V8.13.256.2025.10.21

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0007_update_logrotate.chroot

@@ -20,27 +20,49 @@ rm -f         "/etc/logrotate.conf"
 cat << EOF >| "/etc/logrotate.conf"
 # See "man logrotate" for details. Global options do not affect preceding include directives.
 
-# rotate log files daily
+# Rotate log files daily
 daily
 
-# keep 384 daily worth of backlogs
+# Keep 384 daily worth of backlogs.
 rotate 384
 
-# hard cap: delete rotated logs older than 384 days
+# Hard cap: delete rotated logs older than 384 days.
 maxage 384
 
-# create new (empty) log files after rotating old ones
+# Do not rotate the log if it is empty (this overrides the ifempty option).
+notifempty
+
+# Create new (empty) log files after rotating old ones.
 create
 
-# use date as a suffix of the rotated file
+# Use date as a suffix of the rotated file.
 dateext
 
-# gzip older rotations
+# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
+# that is the same as the timestamps within it.
+dateyesterday
+
+# Enable compression
 compress
 
-# keep the most recent rotation uncompressed for one cycle
+# Use zstd instead of gzip.
+compresscmd /usr/bin/zstd
+
+# File extension for compressed logs.
+compressext .zst
+
+# Set zstd level 3 (default).
+compressoptions -20
+
+# How to decompress for 'logrotate -d' or similar.
+uncompresscmd /usr/bin/unzstd
+
+# Keep the most recent rotation uncompressed for one cycle.
 delaycompress
 
+# Delete log files using shred -u instead of unlink().
+shred
+
 # packages drop log rotation information into this directory
 include /etc/logrotate.d
 

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -24,7 +24,7 @@ sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
 mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
 chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
 
-cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
+cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
@@ -37,69 +37,106 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
 # SPDX-Security-Contact: security@coresecret.eu
 
 [DEFAULT]
-usedns    = yes
-# 127.0.0.1/8  – IPv4 loopback range (local host)
-# ::1/128      – IPv6 loopback
-# fe80::/10    – IPv6 link-local (on-link only; NDP/RA/DAD)
-# fc00::/7     – IPv6 ULA (private LAN addresses)
-# ff00::/8     – IPv6 multicast (not an unicast host)
-# ::/128       – IPv6 unspecified (all zeros; never a real peer)
-ignoreip  = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 MUST_BE_SET
-maxretry  = 8
-findtime  = 24h
-bantime   = 24h
+dbpurgeage            = 384d
+#                       127.0.0.1/8 - IPv4 loopback range (local host)
+#                       ::1/128     - IPv6 loopback
+#                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
+#                       ff00::/8    - IPv6 multicast (not an unicast host)
+#                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 MUST_BE_SET
 
 [recidive]
-enabled   = true
-filter    = recidive
-logpath   = /var/log/fail2ban/fail2ban.log*
-banaction = iptables-allports
-bantime   = 32d
-findtime  = 384d
-maxretry  = 4
+enabled               = true
+banaction             = ufw[blocktype=deny]
+bantime               = 8d
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 128d
+bantime.multipliers   = 1 2 4 8 16
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = recidive
+findtime              = 16d
+logpath               = /var/log/fail2ban/fail2ban.log*
+maxretry              = 3
 
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
 ###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 
 [sshd]
-enabled   = true
-backend   = systemd
-filter    = sshd
-mode      = normal
-port      = MUST_BE_SET
-protocol  = tcp
-logpath   = /var/log/auth.log
-maxretry  = 4
-findtime  = 24h
-bantime   = 24h
+enabled               = true
+backend               = systemd
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = sshd
+findtime              = 16m
+maxretry              = 4
+mode                  = aggressive
+port                  = MUST_BE_SET
+protocol              = tcp
 
 [sshd-refused]
-enabled   = true
-filter    = ciss-sshd-refused
-port      = MUST_BE_SET
-protocol  = tcp
-logpath   = /var/log/auth.log
-maxretry  = 1
-findtime  = 24h
-bantime   = 24h
+enabled               = true
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-sshd-refused
+findtime              = 16m
+logpath               = /var/log/auth.log
+maxretry              = 1
+port                  = MUST_BE_SET
+protocol              = tcp
 
-# ufw aggressive approach:
-# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
-# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
+#
+# CISS aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
+# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
+#
+
+[icmp]
+enabled               = true
+banaction             = ufw[blocktype=deny]
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-icmp
+findtime              = 16m
+logpath               = /var/log/ufw.log
+maxretry              = 1
 
 [ufw]
-enabled   = true
-filter    = ciss-ufw
-action    = iptables-allports
-logpath   = /var/log/ufw.log
-maxretry  = 1
-bantime   = 24h
-findtime  = 24h
+enabled               = true
+banaction             = ufw[blocktype=deny]
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-ufw
+findtime              = 16m
+logpath               = /var/log/ufw.log
+maxretry              = 1
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-icmp.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
@@ -112,7 +149,29 @@ cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
 # SPDX-Security-Contact: security@coresecret.eu
 
 [Definition]
-failregex = \[UFW BLOCK\].+SRC=<HOST> DST
+# Generic ICMP/ICMPv6 blocks
+failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
+                        ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMPv6\b.*$
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
+failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
+ignoreregex           =
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
@@ -169,33 +228,36 @@ EOF
 
 cat << 'EOF' >> /etc/fail2ban/fail2ban.local
 [Definition]
-logtarget = /var/log/fail2ban/fail2ban.log
+logtarget             = /var/log/fail2ban/fail2ban.log
 
 [Database]
 # Keep entries for at least 384 days to cover recidive findtime.
-dbpurgeage = 384d
+dbpurgeage            = 384d
 EOF
 
 ###########################################################################################
 # Remarks: Logrotate must be updated either                                               #
 ###########################################################################################
 cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
-#sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
 cat << EOF >| /etc/logrotate.d/fail2ban
 /var/log/fail2ban/fail2ban.log {
-
     daily
     rotate 384
-    compress
-    # Do not rotate if empty
+    maxage 384
     notifempty
-
+    dateext
+    dateyesterday
+    compress
+    compresscmd /usr/bin/zstd
+    compressext .zst
+    compressoptions -20
+    uncompresscmd /usr/bin/unzstd
     delaycompress
+    shred
     missingok
     postrotate
         fail2ban-client flushlogs 1>/dev/null
     endscript
-
     # If fail2ban runs as non-root it still needs to have write access
     # to logfiles.
     # create 640 fail2ban adm

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.224.2025.10.19"
+declare -gr VERSION="Master V8.13.256.2025.10.21"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.224.2025.10.19 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.256.2025.10.21 at: 10:18:37.9542

config/includes.chroot/root/.zshenv

@@ -13,15 +13,10 @@
 : "${XDG_CACHE_HOME:=${HOME}/.cache}"
 : "${XDG_DATA_HOME:=${HOME}/.local/share}"
 : "${XDG_STATE_HOME:=${HOME}/.local/state}"
-if [ -z "${XDG_RUNTIME_DIR:-}" ]; then
-  if [ -d "/run/user/$(id -u)" ]; then
-    XDG_RUNTIME_DIR="/run/user/$(id -u)"
-  else
-    XDG_RUNTIME_DIR="/tmp/xdg-runtime-$(id -u)"
-  fi
-fi
 
-export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME XDG_RUNTIME_DIR
+# Do NOT set XDG_RUNTIME_DIR here.
+
+export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME
 
 ### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile)
 if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then