From 571a94d7e863047c81f5f17bbb99623d516518f1f024a25e3f7b67574f2ba4ad Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Fri, 24 Oct 2025 13:14:02 +0100 Subject: [PATCH] V8.13.288.2025.10.24 Signed-off-by: Marc S. Weidner --- config/hooks/live/0900_ufw_setup.chroot | 2 +- .../hooks/live/9950_fail2ban_hardening.chroot | 10 +-- config/includes.chroot/etc/ssh/sshd_config | 2 +- docs/CHANGELOG.md | 4 + lib/lib_hardening_ultra.sh | 77 +++++++++++++++---- 5 files changed, 74 insertions(+), 21 deletions(-) diff --git a/config/hooks/live/0900_ufw_setup.chroot b/config/hooks/live/0900_ufw_setup.chroot index 5ae19ba..9384343 100644 --- a/config/hooks/live/0900_ufw_setup.chroot +++ b/config/hooks/live/0900_ufw_setup.chroot @@ -14,7 +14,7 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" declare -r UFW_OUT_POLICY="deny" -declare -r SSHPORT="MUST_BE_SET" +declare -r SSHPORT="SSHPORT_MUST_BE_SET" ufw --force reset diff --git a/config/hooks/live/9950_fail2ban_hardening.chroot b/config/hooks/live/9950_fail2ban_hardening.chroot index e7c96f6..28550f3 100644 --- a/config/hooks/live/9950_fail2ban_hardening.chroot +++ b/config/hooks/live/9950_fail2ban_hardening.chroot @@ -45,7 +45,7 @@ dbpurgeage = 384d # fe80::/10 - IPv6 link-local (on-link only; NDP/RA/DAD) # ff00::/8 - IPv6 multicast (not an unicast host) # ::/128 - IPv6 unspecified (all zeros; never a real peer) -ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 MUST_BE_SET +ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET [recidive] enabled = true 
@@ -62,8 +62,8 @@ findtime = 16d logpath = /var/log/fail2ban/fail2ban.log* maxretry = 3 -### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused] -### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd] +### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused] +### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd] [sshd] enabled = true @@ -79,7 +79,7 @@ filter = sshd findtime = 16m maxretry = 4 mode = aggressive -port = MUST_BE_SET +port = PORT_MUST_BE_SET protocol = tcp [sshd-refused] @@ -95,7 +95,7 @@ filter = ciss-sshd-refused findtime = 16m logpath = /var/log/auth.log maxretry = 1 -port = MUST_BE_SET +port = PORT_MUST_BE_SET protocol = tcp # diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index f68949b..78119b3 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -28,7 +28,7 @@ LogLevel VERBOSE AddressFamily any ListenAddress 0.0.0.0 ListenAddress :: -Port MUST_BE_CHANGED +PORT_MUST_BE_CHANGED AllowUsers root UseDNS no ### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first. diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index b0a6e91..657f8cd 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md 
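Review bot: The new sshd_config line drops the `Port` keyword: `+PORT_MUST_BE_CHANGED` stands alone, while the substitution added in lib_hardening_ultra.sh (hunks @@ -194 and @@ -226) only matches `Port[[:space:]]+PORT_MUST_BE_CHANGED`. As committed the sed has nothing to match, so the shipped sshd_config keeps a bare `PORT_MUST_BE_CHANGED` line, which sshd should reject as an unknown option and refuse to start (worth confirming with `sshd -t` on the built image). The line should read `Port PORT_MUST_BE_CHANGED`, matching the `Port`+whitespace shape the replacement regex expects; with the fix, a build that never sets VAR_SSHPORT still pads in the default `22`.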
@@ -14,6 +14,10 @@ include_toc: true ## V8.13.288.2025.10.24 * **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) + banaction = nftables-* +* **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection +* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) changed var injection +* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection +* **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection ## V8.13.280.2025.10.23 * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) + 10-ciss-noise-floor.rules diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh index e27a451..a14b07c 100644 --- a/lib/lib_hardening_ultra.sh +++ b/lib/lib_hardening_ultra.sh @@ -184,7 +184,7 @@ hardening_ultra() { fi - + ### /config/includes.chroot/root/.ssh if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" 
@@ -194,15 +194,27 @@ hardening_ultra() { declare -r sshport="${VAR_SSHPORT:-22}" - sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" - sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" - sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" + ### /config/includes.chroot/etc/ssh/sshd_config + # shellcheck disable=SC2155 + declare pad="$(printf '%-29s' 'Port')" + sed -E -i "s|^[[:space:]]*#?[[:space:]]*(Port[[:space:]]+PORT_MUST_BE_CHANGED)[[:space:]]*$|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" + ### /config/hooks/live/9950_fail2ban_hardening.chroot + sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + + ### /config/hooks/live/0900_ufw_setup.chroot + sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + + + ### /config/hooks/live/0900_ufw_setup.chroot if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" + declare line + # shellcheck disable=SC2312 line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) @@ -212,10 +224,15 @@ hardening_ultra() { fi declare host + for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do + ((line++)) + sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}" + done + fi else 
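Review bot: The added `sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp .../d"` removes the generic SSH allow rule whenever `ARY_HANDLER_JUMPHOST` is non-empty, but the replacement rules are then generated from `ARY_HANDLER_JUMPHOST_UNIQUE`; the duplicate block in the hunk at @@ -226 tests `ARY_HANDLER_JUMPHOST_UNIQUE` instead. If the two arrays can ever differ in emptiness (how UNIQUE is derived is outside the hunk), the generic rule is deleted and nothing replaces it, locking SSH out of the built image, so the guard here should test the same array the loop iterates. Separately, `sshport` from `VAR_SSHPORT` is interpolated unvalidated into three sed replacements and into the generated `ufw allow ... port ${sshport}` lines; a value containing `|`, `&` or whitespace would change the sed expression or the rule rather than fail, so a check such as `[[ ${sshport} =~ ^[1-9][0-9]{0,4}$ ]] && (( sshport <= 65535 )) || return 1` right after the `declare -r sshport=...` line (in both branches) would make the build fail early instead. The `-E` regex on the sshd_config sed keeps a capture group `(Port ... PORT_MUST_BE_CHANGED)` that the replacement never references, so the parentheses can go. hardening_ultra() begins and ends outside this hunk.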
@@ -226,14 +243,25 @@ hardening_ultra() { declare -r sshport="${VAR_SSHPORT:-22}" - sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" - sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" - sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" + ### /config/includes.chroot/etc/ssh/sshd_config + # shellcheck disable=SC2155 + declare pad="$(printf '%-29s' 'Port')" + sed -E -i "s|^[[:space:]]*#?[[:space:]]*(Port[[:space:]]+PORT_MUST_BE_CHANGED)[[:space:]]*$|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" + ### /config/hooks/live/9950_fail2ban_hardening.chroot + sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + + ### /config/hooks/live/0900_ufw_setup.chroot + sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + + + ### /config/hooks/live/0900_ufw_setup.chroot if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" + declare line # shellcheck disable=SC2312 line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) 
@@ -244,46 +272,67 @@ hardening_ultra() { fi declare host + for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do + ((line++)) sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}" + done + fi + fi + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n" + + ### /config/includes.chroot/etc/hosts.allow if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n" + cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc" cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc" + chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow" chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny" + rm -f "${VAR_WORKDIR}/hosts.allow" rm -f "${VAR_WORKDIR}/hosts.deny" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n" + fi + + ### /config/hooks/live/9950_fail2ban_hardening.chroot if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n" + # Join array entries with spaces, preserving any newlines declare ips="${ARY_HANDLER_JUMPHOST[*]}" + # Flatten to a single line and strip literal brackets [] declare flat_ips # shellcheck disable=SC2312 flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]') # flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 
2a03:.../64" - # Perform an in-place replacement of MUST_BE_SET with the cleaned list - sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \ - "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + # Perform an in-place replacement of IGNORE_IP_MUST_BE_SET with the cleaned list + sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n" + else + printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n" - sed -i \ - -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \ - -e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \ - "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + + sed -i 's/IGNORE_IP_MUST_BE_SET//g' "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n" + fi } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
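Review bot: The new `sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g"` interpolates the jump host list into the sed replacement with only `tr -d '[]'` applied; a `&` in an entry is expanded by sed to the matched text, a `|` ends the expression, and a `\` starts an escape, so a malformed entry silently corrupts the `ignoreip` line instead of failing the build. Since the list is meant to hold only IPv4/IPv6 addresses and CIDR suffixes, a character-class check before the sed, `[[ ${flat_ips} =~ ^[[:xdigit:]:./[:space:]]*$ ]] || { printf 'unexpected characters in jump host list\n' >&2; return 1; }`, keeps the fail2ban whitelist to what was intended. In the else branch `sed -i 's/IGNORE_IP_MUST_BE_SET//g'` leaves a trailing space after `::/128`, harmless for fail2ban but worth `s/[[:space:]]*IGNORE_IP_MUST_BE_SET//g`. The unchanged `cp -af "${VAR_WORKDIR}/hosts.deny"` sits inside the `-f hosts.allow` guard only; if hosts.deny is optional it needs its own `[[ -f ... ]]` test, otherwise the cp error aborts the hook under `set -e`.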