#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

cd /root

cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
chmod 0400 /root/.ciss/dlb/backup/fail2ban.conf.bak

### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf

mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak

cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

[DEFAULT]
banaction             = nftables-multiport
banaction_allports    = nftables-allports
dbpurgeage            = 384d
#                       127.0.0.1/8 - IPv4 loopback range (local host)
#                       ::1/128     - IPv6 loopback
#                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
#                       ff00::/8    - IPv6 multicast (not an unicast host)
#                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
usedns		            = yes

[recidive]
enabled               = true
banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime               = 8d
bantime.increment     = true
bantime.factor        = 1
bantime.maxtime       = 128d
bantime.multipliers   = 1 2 4 8 16
bantime.overalljails  = true
bantime.rndtime       = 877s
filter                = recidive
findtime              = 16d
logpath               = /var/log/fail2ban/fail2ban.log*
maxretry              = 3

### SSH Handling:     Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
###                   Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]

[sshd]
enabled               = true
backend               = systemd
bantime               = 1h
bantime.increment     = true
bantime.factor        = 1
bantime.maxtime       = 16d
bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails  = true
bantime.rndtime       = 877s
filter                = sshd
findtime              = 16m
maxretry              = 4
mode                  = aggressive
port                  = PORT_MUST_BE_SET
protocol              = tcp

[sshd-refused]
enabled               = true
bantime               = 1h
bantime.increment     = true
bantime.factor        = 1
bantime.maxtime       = 16d
bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails  = true
bantime.rndtime       = 877s
filter                = ciss-sshd-refused
findtime              = 16m
logpath               = /var/log/auth.log
maxretry              = 1
port                  = PORT_MUST_BE_SET
protocol              = tcp

#
# CISS aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
#

[ufw]
enabled               = true
banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime               = 1h
bantime.increment     = true
bantime.factor        = 1
bantime.maxtime       = 16d
bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails  = true
bantime.rndtime       = 877s
filter                = ciss-ufw
findtime              = 16m
logpath               = /var/log/ufw.log
maxretry              = 1

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

[Definition]
# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
ignoreregex           =

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

[Definition]
failregex = ^refused connect from \S+ \(<HOST>\)

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

###########################################################################################
# Remarks: hardening of fail2ban systemd                                                  #
###########################################################################################
# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
# operate # on any firewall that has a command-line shell interface. By using             #
# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
# allows Fail2ban to have write access on required paths.                                 #
###########################################################################################
mkdir -p /etc/systemd/system/fail2ban.service.d
mkdir -p /var/log/fail2ban

cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW

### Added by CISS.debian.live.builder
ProtectClock=true
ProtectHostname=true

EOF

cat << 'EOF' >> /etc/fail2ban/fail2ban.local
[Definition]
logtarget             = /var/log/fail2ban/fail2ban.log

[Database]
# Keep entries for at least 384 days to cover recidive findtime.
dbpurgeage            = 384d
EOF

###########################################################################################
# Remarks: Logrotate must be updated either                                               #
###########################################################################################
cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
cat << EOF >| /etc/logrotate.d/fail2ban
/var/log/fail2ban/fail2ban.log {
    daily
    rotate 384
    maxage 384
    notifempty
    dateext
    dateyesterday
    compress
    compresscmd /usr/bin/zstd
    compressext .zst
    compressoptions -20
    uncompresscmd /usr/bin/unzstd
    delaycompress
    shred
    missingok
    postrotate
        fail2ban-client flushlogs 1>/dev/null
    endscript
    # If fail2ban runs as non-root it still needs to have write access
    # to logfiles.
    # create 640 fail2ban adm
    create 640 root adm
}
EOF

touch /var/log/fail2ban/fail2ban.log
chmod 0640 /var/log/fail2ban/fail2ban.log

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh