Marc S. Weidner
d316c1d2b5
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m36s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
205 lines
6.8 KiB
Bash
205 lines
6.8 KiB
Bash
#!/bin/bash
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.installer
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
guard_sourcing
|
|
|
|
#######################################
|
|
# Hardening files and directories.
|
|
# Globals:
|
|
# None
|
|
# Arguments:
|
|
# None
|
|
# Returns:
|
|
# 0: on success
|
|
#######################################
|
|
hardening_fail2ban() {
|
|
### Declare Arrays, HashMaps, and Variables.
|
|
declare
|
|
declare -r var_logfile="/root/.ciss/cdi/log/4435_hardening_fail2ban.log"
|
|
|
|
chroot_logger "${TARGET}${var_logfile}"
|
|
|
|
chroot_script "${TARGET}" "
|
|
export INITRD=No
|
|
apt-get install -y --no-install-suggests fail2ban 2>&1 | tee -a ${var_logfile}
|
|
echo ExitCode: \$? >> ${var_logfile}
|
|
"
|
|
cp -u /etc/fail2ban/fail2ban.conf "${DIR_BAK}"fail2ban.conf.bak
|
|
mv "${TARGET}/etc/resolv.conf" "${TARGET}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
|
|
|
|
|
|
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
|
|
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
|
|
|
|
mv /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.conf.bak
|
|
chmod 644 /etc/fail2ban/jail.d/defaults-debian.conf.bak
|
|
|
|
if [[ "${JUMPHOST,,}" = "yes" ]]; then
|
|
|
|
###########################################################################################
|
|
# Remarks: fail2ban ufw aggresive mode - one attempt for Jumphost configuration #
|
|
###########################################################################################
|
|
cat <<EOF >/etc/fail2ban/jail.d/centurion-default.conf
|
|
##### Added by hardening.sh - Module: do_hardening_fail2ban #####
|
|
|
|
[DEFAULT]
|
|
usedns = yes
|
|
ignoreip = 127.0.0.0/8 ::1
|
|
# $FQDN
|
|
$IPV4 $IPV6/64
|
|
# Jumphost
|
|
$JUMPHOST_IPV4 $JUMPHOST_IPV6/64
|
|
maxretry = 8
|
|
findtime = 12h
|
|
bantime = 12h
|
|
|
|
[sshd]
|
|
enabled = true
|
|
backend = systemd
|
|
filter = sshd
|
|
mode = normal
|
|
port = $SSHPORT
|
|
protocol = tcp
|
|
logpath = /var/log/auth.log
|
|
maxretry = 3
|
|
findtime = 1d
|
|
bantime = 1d
|
|
|
|
#
|
|
# ufw aggressive approach:
|
|
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
|
|
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 1 attempt.
|
|
#
|
|
|
|
[ufw]
|
|
enabled = true
|
|
filter = ufw.aggressive
|
|
action = iptables-allports
|
|
logpath = /var/log/ufw.log
|
|
maxretry = 1
|
|
findtime = 1d
|
|
bantime = 1d
|
|
protocol = tcp,udp
|
|
|
|
EOF
|
|
|
|
else
|
|
###########################################################################################
|
|
# Remarks: fail2ban ufw aggresive mode 32 attempts for NO Jumphost configuration #
|
|
###########################################################################################
|
|
cat <<EOF >/etc/fail2ban/jail.d/centurion-default.conf
|
|
##### Added by hardening.sh - Module: do_hardening_fail2ban #####
|
|
|
|
[DEFAULT]
|
|
usedns = yes
|
|
ignoreip = 127.0.0.0/8 ::1
|
|
# $FQDN
|
|
$IPV4 $IPV6/64
|
|
maxretry = 8
|
|
findtime = 12h
|
|
bantime = 12h
|
|
|
|
[sshd]
|
|
enabled = true
|
|
backend = systemd
|
|
filter = sshd
|
|
mode = normal
|
|
port = $SSHPORT
|
|
protocol = tcp
|
|
logpath = /var/log/auth.log
|
|
maxretry = 3
|
|
findtime = 1d
|
|
bantime = 1d
|
|
|
|
#
|
|
# ufw aggressive approach:
|
|
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
|
|
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 32 attempts.
|
|
#
|
|
|
|
[ufw]
|
|
enabled = true
|
|
filter = ufw.aggressive
|
|
action = iptables-allports
|
|
logpath = /var/log/ufw.log
|
|
maxretry = 32
|
|
findtime = 1d
|
|
bantime = 1d
|
|
protocol = tcp,udp
|
|
|
|
EOF
|
|
|
|
fi
|
|
|
|
cat <<EOF >/etc/fail2ban/filter.d/ufw.aggressive.conf
|
|
##### Added by hardening.sh - Module: do_hardening_fail2ban #####
|
|
|
|
[Definition]
|
|
failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
|
|
ignoreregex =
|
|
|
|
EOF
|
|
|
|
###########################################################################################
|
|
# Remarks: hardening of fail2ban systemd #
|
|
###########################################################################################
|
|
# https://wiki.archlinux.org/title/fail2ban#Service_hardening #
|
|
# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read #
|
|
# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to #
|
|
# operate # on any firewall that has command-line shell interface. By using #
|
|
# ProtectSystem=strict the filesystem hierarchy will only be read-only, ReadWritePaths #
|
|
# allows Fail2ban to have write access on required paths. #
|
|
###########################################################################################
|
|
mkdir -p /etc/systemd/system/fail2ban.service.d
|
|
mkdir /var/log/fail2ban
|
|
|
|
cat <<EOF >/etc/systemd/system/fail2ban.service.d/override.conf
|
|
[Service]
|
|
PrivateDevices=yes
|
|
PrivateTmp=yes
|
|
ProtectHome=read-only
|
|
ProtectSystem=strict
|
|
ReadWritePaths=-/var/run/fail2ban
|
|
ReadWritePaths=-/var/lib/fail2ban
|
|
ReadWritePaths=-/var/log/fail2ban
|
|
ReadWritePaths=-/var/spool/postfix/maildrop
|
|
ReadWritePaths=-/run/xtables.lock
|
|
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
|
|
##### Added by CenDev
|
|
ProtectClock=true
|
|
ProtectHostname=true
|
|
EOF
|
|
|
|
cat <<EOF >>/etc/fail2ban/fail2ban.local
|
|
[Definition]
|
|
logtarget = /var/log/fail2ban/fail2ban.log
|
|
EOF
|
|
|
|
###########################################################################################
|
|
# Remarks: Hetzner needs special ignoreip rules #
|
|
###########################################################################################
|
|
if [[ "${VPSPROVIDER,,}" = "hetzner" ]]; then
|
|
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' /etc/fail2ban/jail.d/centurion-default.conf
|
|
fi
|
|
|
|
###########################################################################################
|
|
# Remarks: Logrotate must be updated either #
|
|
###########################################################################################
|
|
cp -a /etc/logrotate.d/fail2ban "${DIR_BAK}"fail2ban_logrotate.bak
|
|
sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
|
|
touch /var/log/fail2ban/fail2ban.log
|
|
chmod 640 /var/log/fail2ban/fail2ban.log
|
|
|
|
guard_dir && return 0
|
|
}
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|