V8.13.288.2025.10.24

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0001_initramfs_modules.chroot

@@ -130,27 +130,26 @@ squashfs
 overlay
 
 #### nftables ------------------------------------------------------------------------------------------------------------------
+#nf_log_common  # built-in
+#nft_counter    # built-in
+#nft_icmp       # built-in
+#nft_icmpv6     # built-in
+#nft_meta       # built-in
+#nft_set_hash   # built-in
+#nft_set_rbtree # built-in
+#nft_tcp        # built-in
+#nft_udp        # built-in
 nf_conntrack
-nf_log_common
 nf_nat
 nf_reject_ipv4
 nf_reject_ipv6
 nf_tables
-nft_counter
 nft_ct
-nft_icmp
-nft_icmpv6
 nft_limit
 nft_log
 nft_masq
-nft_meta
 nft_nat
 nft_reject_inet
-nft_set_hash
-nft_set_rbtree
-nft_tcp
-nft_udp
-nft_reject_inet
 nfnetlink
 nfnetlink_log
 

config/hooks/live/9950_hardening_fail2ban.chroot

@@ -49,7 +49,7 @@ ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_
 
 [recidive]
 enabled               = true
-banaction             = %(banaction_allports)s
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
@@ -105,24 +105,9 @@ protocol              = tcp
 # There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
 #
 
-[icmp]
-enabled               = true
-banaction             = %(banaction_allports)s
-bantime               = 1h
-bantime.increment     = true
-bantime.factor        = 1
-bantime.maxtime       = 16d
-bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-bantime.overalljails  = true
-bantime.rndtime       = 877s
-filter                = ciss-icmp
-findtime              = 16m
-logpath               = /var/log/ufw.log
-maxretry              = 1
-
 [ufw]
 enabled               = true
-banaction             = %(banaction_allports)s
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
@@ -138,26 +123,6 @@ maxretry              = 1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-icmp.conf
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-[Definition]
-# Generic ICMP/ICMPv6 blocks
-failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
-                        ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMPv6\b.*$
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-
 cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>

docs/CHANGELOG.md

@@ -14,9 +14,9 @@ include_toc: true
 
 ## V8.13.288.2025.10.24
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + nftables mods
-* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) + banaction = nftables-*
+* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) + banaction = nftables-*
 * **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection
-* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) changed var injection
+* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) changed var injection
 * **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection
 * **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection
 
@@ -34,13 +34,13 @@ include_toc: true
 
 ## V8.13.256.2025.10.21
 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
-* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot)
+* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
 * **Updated**: [.zshenv](../config/includes.chroot/root/.zshenv)
 
 ## V8.13.224.2025.10.19
 * **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
 * **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
-* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) updated ignoreip
+* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) updated ignoreip
 * **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) + rsyslog
 * **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - haveged, + jitterentropy-rngd
 
@@ -49,7 +49,7 @@ include_toc: true
 * **Added**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot)
 * **Added**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)
 * **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) XDG Base Directory Support
-* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot)
+* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
 * **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) hardened MaxStartups
 * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) removed haveged alias
 * **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts) removed haveged entry

lib/lib_hardening_ultra.sh

@@ -199,7 +199,7 @@ hardening_ultra() {
     declare pad="$(printf '%-29s' 'Port')"
     sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
 
-    ### /config/hooks/live/9950_fail2ban_hardening.chroot
+    ### /config/hooks/live/9950_hardening_fail2ban.chroot
     sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
 
     ### /config/hooks/live/0900_ufw_setup.chroot
@@ -248,7 +248,7 @@ hardening_ultra() {
     declare pad="$(printf '%-29s' 'Port')"
     sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
 
-    ### /config/hooks/live/9950_fail2ban_hardening.chroot
+    ### /config/hooks/live/9950_hardening_fail2ban.chroot
     sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
 
     ### /config/hooks/live/0900_ufw_setup.chroot
@@ -306,7 +306,7 @@ hardening_ultra() {
   fi
 
 
-  ### /config/hooks/live/9950_fail2ban_hardening.chroot
+  ### /config/hooks/live/9950_hardening_fail2ban.chroot
   if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
 
     printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"