From 52670eff775b23f9a382be67ef3caf3380095b2a2583a7019944afec11c1d6e2 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Sun, 19 Oct 2025 09:24:19 +0100 Subject: [PATCH] V8.13.224.2025.10.19 Signed-off-by: Marc S. Weidner --- .gitea/trigger/t_generate_PRIVATE_trixie_0.yaml | 2 +- .gitea/trigger/t_generate_PRIVATE_trixie_1.yaml | 2 +- .gitea/trigger/t_generate_dns.yaml | 2 +- config/hooks/live/9950_fail2ban_hardening.chroot | 9 +++++++-- config/hooks/live/9999_yyyy_logrotate.chroot | 1 + docs/CHANGELOG.md | 2 ++ 6 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml index 2b0c186..bdea07a 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1024 + counter: 1023 version: V8.13.224.2025.10.19 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml index 2b0c186..bdea07a 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1024 + counter: 1023 version: V8.13.224.2025.10.19 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index a574068..2c744e8 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1024 + counter: 1023 version: V8.13.224.2025.10.19 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/config/hooks/live/9950_fail2ban_hardening.chroot b/config/hooks/live/9950_fail2ban_hardening.chroot index 23d6c36..a6e531d 100644 
--- a/config/hooks/live/9950_fail2ban_hardening.chroot +++ b/config/hooks/live/9950_fail2ban_hardening.chroot @@ -38,8 +38,13 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf [DEFAULT] usedns = yes -# local | vpn -ignoreip = 127.0.0.0/8 ::1 MUST_BE_SET +# 127.0.0.1/8 – IPv4 loopback range (local host) +# ::1/128 – IPv6 loopback +# fe80::/10 – IPv6 link-local (on-link only; NDP/RA/DAD) +# fc00::/7 – IPv6 ULA (private LAN addresses) +# ff00::/8 – IPv6 multicast (not an unicast host) +# ::/128 – IPv6 unspecified (all zeros; never a real peer) +ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 MUST_BE_SET maxretry = 8 findtime = 24h bantime = 24h diff --git a/config/hooks/live/9999_yyyy_logrotate.chroot b/config/hooks/live/9999_yyyy_logrotate.chroot index 39ce553..e9aeeeb 100644 --- a/config/hooks/live/9999_yyyy_logrotate.chroot +++ b/config/hooks/live/9999_yyyy_logrotate.chroot @@ -25,6 +25,7 @@ declare -ar ary_logrotate=( "fail2ban" "rkhunter" "rsnapshot" + "rsyslog" "ufw" "unattended-upgrades" "usbguard" diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index a843e58..9589e57 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -15,6 +15,8 @@ include_toc: true ## V8.13.224.2025.10.19 * **Added**: [.zshenv](../config/includes.chroot/root/.zshenv) * **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot) +* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) updated ignoreip +* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) + rsyslog * **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - haveged, + jitterentropy-rngd ## V8.13.192.2025.10.18
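Review bot: The new `ignoreip` line in `9950_fail2ban_hardening.chroot` exempts `fe80::/10` and `fc00::/7`, so a host on the local link or in the site's ULA space is never banned no matter how many failed logins it produces; a compromised neighbour on the same segment is a peer fail2ban should still throttle. The IPv4 side gets no matching RFC 1918 entries, so the two address families are now treated differently without the comment saying why. `ff00::/8` and `::/128` are not valid source addresses for a peer and add nothing, and `127.0.0.1/8` has host bits set where the old line had the canonical `127.0.0.0/8`. Unless link-local and ULA peers are deliberately trusted, I would keep the list to `ignoreip = 127.0.0.0/8 ::1/128 MUST_BE_SET` and record the trust decision in the comment block. The heredoc that writes `ciss-default.conf` starts and ends outside the hunk.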