Auto SSH connection whitelist feat & whitelist deduplication.

du_setup.sh

@@ -3651,48 +3651,77 @@ configure_fail2ban() {
     print_section "Fail2Ban Configuration"
 
     # --- Collect User IPs to Ignore ---
-    local IGNORE_IPS="127.0.0.1/8 ::1"
+    local -a IGNORE_IPS=("127.0.0.1/8" "::1") # Array for easier dedup.
-    local INVALID_IPS=""
+    local prompt_change=""
 
-    if confirm "Add custom IP addresses or ranges to Fail2Ban ignore list (e.g., your IP, Tailscale)?"; then
+    # NEW: Auto-detect and offer to whitelist current SSH connection
-        print_info "Enter IP addresses or CIDR ranges to whitelist (space-separated)."
+    if [[ -n "$SSH_CONNECTION" ]]; then
-        print_info "Examples: 192.168.1.100 10.0.0.0/8 100.64.0.0/10"
+        local CURRENT_IP="${SSH_CONNECTION%% *}"
-        print_info "Tailscale range: 100.64.0.0/10"
+        print_info "Detected SSH connection from: $CURRENT_IP"
 
-        read -rp "$(printf '%s' "${CYAN}IPs to ignore: ${NC}")" CUSTOM_IPS
+        if confirm "Whitelist your current IP ($CURRENT_IP) in Fail2Ban?"; then
+            if validate_ip_or_cidr "$CURRENT_IP"; then
+                IGNORE_IPS+=("$CURRENT_IP")
+                print_success "Added your current IP to whitelist."
+                log "Auto-whitelisted SSH connection IP: $CURRENT_IP"
+            else
+                print_warning "Could not validate current IP. Please add it manually."
+            fi
+        fi
+        prompt_change=" additional" # Modifies following prompt based on presence of SSH connection.
+    fi
 
-        if [[ -n "$CUSTOM_IPS" ]]; then
+    if confirm "Add$prompt_change IP addresses or CIDR ranges to Fail2Ban ignore list (e.g., Tailscale)?"; then
-            # Validate each IP/CIDR in the input
+        while true; do
-            local VALID_IPS=""
+            local -a WHITELIST_IPS=()
-            local INVALID_COUNT=0
+            log "Prompting user for IP addresses or CIDR ranges to whitelist via Fail2Ban ignore list..."
-
+            printf '%s\n' "${CYAN}Enter IP addresses or CIDR ranges to whitelist, separated by spaces.${NC}"
-            for ip in $CUSTOM_IPS; do
+            printf '%s\n' "Examples:"
-                if validate_ip_or_cidr "$ip"; then
+            printf '  %-24s %s\n' "Single IP:" "192.168.1.100"
-                    VALID_IPS="$VALID_IPS $ip"
+            printf '  %-24s %s\n' "CIDR Range:" "10.0.0.0/8"
-                else
+            printf '  %-24s %s\n' "IPv6 Address:" "2606:4700::1111"
-                    print_error "Invalid format, skipping: $ip"
+            read -ra WHITELIST_IPS -p "  > "
-                    INVALID_IPS="$INVALID_IPS $ip"
+            if (( ${#WHITELIST_IPS[@]} == 0 )); then
-                    ((INVALID_COUNT++))
+                print_info "No IP addresses entered. Skipping."
+                break
+            fi
+            local valid=true
+            local -a INVALID_IPS=()
+            for ip in "${WHITELIST_IPS[@]}"; do
+                if ! validate_ip_or_cidr "$ip"; then
+                    valid=false
+                    INVALID_IPS+=("$ip")
                 fi
             done
-
+            if [[ "$valid" == true ]]; then
-            if [[ -n "$VALID_IPS" ]]; then
+                IGNORE_IPS+=( "${WHITELIST_IPS[@]}" )
-                IGNORE_IPS="$IGNORE_IPS $VALID_IPS"
+                break
-                print_success "Added ${VALID_IPS// /, } to ignore list."
+            else
-                log "Added custom Fail2Ban ignore IPs:$VALID_IPS"
+                local s
+                (( ${#INVALID_IPS[@]} > 1 )) && s="s" # Plural if > 1
+                print_error "Invalid IP$s: ${INVALID_IPS[*]}"
+                printf '%s\n' "Please try again. Leave blank to skip."
             fi
-
+        done
-            if [[ $INVALID_COUNT -gt 0 ]]; then
-                print_warning "$INVALID_COUNT invalid IP(s) were skipped:$INVALID_IPS"
-                print_info "Continuing with valid IPs only. You can add more IPs later."
-                log "Skipped invalid IPs:$INVALID_IPS"
-            fi
-        else
-            print_info "No custom IPs provided. Using defaults only."
-        fi
-    else
-        print_info "Using default ignore IPs only (localhost)."
     fi
+    # Deduplicate final IGNORE_IPS
+    if (( ${#IGNORE_IPS[@]} > 0 )); then
+        local -A seen=()
+        local -a unique=()
+        for ip in "${IGNORE_IPS[@]}"; do
+            [[ -z ${seen[$ip]} ]] && {
+                seen[$ip]=1
+                unique+=( "$ip" )
+            }
+        done
+        IGNORE_IPS=( "${unique[@]}" )
+    fi
+    local WHITELIST_STR
+    printf -v WHITELIST_STR "Whitelisting:\n"
+    for ip in "${IGNORE_IPS[@]:2}"; do # Skip first two entries in console output ("127.0.0.1/8" "::1").
+        printf -v WHITELIST_STR "%s  %s\n" "$WHITELIST_STR" "$ip"
+    done
+    print_info "$WHITELIST_STR"
 
     # --- Define Desired Configurations ---
     local UFW_PROBES_CONFIG
@@ -3707,7 +3736,7 @@ EOF
     local JAIL_LOCAL_CONFIG
     JAIL_LOCAL_CONFIG=$(cat <<EOF
 [DEFAULT]
-ignoreip = $IGNORE_IPS
+ignoreip = ${IGNORE_IPS[*]}
 bantime = 1d
 findtime = 10m
 maxretry = 5
@@ -3762,7 +3791,7 @@ EOF
         fail2ban-client status | tee -a "$LOG_FILE"
 
         # Show how to add IPs later
-        if [[ $INVALID_COUNT -gt 0 ]] || confirm "Show instructions for adding IPs later?" "n"; then
+        if (( ${#INVALID_IPS[@]} > 0 )) || confirm "Show instructions for adding IPs later?" "n"; then
             printf "\n"
             print_info "To add more IP addresses to Fail2Ban ignore list later:"
             printf "%s1. Edit the configuration file:%s\n" "$CYAN" "$NC"