Unified Security Hardening Menu - Simplified CT_LIMIT with intelligent recommendations
MAJOR UX IMPROVEMENT: Consolidated security hardening into single 'c' key menu
REMOVED:
- 'f' key (Auto-Fix menu) - merged into 'c' key
- Scattered security recommendations across multiple menus
- Confusing workflow with multiple entry points
NEW UNIFIED MENU (Press 'c'):
┌─ Security Hardening & Firewall Optimization ─┐
│ Current Security Status: │
│ ✓ SYNFLOOD Protection: Enabled │
│ ✗ SSH Security: Default (LF_SSHD=5) │
│ ✓ Connection Tracking: Configured (200) │
│ │
│ Available Hardening Options: │
│ 1 - Enable SYNFLOOD Protection │
│ 2 - Harden SSH Security (Lower LF_SSHD) │
│ 3 - Optimize CT_LIMIT (Auto-analyze) │
│ 4 - Configure Port Knocking (Coming soon) │
│ a - Apply All Needed Fixes │
│ q - Return to Monitor │
└───────────────────────────────────────────────┘
FEATURES:
1. Status Display:
- Shows current state of all security settings
- ✓ green checkmark = already configured
- ✗ red X = needs attention
- Clear indication of what's already done
2. CT_LIMIT Auto Mode (--auto flag):
- Runs analysis silently when called from menu
- Automatically applies BALANCED recommendation
- No user prompts - just analyzes and applies
- Creates backup before making changes
3. Intelligent Recommendations:
- Quick Actions panel checks current settings
- Only recommends DDoS protection if SYNFLOOD disabled OR CT_LIMIT not set
- Only recommends SSH hardening if LF_SSHD > 3
- Recommendations disappear after being applied
- Clear actionable guidance
4. Apply All:
- Option 'a' applies all needed fixes automatically
- Skips already-configured settings
- Shows count of fixes applied
- One-click hardening for new servers
WORKFLOW IMPROVEMENTS:
Before:
1. See recommendation in Quick Actions
2. Press 'f' to open auto-fix menu
3. Select option from dynamic list
4. Different menu for CT_LIMIT ('c' key)
After:
1. See recommendation: "Press 'c' for Security Hardening menu"
2. Press 'c' - see status of ALL security settings
3. Select what to fix or press 'a' for all
4. Everything in ONE place
CT_LIMIT SIMPLIFICATION:
- Added --auto flag to optimize-ct-limit.sh
- When called with --auto: runs analysis + auto-applies BALANCED
- No user prompts in auto mode
- Perfect for automated workflows and menu integration
SMART RECOMMENDATIONS:
- DDoS recommendation only shows if:
  - SYNFLOOD = 0 OR CT_LIMIT not set/zero
- SSH recommendation only shows if:
  - LF_SSHD > 3
- After applying fixes, recommendations disappear
- No more "already configured" noise
USER EXPERIENCE:
- Single entry point for all security hardening
- Clear visual status indicators
- Actionable next steps
- No redundant options
- Professional menu layout
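The three status checks and the two Quick Actions rules described in the commit message, as an added shell example that is not the project's code: it assumes a csf.conf-style `KEY = "value"` layout, treats LF_SSHD as 5 and CT_LIMIT as 0 when a key is absent or unparseable (the defaults the message names), and runs against two constructed sample files rather than the live /etc/csf/csf.conf.

```shell
#!/usr/bin/env bash
# Added example (not code from the commit): reproduce the commit's three
# checks (SYNFLOOD=1, LF_SSHD<=3, CT_LIMIT>0) and its two Quick Actions
# rules against a csf.conf-style file, handling missing/unparseable values.
set -u

# Print the quoted value of KEY from FILE (lines like KEY = "value"); empty if absent.
csf_get() {
    local key=$1 file=$2
    [ -r "$file" ] || return 0
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"([^\"]*)\".*/\1/p" "$file" | head -n 1
}

# True when VALUE is a non-negative integer (guards the -le/-gt tests below).
is_uint() { case "$1" in ''|*[!0-9]*) return 1;; *) return 0;; esac; }

# Load the three settings from FILE into SYNFLOOD_V, LF_V, CT_V, applying the
# defaults the commit message assumes: LF_SSHD=5 and CT_LIMIT=0 when unset.
csf_load() {
    SYNFLOOD_V=$(csf_get SYNFLOOD "$1")
    LF_V=$(csf_get LF_SSHD "$1");  is_uint "$LF_V" || LF_V=5
    CT_V=$(csf_get CT_LIMIT "$1"); is_uint "$CT_V" || CT_V=0
}

# Emit one word per Quick Actions hint the commit message defines:
#   ddos  when SYNFLOOD != 1 or CT_LIMIT is unset/zero
#   ssh   when LF_SSHD > 3
csf_recommendations() {
    csf_load "$1"
    if [ "$SYNFLOOD_V" != "1" ] || [ "$CT_V" -eq 0 ]; then echo ddos; fi
    if [ "$LF_V" -gt 3 ]; then echo ssh; fi
}

# Count how many of the three settings still need a fix (what option 'a' would apply).
csf_fixes_needed() {
    local n=0
    csf_load "$1"
    [ "$SYNFLOOD_V" = "1" ] || n=$((n + 1))
    [ "$LF_V" -le 3 ]       || n=$((n + 1))
    [ "$CT_V" -gt 0 ]       || n=$((n + 1))
    echo "$n"
}

# Constructed samples (not real csf.conf files): a stock install and a hardened one.
SAMPLE_DEFAULT=$(mktemp);  printf '%s\n' '# constructed sample' 'SYNFLOOD = "0"' 'LF_SSHD = "5"' 'CT_LIMIT = "0"'   >"$SAMPLE_DEFAULT"
SAMPLE_HARDENED=$(mktemp); printf '%s\n' 'SYNFLOOD = "1"' 'LF_SSHD = "3"' 'CT_LIMIT = "200"' >"$SAMPLE_HARDENED"

echo "default : hints=[$(csf_recommendations "$SAMPLE_DEFAULT" | tr '\n' ' ')] fixes=$(csf_fixes_needed "$SAMPLE_DEFAULT")"
echo "hardened: hints=[$(csf_recommendations "$SAMPLE_HARDENED" | tr '\n' ' ')] fixes=$(csf_fixes_needed "$SAMPLE_HARDENED")"
```

An unreadable or missing file yields no values, so every check reports a needed fix; a caller that wants to distinguish "not installed" from "not hardened" should test `-r` on the file first.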
@@ -1184,18 +1184,28 @@ draw_quick_actions() {
|
||||
local recommendations=0
|
||||
|
||||
if [ "$has_ddos" -eq 1 ] || [ "$high_conn_count" -gt 0 ]; then
|
||||
# Check if SYNFLOOD is already enabled
|
||||
# Check current security settings
|
||||
local synflood_status=$(grep "^SYNFLOOD\s*=" /etc/csf/csf.conf 2>/dev/null | cut -d'"' -f2)
|
||||
local ct_limit=$(grep "^CT_LIMIT\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1)
|
||||
|
||||
echo -e "${HIGH_COLOR} ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}"
|
||||
local needs_config=0
|
||||
|
||||
# Only show SYNFLOOD recommendation if not already enabled
|
||||
# Check if SYNFLOOD needs enabling
|
||||
if [ "$synflood_status" != "1" ]; then
|
||||
echo -e "${MEDIUM_COLOR} → Press 'f' for Auto-Fix menu (enable SYNFLOOD protection)${NC}"
|
||||
needs_config=1
|
||||
fi
|
||||
|
||||
echo -e "${MEDIUM_COLOR} → Optimize CT_LIMIT: ${BOLD}Press 'c' to run CT_LIMIT optimizer${NC}"
|
||||
recommendations=1
|
||||
# Check if CT_LIMIT needs optimization (not set or set to 0)
|
||||
if [ -z "$ct_limit" ] || [ "$ct_limit" -eq 0 ]; then
|
||||
needs_config=1
|
||||
fi
|
||||
|
||||
# Only show recommendation if something needs fixing
|
||||
if [ $needs_config -eq 1 ]; then
|
||||
echo -e "${HIGH_COLOR} ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}"
|
||||
echo -e "${MEDIUM_COLOR} → Press 'c' for Security Hardening menu${NC}"
|
||||
recommendations=1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$has_ssh_bruteforce" -eq 1 ]; then
|
||||
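Review bot: the two new reads of /etc/csf/csf.conf at the top of the `if [ "$has_ddos" -eq 1 ] || ...` block have no guard for a missing or unreadable file: with `2>/dev/null` both `synflood_status` and `ct_limit` come back empty, `needs_config` becomes 1, and the banner sends the operator to the 'c' menu, which (see show_security_hardening_menu below) can only answer with "CSF/LFD firewall not detected". Suggest testing `-r /etc/csf/csf.conf` (or `command -v csf`) before setting `needs_config`, and writing `local synflood_status; synflood_status=$(...)` so the assignment does not mask grep's exit status.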
@@ -1213,8 +1223,7 @@ draw_quick_actions() {
|
||||
# Only show recommendation if not already hardened
|
||||
if [ "$current_lf" -gt 3 ]; then
|
||||
echo -e "${HIGH_COLOR} ⚠️ SSH Bruteforce ($ssh_attacks attempts) - Strengthen SSH Security${NC}"
|
||||
echo -e "${MEDIUM_COLOR} → Press 'f' for Auto-Fix menu (harden SSH to 3 attempts)${NC}"
|
||||
echo -e "${MEDIUM_COLOR} → Or enable PortKnocking or change SSH port${NC}"
|
||||
echo -e "${MEDIUM_COLOR} → Press 'c' for Security Hardening menu${NC}"
|
||||
recommendations=1
|
||||
fi
|
||||
fi
|
||||
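Review bot: the `[ "$current_lf" -gt 3 ]` threshold here is repeated as `-le 3`/`-gt 3` in show_security_hardening_menu and as the literal "3" in the option text; a single constant such as `SSH_HARDEN_LF=3` would keep the hint, the status display and apply_ssh_hardening in agreement. The dropped line "→ Or enable PortKnocking or change SSH port" was also the only alternative offered that does not depend on the menu; since option 4 of the new menu still prints "Coming soon", consider keeping that hint.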
@@ -1224,7 +1233,7 @@ draw_quick_actions() {
|
||||
echo ""
|
||||
fi
|
||||
|
||||
echo -e "${INFO_COLOR} Keys: 'b' Block | 'c' CT_LIMIT | 'f' Auto-Fix | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}"
|
||||
echo -e "${INFO_COLOR} Keys: 'b' Block | 'c' Security | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}"
|
||||
|
||||
echo -e "${MEDIUM_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}"
|
||||
}
|
||||
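Review bot: the key legend is now the second hand-maintained copy of the binding list (the help text near the end of the file is the other), and this commit had to edit both to remove 'f' and relabel 'c'; building both from one array of key/description pairs would stop them drifting apart.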
@@ -1341,109 +1350,132 @@ show_blocking_menu() {
|
||||
fi
|
||||
}
|
||||
|
||||
show_autofix_menu() {
|
||||
show_security_hardening_menu() {
|
||||
clear
|
||||
print_banner "Auto-Fix Security Recommendations"
|
||||
print_banner "Security Hardening & Firewall Optimization"
|
||||
echo ""
|
||||
|
||||
# Detect current attack patterns
|
||||
local has_ddos=0
|
||||
local has_ssh_bruteforce=0
|
||||
local ssh_attacks=0
|
||||
|
||||
for ip in "${!IP_DATA[@]}"; do
|
||||
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}"
|
||||
[[ "$attacks" =~ DDOS ]] && has_ddos=1
|
||||
[[ "$attacks" =~ BRUTEFORCE ]] && has_ssh_bruteforce=1
|
||||
done
|
||||
|
||||
if [ -f "$TEMP_DIR/recent_events" ]; then
|
||||
ssh_attacks=$(grep -c "SSH_BRUTEFORCE" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0")
|
||||
fi
|
||||
|
||||
# Show available fixes
|
||||
echo "Available security hardening fixes:"
|
||||
echo ""
|
||||
local fix_count=0
|
||||
|
||||
# Check if CSF is available
|
||||
if ! command -v csf &>/dev/null; then
|
||||
echo -e "${HIGH_COLOR}⚠️ CSF/LFD firewall not detected${NC}"
|
||||
echo " Most auto-fix options require CSF to be installed"
|
||||
echo " Security hardening options require CSF to be installed"
|
||||
echo ""
|
||||
read -p "Press Enter to return to monitor..."
|
||||
return
|
||||
fi
|
||||
|
||||
# DDoS/SYN Flood protection
|
||||
if [ "$has_ddos" -eq 1 ]; then
|
||||
fix_count=$((fix_count + 1))
|
||||
echo -e "${HIGH_COLOR}[$fix_count] Enable SYNFLOOD Protection${NC}"
|
||||
echo " Current: DDoS/SYN flood attacks detected"
|
||||
echo " Fix: Enable kernel-level SYN flood protection in CSF"
|
||||
echo ""
|
||||
fi
|
||||
# Check current settings
|
||||
local synflood_status=$(grep "^SYNFLOOD\s*=" /etc/csf/csf.conf 2>/dev/null | cut -d'"' -f2)
|
||||
local current_lf=$(grep "^LF_SSHD\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1)
|
||||
[ -z "$current_lf" ] && current_lf="5"
|
||||
|
||||
# SSH Bruteforce hardening
|
||||
if [ "$ssh_attacks" -gt 5 ]; then
|
||||
fix_count=$((fix_count + 1))
|
||||
echo -e "${HIGH_COLOR}[$fix_count] Harden SSH Security (Lower LF_SSHD)${NC}"
|
||||
echo " Current: $ssh_attacks SSH bruteforce attempts detected"
|
||||
echo " Fix: Lower SSH failure threshold from default to 3 attempts"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
# Always offer CT_LIMIT optimization
|
||||
fix_count=$((fix_count + 1))
|
||||
echo -e "${MEDIUM_COLOR}[$fix_count] Optimize Connection Tracking Limit${NC}"
|
||||
echo " Fix: Run CT_LIMIT optimizer to prevent connection exhaustion"
|
||||
echo "Current Security Status:"
|
||||
echo ""
|
||||
|
||||
if [ "$fix_count" -eq 1 ]; then
|
||||
echo -e "${SAFE_COLOR}✓ No critical security issues detected${NC}"
|
||||
echo " You can still run CT_LIMIT optimizer (option 1)"
|
||||
echo ""
|
||||
# SYNFLOOD status
|
||||
if [ "$synflood_status" = "1" ]; then
|
||||
echo -e " ${SAFE_COLOR}✓${NC} SYNFLOOD Protection: ${BOLD}Enabled${NC}"
|
||||
else
|
||||
echo -e " ${HIGH_COLOR}✗${NC} SYNFLOOD Protection: ${BOLD}Disabled${NC}"
|
||||
fi
|
||||
|
||||
# SSH hardening status
|
||||
if [ "$current_lf" -le 3 ]; then
|
||||
echo -e " ${SAFE_COLOR}✓${NC} SSH Security: ${BOLD}Hardened${NC} (LF_SSHD=$current_lf)"
|
||||
else
|
||||
echo -e " ${HIGH_COLOR}✗${NC} SSH Security: ${BOLD}Default${NC} (LF_SSHD=$current_lf, recommend ≤3)"
|
||||
fi
|
||||
|
||||
# CT_LIMIT status (basic check)
|
||||
local ct_limit=$(grep "^CT_LIMIT\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1)
|
||||
if [ -n "$ct_limit" ] && [ "$ct_limit" -gt 0 ]; then
|
||||
echo -e " ${SAFE_COLOR}✓${NC} Connection Tracking: ${BOLD}Configured${NC} (CT_LIMIT=$ct_limit)"
|
||||
else
|
||||
echo -e " ${HIGH_COLOR}✗${NC} Connection Tracking: ${BOLD}Not Optimized${NC}"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
echo "Select fix to apply [1-$fix_count], 'a' for all, or 'q' to cancel:"
|
||||
read -n 1 choice
|
||||
echo ""
|
||||
echo "Available Hardening Options:"
|
||||
echo ""
|
||||
echo " ${BOLD}1${NC} - Enable SYNFLOOD Protection (DDoS defense)"
|
||||
echo " ${BOLD}2${NC} - Harden SSH Security (Lower LF_SSHD to 3)"
|
||||
echo " ${BOLD}3${NC} - Optimize CT_LIMIT (Auto-analyze & apply)"
|
||||
echo " ${BOLD}4${NC} - Configure Port Knocking (Coming soon)"
|
||||
echo ""
|
||||
echo " ${BOLD}a${NC} - Apply All Needed Fixes"
|
||||
echo " ${BOLD}q${NC} - Return to Monitor"
|
||||
echo ""
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
read -p "Select option: " choice
|
||||
echo ""
|
||||
|
||||
case "$choice" in
|
||||
1)
|
||||
if [ "$has_ddos" -eq 1 ]; then
|
||||
apply_synflood_fix
|
||||
elif [ "$ssh_attacks" -gt 5 ]; then
|
||||
apply_ssh_hardening
|
||||
if [ "$synflood_status" = "1" ]; then
|
||||
echo "✓ SYNFLOOD is already enabled"
|
||||
echo ""
|
||||
read -p "Press Enter to continue..."
|
||||
else
|
||||
# CT_LIMIT is option 1 if no other fixes available
|
||||
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
|
||||
read -p "Press Enter to return to monitor..."
|
||||
apply_synflood_fix
|
||||
fi
|
||||
;;
|
||||
2)
|
||||
if [ "$has_ddos" -eq 1 ] && [ "$ssh_attacks" -gt 5 ]; then
|
||||
apply_ssh_hardening
|
||||
if [ "$current_lf" -le 3 ]; then
|
||||
echo "✓ SSH is already hardened (LF_SSHD=$current_lf)"
|
||||
echo ""
|
||||
read -p "Press Enter to continue..."
|
||||
else
|
||||
# CT_LIMIT is option 2 if only one other fix available
|
||||
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
|
||||
read -p "Press Enter to return to monitor..."
|
||||
apply_ssh_hardening
|
||||
fi
|
||||
;;
|
||||
3)
|
||||
# CT_LIMIT is option 3 if both other fixes available
|
||||
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
|
||||
clear
|
||||
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" --auto
|
||||
echo ""
|
||||
read -p "Press Enter to return to monitor..."
|
||||
;;
|
||||
4)
|
||||
echo "Port Knocking configuration coming soon..."
|
||||
echo ""
|
||||
echo "For now, you can manually configure port knocking in CSF:"
|
||||
echo "1. Edit /etc/csf/csf.conf"
|
||||
echo "2. Set: PORTKNOCKING = \"1\""
|
||||
echo "3. Define sequence: PORTKNOCKING_ALERT = \"1\""
|
||||
echo "4. Restart: csf -r"
|
||||
echo ""
|
||||
read -p "Press Enter to continue..."
|
||||
;;
|
||||
a|A)
|
||||
echo "Applying all recommended fixes..."
|
||||
echo "Applying all needed fixes..."
|
||||
echo ""
|
||||
[ "$has_ddos" -eq 1 ] && apply_synflood_fix
|
||||
[ "$ssh_attacks" -gt 5 ] && apply_ssh_hardening
|
||||
local applied=0
|
||||
|
||||
# Apply SYNFLOOD if needed
|
||||
if [ "$synflood_status" != "1" ]; then
|
||||
apply_synflood_fix
|
||||
((applied++))
|
||||
fi
|
||||
|
||||
# Apply SSH hardening if needed
|
||||
if [ "$current_lf" -gt 3 ]; then
|
||||
apply_ssh_hardening
|
||||
((applied++))
|
||||
fi
|
||||
|
||||
# Always offer CT_LIMIT
|
||||
echo ""
|
||||
echo "✓ All fixes applied"
|
||||
echo "Running CT_LIMIT optimizer..."
|
||||
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" --auto
|
||||
((applied++))
|
||||
|
||||
echo ""
|
||||
if [ $applied -gt 0 ]; then
|
||||
echo "✓ Applied $applied security fix(es)"
|
||||
else
|
||||
echo "✓ All security settings already optimized"
|
||||
fi
|
||||
echo ""
|
||||
read -p "Press Enter to return to monitor..."
|
||||
;;
|
||||
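Review bot: in the `a|A)` branch the CT_LIMIT optimizer runs and `((applied++))` unconditionally, so `$applied` is never 0 and the "All security settings already optimized" else-branch is unreachable; either gate the optimizer on `ct_limit` being unset or zero (the same test draw_quick_actions uses) or count only the two conditional fixes. `((applied++))` also returns a non-zero status when `applied` was 0, which would abort the function if the script ever runs under `set -e`; `applied=$((applied + 1))` avoids that. The attack-detection block kept at the top (`has_ddos`, `has_ssh_bruteforce`, `ssh_attacks`) is no longer read by any branch after this change and can be removed. Finally, the steps printed by option 4 are not CSF's port-knocking syntax: PORTKNOCKING holds the knock definition itself (open port, protocol, timeout and the knock ports, ';'-separated), not "1", and PORTKNOCKING_ALERT = "1" only enables lfd alerts for successful knocks, so following the text as printed would leave port knocking unconfigured.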
@@ -2653,14 +2685,8 @@ while true; do
|
||||
show_blocking_menu
|
||||
;;
|
||||
c|C)
|
||||
# Run CT_LIMIT optimizer
|
||||
clear
|
||||
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
|
||||
read -p "Press Enter to return to monitor..."
|
||||
;;
|
||||
f|F)
|
||||
# Auto-fix recommendations
|
||||
show_autofix_menu
|
||||
# Security hardening menu
|
||||
show_security_hardening_menu
|
||||
;;
|
||||
i|I)
|
||||
# Show threat intelligence for specific IP
|
||||
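Review bot: removing the `f|F)` case silently drops a binding that earlier releases documented; a one-line stub that tells the operator 'f' has moved to 'c' would be friendlier than whatever the default branch does (not visible in this hunk). Since show_autofix_menu is renamed in the hunk above, also grep the file for any remaining callers of the old name.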
@@ -2754,8 +2780,7 @@ while true; do
|
||||
echo ""
|
||||
echo "Available Commands:"
|
||||
echo " ${BOLD}b${NC} - Open IP blocking menu (batch or individual)"
|
||||
echo " ${BOLD}c${NC} - Run CT_LIMIT optimizer (analyze traffic & recommend limit)"
|
||||
echo " ${BOLD}f${NC} - Auto-fix recommended security hardening (SYNFLOOD, SSH, etc.)"
|
||||
echo " ${BOLD}c${NC} - Security hardening menu (SYNFLOOD, SSH, CT_LIMIT, Port Knocking)"
|
||||
echo " ${BOLD}i${NC} - Threat intelligence lookup (AbuseIPDB, geo, incident reports)"
|
||||
echo " ${BOLD}p${NC} - Show performance impact monitor (server load)"
|
||||
echo " ${BOLD}s${NC} - Show IP reputation database statistics"
|
||||
|
||||
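Review bot: the new 'c' help line advertises "Port Knocking" while menu option 4 still prints "coming soon"; mark it as planned here, or leave it out, so the help text does not promise a fix the menu cannot apply yet.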