


77856e9436 V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-14 10:32:08 +01:00
e0879a4969 V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-14 07:33:05 +01:00
6 changed files with 58 additions and 46 deletions


@@ -104,7 +104,7 @@ image: "linux-image-6.16.3+deb13-amd64"
# "linux-image-6.16.3+deb13-amd64"
needrun: false # Static linking to "${TARGET}/run" can cause problems if this data is "burned" into the target.
provider: "netcup" # MUST be one of "contabo", "hetzner", "netcup" or leave empty.
security_ext: "selinux" # MUST be one of "apparmor" or "selinux".
security_ext: "apparmor" # MUST be one of "apparmor" or "selinux".
################################################################################################################################
# Dropbear settings
@@ -509,6 +509,7 @@ network:
dhcp: 60 # If the dhcp server is slow, and the installer times out waiting for it, this might be useful.
linkwait: 3 # To set a different link detection timeout (default is 3 seconds).
static:
dns_dhcp_override: true # If you want to override the DNS settings of the DHCP server.
enable: true # If you want the preconfiguration file to work on systems both with and without a dhcp
# server, change 'network.static.enable' from "false" to "true" and configure the static
# configuration below.
@@ -820,6 +821,10 @@ ssh:
allow_hardening: true # For additional hardening of SSH connections via TCP wrapper: '/etc/hosts.allow'.
# If "allow_hardening" = "true", at least one 'allow_ipv4' MUST be provided.
allow_ipv4: # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv4: will be added: 'f2ban-ignoreip'.
# Also, ufw will be configured to ufw aggressive approach:
# Any valid client communicating with the server should be going directly to the service ports
# opened in ufw (ssh, 80, ...). Any client touching other ports is treated as malicious and
# therefore is blocked access to ALL ports after 1 attempt.
- 202.61.246.50
allow_ipv6: # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv6: will be added: 'f2ban-ignoreip'.
- 2a03:4000:53:f:abcd:9494:0:2
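Review bot: In the ssh hunk the shipped default for `allow_ipv4` (and `allow_ipv6`) is a concrete public address rather than a placeholder, and with `allow_hardening: true` that list is written into `/etc/hosts.allow` and fail2ban's `ignoreip` per the comments on the lines above it, so a user who copies the example unchanged exempts a third-party address from TCP-wrapper restrictions and banning on every installed host. Consider shipping an obviously invalid placeholder such as `- 192.0.2.1 # REPLACE with your jump host` or an empty list, and a comment pointing out that the value is host-specific. The comment above also promises that at least one `allow_ipv4` MUST be provided when `allow_hardening` is true, but no check enforcing that is visible in this diff; if the installer does not validate it, documenting where the empty-list case is rejected would help.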


@@ -416,8 +416,8 @@ accounts_setup
info_echo "4600_installation_packages.sh [${TARGET}]"
installation_packages
#info_echo "4610_installation_security.sh [${TARGET}]"
#installation_security
info_echo "4610_installation_security.sh [${TARGET}]"
installation_security
info_echo "4620_installation_verification.sh [${TARGET}]"
install_verification


@@ -24,9 +24,9 @@ guard_sourcing
# VAR_FINAL_IPV6_CIDR
# VAR_FINAL_IPV6_GW
# VAR_FINAL_NIC
# VAR_LINK_IPV6
# network_autoconfig_enable
# network_choose_interface_auto
# network_static_dns_dhcp_override
# network_static_ipv4nameserver_0
# network_static_ipv6address
# network_static_ipv6nameserver_0
@@ -74,7 +74,7 @@ installation_network() {
# For servers or systems with static interfaces that should always be available (e.g., eth0 on a server).
# For configurations where the interface should be active regardless of the cable status.
# allow-hotplug:
# For systems with dynamic or removable network devices (e.g., laptops or USB adapters).
# For systems with dynamic or removable network devices (e.g., laptops, USB adapters, VMs).
# To avoid boot delays when interfaces are unavailable.
insert_header "${TARGET}/etc/network/interfaces"
@@ -83,8 +83,6 @@ installation_network() {
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source-directory /etc/network/interfaces.d
# The loopback network interface
auto lo
iface lo inet loopback
@@ -99,9 +97,7 @@ EOF
cat << EOF >> "${TARGET}/etc/network/interfaces"
# The primary network interface: IPv4 via DHCP
auto ${VAR_FINAL_NIC}
allow-hotplug ${VAR_FINAL_NIC}
iface ${VAR_FINAL_NIC} inet dhcp
EOF
@@ -111,9 +107,7 @@ EOF
cat << EOF >> "${TARGET}/etc/network/interfaces"
# The primary network interface: IPv4 via DHCP
auto ${VAR_FINAL_NIC}
allow-hotplug ${VAR_FINAL_NIC}
iface ${VAR_FINAL_NIC} inet dhcp
EOF
@@ -125,9 +119,7 @@ EOF
cat << EOF >> "${TARGET}/etc/network/interfaces"
# The primary network interface: IPv4 via static IP
auto ${VAR_FINAL_NIC}
allow-hotplug ${VAR_FINAL_NIC}
iface ${VAR_FINAL_NIC} inet static
address ${VAR_FINAL_IPV4}
netmask ${VAR_FINAL_IPV4_SUBNET}
@@ -176,6 +168,9 @@ EOF
insert_header "${TARGET}/etc/dhcpcd.conf"
insert_comments "${TARGET}/etc/dhcpcd.conf"
cat << 'EOF' >> "${TARGET}/etc/dhcpcd.conf"
### No Global APIPA-Fallback.
noipv4ll
### A ServerID is required by RFC2131.
require dhcp_server_identifier
@@ -187,6 +182,7 @@ option host_name
option domain_name
option domain_search
option domain_name_servers
option rapid_commit
### Most distributions have NTP support.
option ntp_servers
@@ -201,7 +197,7 @@ EOF
[[ -n "${network_static_ipv4nameserver_0:-}" ]] && ary_dns_supersede+=( "${ARY_IPV4_NS[@]}" )
[[ -n "${network_static_ipv6nameserver_0:-}" ]] && ary_dns_supersede+=( "${ARY_IPV6_NS[@]}" )
if [[ "${#ary_dns_supersede[@]}" -gt 0 ]]; then
if [[ "${#ary_dns_supersede[@]}" -gt 0 && "${network_static_dns_dhcp_override}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/dhcpcd.conf"
### Enforce static DNS
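Review bot: In the last hunk the new condition expands `${network_static_dns_dhcp_override}` without the `:-` default that the two preceding lines use for the nameserver variables, so a preseed that omits `network.static.dns_dhcp_override` aborts with an unbound-variable error if the installer runs under `set -u` (not visible here) and otherwise silently compares an empty string. `"${network_static_dns_dhcp_override:-false}" == "true"` keeps the three lines consistent and defaults to leaving the DHCP-supplied DNS in place. Since a configured static nameserver is now dropped whenever the flag is not true, an `info_echo` stating that DHCP DNS servers are being kept would explain to users why their nameservers did not apply. installation_network starts and ends outside the hunk.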


@@ -20,6 +20,7 @@ guard_sourcing
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_FINAL_NIC
# VAR_SETUP_PATH
# VAR_SSH_CA
# VAR_SSH_PORT
@@ -38,6 +39,16 @@ installation_ssh() {
chroot_exec "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh
mkdir -p "${TARGET}/etc/systemd/system/ssh.service.d"
cat << EOF >> "${TARGET}/etc/systemd/system/ssh.service.d/override.conf"
[Unit]
Wants=ifup@${VAR_FINAL_NIC}.service network-online.target
After=ifup@{VAR_FINAL_NIC}.service network-online.target
[Service]
Restart=on-failure
RestartSec=3s
EOF
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/motd" "${TARGET}/etc/"
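Review bot: The `After=` line of the new systemd drop-in is missing the `$` of its expansion: `After=ifup@{VAR_FINAL_NIC}.service network-online.target` is written literally into override.conf, so the ordering names a unit that does not exist and is ignored, while the `Wants=` line directly above expands correctly. It should read `After=ifup@${VAR_FINAL_NIC}.service network-online.target`. The heredoc also appends with `>>`, so if installation_ssh can be run twice against the same target the drop-in would accumulate duplicate `[Unit]`/`[Service]` blocks; `>` would make it idempotent if re-runs are expected. installation_ssh continues outside the hunk.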


@@ -48,13 +48,13 @@ allowipv6 = auto
EOF
insert_header "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
insert_comments "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
insert_header "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
insert_comments "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
@@ -64,27 +64,27 @@ EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
# Jumphost
${ARY_ALLOW_IPV4[*]}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
${ARY_ALLOW_IPV6[*]}
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8
findtime = 12h
bantime = 12h
findtime = 24h
bantime = 24h
[sshd]
enabled = true
@@ -95,23 +95,23 @@ port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 1d
bantime = 1d
findtime = 24h
bantime = 24h
#
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 1 attempt.
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
#
[ufw]
enabled = true
filter = ufw.aggressive
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
findtime = 1d
bantime = 1d
findtime = 24h
bantime = 24h
protocol = tcp,udp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -120,7 +120,7 @@ EOF
else
### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
@@ -130,15 +130,15 @@ EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8
findtime = 12h
bantime = 12h
findtime = 24h
bantime = 24h
[sshd]
enabled = true
@@ -149,23 +149,23 @@ port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 1d
bantime = 1d
findtime = 24h
bantime = 24h
#
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 32 attempts.
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 8 attempts.
#
[ufw]
enabled = true
filter = ufw.aggressive
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 32
findtime = 1d
bantime = 1d
maxretry = 8
findtime = 24h
bantime = 24h
protocol = tcp,udp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -176,13 +176,13 @@ EOF
### Provider Hetzner needs special ignoreip rules.
if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
fi
insert_header "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
insert_comments "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
insert_header "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
insert_comments "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
[Definition]
failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
ignoreregex =
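Review bot: The `ciss.ufw` filter in the last hunk (`failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*`) matches every logged block regardless of protocol, while the `[ufw]` jail above bans with `iptables-allports` on `tcp,udp` after a single hit in the jump-host configuration and for 24h. Because UDP source addresses are not validated by any handshake, a single logged block of a packet with a forged source is enough to have that address — possibly a legitimate client not covered by `ignoreip` — banned on all ports, a self-inflicted denial-of-service risk that the "ufw aggressive approach" comment should at least document. Consider matching only `PROTO=TCP` entries in the filter or dropping `udp` from the jail's `protocol`; the trailing ` .*` in the regex is also redundant. The enclosing function starts and ends outside the hunk.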


@@ -34,7 +34,7 @@ echo -e "\e[95m Please consider making a donation: \e[0m"
echo -e "\e[95m https://coresecret.eu/spenden/ \e[0m"
echo ""
echo -e "\e[92m All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
echo -e "\e[92m Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
echo -e "\e[92m Close shell with 'ENTER' to exit" "\e[95m'${HOST}'" "\e[92m! \e[0m"
# shellcheck disable=SC2162
read
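Review bot: `${HOST}` on the changed echo line is not a variable bash sets — `HOSTNAME` is the bash-provided one (`HOST` is zsh's) — so unless the installer exports `HOST` itself, the closing message prints an empty name, and under `set -u` the expansion aborts the script just before the final `read`. If the old/new sides are as printed, keeping `"\e[95m'${HOSTNAME}'"` or defining `HOST` explicitly before use avoids that.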