V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-14 10:32:08 +01:00
parent e0879a4969
commit 77856e9436
6 changed files with 56 additions and 39 deletions


@@ -48,13 +48,13 @@ allowipv6 = auto
EOF
insert_header "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
insert_comments "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
insert_header "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
insert_comments "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
@@ -64,27 +64,27 @@ EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
# Jumphost
${ARY_ALLOW_IPV4[*]}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
${ARY_ALLOW_IPV6[*]}
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8
findtime = 12h
bantime = 12h
findtime = 24h
bantime = 24h
[sshd]
enabled = true
@@ -95,23 +95,23 @@ port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 1d
bantime = 1d
findtime = 24h
bantime = 24h
#
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 1 attempt.
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
#
[ufw]
enabled = true
filter = ufw.aggressive
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
findtime = 1d
bantime = 1d
findtime = 24h
bantime = 24h
protocol = tcp,udp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -120,7 +120,7 @@ EOF
else
### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
@@ -130,15 +130,15 @@ EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8
findtime = 12h
bantime = 12h
findtime = 24h
bantime = 24h
[sshd]
enabled = true
@@ -149,23 +149,23 @@ port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 1d
bantime = 1d
findtime = 24h
bantime = 24h
#
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 32 attempts.
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 8 attempts.
#
[ufw]
enabled = true
filter = ufw.aggressive
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 32
findtime = 1d
bantime = 1d
maxretry = 8
findtime = 24h
bantime = 24h
protocol = tcp,udp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -176,13 +176,13 @@ EOF
### Provider Hetzner needs special ignoreip rules.
if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
fi
insert_header "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
insert_comments "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
insert_header "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
insert_comments "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
[Definition]
failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
ignoreregex =