fwallascan2ban - Web server log scanner auto updates target list
I have a simple website I had stood up for a friend. Started getting lots of bad requests from folks looking for holes. Firewalla does great at the edge, but I wanted fine-grained rules like fail2ban provides. In addition, I wanted something to update the rule(s) at the edge and not have the web server do the blocking.
So I wrote this daemon like fail2ban called fwallascan2ban. It can read logs, look for bannable patterns, and then use the MSP API to auto update rules and target lists.
If you have the same need, check it out. Always open to feedback.
Here is the GitHub link: https://github.com/moosery/fwallascan2ban
-
fwallascan2ban v2.0.1 — now with SafeLine WAF integration
Quick update on the project I posted about a while back.
v2.0.1 is out with a couple of meaningful additions:
Multi-log source support — A single daemon instance can now monitor multiple log files simultaneously, each with its own path, patterns, and maxretry threshold. So you can have it watching your Tomcat access log and a WAF log at the same time, banning at the Firewalla edge for hits from either source.
SafeLine WAF integration — This is the one I'm most excited about. SafeLine is a reverse proxy WAF that sits in front of your web server and blocks malicious requests. It's free, self-hosted, and genuinely good. The problem is getting those block events out to Firewalla automatically.
fwallascan2ban now includes a small Python poller (safeline-poll) that runs as a systemd timer every 60 seconds. It queries the SafeLine open platform API for new denied-IP events and feeds them into the log scanner. With maxretry = 1, every SafeLine block triggers an immediate Firewalla ban. This works on the SafeLine free plan — no syslog export required.
So the layered setup is:
- SafeLine WAF blocks the request at the app layer
- fwallascan2ban sees the block event and bans the IP at the Firewalla edge
- Future traffic from that IP never reaches your server at all
Full setup docs and install instructions on GitHub: https://github.com/moosery/fwallascan2ban
Still open to feedback — happy to answer questions if anyone wants to try it out.
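The per-source pattern and maxretry behaviour described in the post, as an added sketch that is not code from fwallascan2ban. The source names, regexes, the SafeLine line format, the allowlist, and the sample log lines are all assumptions constructed for illustration; the real daemon's config format and its MSP API calls are not shown.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class Source:
    name: str
    pattern: re.Pattern  # must capture the client address as group "ip"
    maxretry: int        # matches from one IP before it is banned

# Hypothetical sources and patterns; not fwallascan2ban's own config format.
SOURCES = [
    Source("tomcat", re.compile(
        r'^(?P<ip>\S+) .*"(?:GET|POST) \S*(?:wp-login\.php|\.env)\S* [^"]*" 404 '), 3),
    Source("safeline", re.compile(r"^safeline deny src=(?P<ip>\S+)"), 1),
]
ALLOW = [ipaddress.ip_network("192.168.0.0/16")]  # assumption: never ban the LAN

# Constructed sample input as (source name, log line) pairs.
SAMPLE = [
    ("tomcat", '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 1024'),
    ("tomcat", '203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /.env HTTP/1.1" 404 1024'),
    ("tomcat", '198.51.100.20 - - [10/Oct/2024:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 512'),
    ("safeline", "safeline deny src=198.51.100.9"),
    ("tomcat", '203.0.113.7 - - [10/Oct/2024:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 404 1024'),
    ("safeline", "safeline deny src=192.168.1.10"),  # allowlisted
    ("safeline", "safeline deny src=not-an-ip"),     # fails IP validation
]

def scan(lines, sources=SOURCES, allow=ALLOW):
    """Return [(ip, source)] in the order bans would be sent to the edge."""
    by_name = {s.name: s for s in sources}
    hits, banned, bans = Counter(), set(), []
    for name, line in lines:
        m = by_name[name].pattern.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # log fields are attacker-influenced; skip non-IPs
        if ip in banned or any(ip in net for net in allow):
            continue
        hits[name, ip] += 1
        if hits[name, ip] >= by_name[name].maxretry:
            banned.add(ip)
            bans.append((str(ip), name))
    return bans
```

Validating the captured field as an IP address and checking an allowlist before counting keeps a crafted log entry from putting your own addresses on the edge block list.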