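#!/usr/bin/env bash
# =============================================================================
# ETC PRS — Install & configure fail2ban
# Usage: sudo bash scripts/fail2ban/install.sh
#
# Installs fail2ban from apt, copies the project's nginx-scan filter and the
# etc-prs jail definition into /etc/fail2ban, then enables and restarts the
# service and confirms the nginx-scan jail came up. Must run as root: it
# writes under /etc and drives systemd.
#
# Requires, next to this script: nginx-scan.conf (filter), etc-prs.conf (jail).
# Requires on the host: /var/log/nginx/access.log (what the jail watches).
# =============================================================================
set -euo pipefail

readonly RED='\033[0;31m' GREEN='\033[0;32m' CYAN='\033[0;36m' BOLD='\033[1m' RESET='\033[0m'

# info/success: progress lines on stdout. The message is passed as a printf
# argument, never as the format string, so arbitrary text cannot be misparsed.
info()    { printf "${CYAN}▸ %s${RESET}\n" "$*"; }
success() { printf "${GREEN}✓ %s${RESET}\n" "$*"; }
# error: print the message on stderr and abort with status 1.
error()   { printf "${RED}✗ %s${RESET}\n" "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || error "Run as root: sudo bash scripts/fail2ban/install.sh"

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
readonly FILTER_SRC="$SCRIPT_DIR/nginx-scan.conf"
readonly JAIL_SRC="$SCRIPT_DIR/etc-prs.conf"
readonly NGINX_LOG=/var/log/nginx/access.log

# ── Preflight ────────────────────────────────────────────────────────────────
# Fail before touching the system: both config files must ship alongside this
# script, and the jail can only do its job if the access log it reads exists.
[[ -f "$FILTER_SRC" ]] || error "Filter not found: $FILTER_SRC"
[[ -f "$JAIL_SRC" ]]   || error "Jail config not found: $JAIL_SRC"
if [[ ! -f "$NGINX_LOG" ]]; then
  error "Nginx access log not found at /var/log/nginx/access.log — is Nginx running?"
fi
success "Nginx access log found"

# ── Install fail2ban ─────────────────────────────────────────────────────────
info "Installing fail2ban…"
# Refresh the package index first so a stale cache does not make the install fail.
apt-get update -qq
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq fail2ban

# ── Install filter and jail config ───────────────────────────────────────────
# install(1) rather than cp: the destination gets an explicit 0644 mode and
# root ownership regardless of how the checkout's files are permissioned.
info "Installing filter: nginx-scan…"
install -m 0644 -- "$FILTER_SRC" /etc/fail2ban/filter.d/nginx-scan.conf

info "Installing jail config…"
install -m 0644 -- "$JAIL_SRC" /etc/fail2ban/jail.d/etc-prs.conf

# ── Enable and restart fail2ban ──────────────────────────────────────────────
info "Enabling fail2ban service…"
systemctl enable fail2ban
systemctl restart fail2ban

# ── Verify ───────────────────────────────────────────────────────────────────
# Poll for the daemon instead of a fixed sleep: `systemctl restart` returns
# before the control socket is ready, and a bad filter or jail leaves the
# unit failed — in which case the script must report that, not "running".
for _ in 1 2 3 4 5 6 7 8 9 10; do
  fail2ban-client ping >/dev/null 2>&1 && break
  sleep 1
done
systemctl is-active --quiet fail2ban \
  || error "fail2ban failed to start — check: journalctl -u fail2ban"
fail2ban-client status nginx-scan >/dev/null 2>&1 \
  || error "Jail nginx-scan is not active — check /var/log/fail2ban.log"
success "fail2ban installed and running"

printf '\n'
printf "${BOLD}%s${RESET}\n" "Active jails:"
fail2ban-client status

printf '\n'
printf "${BOLD}%s${RESET}\n" "Useful commands:"
printf "  ${CYAN}%s${RESET} — %s\n" "sudo fail2ban-client status nginx-scan" "show banned IPs"
printf "  ${CYAN}%s${RESET} — %s\n" "sudo fail2ban-client set nginx-scan unbanip <IP>" "unban an IP"
printf "  ${CYAN}%s${RESET} — %s\n" "sudo tail -f /var/log/fail2ban.log" "live ban log"
printf '\n'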