Preconfigure fail2ban and core security services by default

config/auditd/hardening.rules

@@ -0,0 +1,6 @@
+## Managed by sicherheit-install
+-w /etc/passwd -p wa -k identity
+-w /etc/group -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/sudoers -p wa -k scope
+-w /var/log/auth.log -p wa -k authlog

config/fail2ban/jail.local

@@ -1,18 +1,35 @@
 [DEFAULT]
 ignoreip = 127.0.0.1/8 ::1
-bantime  = 1h
+bantime = 1h
 findtime = 10m
 maxretry = 5
-backend  = systemd
+backend = systemd
+banaction = ufw
+banaction_allports = ufw
+
+action = %(action_mwl)s
 
 [sshd]
-enabled  = true
-port     = ssh
-logpath  = %(sshd_log)s
-maxretry = 5
+enabled = true
+mode = aggressive
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 4
+findtime = 10m
+bantime = 4h
 
 [sshd-ddos]
-enabled  = true
-port     = ssh
-logpath  = %(sshd_log)s
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
 maxretry = 3
+findtime = 10m
+bantime = 8h
+
+[recidive]
+enabled = true
+logpath = /var/log/fail2ban.log
+banaction = ufw-allports
+findtime = 1d
+bantime = 7d
+maxretry = 5

config/ssh/sshd_config.d-sicherheit.conf

@@ -0,0 +1,13 @@
+# Managed by sicherheit-install
+Protocol 2
+PermitRootLogin prohibit-password
+PasswordAuthentication no
+PubkeyAuthentication yes
+PermitEmptyPasswords no
+X11Forwarding no
+ClientAliveInterval 300
+ClientAliveCountMax 2
+MaxAuthTries 4
+MaxSessions 10
+LoginGraceTime 30
+AllowTcpForwarding no

config/sysctl/99-sicherheit.conf

@@ -0,0 +1,10 @@
+# Managed by sicherheit-install
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+kernel.randomize_va_space = 2

config/ufw/after.rules

@@ -0,0 +1,10 @@
+# Managed by sicherheit-install
+*filter
+:ufw-after-input - [0:0]
+:ufw-after-output - [0:0]
+:ufw-after-forward - [0:0]
+
+# Drop invalid packets early
+-A ufw-after-input -m conntrack --ctstate INVALID -j DROP
+
+COMMIT

config/unattended-upgrades/20auto-upgrades

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";

config/unattended-upgrades/50unattended-upgrades

@@ -0,0 +1,9 @@
+Unattended-Upgrade::Allowed-Origins {
+        "${distro_id}:${distro_codename}";
+        "${distro_id}:${distro_codename}-security";
+        "${distro_id}ESMApps:${distro_codename}-apps-security";
+        "${distro_id}ESM:${distro_codename}-infra-security";
+};
+
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Automatic-Reboot "false";