| author | Craig Jennings <c@cjennings.net> | 2026-01-17 23:55:54 -0600 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-01-17 23:55:54 -0600 |
| commit | 8a2076e1e5909f1241ccfd8906469e179fab25d6 (patch) | |
| tree | c03a190e98a340db0e0770062e63f39effcdd605 /archsetup | |
| parent | 399512e5e7b19d2817f0089d7afd67f7a8119523 (diff) | |
feat(archsetup): add fail2ban for SSH brute force protection
- Install and configure fail2ban with ufw integration
- SSH jail: 3 attempts, 1 hour ban
- Default jail: 5 attempts, 10 minute ban
- Also file security recommendations to assets/
Diffstat (limited to 'archsetup')
| -rwxr-xr-x | archsetup | 28 |
1 files changed, 28 insertions, 0 deletions
@@ -633,6 +633,34 @@ essential_services() {
 action="starting the openssh service" && display "task" "$action"
 systemctl start sshd >> "$logfile" 2>&1 || error "error" "$action" "$?"
+ # SSH Brute Force Protection
+
+ display "subtitle" "SSH Brute Force Protection"
+ pacman_install fail2ban
+
+ action="configuring fail2ban for SSH protection" && display "task" "$action"
+ cat << 'EOF' > /etc/fail2ban/jail.local
+[DEFAULT]
+# Ban for 10 minutes by default
+bantime = 10m
+findtime = 10m
+maxretry = 5
+# Use ufw for ban actions
+banaction = ufw
+
+[sshd]
+enabled = true
+port = ssh
+# Stricter settings for SSH: 3 attempts, 1 hour ban
+maxretry = 3
+bantime = 1h
+EOF
+
+ action="enabling fail2ban service" && display "task" "$action"
+ systemctl enable fail2ban >> "$logfile" 2>&1 || error "error" "$action" "$?"
+ action="starting fail2ban service" && display "task" "$action"
+ systemctl start fail2ban >> "$logfile" 2>&1 || error "error" "$action" "$?"
+
 # Firewall
 # deny all connections by default, then allow the following: |
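Review bot: The heredoc that writes `/etc/fail2ban/jail.local` is the only step in this added block without the `|| error "error" "$action" "$?"` check used on the systemctl lines, so a failed write goes unreported and fail2ban would then start without the `[sshd]` overrides this file is meant to supply. I would put the check on the heredoc line, `cat << 'EOF' > /etc/fail2ban/jail.local || error "error" "$action" "$?"`, and add a comment noting that any existing jail.local is overwritten. The block also starts fail2ban with `banaction = ufw` before the `# Firewall` section that follows; if ufw is only installed and enabled there (not visible in this hunk), consider moving this block after it so ban actions have a working firewall to act on. On a journald-only system it is also worth confirming that the sshd jail reads the journal, for example by setting `backend = systemd` under `[sshd]`. essential_services() begins and ends outside the hunk.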
