V8.13.288.2025.10.24

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-24 18:53:43 +01:00
parent 7a71c4e27a
commit c19f66319d
4 changed files with 19 additions and 55 deletions
--- a/config/hooks/live/9950_hardening_fail2ban.chroot
+++ b/config/hooks/live/9950_hardening_fail2ban.chroot
@@ -0,0 +1,241 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cd /root
+
+cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
+chmod 0400 /root/.ciss/dlb/backup/fail2ban.conf.bak
+
+### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
+sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
+
+mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
+chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
+
+cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[DEFAULT]
+banaction             = nftables-multiport
+banaction_allports    = nftables-allports
+dbpurgeage            = 384d
+#                       127.0.0.1/8 - IPv4 loopback range (local host)
+#                       ::1/128     - IPv6 loopback
+#                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
+#                       ff00::/8    - IPv6 multicast (not an unicast host)
+#                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
+
+[recidive]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 8d
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 128d
+bantime.multipliers   = 1 2 4 8 16
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = recidive
+findtime              = 16d
+logpath               = /var/log/fail2ban/fail2ban.log*
+maxretry              = 3
+
+### SSH Handling:     Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
+###                   Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
+
+[sshd]
+enabled               = true
+backend               = systemd
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = sshd
+findtime              = 16m
+maxretry              = 4
+mode                  = aggressive
+port                  = PORT_MUST_BE_SET
+protocol              = tcp
+
+[sshd-refused]
+enabled               = true
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-sshd-refused
+findtime              = 16m
+logpath               = /var/log/auth.log
+maxretry              = 1
+port                  = PORT_MUST_BE_SET
+protocol              = tcp
+
+#
+# CISS aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
+# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
+#
+
+[ufw]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-ufw
+findtime              = 16m
+logpath               = /var/log/ufw.log
+maxretry              = 1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
+failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
+ignoreregex           =
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+failregex = ^refused connect from \S+ \(<HOST>\)
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+###########################################################################################
+# Remarks: hardening of fail2ban systemd                                                  #
+###########################################################################################
+# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
+# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
+# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
+# operate # on any firewall that has a command-line shell interface. By using             #
+# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
+# allows Fail2ban to have write access on required paths.                                 #
+###########################################################################################
+mkdir -p /etc/systemd/system/fail2ban.service.d
+mkdir -p /var/log/fail2ban
+
+cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+
+### Added by CISS.debian.live.builder
+ProtectClock=true
+ProtectHostname=true
+
+EOF
+
+cat << 'EOF' >> /etc/fail2ban/fail2ban.local
+[Definition]
+logtarget             = /var/log/fail2ban/fail2ban.log
+
+[Database]
+# Keep entries for at least 384 days to cover recidive findtime.
+dbpurgeage            = 384d
+EOF
+
+###########################################################################################
+# Remarks: Logrotate must be updated either                                               #
+###########################################################################################
+cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
+cat << EOF >| /etc/logrotate.d/fail2ban
+/var/log/fail2ban/fail2ban.log {
+    daily
+    rotate 384
+    maxage 384
+    notifempty
+    dateext
+    dateyesterday
+    compress
+    compresscmd /usr/bin/zstd
+    compressext .zst
+    compressoptions -20
+    uncompresscmd /usr/bin/unzstd
+    delaycompress
+    shred
+    missingok
+    postrotate
+        fail2ban-client flushlogs 1>/dev/null
+    endscript
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root adm
+}
+EOF
+
+touch /var/log/fail2ban/fail2ban.log
+chmod 0640 /var/log/fail2ban/fail2ban.log
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh