diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot
index 932e8ba..5aa2653 100644
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -130,27 +130,26 @@ squashfs
 overlay
 #### nftables ------------------------------------------------------------------------------------------------------------------
+#nf_log_common # built-in
+#nft_counter # built-in
+#nft_icmp # built-in
+#nft_icmpv6 # built-in
+#nft_meta # built-in
+#nft_set_hash # built-in
+#nft_set_rbtree # built-in
+#nft_tcp # built-in
+#nft_udp # built-in
 nf_conntrack
-nf_log_common
 nf_nat
 nf_reject_ipv4
 nf_reject_ipv6
 nf_tables
-nft_counter
 nft_ct
-nft_icmp
-nft_icmpv6
 nft_limit
 nft_log
 nft_masq
-nft_meta
 nft_nat
 nft_reject_inet
-nft_set_hash
-nft_set_rbtree
-nft_tcp
-nft_udp
-nft_reject_inet
 nfnetlink
 nfnetlink_log
diff --git a/config/hooks/live/9950_fail2ban_hardening.chroot b/config/hooks/live/9950_hardening_fail2ban.chroot
similarity index 86%
rename from config/hooks/live/9950_fail2ban_hardening.chroot
rename to config/hooks/live/9950_hardening_fail2ban.chroot
index 28550f3..e517e80 100644
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_hardening_fail2ban.chroot
@@ -49,7 +49,7 @@ ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_
 [recidive]
 enabled = true
-banaction = %(banaction_allports)s
+banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime = 8d
 bantime.increment = true
 bantime.factor = 1
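Review bot: The nine modules dropped from the active list are each annotated `# built-in`, which is a statement about one particular kernel build rather than something the hook can check, and nothing in the hunk records which kernel it was verified against. If the live image is ever built on a kernel package that ships these as loadable modules, the nftables ruleset loaded from the initramfs would be missing them with no hint in this file as to why. A one-line note on the section header would make the assumption reviewable, e.g. `#### nftables (built-in set verified against <kernel-package-version placeholder>; see /lib/modules/<ver>/modules.builtin)`. The removal of the duplicated `nft_reject_inet` entry is a welcome side effect of the change.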
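Review bot: The added `banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]` is written out in full under [recidive] here and again under [ufw] in the @@ -105 hunk, replacing the `%(banaction_allports)s` reference that previously let both jails inherit a single definition. Defining it once in the section that `ignoreip` sits in (presumably [DEFAULT]) as `banaction_allports = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]` and keeping `banaction = %(banaction_allports)s` in the jails keeps the two jails in step and leaves one place to edit. Whether `type=custom` and the parameter names `family`/`table`/`chain` are what the installed action.d/nftables.conf reads cannot be checked from this hunk; fail2ban does not reject unknown action parameters, so a mismatch would silently leave the action on its defaults instead of failing, which `fail2ban-client -d` would reveal. The family, table and chain values appear to coincide with the action's own defaults, so `blocktype=drop` looks like the only setting here that actually changes behaviour.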
@@ -105,24 +105,9 @@ protocol = tcp
 # There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
 #
-[icmp]
-enabled = true
-banaction = %(banaction_allports)s
-bantime = 1h
-bantime.increment = true
-bantime.factor = 1
-bantime.maxtime = 16d
-bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
-bantime.overalljails = true
-bantime.rndtime = 877s
-filter = ciss-icmp
-findtime = 16m
-logpath = /var/log/ufw.log
-maxretry = 1
-
 [ufw]
 enabled = true
-banaction = %(banaction_allports)s
+banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime = 1h
 bantime.increment = true
 bantime.factor = 1
@@ -138,26 +123,6 @@ maxretry = 1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-icmp.conf
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.;
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-[Definition]
-# Generic ICMP/ICMPv6 blocks
-failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=\b.*?\bPROTO=ICMP\b.*$
- ^.*UFW (?:BLOCK|REJECT).*?\bSRC=\b.*?\bPROTO=ICMPv6\b.*$
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-
 cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.;
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 6d11522..5f07327 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
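Review bot: The two context lines `# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.` and `#` described the [icmp] jail, and with that jail removed they now sit directly above [ufw], which uses a different filter, so they read as a description of a jail they do not match. Either drop both lines or reword them for the jail that remains, e.g. `# Sources that hit UFW BLOCK/REJECT rules are banned via the ciss-ufw filter.` The same removal (together with the ciss-icmp filter deleted in the @@ -138 hunk) means ICMP/ICMPv6 hits in the ufw log are only still acted on if the ciss-ufw filter matches them, which this hunk cannot show; a short comment stating that the loss of the dedicated ICMP jail is intentional, or that ciss-ufw covers it, would stop the next reader from treating it as an accidental gap in coverage. The [ufw] jail continues past the end of this hunk.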
@@ -14,9 +14,9 @@ include_toc: true
 ## V8.13.288.2025.10.24
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + nftables mods
-* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) + banaction = nftables-*
+* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) + banaction = nftables-*
 * **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection
-* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) changed var injection
+* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) changed var injection
 * **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection
 * **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection
@@ -34,13 +34,13 @@ include_toc: true
 ## V8.13.256.2025.10.21
 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
-* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot)
+* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
 * **Updated**: [.zshenv](../config/includes.chroot/root/.zshenv)
 ## V8.13.224.2025.10.19
 * **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
 * **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
-* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) updated ignoreip
+* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) updated ignoreip
 * **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) + rsyslog
 * **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - haveged, + jitterentropy-rngd
@@ -49,7 +49,7 @@ include_toc: true
 * **Added**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot)
 * **Added**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)
 * **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) XDG Base Directory Support
-* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot)
+* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
 * **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) hardened MaxStartups
 * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) removed haveged alias
 * **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts) removed haveged entry
diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh
index c2223d5..bca08fc 100644
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -199,7 +199,7 @@ hardening_ultra() {
 declare pad="$(printf '%-29s' 'Port')"
 sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
- ### /config/hooks/live/9950_fail2ban_hardening.chroot
+ ### /config/hooks/live/9950_hardening_fail2ban.chroot
 sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
 ### /config/hooks/live/0900_ufw_setup.chroot
@@ -248,7 +248,7 @@ hardening_ultra() {
 declare pad="$(printf '%-29s' 'Port')"
 sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
- ### /config/hooks/live/9950_fail2ban_hardening.chroot
+ ### /config/hooks/live/9950_hardening_fail2ban.chroot
 sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
 ### /config/hooks/live/0900_ufw_setup.chroot
@@ -306,7 +306,7 @@ hardening_ultra() {
 fi
- ### /config/hooks/live/9950_fail2ban_hardening.chroot
+ ### /config/hooks/live/9950_hardening_fail2ban.chroot
 if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
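Review bot: The added comment names `9950_hardening_fail2ban.chroot`, but the `sed -i "s|PORT_MUST_BE_SET|${sshport}|g"` on the very next context line still targets `${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot`, the path this same commit renames away (see the `rename from`/`rename to` header above). Once the rename lands, that sed reports that it cannot read the file and exits non-zero, the PORT_MUST_BE_SET placeholder in the hook is never substituted, and unless the script runs with `set -e` or checks the status the build carries on with whatever jail setting carries that placeholder left unset. Change the target to `"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"` here and in the identical @@ -248 hunk; the @@ -306 hunk makes the same comment-only rename, but its body continues past the end of this chunk, so the corresponding jumphost substitution could not be checked. hardening_ultra() begins and ends outside all three hunks.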