From 094564c43cb6508909f4e969f5f08cc4f665c895 Mon Sep 17 00:00:00 2001 
From: cschantz Date: Mon, 1 Dec 2025 18:40:58 -0500 Subject: [PATCH] Unified Security Hardening Menu - Simplified CT_LIMIT with intelligent recommendations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MAJOR UX IMPROVEMENT: Consolidated security hardening into single 'c' key menu REMOVED: - 'f' key (Auto-Fix menu) - merged into 'c' key - Scattered security recommendations across multiple menus - Confusing workflow with multiple entry points NEW UNIFIED MENU (Press 'c'): ┌─ Security Hardening & Firewall Optimization ─┐ │ Current Security Status: │ │ ✓ SYNFLOOD Protection: Enabled │ │ ✗ SSH Security: Default (LF_SSHD=5) │ │ ✓ Connection Tracking: Configured (200) │ │ │ │ Available Hardening Options: │ │ 1 - Enable SYNFLOOD Protection │ │ 2 - Harden SSH Security (Lower LF_SSHD) │ │ 3 - Optimize CT_LIMIT (Auto-analyze) │ │ 4 - Configure Port Knocking (Coming soon) │ │ a - Apply All Needed Fixes │ │ q - Return to Monitor │ └───────────────────────────────────────────────┘ FEATURES: 1. Status Display: - Shows current state of all security settings - ✓ green checkmark = already configured - ✗ red X = needs attention - Clear indication of what's already done 2. CT_LIMIT Auto Mode (--auto flag): - Runs analysis silently when called from menu - Automatically applies BALANCED recommendation - No user prompts - just analyzes and applies - Creates backup before making changes 3. Intelligent Recommendations: - Quick Actions panel checks current settings - Only recommends DDoS protection if SYNFLOOD disabled OR CT_LIMIT not set - Only recommends SSH hardening if LF_SSHD > 3 - Recommendations disappear after being applied - Clear actionable guidance 4. Apply All: - Option 'a' applies all needed fixes automatically - Skips already-configured settings - Shows count of fixes applied - One-click hardening for new servers WORKFLOW IMPROVEMENTS: Before: 1. See recommendation in Quick Actions 2. Press 'f' to open auto-fix menu 3. 
Select option from dynamic list 4. Different menu for CT_LIMIT ('c' key) After: 1. See recommendation: "Press 'c' for Security Hardening menu" 2. Press 'c' - see status of ALL security settings 3. Select what to fix or press 'a' for all 4. Everything in ONE place CT_LIMIT SIMPLIFICATION: - Added --auto flag to optimize-ct-limit.sh - When called with --auto: runs analysis + auto-applies BALANCED - No user prompts in auto mode - Perfect for automated workflows and menu integration SMART RECOMMENDATIONS: - DDoS recommendation only shows if: - SYNFLOOD = 0 OR CT_LIMIT not set/zero - SSH recommendation only shows if: - LF_SSHD > 3 - After applying fixes, recommendations disappear - No more "already configured" noise USER EXPERIENCE: - Single entry point for all security hardening - Clear visual status indicators - Actionable next steps - No redundant options - Professional menu layout --- modules/security/live-attack-monitor.sh | 199 +++++++++++++----------- modules/security/optimize-ct-limit.sh | 68 +++++--- 2 files changed, 160 insertions(+), 107 deletions(-) diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index afff00d..7dad43d 100755 --- a/modules/security/live-attack-monitor.sh +++ b/modules/security/live-attack-monitor.sh 
@@ -1184,18 +1184,28 @@ draw_quick_actions() { local recommendations=0 if [ "$has_ddos" -eq 1 ] || [ "$high_conn_count" -gt 0 ]; then - # Check if SYNFLOOD is already enabled + # Check current security settings local synflood_status=$(grep "^SYNFLOOD\s*=" /etc/csf/csf.conf 2>/dev/null | cut -d'"' -f2) + local ct_limit=$(grep "^CT_LIMIT\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1) - echo -e "${HIGH_COLOR} ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}" + local needs_config=0 - # Only show SYNFLOOD recommendation if not already enabled + # Check if SYNFLOOD needs enabling if [ "$synflood_status" != "1" ]; then - echo -e "${MEDIUM_COLOR} → Press 'f' for Auto-Fix menu (enable SYNFLOOD protection)${NC}" + needs_config=1 fi - echo -e "${MEDIUM_COLOR} → Optimize CT_LIMIT: ${BOLD}Press 'c' to run CT_LIMIT optimizer${NC}" - recommendations=1 + # Check if CT_LIMIT needs optimization (not set or set to 0) + if [ -z "$ct_limit" ] || [ "$ct_limit" -eq 0 ]; then + needs_config=1 + fi + + # Only show recommendation if something needs fixing + if [ $needs_config -eq 1 ]; then + echo -e "${HIGH_COLOR} ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}" + echo -e "${MEDIUM_COLOR} → Press 'c' for Security Hardening menu${NC}" + recommendations=1 + fi fi if [ "$has_ssh_bruteforce" -eq 1 ]; then @@ -1213,8 +1223,7 @@ draw_quick_actions() { # Only show recommendation if not already hardened if [ "$current_lf" -gt 3 ]; then echo -e "${HIGH_COLOR} ⚠️ SSH Bruteforce ($ssh_attacks attempts) - Strengthen SSH Security${NC}" - echo -e "${MEDIUM_COLOR} → Press 'f' for Auto-Fix menu (harden SSH to 3 attempts)${NC}" - echo -e "${MEDIUM_COLOR} → Or enable PortKnocking or change SSH port${NC}" + echo -e "${MEDIUM_COLOR} → Press 'c' for Security Hardening menu${NC}" recommendations=1 fi fi 
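Review bot: Gating the whole DDoS block on `needs_config` means that once SYNFLOOD is enabled and CT_LIMIT is set, an ongoing SYN-flood detection prints nothing at all in Quick Actions, so the operator loses the alert itself and not just the hint; the old code always printed the detection line. Keep `echo -e "${HIGH_COLOR} ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}"` unconditional inside the outer `if` and move only the `Press 'c'` hint and `recommendations=1` under `if [ $needs_config -eq 1 ]`. `local ct_limit=$(grep ...)` also hides the pipeline status behind `local`; harmless here because an empty result is treated as unset, but `local ct_limit; ct_limit=$(...)` is the usual form. draw_quick_actions starts before this hunk; the -1213 hunk on this line only swaps the hint text and needs nothing further.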
@@ -1224,7 +1233,7 @@ draw_quick_actions() { echo "" fi - echo -e "${INFO_COLOR} Keys: 'b' Block | 'c' CT_LIMIT | 'f' Auto-Fix | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}" + echo -e "${INFO_COLOR} Keys: 'b' Block | 'c' Security | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}" echo -e "${MEDIUM_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}" } 
@@ -1341,109 +1350,132 @@ show_blocking_menu() { fi } -show_autofix_menu() { +show_security_hardening_menu() { clear - print_banner "Auto-Fix Security Recommendations" + print_banner "Security Hardening & Firewall Optimization" echo "" - # Detect current attack patterns - local has_ddos=0 - local has_ssh_bruteforce=0 - local ssh_attacks=0 - - for ip in "${!IP_DATA[@]}"; do - IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}" - [[ "$attacks" =~ DDOS ]] && has_ddos=1 - [[ "$attacks" =~ BRUTEFORCE ]] && has_ssh_bruteforce=1 - done - - if [ -f "$TEMP_DIR/recent_events" ]; then - ssh_attacks=$(grep -c "SSH_BRUTEFORCE" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0") - fi - - # Show available fixes - echo "Available security hardening fixes:" - echo "" - local fix_count=0 - # Check if CSF is available if ! command -v csf &>/dev/null; then echo -e "${HIGH_COLOR}⚠️ CSF/LFD firewall not detected${NC}" - echo " Most auto-fix options require CSF to be installed" + echo " Security hardening options require CSF to be installed" echo "" read -p "Press Enter to return to monitor..." 
return fi - # DDoS/SYN Flood protection - if [ "$has_ddos" -eq 1 ]; then - fix_count=$((fix_count + 1)) - echo -e "${HIGH_COLOR}[$fix_count] Enable SYNFLOOD Protection${NC}" - echo " Current: DDoS/SYN flood attacks detected" - echo " Fix: Enable kernel-level SYN flood protection in CSF" - echo "" - fi + # Check current settings + local synflood_status=$(grep "^SYNFLOOD\s*=" /etc/csf/csf.conf 2>/dev/null | cut -d'"' -f2) + local current_lf=$(grep "^LF_SSHD\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1) + [ -z "$current_lf" ] && current_lf="5" - # SSH Bruteforce hardening - if [ "$ssh_attacks" -gt 5 ]; then - fix_count=$((fix_count + 1)) - echo -e "${HIGH_COLOR}[$fix_count] Harden SSH Security (Lower LF_SSHD)${NC}" - echo " Current: $ssh_attacks SSH bruteforce attempts detected" - echo " Fix: Lower SSH failure threshold from default to 3 attempts" - echo "" - fi - - # Always offer CT_LIMIT optimization - fix_count=$((fix_count + 1)) - echo -e "${MEDIUM_COLOR}[$fix_count] Optimize Connection Tracking Limit${NC}" - echo " Fix: Run CT_LIMIT optimizer to prevent connection exhaustion" + echo "Current Security Status:" echo "" - if [ "$fix_count" -eq 1 ]; then - echo -e "${SAFE_COLOR}✓ No critical security issues detected${NC}" - echo " You can still run CT_LIMIT optimizer (option 1)" - echo "" + # SYNFLOOD status + if [ "$synflood_status" = "1" ]; then + echo -e " ${SAFE_COLOR}✓${NC} SYNFLOOD Protection: ${BOLD}Enabled${NC}" + else + echo -e " ${HIGH_COLOR}✗${NC} SYNFLOOD Protection: ${BOLD}Disabled${NC}" fi + # SSH hardening status + if [ "$current_lf" -le 3 ]; then + echo -e " ${SAFE_COLOR}✓${NC} SSH Security: ${BOLD}Hardened${NC} (LF_SSHD=$current_lf)" + else + echo -e " ${HIGH_COLOR}✗${NC} SSH Security: ${BOLD}Default${NC} (LF_SSHD=$current_lf, recommend ≤3)" + fi + + # CT_LIMIT status (basic check) + local ct_limit=$(grep "^CT_LIMIT\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1) + if [ -n "$ct_limit" ] && [ "$ct_limit" -gt 0 ]; 
then + echo -e " ${SAFE_COLOR}✓${NC} Connection Tracking: ${BOLD}Configured${NC} (CT_LIMIT=$ct_limit)" + else + echo -e " ${HIGH_COLOR}✗${NC} Connection Tracking: ${BOLD}Not Optimized${NC}" + fi + + echo "" echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "Select fix to apply [1-$fix_count], 'a' for all, or 'q' to cancel:" - read -n 1 choice echo "" + echo "Available Hardening Options:" + echo "" + echo " ${BOLD}1${NC} - Enable SYNFLOOD Protection (DDoS defense)" + echo " ${BOLD}2${NC} - Harden SSH Security (Lower LF_SSHD to 3)" + echo " ${BOLD}3${NC} - Optimize CT_LIMIT (Auto-analyze & apply)" + echo " ${BOLD}4${NC} - Configure Port Knocking (Coming soon)" + echo "" + echo " ${BOLD}a${NC} - Apply All Needed Fixes" + echo " ${BOLD}q${NC} - Return to Monitor" + echo "" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + read -p "Select option: " choice echo "" case "$choice" in 1) - if [ "$has_ddos" -eq 1 ]; then - apply_synflood_fix - elif [ "$ssh_attacks" -gt 5 ]; then - apply_ssh_hardening + if [ "$synflood_status" = "1" ]; then + echo "✓ SYNFLOOD is already enabled" + echo "" + read -p "Press Enter to continue..." else - # CT_LIMIT is option 1 if no other fixes available - "$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" - read -p "Press Enter to return to monitor..." + apply_synflood_fix fi ;; 2) - if [ "$has_ddos" -eq 1 ] && [ "$ssh_attacks" -gt 5 ]; then - apply_ssh_hardening + if [ "$current_lf" -le 3 ]; then + echo "✓ SSH is already hardened (LF_SSHD=$current_lf)" + echo "" + read -p "Press Enter to continue..." else - # CT_LIMIT is option 2 if only one other fix available - "$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" - read -p "Press Enter to return to monitor..." 
+ apply_ssh_hardening fi ;; 3) - # CT_LIMIT is option 3 if both other fixes available - "$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" + clear + "$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" --auto + echo "" read -p "Press Enter to return to monitor..." ;; + 4) + echo "Port Knocking configuration coming soon..." + echo "" + echo "For now, you can manually configure port knocking in CSF:" + echo "1. Edit /etc/csf/csf.conf" + echo "2. Set: PORTKNOCKING = \"1\"" + echo "3. Define sequence: PORTKNOCKING_ALERT = \"1\"" + echo "4. Restart: csf -r" + echo "" + read -p "Press Enter to continue..." + ;; a|A) - echo "Applying all recommended fixes..." + echo "Applying all needed fixes..." echo "" - [ "$has_ddos" -eq 1 ] && apply_synflood_fix - [ "$ssh_attacks" -gt 5 ] && apply_ssh_hardening + local applied=0 + + # Apply SYNFLOOD if needed + if [ "$synflood_status" != "1" ]; then + apply_synflood_fix + ((applied++)) + fi + + # Apply SSH hardening if needed + if [ "$current_lf" -gt 3 ]; then + apply_ssh_hardening + ((applied++)) + fi + + # Always offer CT_LIMIT echo "" - echo "✓ All fixes applied" + echo "Running CT_LIMIT optimizer..." + "$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" --auto + ((applied++)) + + echo "" + if [ $applied -gt 0 ]; then + echo "✓ Applied $applied security fix(es)" + else + echo "✓ All security settings already optimized" + fi echo "" read -p "Press Enter to return to monitor..." ;; @@ -2653,14 +2685,8 @@ while true; do show_blocking_menu ;; c|C) - # Run CT_LIMIT optimizer - clear - "$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" - read -p "Press Enter to return to monitor..." - ;; - f|F) - # Auto-fix recommendations - show_autofix_menu + # Security hardening menu + show_security_hardening_menu ;; i|I) # Show threat intelligence for specific IP 
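Review bot: In the `a|A)` branch `((applied++))` runs unconditionally after the CT_LIMIT optimizer, so `applied` is never 0 and the `All security settings already optimized` message is unreachable; it also counts a fix as applied even when `apply_synflood_fix`, `apply_ssh_hardening` or the optimizer fails. Count only on success, e.g. `apply_synflood_fix && applied=$((applied + 1))` and `"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" --auto && applied=$((applied + 1))`; this also avoids `((applied++))` returning 1 when applied is 0, which would abort the script if it runs under `set -e` (not visible in this hunk). The option `4)` guidance is wrong for CSF: `PORTKNOCKING` holds the open-port;protocol;timeout;knock-port sequence specification, not the literal `"1"`, and `PORTKNOCKING_ALERT` only toggles alert e-mails, so the two steps should read `2. Set PORTKNOCKING to the open-port;protocol;timeout;knock-port sequence` and `3. Optionally set PORTKNOCKING_ALERT = \"1\" for e-mail alerts`. show_security_hardening_menu's `esac` and closing brace are outside this hunk, and the -2653 hunk on this line only rewires the 'c' key.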
@@ -2754,8 +2780,7 @@ while true; do
 echo ""
 echo "Available Commands:"
 echo " ${BOLD}b${NC} - Open IP blocking menu (batch or individual)"
- echo " ${BOLD}c${NC} - Run CT_LIMIT optimizer (analyze traffic & recommend limit)"
- echo " ${BOLD}f${NC} - Auto-fix recommended security hardening (SYNFLOOD, SSH, etc.)"
+ echo " ${BOLD}c${NC} - Security hardening menu (SYNFLOOD, SSH, CT_LIMIT, Port Knocking)"
 echo " ${BOLD}i${NC} - Threat intelligence lookup (AbuseIPDB, geo, incident reports)"
 echo " ${BOLD}p${NC} - Show performance impact monitor (server load)"
 echo " ${BOLD}s${NC} - Show IP reputation database statistics"
diff --git a/modules/security/optimize-ct-limit.sh b/modules/security/optimize-ct-limit.sh
index 5526a5b..754b214 100755
--- a/modules/security/optimize-ct-limit.sh
+++ b/modules/security/optimize-ct-limit.sh
@@ -802,18 +802,29 @@ apply_recommendation() { ################################################################################ main() { - clear - print_banner "CT_LIMIT Optimizer - Intelligent Connection Limit Calculator" - echo "" - echo "This tool analyzes your actual traffic patterns to recommend" - echo "an optimal CT_LIMIT that protects against DDoS without blocking" - echo "legitimate users, bots, and CDNs." - echo "" - echo "Analysis period: Last $ANALYSIS_HOURS hours" - echo "" + # Check for auto mode + local AUTO_MODE=0 + if [ "$1" = "--auto" ] || [ "$1" = "-a" ]; then + AUTO_MODE=1 + fi - read -p "Press Enter to start analysis or Ctrl+C to cancel..." - echo "" + if [ $AUTO_MODE -eq 0 ]; then + clear + print_banner "CT_LIMIT Optimizer - Intelligent Connection Limit Calculator" + echo "" + echo "This tool analyzes your actual traffic patterns to recommend" + echo "an optimal CT_LIMIT that protects against DDoS without blocking" + echo "legitimate users, bots, and CDNs." + echo "" + echo "Analysis period: Last $ANALYSIS_HOURS hours" + echo "" + + read -p "Press Enter to start analysis or Ctrl+C to cancel..." + echo "" + else + echo "Running CT_LIMIT analysis in auto mode..." + echo "" + fi # Check if sysref database exists, build if needed if [ ! -f "$SYSREF_DB" ] || [ ! -s "$SYSREF_DB" ]; then 
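Review bot: `[ "$1" = "--auto" ]` dereferences `$1` directly, so `main "$@"` with no arguments raises an unbound-variable error if the script runs with `set -u` (not visible in this hunk); use `"${1:-}"` in both tests. `local AUTO_MODE=0` uses constant-style upper case for a function local; `local auto_mode=0` matches the lower-case locals elsewhere in the file (`local balanced`). The `-a` short alias is accepted but not mentioned in the commit message or in any usage text visible here; either document it or drop it so the interface stays minimal. main continues beyond the end of this hunk.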
@@ -830,27 +841,44 @@ main() { # Generate and show recommendations generate_recommendation - # Offer to apply - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - read -p "Would you like to apply the BALANCED recommendation automatically? (y/n): " apply - - if [[ "$apply" =~ ^[Yy] ]]; then + # Apply automatically in auto mode, otherwise ask + if [ $AUTO_MODE -eq 1 ]; then # Extract balanced value from recommendation local balanced=$(grep "2. BALANCED" -A1 "$TEMP_ANALYSIS/recommendation.txt" | grep "CT_LIMIT" | grep -oE '[0-9]+') if [ -n "$balanced" ]; then + echo "" + echo "Auto-applying BALANCED recommendation..." apply_recommendation "$balanced" else print_error "Could not determine balanced recommendation value" + return 1 fi else + # Offer to apply + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" echo "" - echo "No changes made. You can apply manually using the commands above." + read -p "Would you like to apply the BALANCED recommendation automatically? (y/n): " apply + + if [[ "$apply" =~ ^[Yy] ]]; then + # Extract balanced value from recommendation + local balanced=$(grep "2. BALANCED" -A1 "$TEMP_ANALYSIS/recommendation.txt" | grep "CT_LIMIT" | grep -oE '[0-9]+') + + if [ -n "$balanced" ]; then + apply_recommendation "$balanced" + else + print_error "Could not determine balanced recommendation value" + fi + else + echo "" + echo "No changes made. You can apply manually using the commands above." + fi fi echo "" - print_success "Analysis complete!" + if [ $AUTO_MODE -eq 0 ]; then + print_success "Analysis complete!" + fi } -main +main "$@"
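Review bot: The BALANCED value is extracted twice with an identical pipeline in both branches; hoist it once before `if [ $AUTO_MODE -eq 1 ]` as `local balanced` / `balanced=$(grep "2. BALANCED" -A1 "$TEMP_ANALYSIS/recommendation.txt" | grep "CT_LIMIT" | grep -oE '[0-9]+')` so the two paths cannot drift, and separating `local` from the assignment stops `local` masking the pipeline status. In auto mode the result of `apply_recommendation "$balanced"` is discarded, so a failed write to the firewall config still exits 0 to the calling menu, which counts it as an applied fix; change it to `apply_recommendation "$balanced" || return 1` in that branch (`return 1` is already used there for the extraction failure). The `2. BALANCED` pattern is an unanchored regex in which `.` matches any character; `grep -F "2. BALANCED"` states the intent. main begins before this hunk.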