From 8a2076e1e5909f1241ccfd8906469e179fab25d6 Mon Sep 17 00:00:00 2001
From: Craig Jennings
Date: Sat, 17 Jan 2026 23:55:54 -0600
Subject: feat(archsetup): add fail2ban for SSH brute force protection
- Install and configure fail2ban with ufw integration
- SSH jail: 3 attempts, 1 hour ban
- Default jail: 5 attempts, 10 minute ban
- Also file security recommendations to assets/
---
 archsetup | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
(limited to 'archsetup')
diff --git a/archsetup b/archsetup
index efb711b..cd3fc41 100755
--- a/archsetup
+++ b/archsetup
@@ -633,6 +633,34 @@ essential_services() {
 action="starting the openssh service" && display "task" "$action"
 systemctl start sshd >> "$logfile" 2>&1 || error "error" "$action" "$?"
+ # SSH Brute Force Protection
+
+ display "subtitle" "SSH Brute Force Protection"
+ pacman_install fail2ban
+
+ action="configuring fail2ban for SSH protection" && display "task" "$action"
+ cat << 'EOF' > /etc/fail2ban/jail.local
+[DEFAULT]
+# Ban for 10 minutes by default
+bantime = 10m
+findtime = 10m
+maxretry = 5
+# Use ufw for ban actions
+banaction = ufw
+
+[sshd]
+enabled = true
+port = ssh
+# Stricter settings for SSH: 3 attempts, 1 hour ban
+maxretry = 3
+bantime = 1h
+EOF
+
+ action="enabling fail2ban service" && display "task" "$action"
+ systemctl enable fail2ban >> "$logfile" 2>&1 || error "error" "$action" "$?"
+ action="starting fail2ban service" && display "task" "$action"
+ systemctl start fail2ban >> "$logfile" 2>&1 || error "error" "$action" "$?"
+
 # Firewall
 # deny all connections by default, then allow the following:
-- 
cgit v1.2.3
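Review bot: The heredoc that writes `/etc/fail2ban/jail.local` is the only step in the added block without the `|| error "error" "$action" "$?"` guard, so a failed write (for example, the directory missing because the package install did not complete) goes unreported and the script still enables and starts fail2ban with whatever configuration the package ships, leaving the stricter sshd jail unapplied. Put the guard on the heredoc's opening line: `cat << 'EOF' > /etc/fail2ban/jail.local || error "error" "$action" "$?"`. Separately, `banaction = ufw` only blocks traffic when ufw is installed and active, and the Firewall section appears after this block in the trailing context; whether ufw is installed earlier in `essential_services` is outside the hunk, so either confirm that or move the fail2ban block below the firewall setup. The function body starts and ends outside the hunk.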