docs(setup): make fail2ban opt-in in 70-hardening.sh
CI / commits (pull_request) Successful in 3m51s
CI / scan (pull_request) Successful in 4m13s
CI / check (pull_request) Successful in 4m24s
CI / a11y (pull_request) Successful in 3m49s
Docs site / build (pull_request) Successful in 3m51s
CI / perf (pull_request) Successful in 6m54s
CI / commits (pull_request) Successful in 3m51s
CI / scan (pull_request) Successful in 4m13s
CI / check (pull_request) Successful in 4m24s
CI / a11y (pull_request) Successful in 3m49s
Docs site / build (pull_request) Successful in 3m51s
CI / perf (pull_request) Successful in 6m54s
Three branches now: (1) already running -> skip; (2) installed but stopped -> prompt to enable+start; (3) not installed -> prompt to install+enable+start. Each decline path logs `(user choice)` so a re-run doesn't surprise the dev with a different state. Reasoning: some corp environments already ship brute-force protection at the network layer (ACL / corp firewall / appliance). fail2ban on the host is then redundant and can be the wrong layer to debug from when a rule misfires. The other three hardening steps (UFW, sshd lockdown) were already prompt-gated; fail2ban was the odd one out. Table descriptors in the main doc + setup README updated to make each sub-step's prompt posture visible.
This commit is contained in:
@@ -47,13 +47,29 @@ EOF
|
||||
ok "unattended-upgrades enabled."
|
||||
fi
|
||||
|
||||
# ─── 3. fail2ban ───────────────────────────────────────────────────────
|
||||
apt_install fail2ban
|
||||
# ─── 3. fail2ban (opt-in) ──────────────────────────────────────────────
|
||||
# Some VMs already ship with infra-managed brute-force protection at the
|
||||
# network layer (corp firewall, ACLs, etc.). In that case fail2ban on the
|
||||
# host is redundant — and its presence can be the wrong layer to debug
|
||||
# from when a rule misfires. Make it a deliberate choice instead of
|
||||
# imposing it.
|
||||
if systemctl is-active fail2ban.service >/dev/null 2>&1; then
|
||||
skip "fail2ban already running."
|
||||
elif dpkg -s fail2ban >/dev/null 2>&1; then
|
||||
if confirm "fail2ban is installed but not running. Enable + start it now?"; then
|
||||
sudo systemctl enable --now fail2ban.service
|
||||
ok "fail2ban started + enabled at boot."
|
||||
else
|
||||
skip "fail2ban left stopped (user choice)."
|
||||
fi
|
||||
else
|
||||
sudo systemctl enable --now fail2ban.service
|
||||
ok "fail2ban started + enabled at boot."
|
||||
if confirm "Install + enable fail2ban (SSH brute-force protection)?"; then
|
||||
apt_install fail2ban
|
||||
sudo systemctl enable --now fail2ban.service
|
||||
ok "fail2ban installed + started + enabled at boot."
|
||||
else
|
||||
skip "fail2ban not installed (user choice)."
|
||||
fi
|
||||
fi
|
||||
|
||||
# ─── 4. sshd hardening ────────────────────────────────────────────────
|
||||
|
||||
Reference in New Issue
Block a user