V8.13.192.2025.10.18

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -16,15 +16,15 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root
 
 cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
+chmod 0400 /root/.ciss/dlb/backup/fail2ban.conf.bak
 
 ### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
 sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
 
 mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
+chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
 
-cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
+cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
@@ -61,7 +61,7 @@ bantime   = 24h
 
 [sshd-refused]
 enabled   = true
-filter    = sshd-refused
+filter    = ciss-sshd-refused
 port      = MUST_BE_SET
 protocol  = tcp
 logpath   = /var/log/auth.log
@@ -75,22 +75,30 @@ bantime   = 24h
 
 [ufw]
 enabled   = true
-filter    = ufw.aggressive
+filter    = ciss-ufw
 action    = iptables-allports
 logpath   = /var/log/ufw.log
 maxretry  = 1
-findtime  = 24h
 bantime   = 24h
-protocol  = tcp,udp
+findtime  = 24h
+
+[recidive]
+enabled   = true
+filter    = recidive
+logpath   = /var/log/fail2ban/fail2ban.log*
+banaction = iptables-allports
+bantime   = 32d
+findtime  = 384d
+maxretry  = 4
 
 EOF
 
-cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
 [Definition]
-failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
+failregex = \[UFW BLOCK\].+SRC=<HOST> DST
 EOF
 
-cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
 [Definition]
 failregex = ^refused connect from \S+ \(<HOST>\)
 EOF
@@ -130,15 +138,41 @@ EOF
 cat << 'EOF' >> /etc/fail2ban/fail2ban.local
 [Definition]
 logtarget = /var/log/fail2ban/fail2ban.log
+
+[Database]
+# Keep entries for at least 384 days to cover recidive findtime.
+dbpurgeage = 384d
 EOF
 
 ###########################################################################################
 # Remarks: Logrotate must be updated either                                               #
 ###########################################################################################
 cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
-sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
+#sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
+cat << EOF >| /etc/logrotate.d/fail2ban
+/var/log/fail2ban/fail2ban.log {
+
+    daily
+    rotate 384
+    compress
+    # Do not rotate if empty
+    notifempty
+
+    delaycompress
+    missingok
+    postrotate
+        fail2ban-client flushlogs 1>/dev/null
+    endscript
+
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root adm
+}
+EOF
+
 touch /var/log/fail2ban/fail2ban.log
-chmod 640 /var/log/fail2ban/fail2ban.log
+chmod 0640 /var/log/fail2ban/fail2ban.log
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"