V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

ciss_debian_installer.sh

@@ -311,6 +311,8 @@ info_echo "4420_installation_ssh.sh"
 installation_ssh
 info_echo "4430_installation_skel.sh"
 installation_skel
+#info_echo "4435_hardening_fail2ban.sh"
+#hardening_fail2ban
 info_echo "4440_hardening_files.sh"
 hardening_files
 info_echo "4450_hardening_haveged.sh"

func/cdi_3200_partitioning/3200_partitioning.sh

@@ -21,6 +21,7 @@ guard_sourcing
 
 #######################################
 # https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+# https://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs
 # EFI System Partition, FAT32    | c12a7328-f81f-11d2-ba4b-00a0c93ec93b
 # BIOS Boot Partition GRUB       | 21686148-6449-6e6f-744e-656564454649
 # Extended Boot Loader Partition | bc13c2ff-59e6-4262-a352-b275fd6f7172

func/cdi_3200_partitioning/3220_partition_encryption.sh

@@ -89,15 +89,18 @@ partition_encryption() {
     if [[ "${var_encryption_path,,}" == "/boot" ]]; then
       ary_luks_opts=( --key-file "${DIR_CNF}/password_luks_boot.txt" )
       ary_luks_opts+=(
-        --iter-time "${VAR_ITER_TIME:-3000}"
+        --iter-time "${VAR_ITER_TIME:-3000}"\
       )
+
     else
+
       ary_luks_opts=( --key-file "${DIR_CNF}/password_luks_common.txt" )
       ary_luks_opts+=(
         --pbkdf-parallel "${VAR_KDF_THREADS:-1}"
         --pbkdf-memory "${VAR_KDF_MEMORY:-4}"
-        --pbkdf-force-iterations "${VAR_KDF_ITERATIONS:-4}"
+        --pbkdf-force-iterations "${VAR_KDF_ITERATIONS:-4}"\
       )
+
     fi
 
     ary_luks_opts+=(

func/cdi_4200_boot/4210_generate_crypttab.sh

@@ -51,7 +51,7 @@ write_crypttab() {
 #######################################
 generate_crypttab() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare     var_key="" var_encryption_label="" var_luks_uuid="" var_ephemeral_enclabel="" var_host_uuid=""
+  declare     var_key="" var_encryption_label="" var_luks_uuid="" var_ephemeral_enclabel="" var_host_fs_label=""
 
   ensure_lowercase "VAR_DROPBEAR"
 
@@ -117,11 +117,11 @@ EOF
   for var_key in "${!HMP_EPHEMERAL_ENCLABEL[@]}"; do
 
     var_ephemeral_enclabel="${HMP_EPHEMERAL_ENCLABEL["${var_key}"]}"
-    var_host_fs_label="${HMP_PATH_PARTUUID["${var_key}"]}"
+    var_host_fs_label="${HMP_EPHEMERAL_FS_LABEL["${var_key}"]}"
 
-    case "${var_key}" in
+    case "${var_key,,}" in
 
-      SWAP)
+      swap)
         write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_host_fs_label}" "/dev/random" "plain,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,swap"
         ;;
 

