From 3e6ad6dabb8dbf91805b41d0e52c2dd664f177f2 Mon Sep 17 00:00:00 2001 From: Ali Date: Sat, 28 Jun 2025 22:13:17 +0100 Subject: [PATCH 1/6] adding tailscale auth --- README.md | 42 ++++++++- setup_harden_debian_ubuntu.sh | 161 +++++++++++++++++++++++++++++----- 2 files changed, 176 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 71e1417..83225b7 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Debian & Ubuntu Server Setup & Hardening Script -**Version:** 4.0 +**Version:** 4.1 **Last Updated:** 2025-06-28 @@ -22,6 +22,7 @@ This script automates the initial setup and security hardening of a fresh Debian - **Automated Security Updates**: Enables `unattended-upgrades` for automatic security patches. - **System Stability**: Configures NTP time synchronization with `chrony` and optional swap file setup for low-RAM systems. - **Remote rsync Backups**: Configures automated `rsync` backups over SSH to any compatible server (e.g., Hetzner Storage Box), with SSH key automation (`sshpass` or manual), cron scheduling, ntfy/Discord notifications, and a customizable exclude file. +- **Tailscale VPN**: Installs Tailscale and connects to the standard Tailscale network (pre-auth key required) or a custom server (URL and key required). Configures optional flags (`--ssh`, `--advertise-exit-node`, `--accept-dns`, `--accept-routes`). - **Safety First**: Backs up critical configuration files before modification, stored in `/root/setup_harden_backup_*`. - **Optional Software**: Offers interactive installation of: - Docker & Docker Compose @@ -37,6 +38,7 @@ This script automates the initial setup and security hardening of a fresh Debian - Root or `sudo` privileges. - Internet access for package downloads. - For remote backups: An SSH-accessible server (e.g., Hetzner Storage Box) with credentials or SSH key access. +- For Tailscale: A pre-auth key from https://login.tailscale.com/admin (standard, starts with `tskey-auth-`) or from a custom server (e.g., `https://ts.mydomain.cloud`). ### 1. Download the Script @@ -59,7 +61,7 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet > **Warning**: The script pauses to verify SSH access on the new port before disabling old access methods. **Test the new SSH connection from a separate terminal before proceeding!** > -> Ensure your VPS provider’s firewall allows the custom SSH port and the backup server’s SSH port (e.g., 23 for Hetzner Storage Box). +> Ensure your VPS provider’s firewall allows the custom SSH port, backup server’s SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections). ## What It Does @@ -71,11 +73,11 @@ sudo ./setup_harden_debian_ubuntu.sh --quiet | **SSH Hardening** | Disables root login, enforces key-based auth, and sets a custom port. | | **Firewall Setup** | Configures UFW to deny incoming traffic by default, allowing specific ports. | | **Remote Backup Setup** | Configures `rsync` backups to an SSH server (e.g., `u457300-sub4@u457300.your-storagebox.de:23`). Creates `/root/run_backup.sh`, `/root/rsync_exclude.txt`, and schedules a cron job. Supports ntfy/Discord notifications. | +| **Tailscale Setup** | Installs Tailscale and connects to the standard Tailscale network (pre-auth key starting with `tskey-auth-`) or a custom server (any valid key). Configures optional flags (`--ssh`, `--advertise-exit-node`, `--accept-dns`, `--accept-routes`). | | **System Backups** | Saves timestamped configuration backups in `/root/setup_harden_backup_*`. | | **Swap File Setup** | Creates an optional swap file (e.g., 2G) with tuned settings. | | **Timezone & Locales** | Configures timezone and system locales interactively. | | **Docker Install** | Installs Docker Engine and adds the user to the `docker` group. | -| **Tailscale Install** | Installs the Tailscale client for Mesh VPN. | | **Final Cleanup** | Removes unused packages and reloads daemons. | ## Logs & Backups @@ -96,6 +98,11 @@ After rebooting, verify the setup: - **Hostname**: `hostnamectl` - **Docker Status** (if installed): `docker ps` - **Tailscale Status** (if installed): `tailscale status` +- **Tailscale Verification** (if configured): + - Check connection: `tailscale status` + - Test Tailscale SSH (if enabled): `tailscale ssh @` + - Verify exit node (if enabled): Check Tailscale admin console + - If not connected, run the `tailscale up` command shown in the script output - **Remote Backup** (if configured): - Verify SSH key: `cat /root/.ssh/id_ed25519.pub` - Copy key (if not done): `ssh-copy-id -p -s ` @@ -109,6 +116,7 @@ After rebooting, verify the setup: - Ubuntu 22.04, 24.04, 24.10 (experimental) - Cloud providers: DigitalOcean, Oracle Cloud, Hetzner, Netcup - Backup destinations: Hetzner Storage Box, custom SSH servers +- Tailscale: Standard network, custom self-hosted servers ## Important Notes @@ -117,6 +125,7 @@ After rebooting, verify the setup: - Test in a non-production environment (e.g., staging VM) first. - Maintain out-of-band console access in case of SSH lockout. - For Hetzner Storage Box, ensure `~/.ssh/` exists on the remote server: `ssh -p 23 "mkdir -p ~/.ssh && chmod 700 ~/.ssh"`. +- For Tailscale, generate a pre-auth key from https://login.tailscale.com/admin (standard, must start with `tskey-auth-`) or your custom server (any valid key). Ensure UDP 41641 is open for Tailscale traffic. ## Troubleshooting @@ -172,6 +181,33 @@ If backups fail: 6. **Summary Errors**: - If summary shows `Remote Backup: Not configured`, verify: `ls -l /root/run_backup.sh` +### Tailscale Issues + +If Tailscale fails to connect: + +1. **Verify Installation**: + - Check: `command -v tailscale` + - Service status: `systemctl status tailscaled` + +2. **Check Connection**: + - Run: `tailscale status` + - Verify server: `tailscale status --json | grep ControlURL` + - Check logs: `sudo journalctl -u tailscaled` + +3. **Test Pre-Auth Key**: + - Re-run the command shown in the script output (e.g., `sudo tailscale up --auth-key= --operator=` or with `--login-server=`). + - For custom servers, ensure the key is valid for the specified server (e.g., generated from `https://ts.mydomain.cloud`). + +4. **Additional Flags**: + - Verify SSH: `tailscale ssh @` + - Check exit node: Tailscale admin console + - Verify DNS: `cat /etc/resolv.conf` + - Check routes: `tailscale status` + +5. **Network Issues**: + - Ensure UDP 41641 is open: `nc -zvu 41641` + - Check VPS firewall for Tailscale traffic. + ## [MIT](https://github.com/buildplan/setup_harden_server/blob/main/LICENSE) License This script is open-source and provided "as is" without warranty. Use at your own risk. diff --git a/setup_harden_debian_ubuntu.sh b/setup_harden_debian_ubuntu.sh index 7f5edaf..7999249 100644 --- a/setup_harden_debian_ubuntu.sh +++ b/setup_harden_debian_ubuntu.sh @@ -1,7 +1,7 @@ #!/bin/bash # Debian 12 and Ubuntu Server Hardening Interactive Script -# Version: 4.0 | 2025-06-28 +# Version: 4.1 | 2025-06-28 # Changelog: # - v4.0: Added automated backup config. Mainly for Hetzner Storage Box but can be used for any rsync/SSH enabled remote solution. # - v3.*: Improvements to script flow and fixed bugs which were found in tests at Oracle Cloud @@ -82,7 +82,7 @@ print_header() { echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" - echo -e "${CYAN}║ v4.0 | 2025-06-28 ║${NC}" + echo -e "${CYAN}║ v4.1 | 2025-06-28 ║${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" echo @@ -902,33 +902,124 @@ EOF } install_tailscale() { - if ! confirm "Install Tailscale VPN (Optional)?"; then + if ! confirm "Install and configure Tailscale VPN (Optional)?"; then print_info "Skipping Tailscale installation." + log "Tailscale installation skipped by user." return 0 fi - print_section "Tailscale VPN Installation" + print_section "Tailscale VPN Installation and Configuration" if command -v tailscale >/dev/null 2>&1; then print_info "Tailscale already installed." + if systemctl is-active --quiet tailscaled && tailscale status >/dev/null 2>&1; then + print_success "Tailscale service is active and connected." + return 0 + else + print_warning "Tailscale installed but service is not active or not connected." + fi + else + print_info "Installing Tailscale..." + curl -fsSL https://tailscale.com/install.sh -o /tmp/tailscale_install.sh + chmod +x /tmp/tailscale_install.sh + if ! grep -q "tailscale" /tmp/tailscale_install.sh; then + print_error "Downloaded Tailscale install script appears invalid." + rm -f /tmp/tailscale_install.sh + log "Tailscale installation failed: Invalid install script." + return 0 + fi + if ! /tmp/tailscale_install.sh; then + print_error "Failed to install Tailscale." + rm -f /tmp/tailscale_install.sh + log "Tailscale installation failed." + return 0 + fi + rm -f /tmp/tailscale_install.sh + print_success "Tailscale installation complete." + log "Tailscale installation completed." + fi + + # --- Configure Tailscale Connection --- + if systemctl is-active --quiet tailscaled && tailscale status >/dev/null 2>&1; then + print_info "Tailscale is already connected." return 0 fi - print_info "Installing Tailscale..." - curl -fsSL https://tailscale.com/install.sh -o /tmp/tailscale_install.sh - chmod +x /tmp/tailscale_install.sh - # Simple sanity check on the downloaded script - if ! grep -q "tailscale" /tmp/tailscale_install.sh; then - print_error "Downloaded Tailscale install script appears invalid." - rm -f /tmp/tailscale_install.sh - exit 1 + print_info "Configuring Tailscale connection..." + echo -e "${CYAN}Choose Tailscale connection method:${NC}" + echo -e " 1) Standard Tailscale (requires pre-auth key from https://login.tailscale.com/admin)" + echo -e " 2) Custom Tailscale server (requires server URL and pre-auth key)" + read -rp "$(echo -e "${CYAN}Enter choice (1-2) [1]: ${NC}")" TS_CONNECTION + TS_CONNECTION=${TS_CONNECTION:-1} + local AUTH_KEY LOGIN_SERVER="" + if [[ "$TS_CONNECTION" == "2" ]]; then + while true; do + read -rp "$(echo -e "${CYAN}Enter Tailscale server URL (e.g., https://ts.mydomain.cloud): ${NC}")" LOGIN_SERVER + if [[ "$LOGIN_SERVER" =~ ^https://[a-zA-Z0-9.-]+(:[0-9]+)?$ ]]; then break; else print_error "Invalid URL. Must start with https://. Try again."; fi + done fi - if ! /tmp/tailscale_install.sh; then - print_error "Failed to install Tailscale." - rm -f /tmp/tailscale_install.sh - exit 1 + while true; do + read -rp "$(echo -e "${CYAN}Enter Tailscale pre-auth key: ${NC}")" AUTH_KEY + if [[ "$TS_CONNECTION" == "1" && "$AUTH_KEY" =~ ^tskey-auth- ]]; then break + elif [[ "$TS_CONNECTION" == "2" && -n "$AUTH_KEY" ]]; then + print_warning "Ensure the pre-auth key is valid for your custom Tailscale server ($LOGIN_SERVER)." + break + else + print_error "Invalid key format. For standard connection, key must start with 'tskey-auth-'. For custom server, key cannot be empty." + fi + done + local TS_COMMAND="tailscale up" + if [[ "$TS_CONNECTION" == "2" ]]; then + TS_COMMAND="$TS_COMMAND --login-server=$LOGIN_SERVER" fi - rm -f /tmp/tailscale_install.sh - print_warning "ACTION REQUIRED: Run 'sudo tailscale up' after script finishes." - print_success "Tailscale installation complete." - log "Tailscale installation completed." + TS_COMMAND="$TS_COMMAND --auth-key=$AUTH_KEY --operator=$USERNAME" + print_info "Connecting to Tailscale with: $TS_COMMAND" + if ! $TS_COMMAND; then + print_warning "Failed to connect to Tailscale. Possible issues: invalid pre-auth key, network restrictions, or server unavailability." + print_info "Please run the following command manually after resolving the issue:" + echo -e "${CYAN} $TS_COMMAND${NC}" + log "Tailscale connection failed: $TS_COMMAND" + else + print_success "Tailscale connected successfully." + log "Tailscale connected: $TS_COMMAND" + fi + + # --- Configure Additional Flags --- + if confirm "Configure additional Tailscale options (SSH, exit node, DNS, routes)?"; then + local TS_FLAGS="" + if confirm "Enable Tailscale SSH (--ssh)?"; then + TS_FLAGS="$TS_FLAGS --ssh" + fi + if confirm "Advertise as an exit node (--advertise-exit-node)?"; then + TS_FLAGS="$TS_FLAGS --advertise-exit-node" + fi + if confirm "Accept Tailscale DNS settings (--accept-dns)?"; then + TS_FLAGS="$TS_FLAGS --accept-dns" + fi + if confirm "Accept advertised routes (--accept-routes)?"; then + TS_FLAGS="$TS_FLAGS --accept-routes" + fi + if [[ -n "$TS_FLAGS" ]]; then + TS_COMMAND="tailscale up" + if [[ "$TS_CONNECTION" == "2" ]]; then + TS_COMMAND="$TS_COMMAND --login-server=$LOGIN_SERVER" + fi + TS_COMMAND="$TS_COMMAND --auth-key=$AUTH_KEY --operator=$USERNAME $TS_FLAGS" + print_info "Reconfiguring Tailscale with additional options: $TS_COMMAND" + if ! $TS_COMMAND; then + print_warning "Failed to reconfigure Tailscale with additional options." + print_info "Please run the following command manually after resolving the issue:" + echo -e "${CYAN} $TS_COMMAND${NC}" + log "Tailscale reconfiguration failed: $TS_COMMAND" + else + print_success "Tailscale reconfigured with additional options." + log "Tailscale reconfigured: $TS_COMMAND" + fi + else + print_info "No additional Tailscale options selected." + log "No additional Tailscale options applied." + fi + fi + print_success "Tailscale setup complete." + print_info "Verify status: tailscale status" + log "Tailscale setup completed." } setup_backup() { @@ -1409,11 +1500,20 @@ generate_summary() { print_error "Service docker is NOT active." fi fi + local TS_COMMAND="" if command -v tailscale >/dev/null 2>&1; then - if systemctl is-active --quiet tailscaled; then - print_success "Service tailscaled is active." + if systemctl is-active --quiet tailscaled && tailscale status >/dev/null 2>&1; then + print_success "Service tailscaled is active and connected." + local TS_SERVER=$(tailscale status --json 2>/dev/null | grep -o '"ControlURL":"[^"]*"' | cut -d'"' -f4 || echo "Unknown") + local TS_FLAGS=$(tailscale status --json 2>/dev/null | grep -o '"CurrentTailnet":{"MagicDNSSuffix":"[^"]*","Capabilities":\[[^]]*]}' | grep -o '"ssh":true\|"advertise-exit-node":true\|"accept-dns":true\|"accept-routes":true' | tr '\n' ',' | sed 's/,$//' | sed 's/"//g' | sed 's/:true//g' || echo "None") + TS_FLAGS=${TS_FLAGS:-None} else - print_error "Service tailscaled is NOT active." + print_error "Service tailscaled is NOT active or not connected." + local TS_SERVER="Not connected" + local TS_FLAGS="None" + # Check log for last attempted command + TS_COMMAND=$(grep "Tailscale connection failed: tailscale up" "$LOG_FILE" | tail -1 | sed 's/.*Tailscale connection failed: //') + TS_COMMAND=${TS_COMMAND:-"tailscale up --operator=$USERNAME"} fi fi echo -e "\n${GREEN}Server setup and hardening script has finished successfully.${NC}\n" @@ -1443,6 +1543,13 @@ generate_summary() { else echo -e " Remote Backup: ${RED}Not configured${NC}" fi + if command -v tailscale >/dev/null 2>&1; then + echo -e " Tailscale: ${GREEN}Enabled${NC}" + printf " %-16s%s\n" "- Server:" "$TS_SERVER" + printf " %-16s%s\n" "- Flags:" "$TS_FLAGS" + else + echo -e " Tailscale: ${RED}Not configured${NC}" + fi echo printf "${PURPLE}%-16s%s${NC}\n" "Log File:" "$LOG_FILE" printf "${PURPLE}%-16s%s${NC}\n" "Backups:" "$BACKUP_DIR" @@ -1459,6 +1566,9 @@ generate_summary() { fi if command -v tailscale >/dev/null 2>&1; then printf " %-20s${CYAN}%s${NC}\n" "- Tailscale status:" "tailscale status" + if [[ "$TS_SERVER" == "Not connected" && -n "$TS_COMMAND" ]]; then + printf " %-20s${CYAN}%s${NC}\n" "- Tailscale connect:" "$TS_COMMAND" + fi fi if [[ -f /root/run_backup.sh ]]; then echo -e " Remote Backup:" @@ -1468,10 +1578,13 @@ generate_summary() { printf " %-18s${CYAN}%s${NC}\n" "- Check logs:" "sudo less /var/log/backup_rsync.log" fi print_warning "\nACTION REQUIRED: If remote backup is enabled, ensure the root SSH key is copied to the destination server." + if [[ -n "$TS_COMMAND" ]]; then + print_warning "ACTION REQUIRED: Tailscale connection failed. Run the command above to connect manually." + fi print_warning "A reboot is required to apply all changes cleanly." if [[ $VERBOSE == true ]]; then if confirm "Reboot now?" "y"; then - print_info "Rebooting ..." + print_info "Rebooting now..." sleep 3 reboot else From 272329eec476d8f208400a525b6ff547d0c492ab Mon Sep 17 00:00:00 2001 From: Ali Date: Sat, 28 Jun 2025 22:44:03 +0100 Subject: [PATCH 2/6] more options for tailscale config --- setup_harden_debian_ubuntu.sh | 54 ++++++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 14 deletions(-) diff --git a/setup_harden_debian_ubuntu.sh b/setup_harden_debian_ubuntu.sh index 7999249..86c48a5 100644 --- a/setup_harden_debian_ubuntu.sh +++ b/setup_harden_debian_ubuntu.sh @@ -1,7 +1,7 @@ #!