@roflsec/fail2scan 0.0.1

package/LICENSE

@@ -0,0 +1,19 @@
+The LulzHat License v1.0
+
+Copyright (c) 2025 RoflSec
+
+Permission is hereby granted, free of charge, to any human, robot, or sentient AI
+that obtains a copy of this software and associated documentation files (the "Software"), 
+to do whatever the hell they want but ONLY for educational purposes, legal pentesting, 
+or making your cat look cooler on the internet.
+
+YOU CANNOT use this software to be an actual jerk: hacking random people, destroying stuff, 
+or getting arrested is strictly forbidden. If you ignore this, congratulations, 
+you are legally and morally dumb.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, 
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 
+PURPOSE, OR NOT GETTING SUED. USE AT YOUR OWN RISK, AND MAY THE LULZ BE WITH YOU.
+
+By using this software, you pledge to only cause chaos (in a lab, a VM, or a controlled environment, or your mum's computer).
+Breaking real laws voids your permission and might make you cry in court, the software creator can't be held responsible.

package/Readme.md

@@ -0,0 +1,118 @@
+
+
+---
+
+Fail2Scan
+
+Fail2Scan is a Node.js daemon that watches your Fail2Ban logs for banned IP addresses and automatically scans them using system tools (nmap, dig, whois). All results are saved in a structured folder for easy review.
+
+
+---
+
+Features
+
+Watches Fail2Ban logs in real time.
+
+Detects new banned IPs automatically.
+
+Runs nmap for full port scanning.
+
+Runs dig for reverse DNS lookup.
+
+Runs whois for IP ownership and ASN info.
+
+Saves output in /var/log/fail2scan/<YYYY-MM-DD>/<IP>_<timestamp>/.
+
+Pure Node.js, no external dependencies, works with Node 18+.
+
+Compatible with PM2 or any process manager.
+
+
+
+---
+
+Installation
+
+# Install globally
+sudo npm install -g @roflsec/fail2scan
+
+
+---
+
+Usage
+
+# Start daemon (default settings)
+fail2scan-daemon
+
+# Custom log file, output directory, concurrency, nmap arguments, quiet mode
+fail2scan-daemon --log /var/log/fail2ban.log --out /var/log/fail2scan --concurrency 2 --nmap-args "-sS -Pn -p- -T4 -sV" --quiet
+
+CLI Options
+
+Option	Default	Description
+
+--log	/var/log/fail2ban.log	Path to your Fail2Ban log file.
+--out	/var/log/fail2scan	Output directory for scan results.
+--concurrency	1	Number of scans to run in parallel.
+--nmap-args	-sS -Pn -p- -T4 -sV	Arguments to pass to nmap.
+--quiet	false	Suppress console output.
+--help / -h		Show usage info.
+
+
+
+---
+
+Output Structure
+
+Results are saved in this format:
+
+/var/log/fail2scan/
+└─ 2025-10-12/
+   └─ 192.168.1.100_2025-10-12T14-30-00Z/
+      ├─ nmap.txt      # raw nmap output
+      ├─ dig.txt       # raw dig output
+      ├─ whois.txt     # raw whois output
+      └─ summary.json  # JSON summary of scan results
+
+summary.json includes:
+
+ip – scanned IP
+
+timestamp – ISO timestamp of scan
+
+commands – details of each scan (nmap, dig, whois)
+
+open_ports – array of open ports detected by nmap
+
+
+
+---
+
+Requirements
+
+Node.js 18+
+
+System tools installed: nmap, dig, whois
+
+Permissions to read Fail2Ban logs and write to the output directory
+
+
+# Debian/Ubuntu example
+sudo apt install nmap dnsutils whois
+
+
+---
+
+Running with PM2
+
+# Start daemon with PM2
+pm2 start $(which fail2scan-daemon) -- --log /var/log/fail2ban.log --out /var/log/fail2scan
+pm2 save
+pm2 status
+
+
+---
+
+License
+
+MIT © RoflSec

package/bin/daemon.js

@@ -0,0 +1,155 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Fail2Scan v0.0.1
+ * Watches Fail2Ban logs for "Ban <IP>" entries and scans the banned IPs using
+ * system tools (nmap, dig, whois). Results are saved to /var/log/fail2scan/<date>/<ip>_<ts>/
+ *
+ * Node 18+, CommonJS, no external dependencies.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { execFile } = require('child_process');
+const { promisify } = require('util');
+
+const execFileP = promisify(execFile);
+const argv = process.argv.slice(2);
+
+function getArg(key, def) {
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === key && argv[i + 1]) return argv[++i];
+    if (a.startsWith(key + '=')) return a.split('=')[1];
+  }
+  return def;
+}
+
+if (argv.includes('--help') || argv.includes('-h')) {
+  console.log('Usage: fail2scan-daemon [--log /path/to/fail2ban.log] [--out /path/to/output] [--concurrency N] [--nmap-args "args"] [--quiet]');
+  process.exit(0);
+}
+
+const LOG_PATH = getArg('--log', '/var/log/fail2ban.log');
+const OUT_ROOT = getArg('--out', '/var/log/fail2scan');
+const CONCURRENCY = Math.max(1, parseInt(getArg('--concurrency', '1'), 10) || 1);
+const NMAP_ARGS_STR = getArg('--nmap-args', '-sS -Pn -p- -T4 -sV');
+const QUIET = argv.includes('--quiet');
+
+function log(...args) { if (!QUIET) console.log(new Date().toISOString(), ...args); }
+
+function safeMkdirSync(p) { fs.mkdirSync(p, { recursive: true, mode: 0o750 }); }
+async function which(bin) { try { await execFileP('which', [bin]); return true; } catch { return false; } }
+async function runCmd(cmd, args, opts = {}) {
+  try {
+    const { stdout, stderr } = await execFileP(cmd, args, { maxBuffer: 1024 * 1024 * 32, ...opts });
+    return { ok: true, stdout, stderr };
+  } catch (e) {
+    return { ok: false, stdout: e.stdout || '', stderr: e.stderr || e.message };
+  }
+}
+
+function sanitizeFilename(s) { return s.replace(/[:\/\\<>?"|* ]+/g, '_'); }
+
+async function checkPrereqs() {
+  const tools = ['nmap', 'dig', 'whois'];
+  for (const t of tools) if (!(await which(t))) {
+    console.error(`Missing required binary: ${t}. Please install it (e.g. apt install ${t}).`);
+    process.exit(2);
+  }
+}
+checkPrereqs();
+
+class FileTail {
+  constructor(filePath, onLine) {
+    this.filePath = filePath;
+    this.onLine = onLine;
+    this.position = 0;
+    this.inode = null;
+    this.buffer = '';
+    this.watch = null;
+    this.start();
+  }
+
+  async start() {
+    try {
+      const st = fs.statSync(this.filePath);
+      this.inode = st.ino;
+      this.position = st.size;
+    } catch {}
+    this.watch = fs.watch(this.filePath, { persistent: true }, async () => {
+      try {
+        const st = fs.statSync(this.filePath);
+        if (st.size < this.position) this.position = 0;
+        if (st.size === this.position) return;
+        const stream = fs.createReadStream(this.filePath, { start: this.position, end: st.size - 1, encoding: 'utf8' });
+        for await (const chunk of stream) {
+          this.buffer += chunk;
+          let idx;
+          while ((idx = this.buffer.indexOf('\n')) >= 0) {
+            const line = this.buffer.slice(0, idx);
+            this.buffer = this.buffer.slice(idx + 1);
+            if (line.trim()) this.onLine(line);
+          }
+        }
+        this.position = st.size;
+      } catch {}
+    });
+  }
+
+  close() { try { if (this.watch) this.watch.close(); } catch {} }
+}
+
+class ScanQueue {
+  constructor(concurrency = 1) { this.c = concurrency; this.r = 0; this.q = []; this.set = new Set(); }
+  push(ip) { if (this.set.has(ip)) return; this.set.add(ip); this.q.push(ip); this.next(); }
+  next() {
+    if (this.r >= this.c) return;
+    const ip = this.q.shift(); if (!ip) return;
+    this.r++; this.run(ip).finally(() => { this.r--; this.set.delete(ip); this.next(); });
+  }
+  async run(ip) {
+    try { log('Scanning', ip); await performScan(ip); log('Done', ip); }
+    catch (e) { console.error('Error scanning', ip, e); }
+  }
+}
+
+const IPV4 = '(?:\\d{1,3}\\.){3}\\d{1,3}';
+const IPV6 = '(?:[0-9a-fA-F:]+)';
+const IP_RE = new RegExp(`(${IPV4}|${IPV6})`);
+const BAN_RE = new RegExp('\\bBan\\b.*(' + IPV4 + '|' + IPV6 + ')', 'i');
+
+async function performScan(ip) {
+  const now = new Date();
+  const dateDir = now.toISOString().slice(0, 10);
+  const safeIp = sanitizeFilename(ip);
+  const outDir = path.join(OUT_ROOT, dateDir, `${safeIp}_${now.toISOString().replace(/[:.]/g, '-')}`);
+  safeMkdirSync(outDir);
+
+  const summary = { ip, ts: now.toISOString(), cmds: {} };
+
+  const nmapRes = await runCmd('nmap', NMAP_ARGS_STR.trim().split(/\s+/).concat([ip]));
+  fs.writeFileSync(path.join(outDir, 'nmap.txt'), nmapRes.stdout + (nmapRes.stderr ? '\n\n' + nmapRes.stderr : ''));
+  summary.cmds.nmap = { ok: nmapRes.ok };
+
+  const digRes = await runCmd('dig', ['-x', ip, '+short']);
+  fs.writeFileSync(path.join(outDir, 'dig.txt'), digRes.stdout + (digRes.stderr ? '\n\n' + digRes.stderr : ''));
+  summary.cmds.dig = { ok: digRes.ok };
+
+  const whoisRes = await runCmd('whois', [ip]);
+  fs.writeFileSync(path.join(outDir, 'whois.txt'), whoisRes.stdout + (whoisRes.stderr ? '\n\n' + whoisRes.stderr : ''));
+  summary.cmds.whois = { ok: whoisRes.ok };
+
+  fs.writeFileSync(path.join(outDir, 'summary.json'), JSON.stringify(summary, null, 2));
+}
+
+const q = new ScanQueue(CONCURRENCY);
+log('Fail2Scan daemon started on', LOG_PATH);
+const tail = new FileTail(LOG_PATH, (line) => {
+  const match = BAN_RE.exec(line);
+  if (match && match[1]) q.push(match[1]);
+});
+
+process.on('SIGINT', () => { log('Stopping...'); tail.close(); process.exit(0); });
+process.on('SIGTERM', () => { log('Stopping...'); tail.close(); process.exit(0); });

package/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@roflsec/fail2scan",
+  "version": "0.0.1",
+  "description": "Fail2Scan daemon - watches fail2ban logs and scans banned IPs using nmap, dig and whois.",
+  "bin": {
+    "fail2scan-daemon": "./bin/daemon.js"
+  },
+  "preferGlobal": true,
+  "files": [
+    "bin/",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "start": "node ./bin/daemon.js",
+    "test": "node ./bin/daemon.js --help"
+  },
+  "author": "RoflSecurity",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  }
+}