msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m3s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-24 20:40:00 +01:00
parent 559a5a3b88
commit 1453f64a72
7 changed files with 73 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
func/cdi_4400_hardening/4420_hardening_fail2ban.sh
View File

@@ -99,7 +99,7 @@ usedns = yes
[recidive]
enabled = true
banaction = %(banaction_allports)s
banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime = 8d
bantime.increment = true
bantime.factor = 1
@@ -133,27 +133,11 @@ maxretry = 4
# CISS aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
#
[icmp]
enabled = true
banaction = %(banaction_allports)s
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = ciss-icmp
findtime = 16m
logpath = /var/log/ufw.log
maxretry = 1
[ufw]
enabled = true
banaction = %(banaction_allports)s
banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime = 1h
bantime.increment = true
bantime.factor = 1
@@ -199,7 +183,7 @@ usedns = yes
[recidive]
enabled = true
banaction = %(banaction_allports)s
banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime = 8d
bantime.increment = true
bantime.factor = 1
@@ -233,27 +217,11 @@ maxretry = 4
# CISS aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 3 attempts.
# There is no necessity to ping our servers excessively. Any client pinging us more than 3 times will be blocked.
#
[icmp]
enabled = true
banaction = %(banaction_allports)s
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = ciss-icmp
findtime = 16m
logpath = /var/log/ufw.log
maxretry = 3
[ufw]
enabled = true
banaction = %(banaction_allports)s
banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime = 1h
bantime.increment = true
bantime.factor = 1
@@ -278,17 +246,6 @@ EOF
fi
insert_header "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
[Definition]
# Generic ICMP/ICMPv6 blocks
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMPv6\b.*$
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
insert_header "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"