improved fail2ban jail

buildplan
2025-07-07 21:31:43 +01:00
committed by GitHub
3 changed files with 79 additions and 47 deletions


@@ -1,6 +1,6 @@
# Debian & Ubuntu Server Setup & Hardening Script # Debian & Ubuntu Server Setup & Hardening Script
**Version:** v0.57 **Version:** v0.58
**Last Updated:** 2025-07-07 **Last Updated:** 2025-07-07
@@ -75,12 +75,12 @@ sha256sum du_setup.sh
Compare the output hash to the one below. They must match exactly. Compare the output hash to the one below. They must match exactly.
`7d8fa1b1682018eb5d3470630b6b28b620f090f1066035b4c483737f2697d736` `9f08682bf23e847314be50ef5acd658770f6a91d5f45a30688c0eb7dcbf8a3ee`
Or echo the hash to check, it should output: `du_setup.sh: OK` Or echo the hash to check, it should output: `du_setup.sh: OK`
``` ```
echo 7d8fa1b1682018eb5d3470630b6b28b620f090f1066035b4c483737f2697d736 du_setup.sh | sha256sum --check - echo 9f08682bf23e847314be50ef5acd658770f6a91d5f45a30688c0eb7dcbf8a3ee du_setup.sh | sha256sum --check -
``` ```
### 3\. Run the Script ### 3\. Run the Script


@@ -3,6 +3,7 @@
# Debian 12 and Ubuntu Server Hardening Interactive Script # Debian 12 and Ubuntu Server Hardening Interactive Script
# Version: 0.57 | 2025-07-07 # Version: 0.57 | 2025-07-07
# Changelog: # Changelog:
# - v0.58: improved fail2ban to parse ufw logs
# - v0.57: Fix for silent failure at test_backup() # - v0.57: Fix for silent failure at test_backup()
# Option to choose which directories to back up. # Option to choose which directories to back up.
# - v0.56: Make tailscale config optional # - v0.56: Make tailscale config optional
@@ -111,7 +112,7 @@ print_header() {
echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}"
echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ ║${NC}"
echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}"
echo -e "${CYAN}║ v0.57 | 2025-07-07 ║${NC}" echo -e "${CYAN}║ v0.58 | 2025-07-07 ║${NC}"
echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ ║${NC}"
echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}"
echo echo
@@ -1036,45 +1037,73 @@ configure_firewall() {
configure_fail2ban() { configure_fail2ban() {
print_section "Fail2Ban Configuration" print_section "Fail2Ban Configuration"
# Set the SSH port for Fail2Ban to monitor. # --- Define Desired Configurations ---
local SSH_PORTS_TO_MONITOR="$SSH_PORT" # Define content of config file.
local NEW_FAIL2BAN_CONFIG local UFW_PROBES_CONFIG
UFW_PROBES_CONFIG=$(cat <<'EOF'
[Definition]
# This regex looks for the standard "[UFW BLOCK]" message in /var/log/ufw.log
failregex = \[UFW BLOCK\] IN=.* OUT=.* SRC=<HOST>
ignoreregex =
EOF
)
NEW_FAIL2BAN_CONFIG=$(mktemp) local JAIL_LOCAL_CONFIG
tee "$NEW_FAIL2BAN_CONFIG" > /dev/null <<EOF JAIL_LOCAL_CONFIG=$(cat <<EOF
[DEFAULT] [DEFAULT]
bantime = 1h ignoreip = 127.0.0.1/8 ::1
bantime = 1d
findtime = 10m findtime = 10m
maxretry = 3 maxretry = 5
backend = auto banaction = ufw
[sshd] [sshd]
enabled = true enabled = true
port = $SSH_PORTS_TO_MONITOR port = $SSH_PORT
logpath = %(sshd_log)s
backend = %(sshd_backend)s # This jail monitors UFW logs for rejected packets (port scans, etc.).
[ufw-probes]
enabled = true
port = all
filter = ufw-probes
logpath = /var/log/ufw.log
maxretry = 3
EOF EOF
if [[ -f /etc/fail2ban/jail.local ]] && cmp -s "$NEW_FAIL2BAN_CONFIG" /etc/fail2ban/jail.local; then )
print_info "Fail2Ban configuration already correct. Skipping."
rm -f "$NEW_FAIL2BAN_CONFIG" local UFW_FILTER_PATH="/etc/fail2ban/filter.d/ufw-probes.conf"
elif [[ -f /etc/fail2ban/jail.local ]] && grep -q "\[sshd\]" /etc/fail2ban/jail.local; then local JAIL_LOCAL_PATH="/etc/fail2ban/jail.local"
print_info "Fail2Ban jail.local exists. Updating SSH port..."
sed -i "s/^\(port\s*=\s*\).*/\1$SSH_PORTS_TO_MONITOR/" /etc/fail2ban/jail.local # --- Idempotency Check ---
rm -f "$NEW_FAIL2BAN_CONFIG" # This checks if the on-disk files are already identical to our desired configuration.
else if [[ -f "$UFW_FILTER_PATH" && -f "$JAIL_LOCAL_PATH" ]] && \
print_info "Creating Fail2Ban local jail configuration..." cmp -s "$UFW_FILTER_PATH" <<<"$UFW_PROBES_CONFIG" && \
mv "$NEW_FAIL2BAN_CONFIG" /etc/fail2ban/jail.local cmp -s "$JAIL_LOCAL_PATH" <<<"$JAIL_LOCAL_CONFIG"; then
chmod 644 /etc/fail2ban/jail.local print_info "Fail2Ban is already configured correctly. Skipping."
log "Fail2Ban configuration is already correct."
return 0
fi fi
print_info "Enabling and restarting Fail2Ban..."
# --- Apply Configuration ---
# If the check above fails, we write the correct configuration files.
print_info "Applying new Fail2Ban configuration..."
mkdir -p /etc/fail2ban/filter.d
echo "$UFW_PROBES_CONFIG" > "$UFW_FILTER_PATH"
echo "$JAIL_LOCAL_CONFIG" > "$JAIL_LOCAL_PATH"
# --- Restart and Verify Fail2ban ---
print_info "Enabling and restarting Fail2Ban to apply new rules..."
systemctl enable fail2ban systemctl enable fail2ban
systemctl restart fail2ban systemctl restart fail2ban
sleep 2 sleep 2 # Give the service a moment to initialize.
if systemctl is-active --quiet fail2ban; then if systemctl is-active --quiet fail2ban; then
print_success "Fail2Ban is active and monitoring port(s) $SSH_PORTS_TO_MONITOR." print_success "Fail2Ban is active with the new configuration."
fail2ban-client status sshd | tee -a "$LOG_FILE" # Show the status of the enabled jails for confirmation.
fail2ban-client status | tee -a "$LOG_FILE"
else else
print_error "Fail2Ban service failed to start." print_error "Fail2Ban service failed to start. Check 'journalctl -u fail2ban' for errors."
exit 1 FAILED_SERVICES+=("fail2ban")
fi fi
log "Fail2Ban configuration completed." log "Fail2Ban configuration completed."
} }
@@ -1168,6 +1197,8 @@ install_tailscale() {
return 0 return 0
fi fi
print_section "Tailscale VPN Installation and Configuration" print_section "Tailscale VPN Installation and Configuration"
# Check if Tailscale is already installed and active
if command -v tailscale >/dev/null 2>&1; then if command -v tailscale >/dev/null 2>&1; then
if systemctl is-active --quiet tailscaled && tailscale ip >/dev/null 2>&1; then if systemctl is-active --quiet tailscaled && tailscale ip >/dev/null 2>&1; then
local TS_IPS TS_IPV4 local TS_IPS TS_IPV4
@@ -1179,30 +1210,31 @@ install_tailscale() {
print_warning "Service tailscaled is installed but not active or connected." print_warning "Service tailscaled is installed but not active or connected."
FAILED_SERVICES+=("tailscaled") FAILED_SERVICES+=("tailscaled")
TS_COMMAND=$(grep "Tailscale connection failed: tailscale up" "$LOG_FILE" | tail -1 | sed 's/.*Tailscale connection failed: //') TS_COMMAND=$(grep "Tailscale connection failed: tailscale up" "$LOG_FILE" | tail -1 | sed 's/.*Tailscale connection failed: //')
TS_COMMAND=${TS_COMMAND:-""} # Empty if no failure, not default command TS_COMMAND=${TS_COMMAND:-""}
fi fi
else else
print_info "Installing Tailscale..." print_info "Installing Tailscale..."
curl -fsSL https://tailscale.com/install.sh -o /tmp/tailscale_install.sh # Gracefully handle download failures
chmod +x /tmp/tailscale_install.sh if ! curl -fsSL https://tailscale.com/install.sh -o /tmp/tailscale_install.sh; then
if ! grep -q "tailscale" /tmp/tailscale_install.sh; then print_error "Failed to download the Tailscale installation script."
print_error "Downloaded Tailscale install script appears invalid." print_info "After setup completes, please try installing it manually: curl -fsSL https://tailscale.com/install.sh | sh"
rm -f /tmp/tailscale_install.sh rm -f /tmp/tailscale_install.sh # Clean up partial download
log "Tailscale installation failed: Invalid install script." return 0 # Exit the function without exiting the main script
return 0
fi fi
if ! /tmp/tailscale_install.sh; then
print_error "Failed to install Tailscale." # Execute the downloaded script with 'sh'
rm -f /tmp/tailscale_install.sh if ! sh /tmp/tailscale_install.sh; then
print_error "Tailscale installation script failed to execute."
log "Tailscale installation failed." log "Tailscale installation failed."
return 0 rm -f /tmp/tailscale_install.sh # Clean up
return 0 # Exit the function gracefully
fi fi
rm -f /tmp/tailscale_install.sh
rm -f /tmp/tailscale_install.sh # Clean up successful install
print_success "Tailscale installation complete." print_success "Tailscale installation complete."
log "Tailscale installation completed." log "Tailscale installation completed."
fi fi
# --- Configure Tailscale Connection ---
if systemctl is-active --quiet tailscaled && tailscale ip >/dev/null 2>&1; then if systemctl is-active --quiet tailscaled && tailscale ip >/dev/null 2>&1; then
local TS_IPS TS_IPV4 local TS_IPS TS_IPV4
TS_IPS=$(tailscale ip 2>/dev/null || echo "Unknown") TS_IPS=$(tailscale ip 2>/dev/null || echo "Unknown")
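Review bot: The rewritten configure_fail2ban overwrites /etc/fail2ban/jail.local whenever it differs from the generated text, so any administrator edits there (extra jails, a custom ignoreip) are silently lost, where the previous code kept an existing jail.local and only patched the port; before the two `echo ... >` writes, keep a copy with `[[ -f "$JAIL_LOCAL_PATH" ]] && cp -a -- "$JAIL_LOCAL_PATH" "${JAIL_LOCAL_PATH}.bak"`. The success branch only checks `systemctl is-active`, which does not show that the new ufw-probes jail started: if `/var/log/ufw.log` is absent at restart time (ufw logging disabled, or no syslog daemon writing that file), fail2ban may report active while that jail fails to load, so verify with `fail2ban-client status ufw-probes` or guard the jail on the log file existing. The new writes also drop the explicit `chmod 644` the old path applied to jail.local, leaving the mode of both files to the umask. Since the new jail bans any source after three `[UFW BLOCK]` lines within findtime, adding the operator's address to `ignoreip` alongside the loopback entries would avoid a self-lockout during testing. Separately, the `# Version: 0.57 | 2025-07-07` header in the earlier hunk is not bumped to 0.58 while the banner and README are.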


@@ -1 +1 @@
7d8fa1b1682018eb5d3470630b6b28b620f090f1066035b4c483737f2697d736 du_setup.sh 9f08682bf23e847314be50ef5acd658770f6a91d5f45a30688c0eb7dcbf8a3ee du_setup.sh