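#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Install fail2ban in the target system and harden it: replace the Debian
# default jails with an sshd jail plus a "ufw aggressive" jail, move the
# fail2ban log below /var/log/fail2ban/ and sandbox the systemd unit.
# Globals:
#   TARGET, DIR_BAK, JUMPHOST, JUMPHOST_IPV4, JUMPHOST_IPV6, FQDN, IPV4,
#   IPV6, SSHPORT, VPSPROVIDER (all read only)
# Arguments:
#   None
# Returns:
#   0: on success (status of guard_dir otherwise)
#######################################
hardening_fail2ban() {
  ### Declare Arrays, HashMaps, and Variables.
  # (No bare `declare` here: called without arguments it prints every shell
  # variable and its value to stdout, which leaks any secret the installer
  # keeps in a variable into the console/log.)
  local -r var_logfile="/root/.ciss/cdi/log/4435_hardening_fail2ban.log"
  local ufw_maxretry ufw_attempts ignore_extra

  chroot_logger "${TARGET}${var_logfile}"
  # The brace group makes \$? the exit status of apt-get itself. In the old
  # form `apt-get ... | tee ...; echo ExitCode: \$?` the logged value was
  # tee's status, i.e. always 0. The group is POSIX, so it works for sh or bash.
  chroot_script "${TARGET}" "
    export INITRD=No
    { apt-get install -y --no-install-suggests fail2ban; echo ExitCode: \$?; } 2>&1 | tee -a ${var_logfile}
  "

  # NOTE(review): everything below edits /etc/..., whereas resolv.conf and the
  # log file are addressed below ${TARGET}. Whether this module runs on the
  # installer host or inside the chroot is not visible here -- confirm that
  # these paths really reach the installed system.
  cp -u /etc/fail2ban/fail2ban.conf "${DIR_BAK}fail2ban.conf.bak"
  # NOTE(review): unrelated to fail2ban -- presumably removes a resolv.conf that
  # the installer placed for apt; verify no later module still needs it.
  mv "${TARGET}/etc/resolv.conf" "${TARGET}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
  sed -i 's/#allowipv6 = auto/allowipv6 = auto/' /etc/fail2ban/fail2ban.conf
  # fail2ban only reads *.conf and *.local from jail.d, so the .bak copy is inert.
  mv /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.conf.bak
  chmod 644 /etc/fail2ban/jail.d/defaults-debian.conf.bak

  ###########################################################################################
  # Remarks: fail2ban ufw aggressive mode - one attempt for a Jumphost configuration,       #
  #          32 attempts otherwise. Only these values and the extra ignoreip lines differ.  #
  ###########################################################################################
  ignore_extra=""
  if [[ "${JUMPHOST,,}" == "yes" ]]; then
    ufw_maxretry=1
    ufw_attempts="1 attempt"
    # ${VAR:+...} drops the /64 entry when no IPv6 address is configured;
    # a bare "/64" is not a valid ignoreip entry.
    ignore_extra+="# Jumphost"$'\n'"  ${JUMPHOST_IPV4} ${JUMPHOST_IPV6:+${JUMPHOST_IPV6}/64}"$'\n'
  else
    ufw_maxretry=32
    ufw_attempts="32 attempts"
  fi
  ###########################################################################################
  # Remarks: Hetzner needs special ignoreip rules                                           #
  ###########################################################################################
  if [[ "${VPSPROVIDER,,}" == "hetzner" ]]; then
    ignore_extra+="# Hetzner Intern"$'\n'" 172.31.1.1/16"$'\n'
  fi

  # Continuation lines of `ignoreip` MUST keep their leading whitespace: the
  # configparser used by fail2ban treats an indented line as part of the
  # previous value and skips full-line `#` comments in between.
  # Caveat: `usedns = yes` makes fail2ban resolve host names taken from
  # attacker-controlled log lines; the upstream default is `warn`.
  # NOTE(review): with `backend = systemd` the sshd `logpath` is ignored, and
  # /var/log/ufw.log only exists when rsyslog is installed -- confirm for the
  # target release. Also confirm the packaged iptables action accepts the
  # comma-separated `protocol = tcp,udp` value.
  cat <<EOF >/etc/fail2ban/jail.d/centurion-default.conf
##### Added by hardening.sh - Module: do_hardening_fail2ban #####
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
# $FQDN
  $IPV4 ${IPV6:+${IPV6}/64}
${ignore_extra}maxretry = 8
findtime = 12h
bantime = 12h

[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = $SSHPORT
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 1d
bantime = 1d
#
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after ${ufw_attempts}.
#
[ufw]
enabled = true
filter = ufw.aggressive
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = ${ufw_maxretry}
findtime = 1d
bantime = 1d
protocol = tcp,udp
EOF

  # <HOST> is mandatory in a failregex: it is the capture group fail2ban bans
  # on, and fail2ban rejects a filter without it. Quoted delimiter: nothing in
  # this body is meant to be expanded by the shell.
  cat <<'EOF' >/etc/fail2ban/filter.d/ufw.aggressive.conf
##### Added by hardening.sh - Module: do_hardening_fail2ban #####
[Definition]
failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
ignoreregex =
EOF

  ###########################################################################################
  # Remarks: hardening of fail2ban systemd                                                  #
  ###########################################################################################
  # https://wiki.archlinux.org/title/fail2ban#Service_hardening
  # CAP_DAC_READ_SEARCH gives fail2ban read access to every directory and file;
  # CAP_NET_ADMIN and CAP_NET_RAW let it drive any firewall with a command-line
  # interface. ProtectSystem=strict mounts the whole hierarchy read-only and
  # ReadWritePaths re-opens only what fail2ban must write.
  # NOTE(review): the `-` prefix silently skips a path that does not exist when
  # the unit starts; /run/fail2ban and /run/xtables.lock must therefore already
  # be present (tmpfiles.d / ufw) or fail2ban and iptables-legacy cannot create
  # them on the read-only /run -- confirm against the packaged unit.
  mkdir -p /etc/systemd/system/fail2ban.service.d
  mkdir -p /var/log/fail2ban
  cat <<'EOF' >/etc/systemd/system/fail2ban.service.d/override.conf
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
##### Added by CenDev
ProtectClock=true
ProtectHostname=true
EOF
  # Appended (>>) as before; the Debian package does not ship fail2ban.local.
  cat <<'EOF' >>/etc/fail2ban/fail2ban.local
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
EOF

  ###########################################################################################
  # Remarks: Logrotate must be updated either                                               #
  ###########################################################################################
  cp -a /etc/logrotate.d/fail2ban "${DIR_BAK}fail2ban_logrotate.bak"
  sed -i 's|/var/log/fail2ban\.log|/var/log/fail2ban/fail2ban.log|' /etc/logrotate.d/fail2ban
  touch /var/log/fail2ban/fail2ban.log
  chmod 640 /var/log/fail2ban/fail2ban.log

  guard_dir && return 0
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh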