- firewall.php: auto-detect server IPs (loopback, all interface IPs,
private /24 subnets) for Fail2Ban ignoreip; f2b-ignoreip-list/add/
remove/reset actions; write to jail.local directly (www-data owns it);
f2b_set_ignoreip() reloads fail2ban after every change
- auth.php: log failed logins to /var/log/novacpx/access.log in format
fail2ban filters expect — "FAILED LOGIN from <IP> [portal]"
- deploy/fail2ban/: filter.d conf files for all 4 NovaCPX jails
- install.sh: auto-detect local IPs → ignoreip in jail.local; install
filter files; create access.log (www-data:www-data 664)
- admin.js: Fail2Ban Whitelist section in firewall page — chip list with
add/remove/reset; loopback shown with lock icon and non-removable

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

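An added example, not taken from the NovaCPX code: it builds an ignoreip list the way the commit message above describes (loopback, interface IPs, private /24 subnets) and checks which sources of `FAILED LOGIN from <IP> [portal]` lines would still be banned. The regex stand-in for the filter, the timestamp prefix, the `admin` portal name, the RFC 1918 reading of "private" and `maxretry=3` are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Stand-in for a fail2ban failregex; the named group plays the role of <HOST>.
FAILED_LOGIN = re.compile(r"FAILED LOGIN from (?P<host>[0-9A-Fa-f:.]+) \[[^\]]+\]")
# Assumption: "private" means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_ignoreip(interface_ips):
    """Loopback, every interface IP, and the /24 around each private IPv4 address."""
    nets = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
    for raw in interface_ips:
        ip = ipaddress.ip_address(raw)
        if ip.is_loopback:
            continue  # already covered by the loopback entries
        nets.append(ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}"))
        if any(ip in net for net in RFC1918):
            nets.append(ipaddress.ip_network(f"{ip}/24", strict=False))
    return list(dict.fromkeys(nets))  # de-duplicate, keep order

def would_ban(lines, ignoreip, maxretry=3):
    """Return source IPs with >= maxretry failed logins that ignoreip does not cover."""
    hits = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # matched text is not a valid address
        if any(ip in net for net in ignoreip):
            continue  # whitelisted: never counted toward a ban
        hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= maxretry)

def _fails(ip, n):  # constructed sample lines, not real log data
    return [f"2025-01-01 10:00:00 FAILED LOGIN from {ip} [admin]"] * n

SAMPLE_LOG = (_fails("198.51.100.7", 3) + _fails("192.168.1.44", 3)
              + _fails("203.0.113.5", 3) + _fails("198.51.100.9", 1)
              + ["2025-01-01 10:00:05 LOGIN OK from 198.51.100.7 [admin]"])

if __name__ == "__main__":
    nets = build_ignoreip(["127.0.0.1", "192.168.1.10", "203.0.113.5"])
    print("ignoreip =", " ".join(str(n) for n in nets))
    print("would ban:", would_ban(SAMPLE_LOG, nets))
```

The run shows the cost of whitelisting a whole /24: three failures from 192.168.1.44 are never counted, so a compromised host on that subnet is outside the jail's reach.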
www-data needs root to run ufw and fail2ban-client. Added sudo prefix
in fw_exec() and a /etc/sudoers.d/novacpx-firewall file (NOPASSWD for
specific firewall commands only). install.sh now creates this file on
fresh installs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- New firewall.php endpoint: status, enable/disable, add-rule (full UFW
syntax: action/direction/port/proto/from/to/comment), delete-rule by
number, quick allow-port/deny-port, allow-ip/block-ip with DB storage,
ip-lists, reset to defaults, default-policy, set-logging, f2b-status
(all jails with banned counts), f2b-jail detail, f2b-ban, f2b-unban
(single jail or all), f2b-reload, f2b-restart, raw ufw command (whitelisted)
- admin.js: full firewall page — UFW status badge + enable/disable toggle,
default policy dropdowns, numbered rules table with delete, quick rule
inline form, full add-rule modal, trusted IP chip list, blocked IP chip
list, Fail2Ban jails table with banned counts, per-jail banned IP modal
with individual unban buttons, manual ban modal, logging level control
- nova.js: add Nova.escHtml() used across all new pages
- admin.js: remove git_remote field from admin settings panel

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>