author: Craig Jennings <c@cjennings.net> 2026-01-17 23:55:54 -0600
committer: Craig Jennings <c@cjennings.net> 2026-01-17 23:55:54 -0600
commit: 8a2076e1e5909f1241ccfd8906469e179fab25d6 (patch)
tree: c03a190e98a340db0e0770062e63f39effcdd605 /assets/security-and-hardening-recommendations.txt
parent: 399512e5e7b19d2817f0089d7afd67f7a8119523 (diff)
feat(archsetup): add fail2ban for SSH brute force protection
- Install and configure fail2ban with ufw integration
- SSH jail: 3 attempts, 1 hour ban
- Default jail: 5 attempts, 10 minute ban
- Also file security recommendations to assets/
Diffstat (limited to 'assets/security-and-hardening-recommendations.txt')
-rw-r--r--  assets/security-and-hardening-recommendations.txt  119
1 file changed, 119 insertions, 0 deletions
diff --git a/assets/security-and-hardening-recommendations.txt b/assets/security-and-hardening-recommendations.txt
new file mode 100644
index 0000000..22a0c53
--- /dev/null
+++ b/assets/security-and-hardening-recommendations.txt
@@ -0,0 +1,119 @@
+# Security and Hardening Recommendations for archsetup
+
+These recommendations come from the install-archzfs base install.
+The base system is minimal - archsetup should handle hardening.
+
+## SSH Hardening (Priority: High)
+
+If SSH was enabled during install (for headless servers), it uses password auth.
+archsetup should:
+
+1. Install and configure fail2ban
+ - pacman -S fail2ban
+ - Enable sshd jail
+ - Configure ban times (suggested: 10m first offense, escalating)
+ - Consider integration with firewalld/nftables
+
+2. Switch to key-based authentication
+ - Prompt user for SSH public key or generate keypair
+ - Disable password authentication in /etc/ssh/sshd_config:
+ PasswordAuthentication no
+ PermitRootLogin prohibit-password (or 'no' for desktop)
+
+3. Consider changing default SSH port (optional, security through obscurity)
+
+## Firewall (Priority: High)
+
+Base install has no firewall configured. Options:
+
+1. firewalld (recommended for most users)
+ - pacman -S firewalld
+ - systemctl enable --now firewalld
+ - Default zone should block incoming except SSH
+
+2. nftables (for advanced users)
+ - Already installed as iptables backend
+ - Needs manual configuration
+
+3. ufw (simpler alternative)
+ - pacman -S ufw
+ - Good for users coming from Ubuntu
+
+## ZFS-Specific Recommendations
+
+1. Sanoid/Syncoid for automated snapshots
+ - pacman -S sanoid
+ - Configure /etc/sanoid/sanoid.conf for automatic snapshot retention
+ - Suggested policy: hourly for 24h, daily for 7d, monthly for 12m
+
+2. ZFS scrub timer
+ - systemctl enable zfs-scrub-weekly.timer
+ - Or create monthly timer for large pools
+
+3. ZED (ZFS Event Daemon) email alerts
+ - Configure /etc/zfs/zed.d/zed.rc
+ - Set ZED_EMAIL_ADDR for pool health notifications
+
+4. Consider zfs-auto-snapshot as alternative to sanoid
+
+## User Account Setup
+
+Base install only has root. archsetup should:
+
+1. Create primary user account with sudo access
+2. Lock root account for direct login (sudo only)
+3. Configure sudo timeout and logging
+
+## Package Manager Hardening
+
+1. Enable pacman hooks for security
+ - Verify package signatures (already default)
+
+2. Consider enabling reflector timer
+ - Keeps mirrorlist updated with fastest/most recent mirrors
+
+3. Install pacman-contrib for paccache
+ - Configure paccache.timer to clean old package cache
+
+## Automatic Updates (Optional)
+
+For servers that need unattended security updates:
+- Consider pacman-auto-update or similar
+- ZFS pre-pacman snapshots (already in install-archzfs) make this safer
+
+## AppArmor/SELinux (Optional, Advanced)
+
+For high-security environments:
+- AppArmor is easier: pacman -S apparmor
+- Requires kernel parameter: lsm=apparmor
+
+## Misc Recommendations
+
+1. Install and enable systemd-timesyncd or chrony for NTP
+
+2. Configure journald retention
+ - /etc/systemd/journald.conf
+ - SystemMaxUse=500M (or appropriate for system)
+
+3. Disable core dumps for security (optional)
+ - /etc/security/limits.conf: * hard core 0
+
+4. Install lynis for security auditing
+ - pacman -S lynis
+ - Run: lynis audit system
+
+## Desktop-Specific (if applicable)
+
+1. Consider firejail for sandboxing applications
+2. Install a password manager (pass, keepassxc)
+3. Configure automatic screen lock
+
+## Server-Specific (if applicable)
+
+1. Install and configure logwatch or logrotate
+2. Consider setting up centralized logging
+3. Install monitoring (prometheus node_exporter, netdata, etc.)
+
+---
+Generated by install-archzfs build system
+These are recommendations - implement based on your security requirements.
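Review bot: the new file disagrees with what the commit message says was actually implemented, so the recommendations should be updated (or annotated) to match. The SSH section suggests "10m first offense, escalating" and "Consider integration with firewalld/nftables", while the commit configures fail2ban with ufw integration, an SSH jail of 3 attempts with a 1 hour ban, and a default jail of 5 attempts with a 10 minute ban; the Firewall section likewise recommends firewalld "for most users" even though ufw is the backend the jail is wired to. Either record the chosen values and backend in the file, or mark the section as superseded by the fail2ban change, so a reader of assets/ does not follow the wrong settings. Minor: the two `sshd_config` lines under step 2 have lost their indentation in the listing and read as plain text rather than config, so indenting them (or fencing them) would make it clear they are the literal directives.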