From 90db6e6dcea977cacfb49c30cfa4c860527c2f07 Mon Sep 17 00:00:00 2001
From: Ali
Date: Mon, 7 Jul 2025 20:49:14 +0100
Subject: [PATCH 1/5] error handling for tailscale download
---
 du_setup.sh | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/du_setup.sh b/du_setup.sh
index 86c23ab..ca5e978 100644
--- a/du_setup.sh
+++ b/du_setup.sh
@@ -1168,6 +1168,8 @@ install_tailscale() {
 return 0
 fi
 print_section "Tailscale VPN Installation and Configuration"
+
+ # Check if Tailscale is already installed and active
 if command -v tailscale >/dev/null 2>&1; then
 if systemctl is-active --quiet tailscaled && tailscale ip >/dev/null 2>&1; then
 local TS_IPS TS_IPV4
@@ -1179,30 +1181,31 @@ install_tailscale() {
 print_warning "Service tailscaled is installed but not active or connected."
 FAILED_SERVICES+=("tailscaled")
 TS_COMMAND=$(grep "Tailscale connection failed: tailscale up" "$LOG_FILE" | tail -1 | sed 's/.*Tailscale connection failed: //')
- TS_COMMAND=${TS_COMMAND:-""} # Empty if no failure, not default command
+ TS_COMMAND=${TS_COMMAND:-""}
 fi
 else
 print_info "Installing Tailscale..."
- curl -fsSL https://tailscale.com/install.sh -o /tmp/tailscale_install.sh
- chmod +x /tmp/tailscale_install.sh
- if ! grep -q "tailscale" /tmp/tailscale_install.sh; then
- print_error "Downloaded Tailscale install script appears invalid."
- rm -f /tmp/tailscale_install.sh
- log "Tailscale installation failed: Invalid install script."
- return 0
+ # Gracefully handle download failures
+ if ! curl -fsSL https://tailscale.com/install.sh -o /tmp/tailscale_install.sh; then
+ print_error "Failed to download the Tailscale installation script."
+ print_info "After setup completes, please try installing it manually: curl -fsSL https://tailscale.com/install.sh | sh"
+ rm -f /tmp/tailscale_install.sh # Clean up partial download
+ return 0 # Exit the function without exiting the main script
 fi
- if ! /tmp/tailscale_install.sh; then
- print_error "Failed to install Tailscale."
- rm -f /tmp/tailscale_install.sh
+
+ # Execute the downloaded script with 'sh'
+ if ! sh /tmp/tailscale_install.sh; then
+ print_error "Tailscale installation script failed to execute."
 log "Tailscale installation failed."
- return 0
+ rm -f /tmp/tailscale_install.sh # Clean up
+ return 0 # Exit the function gracefully
 fi
- rm -f /tmp/tailscale_install.sh
+
+ rm -f /tmp/tailscale_install.sh # Clean up successful install
 print_success "Tailscale installation complete."
 log "Tailscale installation completed."
 fi
- # --- Configure Tailscale Connection ---
 if systemctl is-active --quiet tailscaled && tailscale ip >/dev/null 2>&1; then
 local TS_IPS TS_IPV4
 TS_IPS=$(tailscale ip 2>/dev/null || echo "Unknown")
From 40bc730e5d51bf5d7bba7fcec6b23b4cae59d705 Mon Sep 17 00:00:00 2001
From: Ali
Date: Mon, 7 Jul 2025 21:08:21 +0100
Subject: [PATCH 2/5] enhanced fail2ban jail.local
---
 du_setup.sh | 74 +++++++++++++++++++++++++++++++----------------------
 1 file changed, 44 insertions(+), 30 deletions(-)
diff --git a/du_setup.sh b/du_setup.sh
index ca5e978..24a647b 100644
--- a/du_setup.sh
+++ b/du_setup.sh
@@ -3,6 +3,7 @@
 # Debian 12 and Ubuntu Server Hardening Interactive Script
 # Version: 0.57 | 2025-07-07
 # Changelog:
+# - v0.58: improved fail2ban to parse ufw logs
 # - v0.57: Fix for silent failure at test_backup()
 # Option to choose which directories to back up.
 # - v0.56: Make tailscale config optional
@@ -111,7 +112,7 @@ print_header() {
 echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}"
 echo -e "${CYAN}║ ║${NC}"
 echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}"
- echo -e "${CYAN}║ v0.57 | 2025-07-07 ║${NC}"
+ echo -e "${CYAN}║ v0.58 | 2025-07-07 ║${NC}"
 echo -e "${CYAN}║ ║${NC}"
 echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}"
 echo
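Review bot: The installer is still written to the fixed path `/tmp/tailscale_install.sh` and then run with `sh`, and a predictable name in a world-writable directory is open to pre-creation or symlink races by other local accounts on a script that is presumably run as root; this applies to the `curl … -o` and `sh` lines added in the second install_tailscale hunk of PATCH 1/5. Creating the file with `mktemp` and using that variable on the curl, sh and rm lines closes that window, as sketched below. The commit also drops the old `grep -q "tailscale"` content check without a replacement, so any body that curl accepts is now handed straight to `sh`; a sanity check or a pinned checksum before execution would be the stronger substitute. install_tailscale starts and ends outside the hunk.

```shell
        print_info "Installing Tailscale..."
        local ts_installer
        if ! ts_installer=$(mktemp); then
            print_error "Could not create a temporary file for the Tailscale installer."
            return 0
        fi
        if ! curl -fsSL https://tailscale.com/install.sh -o "$ts_installer"; then
            # … unchanged: download-failure messages …
            rm -f -- "$ts_installer"
            return 0
        fi
        if ! sh "$ts_installer"; then
            # … unchanged: error message and log call …
            rm -f -- "$ts_installer"
            return 0
        fi
        rm -f -- "$ts_installer"
        # … unchanged: success message and log call …
```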
@@ -1036,45 +1037,58 @@ configure_firewall() { configure_fail2ban() { print_section "Fail2Ban Configuration" - # Set the SSH port for Fail2Ban to monitor. - local SSH_PORTS_TO_MONITOR="$SSH_PORT" - local NEW_FAIL2BAN_CONFIG + # --- Create UFW Probes Filter for Fail2ban --- + # This custom filter tells Fail2ban what to look for in UFW's log file. + print_info "Creating Fail2ban filter for UFW probes..." + mkdir -p /etc/fail2ban/filter.d + tee /etc/fail2ban/filter.d/ufw-probes.conf > /dev/null <<'EOF' +[Definition] +# This regex looks for the standard "[UFW BLOCK]" message in /var/log/ufw.log +failregex = \[UFW BLOCK\] IN=.* OUT=.* SRC= +ignoreregex = +EOF - NEW_FAIL2BAN_CONFIG=$(mktemp) - tee "$NEW_FAIL2BAN_CONFIG" > /dev/null < /dev/null < Date: Mon, 7 Jul 2025 21:08:41 +0100 Subject: [PATCH 3/5] update hash --- README.md | 6 +++--- du_setup.sh.sha256 | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 1bb50c6..672e8b9 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Debian & Ubuntu Server Setup & Hardening Script -**Version:** v0.57 +**Version:** v0.58 **Last Updated:** 2025-07-07 @@ -75,12 +75,12 @@ sha256sum du_setup.sh Compare the output hash to the one below. They must match exactly. -`7d8fa1b1682018eb5d3470630b6b28b620f090f1066035b4c483737f2697d736` +`3f349e00ab134fbd82d87c6691832d25630174691dcd9ebfe946c4a2eb8f299f` Or echo the hash to check, it should output: `du_setup.sh: OK` ``` -echo 7d8fa1b1682018eb5d3470630b6b28b620f090f1066035b4c483737f2697d736 du_setup.sh | sha256sum --check - +echo 3f349e00ab134fbd82d87c6691832d25630174691dcd9ebfe946c4a2eb8f299f du_setup.sh | sha256sum --check - ``` ### 3\. Run the Script diff --git a/du_setup.sh.sha256 b/du_setup.sh.sha256 index 2a3ab68..2e9d6c5 100644 --- a/du_setup.sh.sha256 +++ b/du_setup.sh.sha256 
@@ -1 +1 @@ -7d8fa1b1682018eb5d3470630b6b28b620f090f1066035b4c483737f2697d736 du_setup.sh +3f349e00ab134fbd82d87c6691832d25630174691dcd9ebfe946c4a2eb8f299f du_setup.sh From a424f5b88bd7387a3f15bd79be7728ff6117681b Mon Sep 17 00:00:00 2001 From: Ali Date: Mon, 7 Jul 2025 21:22:47 +0100 Subject: [PATCH 4/5] enhanced fail2ban jail.local --- du_setup.sh | 41 ++++++++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/du_setup.sh b/du_setup.sh index 24a647b..752ee7b 100644 --- a/du_setup.sh +++ b/du_setup.sh @@ -1037,29 +1037,24 @@ configure_firewall() { configure_fail2ban() { print_section "Fail2Ban Configuration" - # --- Create UFW Probes Filter for Fail2ban --- - # This custom filter tells Fail2ban what to look for in UFW's log file. - print_info "Creating Fail2ban filter for UFW probes..." - mkdir -p /etc/fail2ban/filter.d - tee /etc/fail2ban/filter.d/ufw-probes.conf > /dev/null <<'EOF' + # --- Define Desired Configurations --- + # Define content of config file. + local UFW_PROBES_CONFIG + UFW_PROBES_CONFIG=$(cat <<'EOF' [Definition] # This regex looks for the standard "[UFW BLOCK]" message in /var/log/ufw.log failregex = \[UFW BLOCK\] IN=.* OUT=.* SRC= ignoreregex = EOF +) - # --- Create Enhanced jail.local Configuration --- - # This new configuration sets more robust defaults and adds the UFW monitoring jail. - print_info "Creating enhanced Fail2ban local jail configuration..." - tee /etc/fail2ban/jail.local > /dev/null < "$UFW_FILTER_PATH" + echo "$JAIL_LOCAL_CONFIG" > "$JAIL_LOCAL_PATH" # --- Restart and Verify Fail2ban --- print_info "Enabling and restarting Fail2Ban to apply new rules..." @@ -1087,7 +1103,6 @@ EOF fail2ban-client status | tee -a "$LOG_FILE" else print_error "Fail2Ban service failed to start. Check 'journalctl -u fail2ban' for errors." - # No longer exits the script, just reports the failure. FAILED_SERVICES+=("fail2ban") fi log "Fail2Ban configuration completed." 
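Review bot: In the first configure_fail2ban hunk of PATCH 4/5 the filter line reads `failregex = \[UFW BLOCK\] IN=.* OUT=.* SRC=` on this page, with nothing after `SRC=`; fail2ban needs a host tag there to know which address to ban, so the written file should contain `failregex = \[UFW BLOCK\] IN=.* OUT=.* SRC=<HOST>` (the tag may only have been lost when this page was rendered, together with the jail.local body in the middle of the hunk). Running `fail2ban-regex /var/log/ufw.log /etc/fail2ban/filter.d/ufw-probes.conf` after the write would confirm the filter matches before the service is restarted. Since the source address of a blocked packet is not authenticated, the jail that uses this filter should also carry an `ignoreip` entry for the administrator's own addresses; that part of the configuration is not legible here, so confirm it is present.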
From 90832c9a43d3d1e0cc0f396c0af07bc191516dda Mon Sep 17 00:00:00 2001
From: Ali
Date: Mon, 7 Jul 2025 21:24:02 +0100
Subject: [PATCH 5/5] update hash
---
 README.md | 4 ++--
 du_setup.sh.sha256 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 672e8b9..af72f69 100644
--- a/README.md
+++ b/README.md
@@ -75,12 +75,12 @@ sha256sum du_setup.sh
 Compare the output hash to the one below. They must match exactly.
-`3f349e00ab134fbd82d87c6691832d25630174691dcd9ebfe946c4a2eb8f299f`
+`9f08682bf23e847314be50ef5acd658770f6a91d5f45a30688c0eb7dcbf8a3ee`
 Or echo the hash to check, it should output: `du_setup.sh: OK`
 ```
-echo 3f349e00ab134fbd82d87c6691832d25630174691dcd9ebfe946c4a2eb8f299f du_setup.sh | sha256sum --check -
+echo 9f08682bf23e847314be50ef5acd658770f6a91d5f45a30688c0eb7dcbf8a3ee du_setup.sh | sha256sum --check -
 ```
 ### 3\. Run the Script
diff --git a/du_setup.sh.sha256 b/du_setup.sh.sha256
index 2e9d6c5..c68dfc5 100644
--- a/du_setup.sh.sha256
+++ b/du_setup.sh.sha256
@@ -1 +1 @@
-3f349e00ab134fbd82d87c6691832d25630174691dcd9ebfe946c4a2eb8f299f du_setup.sh
+9f08682bf23e847314be50ef5acd658770f6a91d5f45a30688c0eb7dcbf8a3ee du_setup.sh