From 57364f7437e99deea6a92e81981c2cc88520f5a4 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 5 Jun 2025 08:42:29 +0000
Subject: [PATCH] Hi there, Jules here. I've made some updates to address an issue with Fail2ban. Previously, Fail2ban wasn't starting the `3x-ipl` jail correctly because some configuration files were missing. Here's what I've done:
- I've added a new filter configuration file, `3x-ipl.filter.conf`, which tells Fail2ban how to spot IP limit logs from your 3x-ui application.
- I've also added a new action configuration file, `3x-ipl.action.conf`, which sets up standard banning actions. I've made sure the log path for ban/unban messages in this file is `/app/log/3xipl-banned.log`, to match your application's log path.
- I updated `Dockerfile.backend` so that these two new files are copied to the right places within the Docker image.
- I also made some changes to `xui_fail2ban.local` (which gets copied to `/etc/fail2ban/jail.local`):
- I've disabled the `[sshd-ddos]` jail to prevent some startup errors, just like the `[sshd]` jail was disabled before.
- I've updated the `logpath` for the `[3x-ipl]` jail to `/app/log/3xipl.log`, which is where your 3x-ui application should be writing its IP limit logs.
These changes should allow Fail2ban to start up and monitor the `3x-ipl` jail properly, enabling IP banning for your panel. You'll need to rebuild your Docker images to apply these changes.
---
 3x-ipl.action.conf | 24 ++++++++++++++++++++++++
 3x-ipl.filter.conf | 4 ++++
 Dockerfile.backend | 2 ++
 xui_fail2ban.local | 5 ++++-
 4 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 3x-ipl.action.conf
 create mode 100644 3x-ipl.filter.conf
diff --git a/3x-ipl.action.conf b/3x-ipl.action.conf
new file mode 100644
index 00000000..e29e8904
--- /dev/null
+++ b/3x-ipl.action.conf
@@ -0,0 +1,24 @@
+[INCLUDES]
+before = iptables-allports.conf
+
+[Definition]
+actionstart = -N f2b-
+ -A f2b- -j
+ -I -p -j f2b-
+
+actionstop = -D -p -j f2b-
+
+ -X f2b-
+
+actioncheck = -n -L | grep -q 'f2b-[ ]'
+
+actionban = -I f2b- 1 -s -j
+ echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") BAN [Email] = [IP] = banned for seconds." >> /app/log/3xipl-banned.log
+
+actionunban = -D f2b- -s -j
+ echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") UNBAN [Email] = [IP] = unbanned." >> /app/log/3xipl-banned.log
+
+[Init]
+name = default
+protocol = tcp
+chain = INPUT
diff --git a/3x-ipl.filter.conf b/3x-ipl.filter.conf
new file mode 100644
index 00000000..65e7500b
--- /dev/null
+++ b/3x-ipl.filter.conf
@@ -0,0 +1,4 @@
+[Definition]
+datepattern = ^%%Y/%%m/%%d %%H:%%M:%%S
+failregex = \[LIMIT_IP\]\s*Email\s*=\s*.+\s*\|\|\s*SRC\s*=\s*
+ignoreregex =
diff --git a/Dockerfile.backend b/Dockerfile.backend
index aa3a7735..7c9b2612 100644
--- a/Dockerfile.backend
+++ b/Dockerfile.backend
@@ -54,6 +54,8 @@ RUN mkdir -p /etc/x-ui && \
 # Let's assume the Go app listens on a port defined by an ENV or config, e.g., 2053
 EXPOSE 2053
+COPY 3x-ipl.filter.conf /etc/fail2ban/filter.d/3x-ipl.conf
+COPY 3x-ipl.action.conf /etc/fail2ban/action.d/3x-ipl.conf
 COPY xui_fail2ban.local /etc/fail2ban/jail.local
 # Entrypoint
 ENTRYPOINT ["/app/DockerEntrypoint.sh"]
diff --git a/xui_fail2ban.local b/xui_fail2ban.local
index 1bdf33c5..08b4966b 100644
--- a/xui_fail2ban.local
+++ b/xui_fail2ban.local
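Review bot: The `echo` lines under `actionban` and `actionunban` keep the `\$(date ...)` escape that only makes sense inside the shell heredoc this template appears to have been lifted from; fail2ban hands the action string to a shell, which then sees a literal `$(date +"%Y/%m/%d %H:%M:%S")` instead of running `date`, so every entry in `/app/log/3xipl-banned.log` begins with that literal text rather than a timestamp. Drop the backslash on both lines: `$(date +"%%Y/%%m/%%d %%H:%%M:%%S")` (the `%%` must stay, since fail2ban's config parser reduces it to `%`). The angle-bracket tags (`<iptables>`, `<name>`, the user/IP fields shown here as `[Email] =` / `[IP] =`) seem to have been dropped by this rendering of the patch, so I cannot review them, but note that the matched email is interpolated into a shell command here; recent fail2ban releases shell-escape substituted tags, so it is worth confirming the version shipped in the image before trusting a field the client controls.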
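Review bot: As rendered, `failregex` ends at `SRC\s*=\s*` with no host capture and has only a bare `.+` after `Email\s*=\s*`; fail2ban refuses a filter whose failregex has no `<HOST>`/`<ADDR>` group, and the action's email field would stay empty without an `<F-USER>` group around that `.+`. This is most likely an artifact of the tag-stripped rendering (the action file shows `-N f2b-` where `f2b-<name>` must be), but if the committed file really lacks the tags the jail will not start at all, which is the symptom the commit aims to fix. Either way the filter would benefit from a comment naming the line shape it expects, since `datepattern = ^%%Y/%%m/%%d %%H:%%M:%%S` also forces the timestamp to lead the line; e.g. `# expects: YYYY/MM/DD HH:MM:SS [LIMIT_IP] Email = <user> || SRC = <ip>`.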
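Review bot: The two `COPY` lines install the filter and action, but the action includes `iptables-allports.conf` and runs `iptables` from `actionstart`, so the jail still fails to start unless the image ships an `iptables` binary and the container is granted `CAP_NET_ADMIN` (`--cap-add NET_ADMIN` or the compose equivalent); neither requirement is visible in this hunk, and the rest of `Dockerfile.backend` is outside the patch, so I cannot tell whether it is met. If it is not, copying the two files alone does not achieve the stated goal. A comment above the copies would make the runtime contract explicit: `# fail2ban's 3x-ipl action calls iptables: the image needs iptables and the container needs CAP_NET_ADMIN`.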
@@ -18,7 +18,7 @@ enabled = true
 # If 3x-ui creates /etc/fail2ban/jail.d/3x-ipl.conf, this [3x-ipl] section might be redundant
 # or could conflict. However, disabling sshd is the main goal here.
 port = http,https,2053 # Example, adjust if your panel port is different
-logpath = %(xui_iplimit_log_path)s # This variable would need to be defined or replaced
+logpath = /app/log/3xipl.log # Default log path from xray/process.go -> /app/log/3xipl.log (relative to /app)
 # So, if GetLogFolder() in config returns /app/log, then this should be /app/log/3xipl.log.
 # Let's use a placeholder that 3x-ui might populate or rely on its own jail.d file.
@@ -36,3 +36,6 @@ logpath = %(xui_iplimit_log_path)s # This variable would need to be defined or r
 # For now, let's make a simple [3x-ipl] and assume the main app configures it further.
 # The critical part is disabling sshd.
+
+[sshd-ddos]
+enabled = false
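Review bot: The new `logpath` line carries its explanation as a trailing `# ...` comment, and fail2ban's config reader (a configparser subclass) only treats `;` as an inline comment prefix as far as I recall, with `#` valid on full lines only, so the value becomes `/app/log/3xipl.log # Default log path from xray/process.go -> /app/log/3xipl.log (relative to /app)` and the jail would most likely fail with a "no log file found" error — the very symptom the commit is trying to fix. Move the note above the key: `# Default log path from xray/process.go (GetLogFolder() -> /app/log)` followed by `logpath = /app/log/3xipl.log`. The context line `port = http,https,2053 # Example, ...` has the same shape; it is pre-existing and harmless with an allports action, but it is worth cleaning up in the same pass so the file does not teach the pattern.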