.security.example
# =============================================================================
# WARNING: THIS FILE MAY CONTAIN SENSITIVE INFORMATION (IP ADDRESSES).
#
# Immediately after filling in your values, run:
# chmod 600 .security
#
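# NEVER commit the filled-in .security file to version control; only this
# .example template, which holds no real values, belongs in the repository.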
# =============================================================================
# -----------------------------------------------------------------------------
# [Upgrades]
#
# AUTO_UPGRADES selects how package upgrades are handled:
#   no         - no automatic upgrades are configured; patches, including
#                security fixes, then have to be applied by hand
#   unattended - apt-get upgrade runs once (first run only) and the
#                unattended-upgrades daemon is configured [default]
#   yes        - apt-get upgrade runs on every harden.sh invocation and the
#                unattended-upgrades daemon is configured
#
# NOTE: this template ships with "yes", which is not the documented default
# ("unattended"). Choose the value deliberately when filling in your copy.
#
# UPGRADE_PERIOD is the interval, in days, between runs of the
# unattended-upgrades daemon (maps to APT::Periodic::Unattended-Upgrade).
# Default: 1 (daily).
# -----------------------------------------------------------------------------
AUTO_UPGRADES=yes

# Days between unattended upgrade runs.
UPGRADE_PERIOD=1
# -----------------------------------------------------------------------------
# [Fail2Ban]
#
# IGNORE_IPS : space-separated IPv4/IPv6 addresses that are whitelisted.
#              127.0.0.1/8 and ::1 are always whitelisted automatically.
#              Example: "1.2.3.4 2001:db8::1"
#              Whitelisted addresses get no brute-force protection from these
#              jails, so list only addresses you control.
# BANTIME    : length of a ban in seconds (default: 3600 = 1h);
#              -1 makes the ban permanent.
# FINDTIME   : window in seconds within which MAXRETRY failures must occur
#              (default: 600).
# MAXRETRY   : number of failures that triggers a ban (default: 3).
#
# Recidive jail: an IP banned twice, in any jail, is banned permanently on all
# ports. Per-service jails inherit BANTIME / FINDTIME / MAXRETRY.
# NOTE(review): a permanent all-port ban also applies to a legitimate
# administrator who trips a jail twice; a trusted admin address in IGNORE_IPS
# is the setting this file offers to avoid self-lockout.
#
# Per-service jails (set to "yes" to enable):
#   VAULTWARDEN_JAIL
#   CHHOTO_JAIL
#   NEXTCLOUD_JAIL
#   STOAT_JAIL
# -----------------------------------------------------------------------------

# Whitelisted addresses, e.g. "1.2.3.4 2001:db8::1"
IGNORE_IPS=""

# Ban duration: 1 hour
BANTIME=3600

# Failure-counting window: 10 minutes
FINDTIME=600

# Failures allowed inside FINDTIME before a ban
MAXRETRY=3

# Per-service jails
VAULTWARDEN_JAIL=yes
CHHOTO_JAIL=yes
NEXTCLOUD_JAIL=yes
STOAT_JAIL=yes