| Commit message | Author | Age | Files |
|---|---|---|---|
| We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1) for the elastic theme. | | | |
| * Use nftables sets with a timeout<br>* Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires changing the log path to `/var/log/fail2ban/*`.)<br>* Skip database as we don't care about persistence.<br>* Refactor jail.local | | | |
| See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete". | | | |
| We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | | | |
| This is important as we don't want the IMAP server banning the webmail, for instance. (The fail2ban instance running next to the webmail should ban the attacker, but that running next to the IMAP server shouldn't ban legit users.) | | | |
| (For now, only LMTP and IMAP processes, without replication.) | | | |
| So it doesn't mess with the high-priority rules regarding IPSec. | | | |