Skip to content

ronaldvdmeer/Fail2Bunny

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
images
images
 
 
systemd
systemd
 
 
README.md
README.md
 
 
config.json.example
config.json.example
 
 
fail2bunny.py
fail2bunny.py
 
 

Repository files navigation

Fail2Bunny

Python License Fail2ban Dependencies

Automatically sync Bunny CDN edge-server IPs to a Fail2ban whitelist — preventing 502 errors caused by accidentally banning Bunny edge proxies.

Table of Contents

How It Works

Bunny CDN API ──► Fail2Bunny ──► /etc/fail2ban/jail.d/bunny-edges.local ──► Fail2ban reload
  1. Fetch — Downloads IPv4 and IPv6 edge-server lists from the Bunny CDN API.
  2. Validate — Parses and deduplicates all IP addresses and CIDR ranges.
  3. Merge — Combines fetched IPs with your baseline whitelist (localhost, admin IPs, etc.).
  4. Compare — Diffs against the existing config file; skips writes when nothing changed.
  5. Write — Atomically writes the new config (temp file → rename, no partial writes).
  6. Reload — Reloads Fail2ban only when changes were actually made.

Features
📥 Downloads IPv4 + IPv6 edge lists from Bunny CDN API
✔️ Validates and deduplicates IP/CIDR entries
🔄 Atomic file updates — no partial writes
🎯 Reloads Fail2ban only on actual changes
🛡️ Configurable baseline IPs (localhost, admin, private ranges)
🧪 Dry-run mode for safe previews
📝 Systemd-friendly logging (stdout/stderr)
📦 Zero external dependencies — Python standard library only

Requirements

Dependency Version
Python 3.9+
Fail2ban installed & configured
Privileges root / sudo

Installation

1. Copy the script & config

sudo cp fail2bunny.py /usr/local/bin/
sudo chmod +x /usr/local/bin/fail2bunny.py

sudo mkdir -p /etc/fail2bunny
sudo cp config.json.example /etc/fail2bunny/config.json

2a. Systemd timer (recommended)

sudo cp systemd/fail2bunny.service /etc/systemd/system/
sudo cp systemd/fail2bunny.timer /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now fail2bunny.timer

2b. Cron alternative

# Run every 6 hours
0 */6 * * * /usr/bin/python3 /usr/local/bin/fail2bunny.py 2>&1 | logger -t fail2bunny

Configuration

Edit /etc/fail2bunny/config.json:

{
    "target_file": "/etc/fail2ban/jail.d/bunny-edges.local",
    "baseline_ignoreip": [
        "127.0.0.1/8",
        "::1",
        "10.0.0.0/8",
        "192.168.1.100"
    ],
    "timeout_seconds": 30,
    "reload_method": "auto",
    "interval_hint": "6h"
}
Option Description Default
target_file Path to the generated Fail2ban config file /etc/fail2ban/jail.d/bunny-edges.local
baseline_ignoreip IPs/CIDRs to always include in the whitelist ["127.0.0.1/8", "::1"]
timeout_seconds HTTP request timeout (seconds) 30
reload_method Fail2ban reload strategy: auto, systemctl, service, or client auto
interval_hint Informational hint for scheduling frequency "6h"

Usage

# Standard run
sudo fail2bunny.py

# Custom config path
sudo fail2bunny.py -c /path/to/config.json

# Dry run — preview changes without writing or reloading
sudo fail2bunny.py --dry-run

# Verbose output
sudo fail2bunny.py -v
Flag Short Description
--config -c Path to config file (default: /etc/fail2bunny/config.json)
--dry-run Show what would change without writing or reloading
--verbose -v Enable debug-level output

View logs

sudo journalctl -u fail2bunny.service -f

Monitor the timer

sudo systemctl status fail2bunny.timer
sudo systemctl list-timers fail2bunny.timer

Generated Config File

Fail2Bunny generates /etc/fail2ban/jail.d/bunny-edges.local:

# Bunny CDN Edge IP Whitelist for Fail2ban
# Auto-generated by fail2bunny — DO NOT EDIT MANUALLY
#
# IPv4 entries: 595
# IPv6 entries: 345
# Baseline entries: 2

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 1.2.3.4/32 5.6.7.8/32 …

The [DEFAULT] section extends ignoreip for all Fail2ban jails.

Verification

# All ignoreip rules across config
sudo fail2ban-client -d | grep -i "ignoreip"

# Per-jail check (e.g. sshd)
sudo fail2ban-client get sshd ignoreip

# Inspect generated file directly
cat /etc/fail2ban/jail.d/bunny-edges.local

# Overall Fail2ban status
sudo fail2ban-client status --all

Troubleshooting

Fail2ban not reloading 
sudo systemctl status fail2ban   # is it running?
sudo fail2ban-client reload       # manual reload
Configuration syntax errors 
sudo fail2ban-client -d           # dumps parsed config, shows errors
Network connectivity issues 
curl -I https://bunnycdn.com/api/system/edgeserverlist/

Development

git clone git@github.com:ronaldvdmeer/Fail2Bunny.git
cd Fail2Bunny

# Preview changes locally
python3 fail2bunny.py --dry-run

License

MIT

Author

Ronald van der Meer

About

A lightweight Python tool for Fail2ban setups that periodically whitelists Bunny.net edge IPs and reloads Fail2ban only when needed.

Topics

python fail2ban-filter bunnycdn

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages