From 8c5d45515df84ff4f2f0a2d6827c72dbabd7fccd6077381013b18ee0ea23184d Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Mon, 2 Jun 2025 18:28:31 +0200 Subject: [PATCH] V8.03.256.2025.06.02 Signed-off-by: Marc S. Weidner --- ..._flavour_0.yaml => t_generate_PUBLIC.yaml} | 0 .../generate_PRIVATE_iso_flavour_0.yaml | 6 +- .../generate_PRIVATE_iso_flavour_1.yaml | 8 +- .gitea/workflows/generate_PUBLIC_iso.yaml | 343 ++++++++++++++++++ LIVE_ISO.private | 25 -- README.md | 21 +- docs/DL_PUB_ISO.md | 47 ++- 7 files changed, 407 insertions(+), 43 deletions(-) rename .gitea/trigger/{t_generate_PUBLIC_iso_flavour_0.yaml => t_generate_PUBLIC.yaml} (100%) create mode 100644 .gitea/workflows/generate_PUBLIC_iso.yaml delete mode 100644 LIVE_ISO.private diff --git a/.gitea/trigger/t_generate_PUBLIC_iso_flavour_0.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml similarity index 100% rename from .gitea/trigger/t_generate_PUBLIC_iso_flavour_0.yaml rename to .gitea/trigger/t_generate_PUBLIC.yaml diff --git a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml index 4fcbc5a..59229ad 100644 --- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml @@ -159,7 +159,7 @@ jobs: --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \ --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \ --root-password-file /opt/config/password.txt \ - --ssh-port 42842 \ + --ssh-port "${{ secrets.CISS_DLB_SSH_PORT }} \ --ssh-pubkey /opt/config - name: đŸ“Ĩ Checking Centurion Cloud for existing LIVE ISOs. @@ -297,7 +297,7 @@ jobs: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail - PRIVATE_FILE="LIVE_ISO.private" + PRIVATE_FILE="LIVE_ISO_FLV_0.private" git add "${PRIVATE_FILE}" || echo "âœ”ī¸ Nothing to add." - name: 🔑 Commit and sign changes with CI metadata. 
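Review bot: The new `--ssh-port` line in the flavour_0 @@ -159 hunk has no closing double quote — `--ssh-port "${{ secrets.CISS_DLB_SSH_PORT }} \` — so bash treats the backslash-newline inside the still-open string as a continuation and folds `--ssh-pubkey /opt/config` and whatever follows into that one argument, or aborts with an unterminated-string error at the end of the script. The flavour_1 counterpart in @@ -156 is quoted correctly, `--ssh-port "${{ secrets.CISS_DLB_SSH_PORT_1 }}" \`, and is the form to copy. In both workflows the secret is still expanded straight into the `run:` script text; passing it through `env:` (`SSH_PORT: ${{ secrets.CISS_DLB_SSH_PORT }}`), writing `--ssh-port "${SSH_PORT}" \`, and rejecting an empty or non-numeric value up front with `[[ "${SSH_PORT}" =~ ^[0-9]+$ ]] || exit 1` keeps the value out of the script body and fails the step before the builder runs with a bad port. The step's run block begins outside the hunk, so the earlier builder arguments are not visible here.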
@@ -321,7 +321,7 @@ jobs: WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" - COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO [skip ci] + COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci] ${CI_HEADER} diff --git a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml index a47fdda..9a211d9 100644 --- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml @@ -156,7 +156,7 @@ jobs: --control "${timestamp}" \ --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS_1 }}" \ --root-password-file /opt/config/password.txt \ - --ssh-port 42842 \ + --ssh-port "${{ secrets.CISS_DLB_SSH_PORT_1 }}" \ --ssh-pubkey /opt/config - name: đŸ“Ĩ Checking Centurion Cloud for existing LIVE ISOs. @@ -244,7 +244,7 @@ jobs: gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}" timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") - PRIVATE_FILE="LIVE_ISO_FLV_0.private" + PRIVATE_FILE="LIVE_ISO_FLV_1.private" touch "${PRIVATE_FILE}" cat << EOF >| "${PRIVATE_FILE}" # SPDX-Version: 3.0 @@ -294,7 +294,7 @@ jobs: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail - PRIVATE_FILE="LIVE_ISO.private" + PRIVATE_FILE="LIVE_ISO_FLV_1.private" git add "${PRIVATE_FILE}" || echo "âœ”ī¸ Nothing to add." - name: 🔑 Commit and sign changes with CI metadata. @@ -318,7 +318,7 @@ jobs: WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" - COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO [skip ci] + COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci] ${CI_HEADER} diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml new file mode 100644 index 0000000..f763cfe --- /dev/null 
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml 
@@ -0,0 +1,343 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### Version Master V8.03.256.2025.06.02 + +name: Generating a PUBLIC Live ISO. + +permissions: + contents: write + +on: + push: + branches: + - master + paths: + - '.gitea/trigger/t_generate_PUBLIC.yaml' + +jobs: + generate-private-ciss-debian-live-iso: + name: Generating a PUBLIC Live ISO. + runs-on: ciss.debian.live.builder + + ### Run all steps inside Debian Bookworm + container: + image: debian:trixie + + steps: + - name: đŸ› ī¸ Basic Image Setup and enable Bookworm Backports. + run: | + apt-get update + apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo + echo 'deb https://deb.debian.org/debian bookworm-backports main' \ + >| /etc/apt/sources.list.d/bookworm-backports.list + apt-get update + + - name: đŸ› ī¸ Installing Build Tools. + shell: bash + run: | + apt-get update + apt-get install -y \ + cryptsetup \ + curl \ + debootstrap \ + dosfstools \ + efibootmgr \ + gnupg \ + git \ + gpgv \ + haveged \ + live-build \ + parted \ + ssh \ + ssl-cert \ + wget \ + whois + + - name: âš™ī¸ Check GnuPG Version. + shell: bash + run: | + gpg --version + + - name: âš™ī¸ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. 
+ shell: bash + run: | + rm -rf ~/.ssh && mkdir -m700 ~/.ssh + + ### Private Key + echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + + ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts + ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts + chmod 600 ~/.ssh/known_hosts + + ### Generate SSH Config for git.coresecret.dev Custom-Port + cat <| ~/.ssh/config + Host git.coresecret.dev + HostName git.coresecret.dev + Port 42842 + IdentityFile ~/.ssh/id_ed25519 + StrictHostKeyChecking yes + UserKnownHostsFile ~/.ssh/known_hosts + EOF + chmod 600 ~/.ssh/config + + ### https://github.com/actions/checkout/issues/1843 + - name: đŸ› ī¸ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. + shell: bash + env: + ### GITHUB_REF_NAME contains the branch name from the push event. + GITHUB_REF_NAME: ${{ github.ref_name }} + run: | + git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . + git fetch --unshallow || echo "Nothing to fetch - already full clone." + + - name: đŸ› ī¸ Cleaning the workspace. + shell: bash + run: | + git reset --hard + git clean -fd + + - name: âš™ī¸ Importing the 'CI PGP DEPLOY ONLY' key. + shell: bash + run: | + set -euo pipefail + ### GPG-Home relative to the Runner Workspace to avoid changing global files. + export GNUPGHOME="$(pwd)/.gnupg" + mkdir -m 700 "${GNUPGHOME}" + echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc + gpg --batch --import ci-bot.sec.asc + ### Trust the key automatically + KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') + echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" + + - name: âš™ī¸ Configuring Git for signed CI/DEPLOY commits. + shell: bash + run: | + set -euo pipefail + export GNUPGHOME="$(pwd)/.gnupg" + git config user.name "Marc S. 
Weidner BOT" + git config user.email "msw+bot@coresecret.dev" + git config commit.gpgsign true + git config gpg.program gpg + git config gpg.format openpgp + + - name: âš™ī¸ Preparing the build environment. + shell: bash + run: | + set -euo pipefail + mkdir -p /opt/config + mkdir -p /opt/livebuild + touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt + touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys + echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt + echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys + + - name: đŸ› ī¸ Starting CISS.debian.live.builder. This may take a while ... + shell: bash + run: | + set -euo pipefail + chmod 0755 ciss_live_builder.sh + timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") + ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64. + ./ciss_live_builder.sh \ + --autobuild=6.12.22+bpo-amd64 \ + --architecture amd64 \ + --build-directory /opt/livebuild \ + --control "${timestamp}" \ + --root-password-file /opt/config/password.txt \ + --ssh-port 42137 \ + --ssh-pubkey /opt/config + + - name: đŸ“Ĩ Checking Centurion Cloud for existing LIVE ISOs. + shell: bash + env: + NC_BASE: "https://cloud.e2ee.li" + SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}" + SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}" + run: | + set -euo pipefail + SHARE_SUBDIR="" + + echo "đŸ“Ĩ Get directory listing via PROPFIND ..." + curl -s \ + --user "${SHARE_TOKEN}:${SHARE_PASS}" \ + -X PROPFIND \ + -H "Depth: 1" \ + "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ + -o propfind_public.xml + + echo "đŸ“Ĩ Filter .iso files from the PROPFIND response ..." 
+ grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true + + if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then + echo "â„šī¸ Old ISO files found and deleted :" + while IFS= read -r href; do + FILE_URL="${NC_BASE}${href}" + echo " Delete: ${FILE_URL}" + if curl -s \ + --user "${SHARE_TOKEN}:${SHARE_PASS}" \ + -X DELETE "${FILE_URL}"; then + echo " ✅ Successfully deleted: $(basename "${href}")" + else + echo " ❌ Error: $(basename "${href}") could not be deleted" + fi + done < public_iso_list.txt + else + echo "â„šī¸ No old ISO files found to delete." + fi + + - name: đŸ› ī¸ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. + shell: bash + env: + NC_BASE: "https://cloud.e2ee.li" + SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}" + SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}" + run: | + set -euo pipefail + if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then + echo "❌ There must be exactly one .iso file in the directory!" + exit 1 + else + VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso) + VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") + echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" + fi + + AUTH="${SHARE_TOKEN}:${SHARE_PASS}" + if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \ + --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}"; then + echo "✅ New ISO successfully uploaded." + else + echo "❌ Uploading the new ISO failed." + exit 1 + fi + + - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file. + shell: bash + run: | + if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then + echo "❌ There must be exactly one .iso file in the directory!" 
+ exit 1 + else + VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso) + VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") + echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" + fi + + VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512" + touch "${VAR_ISO_FILE_SHA512}" + sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}" + SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign" + touch "${SIGNATURE_FILE}" + export GNUPGHOME="$(pwd)/.gnupg" + gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}" + + timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + PRIVATE_FILE="LIVE_ISO.public" + touch "${PRIVATE_FILE}" + cat << EOF >| "${PRIVATE_FILE}" + # SPDX-Version: 3.0 + # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; + # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git + # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency + # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; + # SPDX-FileType: SOURCE + # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 + # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. + # SPDX-PackageName: CISS.debian.live.builder + # SPDX-Security-Contact: security@coresecret.eu + + This file was automatically generated by the DEPLOY BOT on: "${timestamp}". + + CISS.debian.live.builder ISO : + "${VAR_ISO_FILE_NAME}" + CISS.debian.live.builder ISO sha512 : + "${VAR_ISO_FILE_SHA512}" + CISS.debian.live.builder ISO sha512 sign : + $(< "${SIGNATURE_FILE}") + + # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text + EOF + + - name: 🔄 Sync with remote before commit using merge strategy. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + export GNUPGHOME="$(pwd)/.gnupg" + + echo "🔄 Fetching origin/master ..." + git fetch origin master + + echo "🔁 Merging origin/master into current branch ..." 
+ git merge --no-edit origin/master || echo "âœ”ī¸ Already up to date or fast-forward." + + echo "📋 Post-merge status :" + git status + git log --oneline -n 5 + + - name: đŸ“Ļ Stage generated files. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + PRIVATE_FILE="LIVE_ISO.public" + git add "${PRIVATE_FILE}" || echo "âœ”ī¸ Nothing to add." + + - name: 🔑 Commit and sign changes with CI metadata. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + export GNUPGHOME="$(pwd)/.gnupg" + + if git diff --cached --quiet; then + echo "âœ”ī¸ No staged changes to commit." + else + echo "📝 Committing changes with GPG signature ..." + + ### CI Metadata + TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" + HOSTNAME="$(hostname -f || hostname)" + GIT_SHA="$(git rev-parse --short HEAD)" + GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" + WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" + + COMMIT_MSG="DEPLOY BOT: Auto-Generate PUBLIC LIVE ISO [skip ci] + + ${CI_HEADER} + + Generated at: ${TIMESTAMP_UTC} + Runner Host : ${HOSTNAME} + Workflow ID : ${WORKFLOW_ID} + Git Commit : ${GIT_SHA} HEAD → ${GIT_REF} + " + + echo "🔏 Commit message :" + echo "${COMMIT_MSG}" + git commit -S -m "${COMMIT_MSG}" + fi + + - name: 🔁 Push back to repository. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..." + git push origin HEAD:${GITHUB_REF_NAME} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/LIVE_ISO.private b/LIVE_ISO.private deleted file mode 100644 index fb73550..0000000 --- a/LIVE_ISO.private +++ /dev/null 
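Review bot: The deploy-key host in the SSH setup step is trusted on first use — `ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts` records whatever key the network returns at build time, so the `StrictHostKeyChecking yes` written into `~/.ssh/config` just below only verifies against a value the workflow cannot vouch for, and a spoofed host would receive the clone and the signed push unchallenged. Pin the host key instead: supply it from a repository secret or variable through `env:` (e.g. `GIT_HOST_KEY: ${{ secrets.<PINNED_HOST_KEY> }}`, placeholder name) and write `echo "${GIT_HOST_KEY}" >| ~/.ssh/known_hosts` in place of the keyscan. Two spots look like text was lost in rendering rather than in the file — `cat <| ~/.ssh/config` (expected `cat << EOF >| ~/.ssh/config`) and the `grep -oP '(?<=)[^<]+\.iso(?=)'` lookarounds with empty operands — and are worth checking against the committed file, since as shown the first is a bash syntax error and the second cannot match the href elements it is meant to extract. Smaller inconsistencies: the container is `debian:trixie` while the comment and first step name say Bookworm and add `bookworm-backports` sources, and the job id `generate-private-ciss-debian-live-iso` plus the `PRIVATE_FILE` variable holding `LIVE_ISO.public` are leftovers from the private workflows. Also, the old public ISOs are deleted from the cloud share before the new upload is attempted, so a failed upload leaves nothing published; uploading first and deleting the old files afterwards would keep one valid image available at all times.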
@@ -1,25 +0,0 @@ -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu - -This file was automatically generated by the DEPLOY BOT on: "2025-06-02T07:05:05Z". - -CISS.debian.live.builder ISO : - "ciss-debian-live-2025_06_02T06_28_22Z-amd64.hybrid.iso" -CISS.debian.live.builder ISO sha512 : - "ciss-debian-live-2025_06_02T06_28_22Z-amd64.hybrid.iso.sha512" -CISS.debian.live.builder ISO sha512 sign : - -----BEGIN PGP SIGNATURE----- - -iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaD1NIQAKCRA85KY4hzOw -IUI1AQCy+C8u2sxrulp9oEsYNPEQLnVuyqGxlsaGF9soF+ay4AD/cjMt0sNK/SUd -Rt0J3YmtZbbXgIAaUyAMKMc3Bf3nHgc= -=Z0iZ ------END PGP SIGNATURE----- diff --git a/README.md b/README.md index f8df654..a404d5f 100644 --- a/README.md +++ b/README.md 
@@ -30,8 +30,10 @@ include_toc: true This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for -cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. The latest generic ISO is available at: -[CISS.debian.live.ISO_PUBLIC](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/DL_PUB_ISO.md) +cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows +based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant +changes and made publicly available for download. The latest generic ISO is available at: +[CISS.debian.live.ISO PUBLIC](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/DL_PUB_ISO.md) Check out more: * [CenturionNet Services](https://coresecret.eu/cnet/) @@ -89,11 +91,11 @@ After build and configuration, the following audit reports can be generated: * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. Type `ssh-audit :`. See example report: [SSH Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md) -## 1.2. Preview +## 1.3. Preview ![CISS.debian.live.builder](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/screenshots/CISS.debian.live.builder_preview.jpeg) -## 1.3. Caution. Significant information for those considering using D-I. +## 1.4. Caution. Significant information for those considering using D-I. **The Debian Installer (d-i) will ALWAYS boot a new system.**
@@ -124,6 +126,17 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d- * Logging (rsyslog, journald) ✘ not active, * preseed control over the network is possible (but without any protection). +## 1.5. Versioning Schema + +This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. + +Example: `8.03.256.2025.06.02` + +x.y.z represents major (x), minor (y), and patch (z) version increments. + +Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring +reproducibility and traceability. + # 2. Features & Rationale Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture. diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index f6830f4..6842881 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -12,22 +12,26 @@ include_toc: true # 2. Download the latest PUBLIC CISS.debian.live.ISO -## 2.1. URL +## 2.1. Autobuild Information + +The latest information about the public CISS.debian.live.ISO is available at `./LIVE_ISO.public`. + +## 2.2. URL Download the latest Auto-Generated [CISS.debian.live.ISO_PUBLIC](https://cloud.e2ee.li/s/E7FoctLroB4oF7P). -## 2.2. Root Passwd +## 2.3. Root Passwd Use the following Root Passwd: ````text Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH ```` -## 2.3. Root SSH Keys +## 2.4. Root SSH Keys Use the following Root SSH Key Material: -### 2.3.1. SSH Public Key +### 2.4.1. SSH Public Key ````text ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "2025_ciss.debian.live.ISO_PUBLIC_ONLY" @@ -36,7 +40,7 @@ AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS ---- END SSH2 PUBLIC KEY ---- ```` -### 2.3.2. SSH Private Key OPENSSH +### 2.4.2. SSH Private Key OPENSSH ````text -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABB0 
@@ -49,7 +53,7 @@ Clw5PIdM7+BObTSD0g99dLFI -----END OPENSSH PRIVATE KEY----- ```` -### 2.3.3. SSH Private Key +### 2.4.3. SSH Private Key ````text PuTTY-User-Key-File-3: ssh-ed25519 Encryption: aes256-cbc @@ -67,7 +71,36 @@ onOztqghDo2kzYMa7VosVQ+TMr1AHLknwGPMIpuDEb0GyfdVB6LqV3rAKEJRRXJg Private-MAC: 3c87f88ee5306c56e7b2240d7bddda3ce4369d6d296b9101d8a8c5834fdf5e25 ```` -### 2.3.4. SSH Private Key Encryption Key (KEK) +### 2.4.4. SSH Private Key Encryption Key (KEK) +````text +Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH +```` + +# 3. Login + +## 3.1. SSH + +Connect to `:42137`. Please note that if you select a different port by mistake, your client IP address will be blocked +instantly — literally in a few microseconds — for 86,400 seconds (i.e., one full day) due to the + +* `ufw` +* `fail2ban` +* `/etc/hosts.deny` + +ultimate hardening rules: + +````text +### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused] +### Jump host mistyped 1–3 times: no ban, only after four attempts [sshd] +(...) +# ufw aggressive approach: +# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...). +# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt. +```` + +## 3.2. Console + +Login as root and present the following credentials: ````text Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH ````