V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-27 19:10:46 +02:00
parent a90a20a4f6
commit 0800a06a03
6 changed files with 211 additions and 6 deletions
--- a/func/cdi_4400_hardening/4435_hardening_fail2ban.sh
+++ b/func/cdi_4400_hardening/4435_hardening_fail2ban.sh
@@ -0,0 +1,198 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Hardening files and directories.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_fail2ban() {
+
+
+
+
+
+  systemctl stop fail2ban
+  cp -u /etc/fail2ban/fail2ban.conf "${DIR_BAK}"fail2ban.conf.bak
+  chmod 644 "${DIR_BAK}"fail2ban.conf.bak
+
+  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
+  sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
+
+  mv /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.conf.bak
+  chmod 644 /etc/fail2ban/jail.d/defaults-debian.conf.bak
+
+  if [[ "${JUMPHOST,,}" = "yes" ]]; then
+
+    ###########################################################################################
+    # Remarks: fail2ban ufw aggresive mode - one attempt for Jumphost configuration           #
+    ###########################################################################################
+    cat <<EOF >/etc/fail2ban/jail.d/centurion-default.conf
+##### Added by hardening.sh - Module: do_hardening_fail2ban #####
+
+[DEFAULT]
+usedns    = yes
+ignoreip  = 127.0.0.0/8 ::1
+# $FQDN
+  $IPV4 $IPV6/64
+# Jumphost
+  $JUMPHOST_IPV4 $JUMPHOST_IPV6/64
+maxretry  = 8
+findtime  = 12h
+bantime   = 12h
+
+[sshd]
+enabled   = true
+backend   = systemd
+filter    = sshd
+mode      = normal
+port      = $SSHPORT
+protocol  = tcp
+logpath   = /var/log/auth.log
+maxretry  = 3
+findtime  = 1d
+bantime   = 1d
+
+#
+# ufw aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
+# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 1 attempt.
+#
+
+[ufw]
+enabled   = true
+filter    = ufw.aggressive
+action    = iptables-allports
+logpath   = /var/log/ufw.log
+maxretry  = 1
+findtime  = 1d
+bantime   = 1d
+protocol  = tcp,udp
+
+EOF
+
+  else
+    ###########################################################################################
+    # Remarks: fail2ban ufw aggresive mode 32 attempts for NO Jumphost configuration          #
+    ###########################################################################################
+    cat <<EOF >/etc/fail2ban/jail.d/centurion-default.conf
+##### Added by hardening.sh - Module: do_hardening_fail2ban #####
+
+[DEFAULT]
+usedns    = yes
+ignoreip  = 127.0.0.0/8 ::1
+# $FQDN
+  $IPV4 $IPV6/64
+maxretry  = 8
+findtime  = 12h
+bantime   = 12h
+
+[sshd]
+enabled   = true
+backend   = systemd
+filter    = sshd
+mode      = normal
+port      = $SSHPORT
+protocol  = tcp
+logpath   = /var/log/auth.log
+maxretry  = 3
+findtime  = 1d
+bantime   = 1d
+
+#
+# ufw aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
+# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 32 attempts.
+#
+
+[ufw]
+enabled   = true
+filter    = ufw.aggressive
+action    = iptables-allports
+logpath   = /var/log/ufw.log
+maxretry  = 32
+findtime  = 1d
+bantime   = 1d
+protocol  = tcp,udp
+
+EOF
+
+  fi
+
+  cat <<EOF >/etc/fail2ban/filter.d/ufw.aggressive.conf
+##### Added by hardening.sh - Module: do_hardening_fail2ban  #####
+
+[Definition]
+failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
+ignoreregex =
+
+EOF
+
+  ###########################################################################################
+  # Remarks: hardening of fail2ban systemd                                                  #
+  ###########################################################################################
+  # https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
+  # The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
+  # access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
+  # operate # on any firewall that has command-line shell interface. By using               #
+  # ProtectSystem=strict the filesystem hierarchy will only be read-only, ReadWritePaths    #
+  # allows Fail2ban to have write access on required paths.                                 #
+  ###########################################################################################
+  mkdir -p /etc/systemd/system/fail2ban.service.d
+  mkdir /var/log/fail2ban
+
+  cat <<EOF >/etc/systemd/system/fail2ban.service.d/override.conf
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+##### Added by CenDev
+ProtectClock=true
+ProtectHostname=true
+EOF
+
+  cat <<EOF >>/etc/fail2ban/fail2ban.local
+[Definition]
+logtarget = /var/log/fail2ban/fail2ban.log
+EOF
+
+  ###########################################################################################
+  # Remarks: Hetzner needs special ignoreip rules                                           #
+  ###########################################################################################
+  if [[ "${VPSPROVIDER,,}" = "hetzner" ]]; then
+    sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n  172.31.1.1\/16\n&/}' /etc/fail2ban/jail.d/centurion-default.conf
+  fi
+
+  ###########################################################################################
+  # Remarks: Logrotate must be updated either                                               #
+  ###########################################################################################
+  cp -a /etc/logrotate.d/fail2ban "${DIR_BAK}"fail2ban_logrotate.bak
+  sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
+  touch /var/log/fail2ban/fail2ban.log
+  chmod 640 /var/log/fail2ban/fail2ban.log
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh