#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

cd /root

cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak

### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf

mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak

cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

[DEFAULT]
usedns    = yes
# local | vpn
ignoreip  = 127.0.0.0/8 ::1 MUST_BE_SET
maxretry  = 8
findtime  = 24h
bantime   = 24h

### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]

[sshd]
enabled   = true
backend   = systemd
filter    = sshd
mode      = normal
port      = MUST_BE_SET
protocol  = tcp
logpath   = /var/log/auth.log
maxretry  = 4
findtime  = 24h
bantime   = 24h

[sshd-refused]
enabled   = true
filter    = sshd-refused
port      = MUST_BE_SET
protocol  = tcp
logpath   = /var/log/auth.log
maxretry  = 1
findtime  = 24h
bantime   = 24h

# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.

[ufw]
enabled   = true
filter    = ufw.aggressive
action    = iptables-allports
logpath   = /var/log/ufw.log
maxretry  = 1
findtime  = 24h
bantime   = 24h
protocol  = tcp,udp

EOF

cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
[Definition]
failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
EOF

cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
[Definition]
failregex = ^refused connect from \S+ \(<HOST>\)
EOF

###########################################################################################
# Remarks: hardening of fail2ban systemd                                                  #
###########################################################################################
# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
# operate # on any firewall that has a command-line shell interface. By using             #
# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
# allows Fail2ban to have write access on required paths.                                 #
###########################################################################################
mkdir -p /etc/systemd/system/fail2ban.service.d
mkdir /var/log/fail2ban

cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW

### Added by CISS.debian.live.builder
ProtectClock=true
ProtectHostname=true

EOF

cat << 'EOF' >> /etc/fail2ban/fail2ban.local
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
EOF

###########################################################################################
# Remarks: Logrotate must be updated either                                               #
###########################################################################################
cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
touch /var/log/fail2ban/fail2ban.log
chmod 640 /var/log/fail2ban/fail2ban.log

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh