V8.13.288.2025.10.24

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-24 13:14:02 +01:00
parent cca580000c
commit 571a94d7e8
5 changed files with 74 additions and 21 deletions
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 declare -r UFW_OUT_POLICY="deny"
-declare -r SSHPORT="MUST_BE_SET"
+declare -r SSHPORT="SSHPORT_MUST_BE_SET"

 ufw --force reset

--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -45,7 +45,7 @@ dbpurgeage            = 384d
 #                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
 #                       ff00::/8    - IPv6 multicast (not an unicast host)
 #                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
-ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 MUST_BE_SET
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET

 [recidive]
 enabled               = true
@@ -62,8 +62,8 @@ findtime              = 16d
 logpath               = /var/log/fail2ban/fail2ban.log*
 maxretry              = 3

-### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
-###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
+### SSH Handling:     Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
+###                   Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]

 [sshd]
 enabled               = true
@@ -79,7 +79,7 @@ filter                = sshd
 findtime              = 16m
 maxretry              = 4
 mode                  = aggressive
-port                  = MUST_BE_SET
+port                  = PORT_MUST_BE_SET
 protocol              = tcp

 [sshd-refused]
@@ -95,7 +95,7 @@ filter                = ciss-sshd-refused
 findtime              = 16m
 logpath               = /var/log/auth.log
 maxretry              = 1
-port                  = MUST_BE_SET
+port                  = PORT_MUST_BE_SET
 protocol              = tcp

 #