func/cdi_4400_hardening/4435_hardening_fail2ban.sh

@@ -0,0 +1,198 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Hardening files and directories.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_fail2ban() {
+
+
+
+
+
+  systemctl stop fail2ban
+  cp -u /etc/fail2ban/fail2ban.conf "${DIR_BAK}"fail2ban.conf.bak
+  chmod 644 "${DIR_BAK}"fail2ban.conf.bak
+
+  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
+  sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
+
+  mv /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.conf.bak
+  chmod 644 /etc/fail2ban/jail.d/defaults-debian.conf.bak
+
+  if [[ "${JUMPHOST,,}" = "yes" ]]; then
+
+    ###########################################################################################
+    # Remarks: fail2ban ufw aggresive mode - one attempt for Jumphost configuration           #
+    ###########################################################################################
+    cat <<EOF >/etc/fail2ban/jail.d/centurion-default.conf
+##### Added by hardening.sh - Module: do_hardening_fail2ban #####
+
+[DEFAULT]
+usedns    = yes
+ignoreip  = 127.0.0.0/8 ::1
+# $FQDN
+  $IPV4 $IPV6/64
+# Jumphost
+  $JUMPHOST_IPV4 $JUMPHOST_IPV6/64
+maxretry  = 8
+findtime  = 12h
+bantime   = 12h
+
+[sshd]
+enabled   = true
+backend   = systemd
+filter    = sshd
+mode      = normal
+port      = $SSHPORT
+protocol  = tcp
+logpath   = /var/log/auth.log
+maxretry  = 3
+findtime  = 1d
+bantime   = 1d
+
+#
+# ufw aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
+# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 1 attempt.
+#
+
+[ufw]
+enabled   = true
+filter    = ufw.aggressive
+action    = iptables-allports
+logpath   = /var/log/ufw.log
+maxretry  = 1
+findtime  = 1d
+bantime   = 1d
+protocol  = tcp,udp
+
+EOF
+
+  else
+    ###########################################################################################
+    # Remarks: fail2ban ufw aggresive mode 32 attempts for NO Jumphost configuration          #
+    ###########################################################################################
+    cat <<EOF >/etc/fail2ban/jail.d/centurion-default.conf
+##### Added by hardening.sh - Module: do_hardening_fail2ban #####
+
+[DEFAULT]
+usedns    = yes
+ignoreip  = 127.0.0.0/8 ::1
+# $FQDN
+  $IPV4 $IPV6/64
+maxretry  = 8
+findtime  = 12h
+bantime   = 12h
+
+[sshd]
+enabled   = true
+backend   = systemd
+filter    = sshd
+mode      = normal
+port      = $SSHPORT
+protocol  = tcp
+logpath   = /var/log/auth.log
+maxretry  = 3
+findtime  = 1d
+bantime   = 1d
+
+#
+# ufw aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
+# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 32 attempts.
+#
+
+[ufw]
+enabled   = true
+filter    = ufw.aggressive
+action    = iptables-allports
+logpath   = /var/log/ufw.log
+maxretry  = 32
+findtime  = 1d
+bantime   = 1d
+protocol  = tcp,udp
+
+EOF
+
+  fi
+
+  cat <<EOF >/etc/fail2ban/filter.d/ufw.aggressive.conf
+##### Added by hardening.sh - Module: do_hardening_fail2ban  #####
+
+[Definition]
+failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
+ignoreregex =
+
+EOF
+
+  ###########################################################################################
+  # Remarks: hardening of fail2ban systemd                                                  #
+  ###########################################################################################
+  # https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
+  # The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
+  # access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
+  # operate # on any firewall that has command-line shell interface. By using               #
+  # ProtectSystem=strict the filesystem hierarchy will only be read-only, ReadWritePaths    #
+  # allows Fail2ban to have write access on required paths.                                 #
+  ###########################################################################################
+  mkdir -p /etc/systemd/system/fail2ban.service.d
+  mkdir /var/log/fail2ban
+
+  cat <<EOF >/etc/systemd/system/fail2ban.service.d/override.conf
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+##### Added by CenDev
+ProtectClock=true
+ProtectHostname=true
+EOF
+
+  cat <<EOF >>/etc/fail2ban/fail2ban.local
+[Definition]
+logtarget = /var/log/fail2ban/fail2ban.log
+EOF
+
+  ###########################################################################################
+  # Remarks: Hetzner needs special ignoreip rules                                           #
+  ###########################################################################################
+  if [[ "${VPSPROVIDER,,}" = "hetzner" ]]; then
+    sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n  172.31.1.1\/16\n&/}' /etc/fail2ban/jail.d/centurion-default.conf
+  fi
+
+  ###########################################################################################
+  # Remarks: Logrotate must be updated either                                               #
+  ###########################################################################################
+  cp -a /etc/logrotate.d/fail2ban "${DIR_BAK}"fail2ban_logrotate.bak
+  sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
+  touch /var/log/fail2ban/fail2ban.log
+  chmod 640 /var/log/fail2ban/fail2ban.log
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_loader_func.sh

@@ -83,6 +83,7 @@ source_guard "./func/cdi_4400_hardening/4400_kernel_modules.sh"
 source_guard "./func/cdi_4400_hardening/4410_kernel_sysctl.sh"
 source_guard "./func/cdi_4400_hardening/4420_installation_ssh.sh"
 source_guard "./func/cdi_4400_hardening/4430_installation_skel.sh"
+source_guard "./func/cdi_4400_hardening/4435_hardening_fail2ban.sh"
 source_guard "./func/cdi_4400_hardening/4440_hardening_files.sh"
 source_guard "./func/cdi_4400_hardening/4450_hardening_haveged.sh"
 source_guard "./func/cdi_4400_hardening/4460_hardening_memory.sh"