V8.02.512.2025.05.30

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-05-30 00:28:39 +02:00
parent 2680012395
commit b2282d3475
172 changed files with 14057 additions and 41 deletions
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -0,0 +1,148 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+cd /root
+
+cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
+chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
+
+### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
+sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
+
+mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
+chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
+
+cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[DEFAULT]
+usedns    = yes
+# local | vpn
+ignoreip  = 127.0.0.0/8 ::1 MUST_BE_SET
+maxretry  = 8
+findtime  = 24h
+bantime   = 24h
+
+### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
+###               Jump host mistyped 1–3 times: no ban, only after four attempts          [sshd]
+
+[sshd]
+enabled   = true
+backend   = systemd
+filter    = sshd
+mode      = normal
+port      = MUST_BE_SET
+protocol  = tcp
+logpath   = /var/log/auth.log
+maxretry  = 4
+findtime  = 24h
+bantime   = 24h
+
+[sshd-refused]
+enabled   = true
+filter    = sshd-refused
+port      = MUST_BE_SET
+protocol  = tcp
+logpath   = /var/log/auth.log
+maxretry  = 1
+findtime  = 24h
+bantime   = 24h
+
+# ufw aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
+
+[ufw]
+enabled   = true
+filter    = ufw.aggressive
+action    = iptables-allports
+logpath   = /var/log/ufw.log
+maxretry  = 1
+findtime  = 24h
+bantime   = 24h
+protocol  = tcp,udp
+
+EOF
+
+cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
+[Definition]
+failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
+EOF
+
+cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
+[Definition]
+failregex = ^refused connect from \S+ \(<HOST>\)
+EOF
+
+###########################################################################################
+# Remarks: hardening of fail2ban systemd                                                  #
+###########################################################################################
+# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
+# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
+# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
+# operate # on any firewall that has a command-line shell interface. By using             #
+# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
+# allows Fail2ban to have write access on required paths.                                 #
+###########################################################################################
+mkdir -p /etc/systemd/system/fail2ban.service.d
+mkdir /var/log/fail2ban
+
+cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+
+### Added by CISS.debian.live.builder
+ProtectClock=true
+ProtectHostname=true
+
+EOF
+
+cat << 'EOF' >> /etc/fail2ban/fail2ban.local
+[Definition]
+logtarget = /var/log/fail2ban/fail2ban.log
+EOF
+
+###########################################################################################
+# Remarks: Logrotate must be updated either                                               #
+###########################################################################################
+cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
+sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
+touch /var/log/fail2ban/fail2ban.log
+chmod 640 /var/log/fail2ban/fail2ban.log
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh