msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.288.2025.10.24
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m49s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-24 13:14:02 +01:00
parent cca580000c
commit 571a94d7e8
5 changed files with 74 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
config/hooks/live/0900_ufw_setup.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
declare -r UFW_OUT_POLICY="deny" declare -r UFW_OUT_POLICY="deny"
declare -r SSHPORT="MUST_BE_SET" declare -r SSHPORT="SSHPORT_MUST_BE_SET"
ufw --force reset ufw --force reset

6
config/hooks/live/9950_fail2ban_hardening.chroot
View File

@@ -45,7 +45,7 @@ dbpurgeage = 384d
# fe80::/10 - IPv6 link-local (on-link only; NDP/RA/DAD) # fe80::/10 - IPv6 link-local (on-link only; NDP/RA/DAD)
# ff00::/8 - IPv6 multicast (not an unicast host) # ff00::/8 - IPv6 multicast (not an unicast host)
# ::/128 - IPv6 unspecified (all zeros; never a real peer) # ::/128 - IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 MUST_BE_SET ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
[recidive] [recidive]
enabled = true enabled = true
@@ -79,7 +79,7 @@ filter = sshd
findtime = 16m findtime = 16m
maxretry = 4 maxretry = 4
mode = aggressive mode = aggressive
port = MUST_BE_SET port = PORT_MUST_BE_SET
protocol = tcp protocol = tcp
[sshd-refused] [sshd-refused]
@@ -95,7 +95,7 @@ filter = ciss-sshd-refused
findtime = 16m findtime = 16m
logpath = /var/log/auth.log logpath = /var/log/auth.log
maxretry = 1 maxretry = 1
port = MUST_BE_SET port = PORT_MUST_BE_SET
protocol = tcp protocol = tcp
# #

2
config/includes.chroot/etc/ssh/sshd_config
View File

@@ -28,7 +28,7 @@ LogLevel VERBOSE
AddressFamily any AddressFamily any
ListenAddress 0.0.0.0 ListenAddress 0.0.0.0
ListenAddress :: ListenAddress ::
Port MUST_BE_CHANGED PORT_MUST_BE_CHANGED
AllowUsers root AllowUsers root
UseDNS no UseDNS no
### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first. ### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first.

4
docs/CHANGELOG.md
View File

@@ -14,6 +14,10 @@ include_toc: true
## V8.13.288.2025.10.24 ## V8.13.288.2025.10.24
* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) + banaction = nftables-* * **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) + banaction = nftables-*
* **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection
* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) changed var injection
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection
* **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection
## V8.13.280.2025.10.23 ## V8.13.280.2025.10.23
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) + 10-ciss-noise-floor.rules * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) + 10-ciss-noise-floor.rules

77
lib/lib_hardening_ultra.sh
View File

@@ -184,7 +184,7 @@ hardening_ultra() {
fi fi
### /config/includes.chroot/root/.ssh
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
@@ -194,15 +194,27 @@ hardening_ultra() {
declare -r sshport="${VAR_SSHPORT:-22}" declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" ### /config/includes.chroot/etc/ssh/sshd_config
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" # shellcheck disable=SC2155
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" declare pad="$(printf '%-29s' 'Port')"
sed -E -i "s|^[[:space:]]*#?[[:space:]]*(Port[[:space:]]+PORT_MUST_BE_CHANGED)[[:space:]]*$|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
### /config/hooks/live/9950_fail2ban_hardening.chroot
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
### /config/hooks/live/0900_ufw_setup.chroot
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
### /config/hooks/live/0900_ufw_setup.chroot
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line declare line
# shellcheck disable=SC2312 # shellcheck disable=SC2312
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
@@ -212,10 +224,15 @@ hardening_ultra() {
fi fi
declare host declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++)) ((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}" sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
done done
fi fi
else else
@@ -226,14 +243,25 @@ hardening_ultra() {
declare -r sshport="${VAR_SSHPORT:-22}" declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" ### /config/includes.chroot/etc/ssh/sshd_config
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" # shellcheck disable=SC2155
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" declare pad="$(printf '%-29s' 'Port')"
sed -E -i "s|^[[:space:]]*#?[[:space:]]*(Port[[:space:]]+PORT_MUST_BE_CHANGED)[[:space:]]*$|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
### /config/hooks/live/9950_fail2ban_hardening.chroot
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
### /config/hooks/live/0900_ufw_setup.chroot
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
### /config/hooks/live/0900_ufw_setup.chroot
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line declare line
# shellcheck disable=SC2312 # shellcheck disable=SC2312
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
@@ -244,46 +272,67 @@ hardening_ultra() {
fi fi
declare host declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++)) ((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}" sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
done done
fi fi
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
### /config/includes.chroot/etc/hosts.allow
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc" cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc" cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow" chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny" chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${VAR_WORKDIR}/hosts.allow" rm -f "${VAR_WORKDIR}/hosts.allow"
rm -f "${VAR_WORKDIR}/hosts.deny" rm -f "${VAR_WORKDIR}/hosts.deny"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
fi fi
### /config/hooks/live/9950_fail2ban_hardening.chroot
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
# Join array entries with spaces, preserving any newlines # Join array entries with spaces, preserving any newlines
declare ips="${ARY_HANDLER_JUMPHOST[*]}" declare ips="${ARY_HANDLER_JUMPHOST[*]}"
# Flatten to a single line and strip literal brackets [] # Flatten to a single line and strip literal brackets []
declare flat_ips declare flat_ips
# shellcheck disable=SC2312 # shellcheck disable=SC2312
flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]') flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
# flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64" # flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64"
# Perform an in-place replacement of MUST_BE_SET with the cleaned list # Perform an in-place replacement of IGNORE_IP_MUST_BE_SET with the cleaned list
sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \ sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
else else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n" printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
sed -i \
-e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \ sed -i 's/IGNORE_IP_MUST_BE_SET//g' "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
-e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
fi fi
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh