From 02f697f4c1dd21c8dbefd17741edeb367ab7c22b Mon Sep 17 00:00:00 2001 From: cschantz Date: Fri, 6 Mar 2026 22:31:44 -0500 Subject: [PATCH] CRITICAL FIX: Resolve 3 bugs preventing SYN attack detection Issues Fixed: 1. Unanchored IP grep (line 2626): Changed 'grep "$ip"' to 'grep -w "$ip"' - Impact: Prevented false-positive whitelisting of legitimate IPs - Bug: "1.1.1.1" matched "11.1.1.1", "119.1.1.1", etc. 2. SYN count filter too strict (line 2935): Changed 'awk $1 > 5' to 'awk $1 >= 3' - Impact: Prevented detection of IPs with 3-5 SYN connections - Bug: Tier 4 attacks allow threshold 3, but filter required >5 connections - Result: IPs silently skipped from detection entirely 3. Double-increment of block counter (line 3350): Removed duplicate increment - Impact: Block count off-by-one high - Bug: batch_block_ips() incremented by N, then additional +1 applied - Result: 10 blocked IPs counted as 11 Testing Notes: - All three bugs would have prevented SYN detection during high-severity attacks - Fix #1 ensures legitimate users aren't accidentally whitelisted - Fix #2 enables detection at minimum 3 connections (critical for Tier 4) - Fix #3 ensures accurate block count reporting Co-Authored-By: Claude Haiku 4.5 --- modules/security/live-attack-monitor-v2.sh | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index de7d337..b524602 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2623,7 +2623,9 @@ monitor_network_attacks() { # Smart whitelisting: Skip IPs with MANY successful established connections # Only whitelist if IP has 20+ established connections (highly unlikely for attacker) - local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l) + # CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches) + # Example: "1.1.1.1" should not match "11.1.1.1" or "119.1.1.1" + local established_conns=$(ss -tn state established 2>/dev/null | grep -w "$ip" | wc -l) [ -z "$established_conns" ] && established_conns=0 if [ "$established_conns" -ge 20 ]; then # IP has 20+ established connections = highly likely legitimate user @@ -2932,7 +2934,10 @@ monitor_network_attacks() { # Reset alert if connections drop below threshold unset ALERT_SENT[$ip] fi - done < <(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | awk '$1 > 5 {print $2, $1}') + # CRITICAL FIX: Change awk filter from '$1 > 5' to '$1 >= 3' + # Reason: Minimum threshold is 3 connections (Tier 4 attacks), so IPs with 3-5 connections must be processed + # Before fix: IPs with <6 connections were silently skipped, preventing detection in high-severity attacks + done < <(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | awk '$1 >= 3 {print $2, $1}') fi sleep 5 # Check every 5 seconds (faster detection during active attacks) @@ -3346,8 +3351,10 @@ detect_distributed_attacks() { if [ ${#batch_ips[@]} -gt 0 ]; then batch_block_ips "${batch_ips[@]}" echo -e "${CRITICAL_COLOR}[${time_str}] DISTRIBUTED_ATTACK | ${attack_type} from ${unique_ips} IPs | BLOCKED ALL${NC}" >> "$TEMP_DIR/recent_events" - # BUG FIX: Increment block counter for distributed attacks - increment_block_counter 1 + # CRITICAL FIX: Removed duplicate increment_block_counter call + # batch_block_ips() already calls increment_block_counter with the actual count on line 1027 + # Adding another increment_block_counter 1 here causes double-counting + # (If 10 IPs blocked: would count as 11 instead of 10) fi # Check for subnet-level coordination (25+ IPs from same /24)