msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.192.2025.10.18
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m45s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-18 18:40:07 +01:00
parent 9ea13fade8
commit 3cb59698cf
5 changed files with 86 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
config/hooks/live/9950_fail2ban_hardening.chroot
View File

@@ -44,6 +44,15 @@ maxretry = 8
findtime = 24h
bantime = 24h
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd]
@@ -82,25 +91,43 @@ maxretry = 1
bantime = 24h
findtime = 24h
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Definition]
failregex = \[UFW BLOCK\].+SRC=<HOST> DST
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Definition]
failregex = ^refused connect from \S+ \(<HOST>\)
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
###########################################################################################
@@ -114,7 +141,7 @@ EOF
# allows Fail2ban to have write access on required paths. #
###########################################################################################
mkdir -p /etc/systemd/system/fail2ban.service.d
mkdir /var/log/fail2ban
mkdir -p /var/log/fail2ban
cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
[Service]