Marc S. Weidner
60374476ab
Some checks failed
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m6s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
242 lines
9.3 KiB
Bash
242 lines
9.3 KiB
Bash
#!/bin/bash
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.live.builder
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
set -Ceuo pipefail
|
|
|
|
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
|
|
|
cd /root
|
|
|
|
cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/cdlb/backup/fail2ban.conf.bak
|
|
chmod 0400 /root/.ciss/cdlb/backup/fail2ban.conf.bak
|
|
|
|
### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
|
|
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
|
|
|
|
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/cdlb/backup/defaults-debian.conf.bak
|
|
chmod 0400 /root/.ciss/cdlb/backup/defaults-debian.conf.bak
|
|
|
|
cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
|
|
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.live.builder
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
[DEFAULT]
|
|
banaction = nftables-multiport
|
|
banaction_allports = nftables-allports
|
|
dbpurgeage = 384d
|
|
# 127.0.0.1/8 - IPv4 loopback range (local host)
|
|
# ::1/128 - IPv6 loopback
|
|
# fe80::/10 - IPv6 link-local (on-link only; NDP/RA/DAD)
|
|
# ff00::/8 - IPv6 multicast (not an unicast host)
|
|
# ::/128 - IPv6 unspecified (all zeros; never a real peer)
|
|
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
|
|
usedns = yes
|
|
|
|
[recidive]
|
|
enabled = true
|
|
banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
|
|
bantime = 8d
|
|
bantime.increment = true
|
|
bantime.factor = 1
|
|
bantime.maxtime = 128d
|
|
bantime.multipliers = 1 2 4 8 16
|
|
bantime.overalljails = true
|
|
bantime.rndtime = 877s
|
|
filter = recidive
|
|
findtime = 16d
|
|
logpath = /var/log/fail2ban/fail2ban.log*
|
|
maxretry = 2
|
|
|
|
### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
|
|
### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd]
|
|
|
|
[sshd]
|
|
enabled = true
|
|
backend = systemd
|
|
bantime = 1h
|
|
bantime.increment = true
|
|
bantime.factor = 1
|
|
bantime.maxtime = 16d
|
|
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
|
bantime.overalljails = true
|
|
bantime.rndtime = 877s
|
|
filter = sshd
|
|
findtime = 16m
|
|
maxretry = 4
|
|
mode = aggressive
|
|
port = PORT_MUST_BE_SET
|
|
protocol = tcp
|
|
|
|
[sshd-refused]
|
|
enabled = true
|
|
bantime = 1h
|
|
bantime.increment = true
|
|
bantime.factor = 1
|
|
bantime.maxtime = 16d
|
|
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
|
bantime.overalljails = true
|
|
bantime.rndtime = 877s
|
|
filter = ciss-sshd-refused
|
|
findtime = 16m
|
|
logpath = /var/log/auth.log
|
|
maxretry = 1
|
|
port = PORT_MUST_BE_SET
|
|
protocol = tcp
|
|
|
|
#
|
|
# CISS aggressive approach:
|
|
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
|
|
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
|
|
#
|
|
|
|
[ufw]
|
|
enabled = true
|
|
banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
|
|
bantime = 1h
|
|
bantime.increment = true
|
|
bantime.factor = 1
|
|
bantime.maxtime = 16d
|
|
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
|
bantime.overalljails = true
|
|
bantime.rndtime = 877s
|
|
filter = ciss-ufw
|
|
findtime = 16m
|
|
logpath = /var/log/ufw.log
|
|
maxretry = 1
|
|
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
|
EOF
|
|
|
|
cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
|
|
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.live.builder
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
[Definition]
|
|
# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
|
|
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
|
|
ignoreregex =
|
|
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
|
EOF
|
|
|
|
cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
|
|
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.live.builder
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
[Definition]
|
|
failregex = ^refused connect from \S+ \(<HOST>\)
|
|
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
|
EOF
|
|
|
|
###########################################################################################
|
|
# Remarks: hardening of fail2ban systemd #
|
|
###########################################################################################
|
|
# https://wiki.archlinux.org/title/fail2ban#Service_hardening #
|
|
# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read #
|
|
# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to #
|
|
# operate # on any firewall that has a command-line shell interface. By using #
|
|
# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths #
|
|
# allows Fail2ban to have write access on required paths. #
|
|
###########################################################################################
|
|
mkdir -p /etc/systemd/system/fail2ban.service.d
|
|
mkdir -p /var/log/fail2ban
|
|
|
|
cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
|
|
[Service]
|
|
PrivateDevices=yes
|
|
PrivateTmp=yes
|
|
ProtectHome=read-only
|
|
ProtectSystem=strict
|
|
ReadWritePaths=-/var/run/fail2ban
|
|
ReadWritePaths=-/var/lib/fail2ban
|
|
ReadWritePaths=-/var/log/fail2ban
|
|
ReadWritePaths=-/var/spool/postfix/maildrop
|
|
ReadWritePaths=-/run/xtables.lock
|
|
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
|
|
|
|
### Added by CISS.debian.live.builder
|
|
ProtectClock=true
|
|
ProtectHostname=true
|
|
|
|
EOF
|
|
|
|
cat << 'EOF' >> /etc/fail2ban/fail2ban.local
|
|
[Definition]
|
|
logtarget = /var/log/fail2ban/fail2ban.log
|
|
|
|
[Database]
|
|
# Keep entries for at least 384 days to cover recidive findtime.
|
|
dbpurgeage = 384d
|
|
EOF
|
|
|
|
###########################################################################################
|
|
# Remarks: Logrotate must be updated either #
|
|
###########################################################################################
|
|
cp -a /etc/logrotate.d/fail2ban /root/.ciss/cdlb/backup/fail2ban_logrotate.bak
|
|
cat << EOF >| /etc/logrotate.d/fail2ban
|
|
/var/log/fail2ban/fail2ban.log {
|
|
daily
|
|
rotate 384
|
|
maxage 384
|
|
notifempty
|
|
dateext
|
|
dateyesterday
|
|
compress
|
|
compresscmd /usr/bin/zstd
|
|
compressext .zst
|
|
compressoptions -20
|
|
uncompresscmd /usr/bin/unzstd
|
|
delaycompress
|
|
shred
|
|
missingok
|
|
postrotate
|
|
fail2ban-client flushlogs 1>/dev/null
|
|
endscript
|
|
# If fail2ban runs as non-root it still needs to have write access
|
|
# to logfiles.
|
|
# create 640 fail2ban adm
|
|
create 640 root adm
|
|
}
|
|
EOF
|
|
|
|
touch /var/log/fail2ban/fail2ban.log
|
|
chmod 0640 /var/log/fail2ban/fail2ban.log
|
|
|
|
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
|
|
|
exit 0
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|