Zoraxy Forensics from Logs

[Braedach]

Hello,

Please consider this feedback

The following script was built and run against the logs

#!/bin/bash

################################################################################
# Zoraxy Forensic Report Generator
# Version: 1.1.1
# Date: 2026-02-04
#
# Description:
#   Generates a forensic security report from Zoraxy Proxy logs, filtering
#   out internal traffic and noise. Saves the report to a file and emails it
#   to the security team via postfix as an attachment.
#
# Key Changes in v1.1.1:
#   - Fixed attachment handling for different mail command versions
#
# Key Changes in v1.1.0:
#   - Changed to send report as attachment instead of inline (cleaner emails)
#
# Key Changes in v1.0.0:
#   - Added file output to /tmp/forensic-report.txt
#   - Implemented email delivery via postfix/sendmail
#   - Added timestamp and hostname to report header
#   - Wrapped report generation in function for cleaner output redirection
#   - Added error handling for report generation and email delivery
#   - Configurable email recipient, sender, and subject variables
#
# Requirements:
#   - Postfix configured and running
#   - Access to Zoraxy logs directory
#   - mailx or mutt installed for attachments
#
# Usage:
#   ./forensic-report.sh
#
################################################################################

LOGDIR="/srv/zoraxy/log"
LANIP="192.168.1.166"
REPORT_FILE="/tmp/forensic-report.txt"
EMAIL_TO="[your security email address]"
EMAIL_FROM="zoraxy-forensics@$(hostname -f)"
EMAIL_SUBJECT="Zoraxy Forensic Report - $(date '+%Y-%m-%d %H:%M:%S')"

# Function to generate report
generate_report() {
    echo
    echo "==============================================="
    echo "        ZORAXY OFFLINE FORENSIC SUMMARY"
    echo "==============================================="
    echo "Generated: $(date '+%Y-%m-%d %H:%M:%S')"
    echo "Hostname: $(hostname)"
    echo

    # Ensure logs exist
    LOGS=$(ls -1 $LOGDIR/zr_*.log 2>/dev/null)
    if [ -z "$LOGS" ]; then
        echo "No Zoraxy logs found in $LOGDIR"
        return 1
    fi

    echo "Logs found:"
    echo "$LOGS"
    echo

    # Combine logs and remove noise
    FILTERED=$(mktemp)
    grep -h -v "$LANIP" $LOGS \
    | grep -v "netstatgraph" \
    | grep -v "summary?fast" \
    | grep -v "snippet" \
    | grep -v "script/" \
    | grep -v "darktheme" \
    > "$FILTERED"

    echo "-----------------------------------------------"
    echo " External Requests by IP"
    echo "-----------------------------------------------"
    awk '{print $0}' "$FILTERED" \
    | grep -Eo "client: [^]]+" \
    | awk '{print $2}' \
    | sort | uniq -c | sort -nr
    echo

    echo "-----------------------------------------------"
    echo " Suspicious User Agents"
    echo "-----------------------------------------------"
    grep -v "Mozilla/5.0" "$FILTERED" \
    | grep -Eo "useragent: [^]]+" \
    | awk -F'useragent: ' '{print $2}' \
    | sort | uniq -c | sort -nr
    echo

    echo "-----------------------------------------------"
    echo " HTTP Errors (4xx / 5xx)"
    echo "-----------------------------------------------"
    grep -E " 4[0-9][0-9] | 5[0-9][0-9] " "$FILTERED" \
    | awk '{print $NF}' \
    | sort | uniq -c | sort -nr
    echo

    echo "-----------------------------------------------"
    echo " Exploit Attempts"
    echo "-----------------------------------------------"
    grep -i "exploit" "$FILTERED" || echo "None detected"
    echo

    echo "-----------------------------------------------"
    echo " Suspicious URLs (non-dashboard)"
    echo "-----------------------------------------------"
    grep -E "GET|POST" "$FILTERED" \
    | awk '{print $NF}' \
    | sort | uniq -c | sort -nr \
    | head -20
    echo

    echo "-----------------------------------------------"
    echo " Summary Complete"
    echo "-----------------------------------------------"
    echo

    rm "$FILTERED"
}

# Generate report and save to file
generate_report > "$REPORT_FILE" 2>&1

# Check if report was generated successfully
if [ ! -f "$REPORT_FILE" ]; then
    echo "Error: Failed to generate report file"
    exit 1
fi

# Send email with attachment using MIME encoding
(
    echo "To: $EMAIL_TO"
    echo "From: $EMAIL_FROM"
    echo "Subject: $EMAIL_SUBJECT"
    echo "MIME-Version: 1.0"
    echo "Content-Type: multipart/mixed; boundary=\"BOUNDARY\""
    echo ""
    echo "--BOUNDARY"
    echo "Content-Type: text/plain; charset=UTF-8"
    echo ""
    echo "Zoraxy forensic report attached."
    echo "Generated on $(hostname) at $(date '+%Y-%m-%d %H:%M:%S')"
    echo ""
    echo "--BOUNDARY"
    echo "Content-Type: text/plain; charset=UTF-8"
    echo "Content-Disposition: attachment; filename=\"forensic-report.txt\""
    echo ""
    cat "$REPORT_FILE"
    echo ""
    echo "--BOUNDARY--"
) | /usr/sbin/sendmail -t

# Check if email was sent successfully
if [ $? -eq 0 ]; then
    echo "Forensic report generated and emailed to $EMAIL_TO"
    echo "Report saved to: $REPORT_FILE"
else
    echo "Error: Failed to send email"
    echo "Report saved to: $REPORT_FILE"
    exit 1
fi

Zoraxy Forensic Report

The resulting report is here after the output of the script was put through the AI.

Zoraxy Forensic Analysis Post

Fail2ban

Can someone help verify this for me please

Here is the finalized content for /etc/fail2ban/filter.d/zoraxy-strict.conf

[Definition]
# Detection: Matches the client IP and the exploit signatures
failregex = \[router:exploit-blocked\].*?\[client:\s*<HOST>\]

# Exclusions: Ignore internal IPv4 (192.168.x.x) and IPv6 Link-Local (fe80::)
ignoreregex = \[client:\s*(?:192\.168\.|fe80:).*\]

datepattern = ^%%Y/%%m/%%d %%H:%%M:%%S

Draft jail

---

[DEFAULT]
# Global Whitelist: 
# 127.0.0.1/8 ::1 (Localhost)
# 192.168.0.0/16 (Your internal network)
# fe80::/10 (IPv6 Link-Local)
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16 fe80::/10

#Set nftables as the default backend for all jails
banaction = nftables-multiport
banaction_allports = nftables-allports

# Zoraxy Jail
[zoraxy-strict]
enabled  = true
port     = http,https
filter   = zoraxy-strict
logpath  = /srv/zoraxy/log/zr_2026-*.log
# This line excludes your internal IPv4 and IPv6 ranges
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16 fe80::/10
##### One strike and you're out for specific exploit patterns
maxretry = 1
findtime = 1h
bantime  = 24h

[recidive]
enabled  = true
logpath  = /var/log/fail2ban.log
filter   = recidive
#### If an IP gets banned 3 times in 2 days, ban them for 1 week
maxretry = 3
findtime = 2d
bantime  = 7d
# Use allports for recidive to completely kick them off the server
banaction = nftables-allports

---

WAN access is provided by Cloudflare tunnel directly on the Proxy LXC running under Proxmox VE 9.1
I decided to go this way rather than opening a port on my router although that maybe would have caught the IP address
Cloudflare analytics is reporting intercepted threats - so only 1 got through to the proxy.

I am very happy with your work. Thanks again.