roles/common: minor configuration of Debian 13 SSH

Tweak some of the new OpenSSH per-source penalty settings on Debian
13. For now only adjusting the source network masks and reusing the
list of IPs to exempt from fail2ban.

These being built in makes them easier to use, but I think I will
end up sticking with fail2ban for the heavy lifting because it per-
sists across restarts of the daemon, whereas OpenSSH's doesn't. I
will monitor OpenSSH on Debian 13 to see how to best use it along
side fail2ban.

roles/common/defaults/main.yml

@@ -8,7 +8,7 @@ fail2ban_maxretry: 6
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.1/8
+fail2ban_ignoreip: 127.0.0.0/8
 
 # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
 # before re-configuring the SSH daemon to disable passwords.

roles/common/tasks/nftables.yml

@@ -9,7 +9,6 @@
     mode: "0644"
   notify:
     - Restart nftables
-    - Restart fail2ban
 
 - name: Create /etc/nftables extra config directory
   ansible.builtin.file:
@@ -20,17 +19,14 @@
 
 - name: Copy extra nftables configuration files
   ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: /etc/nftables/{{ item.src }}
+    src: firehol_level1-ipv4.nft
+    dest: /etc/nftables/firehol_level1-ipv4.nft
     owner: root
     group: root
     mode: "0644"
-    force: "{{ item.force }}"
-  loop:
-    - { src: firehol_level1-ipv4.nft, force: false }
+    force: false
   notify:
     - Restart nftables
-    - Restart fail2ban
 
 - name: Copy nftables update scripts
   ansible.builtin.template:
@@ -40,27 +36,6 @@
     owner: root
     group: root
 
-- name: Remove deprecated data and scripts
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: absent
-  loop:
-    - /etc/nftables/spamhaus-ipv4.nft
-    - /etc/nftables/spamhaus-ipv6.nft
-    - /etc/nftables/abuseipdb-ipv4.nft
-    - /etc/nftables/abuseipdb-ipv6.nft
-    - /etc/nftables/abusech-ipv4.nft
-    - /usr/local/bin/update-abusech-nftables.sh
-    - /usr/local/bin/update-spamhaus-nftables.sh
-    - /etc/systemd/system/update-abusech-nftables.service
-    - /etc/systemd/system/update-abusech-nftables.timer
-    - /etc/systemd/system/update-spamhaus-nftables.service
-    - /etc/systemd/system/update-spamhaus-nftables.timer
-    - /usr/local/bin/aggregate-cidr-addresses.pl
-  notify:
-    - Restart nftables
-    - Restart fail2ban
-
 - name: Copy nftables systemd units
   ansible.builtin.copy:
     src: "{{ item }}"
@@ -81,11 +56,9 @@
 
 - name: Start and enable nftables update timers
   ansible.builtin.systemd_service:
-    name: "{{ item }}"
+    name: update-firehol-nftables.timer
     state: started
     enabled: true
-  loop:
-    - update-firehol-nftables.timer
 
 - name: Start and enable nftables
   ansible.builtin.systemd_service:

roles/common/tasks/sshd.yml

@@ -1,6 +1,7 @@
 ---
-# SSH configs don't change in Debian minor versions
+# Only override the system sshd configuration on older Debian.
 - name: Reconfigure /etc/ssh/sshd_config
+  when: ansible_distribution_version is version('12', '<=')
   ansible.builtin.template:
     src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
     dest: /etc/ssh/sshd_config
@@ -9,6 +10,18 @@
     mode: "0600"
   notify: Reload sshd
 
+# Newer OpenSSH versions support including extra configuration. The includes
+# happen at the beginning of the file and the first value to be read is used.
+- name: Configure sshd_config.d overrides
+  when: ansible_distribution_version is version('13', '>=')
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.d/01-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.conf.j2
+    dest: /etc/ssh/sshd_config.d/01-custom.conf
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
+
 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
   block:

roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2

@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
+# audit track of which key was using to log in.
+LogLevel VERBOSE
+
+MaxAuthTries 4
+
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
+
+X11Forwarding no
+
+# Based on the ssh-audit profile for Debian 13, but with but with all algos with
+# less than 256 bits removed, as NSA's Suite B removed them years ago and the
+# new (2018) CNSA suite is 256 bits and up.
+#
+# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
+
+PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
+
+# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
+# The default is 32:128.
+PerSourceNetBlockSize 24:56