The script below will help you install and set up the ufw firewall and Fail2Ban. As far as your machine goes, it sounds like it is getting overloaded, but overload by itself shouldn't make it crash. A crash is possible, but more likely your server is struggling with too many connection requests. Keep in mind what each tool actually does: ufw drops traffic to every port you do not explicitly open, and Fail2Ban bans addresses that repeatedly fail SSH logins; neither of them throttles legitimate-looking connection floods to the relay ports themselves, so if the load is Tor traffic rather than SSH brute-forcing you will also need to tune the relay's own limits. Let me know how it works.
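#!/bin/bash
## Interactive hardening helper for a Tor relay host: installs ufw, fail2ban
## and rsyslog, opens only the ports asked for, pins the SSH port and the
## root-login policy, and points fail2ban's sshd jail at that port.
## Must run as root; every question is answered on stdin.
set -Eeuo pipefail

## Everything below edits /etc and restarts services, so stop early -- with a
## failing status a wrapper can notice -- when not root.
if (( EUID != 0 )); then
  echo "Try Running As Root!" >&2
  exit 1
fi

echo "Updating system and installing necessary packages..."
## Update the system and install the packages the rest of the script relies on.
## apt-get rather than apt: apt itself warns that its CLI is not stable for
## use in scripts.
apt-get update
apt-get upgrade -y
apt-get install -y ufw fail2ban rsyslog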
##Prompt for necessary variables with default values
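get_input_with_default() {
  ## Prints the answer read from stdin for "$1", or "$2" when the answer is
  ## empty or stdin is exhausted (non-interactive run).
  ## Arguments: $1 prompt text, $2 default value.
  ## Outputs: the chosen value followed by a newline on stdout; the prompt
  ## itself goes to stderr and only when stdin is a terminal.
  local prompt=$1
  local default=$2
  local input=""
  ## -r keeps backslashes in the answer literal (without it "a\b" becomes "ab").
  ## On EOF read fails; swallow that so the default is still returned.
  read -r -p "$prompt [$default]: " input || true
  printf '%s\n' "${input:-$default}"
}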
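## Prompt for the ports. Each answer is spliced into ufw rules, sshd_config and
## the fail2ban jail below, so accept nothing but a plain port number here.
require_port() {
  ## $1 label for the error message, $2 value to check, $3 lowest allowed
  ## value (default 1; pass 0 where 0 means "disabled"). Exits on bad input.
  local label=$1 value=$2 min=${3:-1}
  ## 10# forces decimal so a leading zero is not read as octal by (( )).
  if [[ ! "$value" =~ ^[0-9]{1,5}$ ]] || (( 10#$value < min || 10#$value > 65535 )); then
    printf 'Invalid %s "%s": expected a number from %s to 65535.\n' "$label" "$value" "$min" >&2
    exit 1
  fi
}
SSHPORT=$(get_input_with_default "Enter SSH Port" "22")
require_port "SSH Port" "$SSHPORT"
## ControlPort is asked for but no later step of this script opens it -- keep
## it that way: an exposed Tor control port lets anyone reconfigure the relay.
ControlPort=$(get_input_with_default "Enter Control Port" "9051")
require_port "Control Port" "$ControlPort"
ORPort=$(get_input_with_default "Enter OR Port" "9001")
require_port "OR Port" "$ORPort"
DirPort=$(get_input_with_default "Enter Directory Port" "9030")
require_port "Directory Port" "$DirPort"
## 0 leaves Tor's SOCKS listener disabled and is the only value that opens nothing.
SocksPort=$(get_input_with_default "Enter Tor SOCKS Port" "0")
require_port "Tor SOCKS Port" "$SocksPort" 0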
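echo "Setting up and enabling firewall..."
## Set up and enable UFW: default-deny inbound, then open only the ports asked
## for above. The SSH rule is added before "ufw enable" so the session running
## this script is not cut off when default-deny takes effect.
ufw default deny incoming
ufw default allow outgoing
## If the overload is SSH connection floods rather than Tor traffic,
## "ufw limit" (rate-limits new connections per source) is a drop-in
## replacement for this "allow"; left as "allow" to keep the original policy.
ufw allow "${SSHPORT}/tcp"
ufw allow "${ORPort}/tcp"
ufw allow "${DirPort}/tcp"
## SocksPort 0 means "no SOCKS listener", so nothing is opened. Any other value
## exposes a SOCKS proxy to everyone who can reach the port; only do that if
## torrc binds it to a trusted address or SocksPolicy restricts the clients.
if [[ "$SocksPort" != "0" ]]; then
  ufw allow "${SocksPort}/tcp"
fi
## ControlPort is deliberately absent from the rules above: Tor's control port
## must stay reachable from localhost only.
ufw enable
echo "We now need to set up the SSHD and its fail2ban jail..."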
##Function to configure root login and SSH port for SSHD
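configure_sshd_settings() {
  ## Rewrites Port and PermitRootLogin in sshd_config and restarts sshd.
  ## Globals: reads SSHPORT (the port chosen earlier).
  ## Asks on stdin whether root may log in over SSH; anything but yes/y is "no".
  ## Returns non-zero, with the backup restored and sshd NOT restarted, if the
  ## new file fails "sshd -t" -- a typo here must not lock the next login out.
  local sshd_config="/etc/ssh/sshd_config"
  local temp_file backup allow_root_ssh permit_root_login
  temp_file=$(mktemp) || return 1
  backup="${sshd_config}.bak.$(date +%Y%m%d%H%M%S)"

  echo "Do you want to allow root to SSH? [yes/no]"
  read -r allow_root_ssh || allow_root_ssh=""
  case "$allow_root_ssh" in
    yes|YES|y|Y) permit_root_login="yes" ;;
    no|NO|n|N)   permit_root_login="no" ;;
    *) echo "Invalid input. Defaulting to 'no'."; permit_root_login="no" ;;
  esac

  ## Keep the original so a bad edit can be rolled back by hand.
  cp -a -- "$sshd_config" "$backup"
  ## Replace the directives wherever they appear (commented out or live) and
  ## append any that were missing -- before the first Match block, since Port
  ## is only valid at global scope. A trailing blank is required so a longer
  ## option name that merely starts with "Port" is not touched. Values go in
  ## via -v, never by splicing shell text into the awk program.
  ## NOTE(review): recent Debian/Ubuntu Include /etc/ssh/sshd_config.d/*.conf
  ## first and sshd keeps the FIRST value it sees, so a drop-in that sets these
  ## options would still win over this edit -- confirm on the target host.
  awk -v permit_root_login="$permit_root_login" -v ssh_port="$SSHPORT" '
    function emit_missing() {
      if (!seen_port) { print "Port " ssh_port; seen_port = 1 }
      if (!seen_prl)  { print "PermitRootLogin " permit_root_login; seen_prl = 1 }
    }
    /^[ \t]*Match[ \t]/          { emit_missing() }
    /^#?Port[ \t]/               { print "Port " ssh_port; seen_port = 1; next }
    /^#?PermitRootLogin[ \t]/    { print "PermitRootLogin " permit_root_login; seen_prl = 1; next }
    { print }
    END { emit_missing() }
  ' "$sshd_config" > "$temp_file" || { rm -f -- "$temp_file"; return 1; }
  ## Write back through the existing file so its owner and mode are kept
  ## (mv-ing the 0600 mktemp file into place would change both).
  cat -- "$temp_file" > "$sshd_config"
  rm -f -- "$temp_file"

  if ! sshd -t -f "$sshd_config"; then
    echo "New sshd_config failed validation; restoring $backup and NOT restarting sshd." >&2
    cp -a -- "$backup" "$sshd_config"
    return 1
  fi
  ## NOTE(review): on releases where sshd is socket-activated (ssh.socket) the
  ## Port change also needs the socket unit updated -- confirm before relying
  ## on the new port.
  systemctl restart sshd
}
## Run the function to configure SSHD settings
configure_sshd_settings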
##Function to configure sshd in jail.conf with defaults
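configure_sshd_in_jail_conf() {
  ## Configures fail2ban's [sshd] jail in jail.conf: enables it, sets the
  ## retry/ban windows asked for on stdin, and points "port" at the SSH port
  ## chosen earlier -- fail2ban's stock jail uses port 22, so bans would
  ## otherwise leave a non-default SSH port reachable.
  ## Globals: reads SSHPORT. Returns non-zero if the rewrite fails.
  ## NOTE(review): upstream recommends jail.local / jail.d/*.local over editing
  ## jail.conf, which a package upgrade may replace; this keeps the script's
  ## original flow (jail.conf is mirrored to jail.local further down).
  local jail_conf_path="/etc/fail2ban/jail.conf"
  local temp_file ignoreip maxretry findtime bantime
  temp_file=$(mktemp) || return 1
  ignoreip=$(get_input_with_default "Enter ignoreip" "127.0.0.1")
  maxretry=$(get_input_with_default "Enter maxretry" "5")
  findtime=$(get_input_with_default "Enter findtime (e.g., 1w)" "1w")
  bantime=$(get_input_with_default "Enter bantime (e.g., 52w)" "52w")
  ## Within the [sshd] section, overwrite keys that already exist and append
  ## the rest just before the next section (or EOF). Merely inserting lines
  ## under the header is not enough: the stock "port = ssh" a few lines down
  ## would duplicate an inserted "port", and a duplicated key is either
  ## rejected or resolved last-wins by the INI parser -- never first-wins.
  awk -v enabled="true" -v port="$SSHPORT" -v maxretry="$maxretry" \
      -v findtime="$findtime" -v bantime="$bantime" -v ignoreip="$ignoreip" '
    BEGIN {
      n = split("enabled port maxretry findtime bantime ignoreip", keys, " ")
      val["enabled"] = enabled;   val["port"] = port
      val["maxretry"] = maxretry; val["findtime"] = findtime
      val["bantime"] = bantime;   val["ignoreip"] = ignoreip
    }
    function finish_section(   i) {
      if (!in_sshd) return
      for (i = 1; i <= n; i++) if (!seen[keys[i]]) print keys[i] " = " val[keys[i]]
      in_sshd = 0
    }
    /^\[/                 { finish_section() }
    /^\[sshd\][ \t]*$/    { in_sshd = 1; print; next }
    in_sshd && /^[ \t]*(enabled|port|maxretry|findtime|bantime|ignoreip)[ \t]*=/ {
      key = $0
      sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
      print key " = " val[key]; seen[key] = 1; next
    }
    { print }
    END { finish_section() }
  ' "$jail_conf_path" > "$temp_file" || { rm -f -- "$temp_file"; return 1; }
  ## Write through the existing file so its owner and mode are preserved.
  cat -- "$temp_file" > "$jail_conf_path"
  rm -f -- "$temp_file"
}
## Configure sshd in jail.conf with defaults
configure_sshd_in_jail_conf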
##Function to configure fail2ban settings
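configure_fail2ban_settings() {
  ## Sets allowipv6 and dbpurgeage in fail2ban.conf from answers on stdin.
  ## Returns non-zero if the rewrite fails.
  ## allowipv6: whether fail2ban's IPv6 handling is used ("auto" lets it
  ## decide). dbpurgeage: how long ban records are kept in the database; keep
  ## it at least as long as the longest jail bantime, otherwise a ban can be
  ## purged -- and so not restored after a restart -- before it has expired.
  ## NOTE(review): an option whose (commented) line is absent from the
  ## installed fail2ban.conf -- older releases lack allowipv6 -- is left unset.
  local fail2ban_config="/etc/fail2ban/fail2ban.conf"
  local temp_file allowipv6 dbpurgeage
  temp_file=$(mktemp) || return 1
  echo "Do you want fail2ban to allow IPv6? [yes/no/auto]"
  read -r allowipv6 || allowipv6=""
  case "$allowipv6" in
    yes|YES|y|Y)   allowipv6="yes" ;;
    no|NO|n|N)     allowipv6="no" ;;
    auto|AUTO|a|A) allowipv6="auto" ;;
    *) echo "Invalid input. Defaulting to 'auto'."; allowipv6="auto" ;;
  esac
  dbpurgeage=$(get_input_with_default "Enter dbpurgeage" "1000d")
  ## Replace the live or commented-out line for each option; the trailing
  ## "[ \t]*=" stops a longer option name with the same prefix from matching.
  awk -v allowipv6="$allowipv6" -v dbpurgeage="$dbpurgeage" '
    /^#?allowipv6[ \t]*=/  { print "allowipv6 = " allowipv6; next }
    /^#?dbpurgeage[ \t]*=/ { print "dbpurgeage = " dbpurgeage; next }
    { print }
  ' "$fail2ban_config" > "$temp_file" || { rm -f -- "$temp_file"; return 1; }
  ## Write through the existing file so its owner and mode are preserved
  ## (mv-ing the 0600 mktemp file into place would change both).
  cat -- "$temp_file" > "$fail2ban_config"
  rm -f -- "$temp_file"
}
## Call the function
configure_fail2ban_settings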
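## Mirror the edited .conf files into the .local files fail2ban reads last.
## NOTE(review): fail2ban already honours the edited .conf files, and a
## whole-file .local copy shadows every future packaged default; this is kept
## only to preserve the original flow. Any .local the admin already had would
## be silently overwritten, so keep a dated backup of it first.
for f2b_name in fail2ban jail; do
  if [[ -e "/etc/fail2ban/${f2b_name}.local" ]]; then
    cp -a -- "/etc/fail2ban/${f2b_name}.local" \
      "/etc/fail2ban/${f2b_name}.local.bak.$(date +%Y%m%d%H%M%S)"
  fi
  cp -- "/etc/fail2ban/${f2b_name}.conf" "/etc/fail2ban/${f2b_name}.local"
done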
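echo "Starting system services..."
## rsyslog -- presumably installed so /var/log/auth.log exists for the sshd
## jail on hosts that otherwise log only to journald; TODO confirm the jail's
## logpath/backend on the target release.
systemctl enable --now rsyslog
## fail2ban is already running right after "apt install" on Debian/Ubuntu, so
## a plain "start" is a no-op and the edited config would never be loaded.
## Test the config first: a broken one leaves the host with no bans at all.
systemctl enable fail2ban
if fail2ban-client -t; then
  systemctl restart fail2ban
else
  echo "fail2ban configuration failed 'fail2ban-client -t'; not restarting it." >&2
  exit 1
fi
## Nothing above edits torrc, so this only makes a running Tor re-read its
## existing config; skip it when Tor is not installed instead of failing.
if systemctl cat tor.service >/dev/null 2>&1; then
  systemctl restart tor
else
  echo "tor.service not found; skipping Tor restart." >&2
fi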