msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
31c2a2cf6f8fdc6e6d1e36caad159d1bff44c86ca61ae30d434d4c1ec94de53a
CISS.debian.live.builder/config/hooks/live/9950_hardening_fail2ban.chroot
Marc S. Weidner ae0bd5f3e9
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m6s
Details
V8.13.384.2025.11.06 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-06 23:04:22 +01:00

242 lines
9.3 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root
cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/cdlb/backup/fail2ban.conf.bak
chmod 0400 /root/.ciss/cdlb/backup/fail2ban.conf.bak
### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/cdlb/backup/defaults-debian.conf.bak
chmod 0400 /root/.ciss/cdlb/backup/defaults-debian.conf.bak
cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[DEFAULT]
banaction = nftables-multiport
banaction_allports = nftables-allports
dbpurgeage = 384d
# 127.0.0.1/8 - IPv4 loopback range (local host)
# ::1/128 - IPv6 loopback
# fe80::/10 - IPv6 link-local (on-link only; NDP/RA/DAD)
# ff00::/8 - IPv6 multicast (not an unicast host)
# ::/128 - IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
usedns = yes
[recidive]
enabled = true
banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime = 8d
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 128d
bantime.multipliers = 1 2 4 8 16
bantime.overalljails = true
bantime.rndtime = 877s
filter = recidive
findtime = 16d
logpath = /var/log/fail2ban/fail2ban.log*
maxretry = 2
### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd]
[sshd]
enabled = true
backend = systemd
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = sshd
findtime = 16m
maxretry = 4
mode = aggressive
port = PORT_MUST_BE_SET
protocol = tcp
[sshd-refused]
enabled = true
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = ciss-sshd-refused
findtime = 16m
logpath = /var/log/auth.log
maxretry = 1
port = PORT_MUST_BE_SET
protocol = tcp
#
# CISS aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
#
[ufw]
enabled = true
banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = ciss-ufw
findtime = 16m
logpath = /var/log/ufw.log
maxretry = 1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Definition]
# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
ignoreregex =
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Definition]
failregex = ^refused connect from \S+ \(<HOST>\)
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
###########################################################################################
# Remarks: hardening of fail2ban systemd #
###########################################################################################
# https://wiki.archlinux.org/title/fail2ban#Service_hardening #
# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read #
# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to #
# operate # on any firewall that has a command-line shell interface. By using #
# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths #
# allows Fail2ban to have write access on required paths. #
###########################################################################################
mkdir -p /etc/systemd/system/fail2ban.service.d
mkdir -p /var/log/fail2ban
cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
### Added by CISS.debian.live.builder
ProtectClock=true
ProtectHostname=true
EOF
cat << 'EOF' >> /etc/fail2ban/fail2ban.local
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
[Database]
# Keep entries for at least 384 days to cover recidive findtime.
dbpurgeage = 384d
EOF
###########################################################################################
# Remarks: Logrotate must be updated either #
###########################################################################################
cp -a /etc/logrotate.d/fail2ban /root/.ciss/cdlb/backup/fail2ban_logrotate.bak
cat << EOF >| /etc/logrotate.d/fail2ban
/var/log/fail2ban/fail2ban.log {
daily
rotate 384
maxage 384
notifempty
dateext
dateyesterday
compress
compresscmd /usr/bin/zstd
compressext .zst
compressoptions -20
uncompresscmd /usr/bin/unzstd
delaycompress
shred
missingok
postrotate
fail2ban-client flushlogs 1>/dev/null
endscript
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
create 640 root adm
}
EOF
touch /var/log/fail2ban/fail2ban.log
chmod 0640 /var/log/fail2ban/fail2ban.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink