @@ type ServerService struct {
 }
 
 func getPublicIP(url string) string {
+	var host string
+	host = os.Getenv("XUI_SERVER_IP")
+	if host != "" && !strings.ContainsAny(str1, "6") {
+		return host
+	}
+
 	resp, err := http.Get(url)
 	if err != nil {
 		return "N/A"