msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.256.2025.10.21
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m0s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m4s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-21 20:52:39 +01:00
parent 343ae97968
commit 2a866d7520
40 changed files with 200 additions and 116 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
config/hooks/live/0007_update_logrotate.chroot
View File

@@ -20,27 +20,49 @@ rm -f "/etc/logrotate.conf"
cat << EOF >| "/etc/logrotate.conf"
# See "man logrotate" for details. Global options do not affect preceding include directives.
# rotate log files daily
# Rotate log files daily
daily
# keep 384 daily worth of backlogs
# Keep 384 daily worth of backlogs.
rotate 384
# hard cap: delete rotated logs older than 384 days
# Hard cap: delete rotated logs older than 384 days.
maxage 384
# create new (empty) log files after rotating old ones
# Do not rotate the log if it is empty (this overrides the ifempty option).
notifempty
# Create new (empty) log files after rotating old ones.
create
# use date as a suffix of the rotated file
# Use date as a suffix of the rotated file.
dateext
# gzip older rotations
# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
# that is the same as the timestamps within it.
dateyesterday
# Enable compression
compress
# keep the most recent rotation uncompressed for one cycle
# Use zstd instead of gzip.
compresscmd /usr/bin/zstd
# File extension for compressed logs.
compressext .zst
# Set zstd level 3 (default).
compressoptions -20
# How to decompress for 'logrotate -d' or similar.
uncompresscmd /usr/bin/unzstd
# Keep the most recent rotation uncompressed for one cycle.
delaycompress
# Delete log files using shred -u instead of unlink().
shred
# packages drop log rotation information into this directory
include /etc/logrotate.d

176
config/hooks/live/9950_fail2ban_hardening.chroot
View File

@@ -24,7 +24,7 @@ sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
@@ -37,69 +37,106 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
# SPDX-Security-Contact: security@coresecret.eu
[DEFAULT]
usedns = yes
# 127.0.0.1/8 IPv4 loopback range (local host)
# ::1/128 IPv6 loopback
# fe80::/10 IPv6 link-local (on-link only; NDP/RA/DAD)
# fc00::/7 IPv6 ULA (private LAN addresses)
# ff00::/8 IPv6 multicast (not an unicast host)
# ::/128 IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 MUST_BE_SET
maxretry = 8
findtime = 24h
bantime = 24h
dbpurgeage = 384d
# 127.0.0.1/8 - IPv4 loopback range (local host)
# ::1/128 - IPv6 loopback
# fe80::/10 - IPv6 link-local (on-link only; NDP/RA/DAD)
# ff00::/8 - IPv6 multicast (not an unicast host)
# ::/128 - IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 MUST_BE_SET
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
enabled = true
banaction = ufw[blocktype=deny]
bantime = 8d
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 128d
bantime.multipliers = 1 2 4 8 16
bantime.overalljails = true
bantime.rndtime = 877s
filter = recidive
findtime = 16d
logpath = /var/log/fail2ban/fail2ban.log*
maxretry = 3
### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd]
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = MUST_BE_SET
protocol = tcp
logpath = /var/log/auth.log
maxretry = 4
findtime = 24h
bantime = 24h
enabled = true
backend = systemd
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = sshd
findtime = 16m
maxretry = 4
mode = aggressive
port = MUST_BE_SET
protocol = tcp
[sshd-refused]
enabled = true
filter = ciss-sshd-refused
port = MUST_BE_SET
protocol = tcp
logpath = /var/log/auth.log
maxretry = 1
findtime = 24h
bantime = 24h
enabled = true
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = ciss-sshd-refused
findtime = 16m
logpath = /var/log/auth.log
maxretry = 1
port = MUST_BE_SET
protocol = tcp
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
#
# CISS aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
#
[icmp]
enabled = true
banaction = ufw[blocktype=deny]
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = ciss-icmp
findtime = 16m
logpath = /var/log/ufw.log
maxretry = 1
[ufw]
enabled = true
filter = ciss-ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
bantime = 24h
findtime = 24h
enabled = true
banaction = ufw[blocktype=deny]
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = ciss-ufw
findtime = 16m
logpath = /var/log/ufw.log
maxretry = 1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-icmp.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
@@ -112,7 +149,29 @@ cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
# SPDX-Security-Contact: security@coresecret.eu
[Definition]
failregex = \[UFW BLOCK\].+SRC=<HOST> DST
# Generic ICMP/ICMPv6 blocks
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMPv6\b.*$
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Definition]
# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
ignoreregex =
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
@@ -169,33 +228,36 @@ EOF
cat << 'EOF' >> /etc/fail2ban/fail2ban.local
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
logtarget = /var/log/fail2ban/fail2ban.log
[Database]
# Keep entries for at least 384 days to cover recidive findtime.
dbpurgeage = 384d
dbpurgeage = 384d
EOF
###########################################################################################
# Remarks: Logrotate must be updated either #
###########################################################################################
cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
#sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
cat << EOF >| /etc/logrotate.d/fail2ban
/var/log/fail2ban/fail2ban.log {
daily
rotate 384
compress
# Do not rotate if empty
maxage 384
notifempty
dateext
dateyesterday
compress
compresscmd /usr/bin/zstd
compressext .zst
compressoptions -20
uncompresscmd /usr/bin/unzstd
delaycompress
shred
missingok
postrotate
fail2ban-client flushlogs 1>/dev/null
endscript
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm