V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-21 07:59:51 +01:00
parent 45b4bd7f12
commit 82096f7b7d
3 changed files with 231 additions and 105 deletions


@@ -50,7 +50,7 @@ hardening_fail2ban() {
insert_comments "${var_target}/etc/fail2ban/fail2ban.local"
cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
[DEFAULT]
allowipv6 = auto
allowipv6 = auto
EOF
@@ -62,14 +62,14 @@ EOF
### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT]
usedns = yes
# 127.0.0.1/8 IPv4 loopback range (local host)
# ::1/128 IPv6 loopback
# fe80::/10 IPv6 link-local (on-link only; NDP/RA/DAD)
# fc00::/7 IPv6 ULA (private LAN addresses)
# ff00::/8 IPv6 multicast (not an unicast host)
# ::/128 IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128
usedns = yes
# 127.0.0.1/8 IPv4 loopback range (local host)
# ::1/128 IPv6 loopback
# fe80::/10 IPv6 link-local (on-link only; NDP/RA/DAD)
# fc00::/7 IPv6 ULA (private LAN addresses)
# ff00::/8 IPv6 multicast (not an unicast host)
# ::/128 IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
EOF
@@ -94,30 +94,42 @@ EOF
fi
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8
findtime = 24h
bantime = 24h
maxretry = 3
findtime = 1d
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.overalljails = true
bantime.rndtime = 877s
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
maxretry = 3
findtime = 16d
bantime = 8d
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 96d
bantime.multipliers = 1, 2, 4, 8
bantime.overalljails = true
bantime.rndtime = 877s
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 24h
bantime = 24h
enabled = true
backend = systemd
filter = sshd
mode = normal
port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 4
#
# ufw aggressive approach:
@@ -126,13 +138,11 @@ bantime = 24h
#
[ufw]
enabled = true
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
findtime = 24h
bantime = 24h
enabled = true
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
@@ -142,8 +152,14 @@ EOF
### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
usedns = yes
# 127.0.0.1/8 IPv4 loopback range (local host)
# ::1/128 IPv6 loopback
# fe80::/10 IPv6 link-local (on-link only; NDP/RA/DAD)
# fc00::/7 IPv6 ULA (private LAN addresses)
# ff00::/8 IPv6 multicast (not an unicast host)
# ::/128 IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
EOF
@@ -156,30 +172,42 @@ EOF
fi
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8
findtime = 24h
bantime = 24h
maxretry = 3
findtime = 1d
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.overalljails = true
bantime.rndtime = 877s
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
maxretry = 3
findtime = 16d
bantime = 8d
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 96d
bantime.multipliers = 1, 2, 4, 8
bantime.overalljails = true
bantime.rndtime = 877s
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 24h
bantime = 24h
enabled = true
backend = systemd
filter = sshd
mode = normal
port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 4
#
# ufw aggressive approach:
@@ -188,13 +216,11 @@ bantime = 24h
#
[ufw]
enabled = true
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 8
findtime = 24h
bantime = 24h
enabled = true
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 4
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
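Review bot: The rewritten `ignoreip` in the non-jumphost `[DEFAULT]` block (the `@@ -142,8 +152,14 @@` hunk) widens the ban exemption from loopback only to all of `fc00::/7` and `fe80::/10`, so any peer presenting a ULA or link-local source address on the same segment or VPN can retry against the sshd and ufw jails indefinitely without ever being banned, which is a broader bypass than the old `127.0.0.0/8 ::1` line and deserves an explicit statement of intent. If the goal is only "never ban ourselves", `ignoreip = 127.0.0.1/8 ::1/128` together with the existing `${VAR_FINAL_IPV4}` continuation already achieves it; if a trusted management network is meant, listing its actual prefix in place of the whole ULA space, e.g. `# <MGMT_ULA_PREFIX>/48 trusted management network (placeholder)`, keeps brute-force protection for the rest of the LAN. `ff00::/8` and `::/128` never appear as source addresses, so they add nothing to the exemption and could be dropped or noted as documentation only. The same list already existed in the jumphost block and appears there only as a whitespace-level change; the enclosing `hardening_fail2ban` function starts and ends outside the visible hunks.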