/bin/bash # Debian 12 and Ubuntu Server Hardening Interactive Script -# Version: 4.1 | 2025-06-28 +# Version: 4.2 | 2025-06-28 # Changelog: # - v4.0: Added automated backup config. Mainly for Hetzner Storage Box but can be used for any rsync/SSH enabled remote solution. # - v3.*: Improvements to script flow and fixed bugs which were found in tests at Oracle Cloud @@ -82,7 +82,7 @@ print_header() { echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" - echo -e "${CYAN}║ v4.1 | 2025-06-28 ║${NC}" + echo -e "${CYAN}║ v4.2 | 2025-06-28 ║${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" echo @@ -977,23 +977,38 @@ install_tailscale() { echo -e "${CYAN} $TS_COMMAND${NC}" log "Tailscale connection failed: $TS_COMMAND" else - print_success "Tailscale connected successfully." - log "Tailscale connected: $TS_COMMAND" + # Verify connection status + if tailscale status --json 2>/dev/null | grep -q '"Online":true.*"Active":true'; then + print_success "Tailscale connected successfully." + log "Tailscale connected: $TS_COMMAND" + else + print_warning "Tailscale connection attempt succeeded, but node is not online or active." + print_info "Please verify with 'tailscale status' and run the following command manually if needed:" + echo -e "${CYAN} $TS_COMMAND${NC}" + log "Tailscale connection not verified: $TS_COMMAND" + fi fi # --- Configure Additional Flags --- - if confirm "Configure additional Tailscale options (SSH, exit node, DNS, routes)?"; then - local TS_FLAGS="" - if confirm "Enable Tailscale SSH (--ssh)?"; then + print_info "Select additional Tailscale options to configure (comma-separated, e.g., 1,3):" + echo -e "${CYAN} 1) SSH (--ssh) - WARNING: May restrict server access to Tailscale connections only${NC}" + echo -e "${CYAN} 2) Advertise as Exit Node (--advertise-exit-node)${NC}" + echo -e "${CYAN} 3) Accept DNS (--accept-dns)${NC}" + echo -e "${CYAN} 4) Accept Routes (--accept-routes)${NC}" + echo -e "${CYAN} Enter numbers (1-4) or leave blank to skip:${NC}" + read -rp " " TS_FLAG_CHOICES + local TS_FLAGS="" + if [[ -n "$TS_FLAG_CHOICES" ]]; then + if echo "$TS_FLAG_CHOICES" | grep -q "1"; then TS_FLAGS="$TS_FLAGS --ssh" fi - if confirm "Advertise as an exit node (--advertise-exit-node)?"; then + if echo "$TS_FLAG_CHOICES" | grep -q "2"; then TS_FLAGS="$TS_FLAGS --advertise-exit-node" fi - if confirm "Accept Tailscale DNS settings (--accept-dns)?"; then + if echo "$TS_FLAG_CHOICES" | grep -q "3"; then TS_FLAGS="$TS_FLAGS --accept-dns" fi - if confirm "Accept advertised routes (--accept-routes)?"; then + if echo "$TS_FLAG_CHOICES" | grep -q "4"; then TS_FLAGS="$TS_FLAGS --accept-routes" fi if [[ -n "$TS_FLAGS" ]]; then @@ -1009,13 +1024,24 @@ install_tailscale() { echo -e "${CYAN} $TS_COMMAND${NC}" log "Tailscale reconfiguration failed: $TS_COMMAND" else - print_success "Tailscale reconfigured with additional options." - log "Tailscale reconfigured: $TS_COMMAND" + # Verify reconfiguration status + if tailscale status --json 2>/dev/null | grep -q '"Online":true.*"Active":true'; then + print_success "Tailscale reconfigured with additional options." + log "Tailscale reconfigured: $TS_COMMAND" + else + print_warning "Tailscale reconfiguration attempt succeeded, but node is not online or active." + print_info "Please verify with 'tailscale status' and run the following command manually if needed:" + echo -e "${CYAN} $TS_COMMAND${NC}" + log "Tailscale reconfiguration not verified: $TS_COMMAND" + fi fi else - print_info "No additional Tailscale options selected." - log "No additional Tailscale options applied." + print_info "No valid Tailscale options selected." + log "No valid Tailscale options selected." fi + else + print_info "No additional Tailscale options selected." + log "No additional Tailscale options applied." fi print_success "Tailscale setup complete." print_info "Verify status: tailscale status" From 2c3194ae749274961ed480e0b604594f827e4a66 Mon Sep 17 00:00:00 2001 From: Ali Date: Sat, 28 Jun 2025 23:12:54 +0100 Subject: [PATCH 3/6] updated tailscale function --- setup_harden_debian_ubuntu.sh | 57 +++++++++++++++++++++++++++-------- 1 file changed, 44 insertions(+), 13 deletions(-) diff --git a/setup_harden_debian_ubuntu.sh b/setup_harden_debian_ubuntu.sh index 86c48a5..0ff12f3 100644 --- a/setup_harden_debian_ubuntu.sh +++ b/setup_harden_debian_ubuntu.sh @@ -1,8 +1,9 @@ #!/bin/bash # Debian 12 and Ubuntu Server Hardening Interactive Script -# Version: 4.2 | 2025-06-28 +# Version: 4.1-rc | 2025-06-28 # Changelog: +# - v4.1: Added tailscale config to connect to tailscale or headscale server # - v4.0: Added automated backup config. Mainly for Hetzner Storage Box but can be used for any rsync/SSH enabled remote solution. # - v3.*: Improvements to script flow and fixed bugs which were found in tests at Oracle Cloud # @@ -82,7 +83,7 @@ print_header() { echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" - echo -e "${CYAN}║ v4.2 | 2025-06-28 ║${NC}" + echo -e "${CYAN}║ v4.1-rc | 2025-06-28 ║${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" echo @@ -977,15 +978,31 @@ install_tailscale() { echo -e "${CYAN} $TS_COMMAND${NC}" log "Tailscale connection failed: $TS_COMMAND" else - # Verify connection status - if tailscale status --json 2>/dev/null | grep -q '"Online":true.*"Active":true'; then + # Verify connection status with retries + local RETRIES=3 + local DELAY=5 + local CONNECTED=false + for ((i=1; i<=RETRIES; i++)); do + if tailscale status --json 2>/dev/null | grep -q '"Self":.*"Online":true'; then + CONNECTED=true + break + fi + print_info "Waiting for Tailscale to connect ($i/$RETRIES)..." + sleep $DELAY + done + if $CONNECTED; then print_success "Tailscale connected successfully." log "Tailscale connected: $TS_COMMAND" + # Store connection details for summary + echo "$LOGIN_SERVER" > /tmp/tailscale_server + echo "None" > /tmp/tailscale_flags else - print_warning "Tailscale connection attempt succeeded, but node is not online or active." + print_warning "Tailscale connection attempt succeeded, but node is not online." print_info "Please verify with 'tailscale status' and run the following command manually if needed:" echo -e "${CYAN} $TS_COMMAND${NC}" log "Tailscale connection not verified: $TS_COMMAND" + tailscale status --json > /tmp/tailscale_status.json 2>&1 + log "Tailscale status JSON saved to /tmp/tailscale_status.json for debugging" fi fi @@ -1024,15 +1041,30 @@ install_tailscale() { echo -e "${CYAN} $TS_COMMAND${NC}" log "Tailscale reconfiguration failed: $TS_COMMAND" else - # Verify reconfiguration status - if tailscale status --json 2>/dev/null | grep -q '"Online":true.*"Active":true'; then + # Verify reconfiguration status with retries + local RETRIES=3 + local DELAY=5 + local CONNECTED=false + for ((i=1; i<=RETRIES; i++)); do + if tailscale status --json 2>/dev/null | grep -q '"Self":.*"Online":true'; then + CONNECTED=true + break + fi + print_info "Waiting for Tailscale to connect ($i/$RETRIES)..." + sleep $DELAY + done + if $CONNECTED; then print_success "Tailscale reconfigured with additional options." log "Tailscale reconfigured: $TS_COMMAND" + # Store flags for summary + echo "${TS_FLAGS// --/}" > /tmp/tailscale_flags else - print_warning "Tailscale reconfiguration attempt succeeded, but node is not online or active." + print_warning "Tailscale reconfiguration attempt succeeded, but node is not online." print_info "Please verify with 'tailscale status' and run the following command manually if needed:" echo -e "${CYAN} $TS_COMMAND${NC}" log "Tailscale reconfiguration not verified: $TS_COMMAND" + tailscale status --json > /tmp/tailscale_status.json 2>&1 + log "Tailscale status JSON saved to /tmp/tailscale_status.json for debugging" fi fi else @@ -1530,14 +1562,13 @@ generate_summary() { if command -v tailscale >/dev/null 2>&1; then if systemctl is-active --quiet tailscaled && tailscale status >/dev/null 2>&1; then print_success "Service tailscaled is active and connected." - local TS_SERVER=$(tailscale status --json 2>/dev/null | grep -o '"ControlURL":"[^"]*"' | cut -d'"' -f4 || echo "Unknown") - local TS_FLAGS=$(tailscale status --json 2>/dev/null | grep -o '"CurrentTailnet":{"MagicDNSSuffix":"[^"]*","Capabilities":\[[^]]*]}' | grep -o '"ssh":true\|"advertise-exit-node":true\|"accept-dns":true\|"accept-routes":true' | tr '\n' ',' | sed 's/,$//' | sed 's/"//g' | sed 's/:true//g' || echo "None") - TS_FLAGS=${TS_FLAGS:-None} + local TS_SERVER=$(cat /tmp/tailscale_server 2>/dev/null || tailscale status --json 2>/dev/null | grep -o '"ControlURL":"[^"]*"' | cut -d'"' -f4 || echo "Unknown") + local TS_FLAGS=$(cat /tmp/tailscale_flags 2>/dev/null || echo "None") + TS_SERVER=${TS_SERVER:-"https://controlplane.tailscale.com"} else print_error "Service tailscaled is NOT active or not connected." local TS_SERVER="Not connected" local TS_FLAGS="None" - # Check log for last attempted command TS_COMMAND=$(grep "Tailscale connection failed: tailscale up" "$LOG_FILE" | tail -1 | sed 's/.*Tailscale connection failed: //') TS_COMMAND=${TS_COMMAND:-"tailscale up --operator=$USERNAME"} fi @@ -1610,7 +1641,7 @@ generate_summary() { print_warning "A reboot is required to apply all changes cleanly." if [[ $VERBOSE == true ]]; then if confirm "Reboot now?" "y"; then - print_info "Rebooting now..." + print_info "Rebooting, bye!..." sleep 3 reboot else From fb6baf278e932e8b28497348c5dd0bd7602ca4dd Mon Sep 17 00:00:00 2001 From: Ali Date: Sat, 28 Jun 2025 23:50:46 +0100 Subject: [PATCH 4/6] tailscale status fix --- setup_harden_debian_ubuntu.sh | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/setup_harden_debian_ubuntu.sh b/setup_harden_debian_ubuntu.sh index 0ff12f3..7726eeb 100644 --- a/setup_harden_debian_ubuntu.sh +++ b/setup_harden_debian_ubuntu.sh @@ -1,7 +1,7 @@ #!/bin/bash # Debian 12 and Ubuntu Server Hardening Interactive Script -# Version: 4.1-rc | 2025-06-28 +# Version: 4.1-rc2 | 2025-06-29 # Changelog: # - v4.1: Added tailscale config to connect to tailscale or headscale server # - v4.0: Added automated backup config. Mainly for Hetzner Storage Box but can be used for any rsync/SSH enabled remote solution. @@ -83,7 +83,7 @@ print_header() { echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" - echo -e "${CYAN}║ v4.1-rc | 2025-06-28 ║${NC}" + echo -e "${CYAN}║ v4.1-rc2 | 2025-06-29 ║${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" echo @@ -939,8 +939,8 @@ install_tailscale() { fi # --- Configure Tailscale Connection --- - if systemctl is-active --quiet tailscaled && tailscale status >/dev/null 2>&1; then - print_info "Tailscale is already connected." + if systemctl is-active --quiet tailscaled && tailscale status >/dev/null 2>&1 && tailscale status | grep -q "^[^ ]* \+${SERVER_NAME} \+"; then + print_info "Tailscale is already connected (hostname: $SERVER_NAME)." return 0 fi print_info "Configuring Tailscale connection..." @@ -983,7 +983,7 @@ install_tailscale() { local DELAY=5 local CONNECTED=false for ((i=1; i<=RETRIES; i++)); do - if tailscale status --json 2>/dev/null | grep -q '"Self":.*"Online":true'; then + if tailscale status 2>/dev/null | grep -q "^[^ ]* \+${SERVER_NAME} \+.*[^offline]$"; then CONNECTED=true break fi @@ -991,18 +991,18 @@ install_tailscale() { sleep $DELAY done if $CONNECTED; then - print_success "Tailscale connected successfully." + print_success "Tailscale connected successfully (hostname: $SERVER_NAME)." log "Tailscale connected: $TS_COMMAND" # Store connection details for summary - echo "$LOGIN_SERVER" > /tmp/tailscale_server + echo "${LOGIN_SERVER:-https://controlplane.tailscale.com}" > /tmp/tailscale_server echo "None" > /tmp/tailscale_flags else - print_warning "Tailscale connection attempt succeeded, but node is not online." + print_warning "Tailscale connection attempt succeeded, but