Fail2Ban-Report

Fail2Ban-Report is a lightweight web-based dashboard that parses Fail2Ban logs into daily JSON event files and presents them via a responsive PHP frontend. It provides centralized, jail- and server-scoped blocklist management and a pull-based HTTPS sync mechanism for multi-server environments.

Key Features

• Parses fail2ban.log into structured JSON event files for easy searching and filtering.
• Searchable, filterable event timeline with aggregated statistics (today, 7 days, 30 days).
• Per-jail and per-server persistent blocklists with metadata (active, pending, source).
• Centralized blocklist management and firewall application/removal via UFW integration.
• Multi-server support through an HTTPS sync endpoint and pull-based client synchronization.
• Role-based authentication with read-only (viewer) and admin roles for ban/unban actions.
• Lightweight, no external database or heavy frameworks; backend implemented as shell scripts, frontend in PHP.
• Optional integrations for IP reputation and enrichment (API-key based lookups).

Use Cases

• System administrators who need a web UI to search and review Fail2Ban events across multiple servers.
• Small business or single-server operators who want centralized UFW blocklist control and persistent blocklists.
• Incident responders and DevOps engineers who require quick overview, statistics, and actionable ban/unban controls during brute-force or DDoS activity.

Limitations and Considerations

• Firewall control is implemented for UFW only; other firewall backends are not supported currently.
• The tool does not modify Fail2Ban jails directly; it manages persistent blocklists and applies rules via UFW.
• Critical operations (UFW updates) are executed by root cron/shell scripts and require careful privilege and deployment hardening.
• Designed for small to modest setups; not targeted at large-scale enterprise environments out of the box.

Fail2Ban-Report is intended as a visualization and blocklist management layer around Fail2Ban logs rather than a replacement for intrusion detection tooling. It is optimized for simple, auditable ban workflows and multi-server synchronization while remaining lightweight and easy to integrate.