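#!/bin/sh
# Container entrypoint: optionally configure and start fail2ban with the
# 3x-ipl (IP-limit) jail, then replace this shell with x-ui.
#
# Environment:
#   XUI_ENABLE_FAIL2BAN  "true" enables the fail2ban setup below
#   XUI_LOG_FOLDER       log directory (default: /var/log/x-ui)
#
# NOTE(review): the <...> tokens in the filter and action templates are
# fail2ban substitution tags. They were missing from the flattened copy of
# this script and are restored here from the gaps they left, e.g. the failregex
# had no host group and every iptables command lacked its binary. The
# <actionflush> line is inferred: "-X" cannot delete a chain that still holds
# the RETURN rule added by actionstart. Confirm all of them against upstream.

# Start fail2ban with the 3x-ipl jail
if [ "$XUI_ENABLE_FAIL2BAN" = "true" ]; then
  LOG_FOLDER="${XUI_LOG_FOLDER:-/var/log/x-ui}"

  # fail2ban refuses to start a jail whose logpath does not exist yet.
  mkdir -p "$LOG_FOLDER"
  touch "$LOG_FOLDER/3xipl.log" "$LOG_FOLDER/3xipl-banned.log"
  mkdir -p /etc/fail2ban/jail.d /etc/fail2ban/filter.d /etc/fail2ban/action.d

  # Jail: maxretry=1 means one [LIMIT_IP] line within findtime triggers a ban.
  # Unquoted delimiter: $LOG_FOLDER is expanded when the file is written.
  cat > /etc/fail2ban/jail.d/3x-ipl.conf << EOF
[3x-ipl]
enabled=true
backend=auto
filter=3x-ipl
action=3x-ipl
logpath=$LOG_FOLDER/3xipl.log
maxretry=1
findtime=32
bantime=30m
EOF

  # Filter: quoted delimiter, so the regex reaches the file verbatim.
  # <ADDR> captures the address to ban; <F-USER> captures the client email.
  cat > /etc/fail2ban/filter.d/3x-ipl.conf << 'EOF'
[Definition]
datepattern = ^%%Y/%%m/%%d %%H:%%M:%%S
failregex = \[LIMIT_IP\]\s*Email\s*=\s*<F-USER>.+</F-USER>\s*\|\|\s*Disconnecting OLD IP\s*=\s*<ADDR>\s*\|\|\s*Timestamp\s*=\s*\d+
ignoreregex =
EOF

  # Ports to exempt from the ban so an over-limit proxy client can never lock
  # the administrator out of SSH or the panel. The ban still covers every other
  # TCP port (including all Xray inbounds), so IP-limit keeps working for inbounds
  # added later without regenerating these files.
  # Consequence: this jail never protects SSH or the panel themselves; brute
  # force against those ports needs its own jail.
  # iptables' multiport match accepts at most 15 ports per rule.
  SSH_PORTS=$(grep -oE '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config 2>/dev/null |
    grep -oE '[0-9]+' |
    paste -sd, -)
  [ -z "$SSH_PORTS" ] && SSH_PORTS="22"

  # Only a purely numeric value may reach the generated config: the first
  # numeric "port: N" line is used, so unexpected or multi-line output cannot
  # break or extend the "exemptports" line.
  PANEL_PORT=$(/app/x-ui setting -show true 2>/dev/null |
    grep -Eo 'port: .+' |
    awk '$2 ~ /^[0-9]+$/ { print $2; exit }')
  case "$PANEL_PORT" in
    '' | *[!0-9]*) PANEL_PORT="" ;;
  esac

  EXEMPT_PORTS="$SSH_PORTS"
  [ -n "$PANEL_PORT" ] && EXEMPT_PORTS="$EXEMPT_PORTS,$PANEL_PORT"

  # Action: unquoted delimiter, so $LOG_FOLDER and $EXEMPT_PORTS expand now,
  # while \$(date ...) is left for the shell fail2ban spawns at ban time.
  # NOTE(review): <F-USER> is text taken from the log and lands in a shell
  # command line; this relies on fail2ban escaping tag values, so keep it
  # inside the double-quoted echo argument.
  cat > /etc/fail2ban/action.d/3x-ipl.conf << EOF
[INCLUDES]
before = iptables-allports.conf

[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -j f2b-<name>

actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

actionban = <iptables> -I f2b-<name> 1 -s <ip> -p <protocol> -m multiport ! --dports <exemptports> -j <blocktype>
            echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") BAN [Email] = <F-USER> [IP] = <ip> banned for <bantime> seconds." >> $LOG_FOLDER/3xipl-banned.log

actionunban = <iptables> -D f2b-<name> -s <ip> -p <protocol> -m multiport ! --dports <exemptports> -j <blocktype>
              echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") UNBAN [Email] = <F-USER> [IP] = <ip> unbanned." >> $LOG_FOLDER/3xipl-banned.log

[Init]
name = default
protocol = tcp
chain = INPUT
exemptports = $EXEMPT_PORTS
EOF

  fail2ban-client -x start
fi

# Run x-ui
exec /app/x-ui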