hostname ($SERVER_NAME) not found in 'tailscale status'." print_info "Please verify with 'tailscale status' and run the following command manually if needed:" echo -e "${CYAN} $TS_COMMAND${NC}" log "Tailscale connection not verified: $TS_COMMAND" - tailscale status --json > /tmp/tailscale_status.json 2>&1 - log "Tailscale status JSON saved to /tmp/tailscale_status.json for debugging" + tailscale status > /tmp/tailscale_status.txt 2>&1 + log "Tailscale status output saved to /tmp/tailscale_status.txt for debugging" fi fi @@ -1046,7 +1046,7 @@ install_tailscale() { local DELAY=5 local CONNECTED=false for ((i=1; i<=RETRIES; i++)); do - if tailscale status --json 2>/dev/null | grep -q '"Self":.*"Online":true'; then + if tailscale status 2>/dev/null | grep -q "^[^ ]* \+${SERVER_NAME} \+.*[^offline]$"; then CONNECTED=true break fi @@ -1059,12 +1059,12 @@ install_tailscale() { # Store flags for summary echo "${TS_FLAGS// --/}" > /tmp/tailscale_flags else - print_warning "Tailscale reconfiguration attempt succeeded, but node is not online." + print_warning "Tailscale reconfiguration attempt succeeded, but hostname ($SERVER_NAME) not found in 'tailscale status'." print_info "Please verify with 'tailscale status' and run the following command manually if needed:" echo -e "${CYAN} $TS_COMMAND${NC}" log "Tailscale reconfiguration not verified: $TS_COMMAND" - tailscale status --json > /tmp/tailscale_status.json 2>&1 - log "Tailscale status JSON saved to /tmp/tailscale_status.json for debugging" + tailscale status > /tmp/tailscale_status.txt 2>&1 + log "Tailscale status output saved to /tmp/tailscale_status.txt for debugging" fi fi else @@ -1560,11 +1560,10 @@ generate_summary() { fi local TS_COMMAND="" if command -v tailscale >/dev/null 2>&1; then - if systemctl is-active --quiet tailscaled && tailscale status >/dev/null 2>&1; then + if systemctl is-active --quiet tailscaled && tailscale status >/dev/null 2>&1 && tailscale status | grep -q "^[^ ]* \+${SERVER_NAME} \+.*[^offline]$"; then print_success "Service tailscaled is active and connected." - local TS_SERVER=$(cat /tmp/tailscale_server 2>/dev/null || tailscale status --json 2>/dev/null | grep -o '"ControlURL":"[^"]*"' | cut -d'"' -f4 || echo "Unknown") + local TS_SERVER=$(cat /tmp/tailscale_server 2>/dev/null || echo "https://controlplane.tailscale.com") local TS_FLAGS=$(cat /tmp/tailscale_flags 2>/dev/null || echo "None") - TS_SERVER=${TS_SERVER:-"https://controlplane.tailscale.com"} else print_error "Service tailscaled is NOT active or not connected." local TS_SERVER="Not connected" From a2d14d64a997e684b97dfec383b35f70196f37ac Mon Sep 17 00:00:00 2001 From: Ali Date: Sun, 29 Jun 2025 00:04:29 +0100 Subject: [PATCH 5/6] version bump after successful tests --- setup_harden_debian_ubuntu.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup_harden_debian_ubuntu.sh b/setup_harden_debian_ubuntu.sh index 7726eeb..ee2fbc9 100644 --- a/setup_harden_debian_ubuntu.sh +++ b/setup_harden_debian_ubuntu.sh @@ -1,7 +1,7 @@ #!/bin/bash # Debian 12 and Ubuntu Server Hardening Interactive Script -# Version: 4.1-rc2 | 2025-06-29 +# Version: 4.1 | 2025-06-29 # Changelog: # - v4.1: Added tailscale config to connect to tailscale or headscale server # - v4.0: Added automated backup config. Mainly for Hetzner Storage Box but can be used for any rsync/SSH enabled remote solution. @@ -83,7 +83,7 @@ print_header() { echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" - echo -e "${CYAN}║ v4.1-rc2 | 2025-06-29 ║${NC}" + echo -e "${CYAN}║ v4.1 | 2025-06-29 ║${NC}" echo -e "${CYAN}║ ║${NC}" echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" echo From bdea8313e232cef249c84dbb93f73edb8a6a9ab9 Mon Sep 17 00:00:00 2001 From: Ali Date: Sun, 29 Jun 2025 00:05:00 +0100 Subject: [PATCH 6/6] version bump after successful tests --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 83225b7..7272fca 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ **Version:** 4.1 -**Last Updated:** 2025-06-28 +**Last Updated:** 2025-06-29 **Compatible With:**