V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 22:14:22 +01:00
parent be0a6c7c6a
commit 353568eb69
60 changed files with 2267 additions and 1163 deletions


@@ -21,6 +21,7 @@ guard_sourcing
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_LINK_IPV6
# VAR_PROVIDER
# VAR_SSH_PORT
# Arguments:
@@ -49,6 +50,7 @@ EOF
insert_header "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
insert_comments "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
@@ -58,10 +60,28 @@ usedns = yes
ignoreip = 127.0.0.0/8 ::1
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
# Jumphost
${ARY_ALLOW_IPV4[*]}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
${ARY_ALLOW_IPV6[*]}
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
maxretry = 8
findtime = 12h
bantime = 12h
@@ -106,7 +126,16 @@ usedns = yes
ignoreip = 127.0.0.0/8 ::1
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
maxretry = 8
findtime = 12h
bantime = 12h
@@ -146,7 +175,9 @@ EOF
### Provider Hetzner needs special ignoreip rules.
if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
fi
insert_header "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
@@ -211,4 +242,7 @@ EOF
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_fail2ban
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
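Review bot: The `${VAR_FINAL_IPV6}/64` entries appended to `ignoreip` (both jail variants, in the blocks gated on `VAR_LINK_IPV6`) exempt an entire /64 from banning, which is only safe if that prefix is routed exclusively to this host; in a shared prefix, neighbouring hosts would never be banned. A comment above each block such as `### The /64 is exempted on the assumption that the provider routes the whole prefix to this host only.` would record the assumption, and `/128` is the safer value where that is not guaranteed. Nothing visible checks that `VAR_FINAL_IPV6` is non-empty, so the guard could read `if [[ "${VAR_LINK_IPV6}" == "true" && -n "${VAR_FINAL_IPV6}" ]]; then` to avoid writing a bare `/64`, which with `usedns = yes` would presumably be treated as a hostname. The `+`/`-` markers are lost on this page, so which lines are new is inferred from the hunk headers, and `hardening_fail2ban` starts outside the visible hunks.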