msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
52670eff775b23f9a382be67ef3caf3380095b2a2583a7019944afec11c1d6e2
CISS.debian.live.builder/config/hooks/live/9950_fail2ban_hardening.chroot
Marc S. Weidner 52670eff77
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m8s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m45s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 53m19s
Details
V8.13.224.2025.10.19 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-19 09:24:19 +01:00

213 lines
7.7 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root
cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
chmod 0400 /root/.ciss/dlb/backup/fail2ban.conf.bak
### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[DEFAULT]
usedns = yes
# 127.0.0.1/8 IPv4 loopback range (local host)
# ::1/128 IPv6 loopback
# fe80::/10 IPv6 link-local (on-link only; NDP/RA/DAD)
# fc00::/7 IPv6 ULA (private LAN addresses)
# ff00::/8 IPv6 multicast (not an unicast host)
# ::/128 IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 MUST_BE_SET
maxretry = 8
findtime = 24h
bantime = 24h
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd]
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = MUST_BE_SET
protocol = tcp
logpath = /var/log/auth.log
maxretry = 4
findtime = 24h
bantime = 24h
[sshd-refused]
enabled = true
filter = ciss-sshd-refused
port = MUST_BE_SET
protocol = tcp
logpath = /var/log/auth.log
maxretry = 1
findtime = 24h
bantime = 24h
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
[ufw]
enabled = true
filter = ciss-ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
bantime = 24h
findtime = 24h
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Definition]
failregex = \[UFW BLOCK\].+SRC=<HOST> DST
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Definition]
failregex = ^refused connect from \S+ \(<HOST>\)
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
###########################################################################################
# Remarks: hardening of fail2ban systemd #
###########################################################################################
# https://wiki.archlinux.org/title/fail2ban#Service_hardening #
# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read #
# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to #
# operate # on any firewall that has a command-line shell interface. By using #
# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths #
# allows Fail2ban to have write access on required paths. #
###########################################################################################
mkdir -p /etc/systemd/system/fail2ban.service.d
mkdir -p /var/log/fail2ban
cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
### Added by CISS.debian.live.builder
ProtectClock=true
ProtectHostname=true
EOF
cat << 'EOF' >> /etc/fail2ban/fail2ban.local
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
[Database]
# Keep entries for at least 384 days to cover recidive findtime.
dbpurgeage = 384d
EOF
###########################################################################################
# Remarks: Logrotate must be updated either #
###########################################################################################
cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
#sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
cat << EOF >| /etc/logrotate.d/fail2ban
/var/log/fail2ban/fail2ban.log {
daily
rotate 384
compress
# Do not rotate if empty
notifempty
delaycompress
missingok
postrotate
fail2ban-client flushlogs 1>/dev/null
endscript
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
create 640 root adm
}
EOF
touch /var/log/fail2ban/fail2ban.log
chmod 0640 /var/log/fail2ban/fail2ban.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink