Add intelligent firewall recommendations to live monitor

PROBLEM: Live monitor detected attacks but didn't provide actionable recommendations for firewall configuration (CT_LIMIT, SYNFLOOD, etc.) BEFORE: Quick Actions panel only showed: - Number of IPs ready to block - Press 'b' to block No guidance on: - What to do about SYN floods - How to enable SYNFLOOD protection - When to adjust CT_LIMIT - How to strengthen SSH against bruteforce AFTER: Quick Actions now provides intelligent recommendations based on detected attacks: 1. DDoS/SYN Flood Detection: ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended → Enable SYNFLOOD protection: csf -e SYNFLOOD → Set CT_LIMIT: Edit /etc/csf/csf.conf → CT_LIMIT="100" → Apply changes: csf -r 2. SSH Bruteforce Detection (>5 attempts): ⚠️ SSH Bruteforce (X attempts) - Strengthen SSH Security → Lower LF_SSHD trigger: Edit /etc/csf/csf.conf → LF_SSHD="3" → Enable PortKnocking or change SSH port 3. IP Blocking (score >= 60): ⚠️ X high-threat IPs ready to block → Press 'b' to open blocking menu INTELLIGENCE: - Monitors IP_DATA for DDOS attacks - Counts HIGH_CONN_COUNT events (>20 SYN_RECV) - Counts SSH_BRUTEFORCE attempts in feed - Only shows recommendations when threats detected - Provides exact commands to run PANEL RENAMED: "QUICK ACTIONS" → "QUICK ACTIONS & RECOMMENDATIONS" USER BENEFIT: - Know exactly what to do when SYN flood happens - Get firewall config commands immediately - Proactive security hardening suggestions - No need to remember CSF syntax NAVIGATION VERIFIED: ✅ All menu back buttons (0) return properly ✅ Cleanup trap handles Ctrl+C correctly ✅ Keyboard controls work (b, s, r, h, q) ✅ Blocking menu has cancel option FILES MODIFIED: - modules/security/live-attack-monitor.sh - Enhanced draw_quick_actions() (lines 393-460) - Added attack pattern detection - Added firewall recommendation logic - Panel title updated
2025-11-14 15:22:20 -05:00
parent f2cd18f81f
commit 0c5f855acf
1 changed files with 46 additions and 8 deletions
@@ -391,16 +391,23 @@ draw_live_feed() {
 }

 draw_quick_actions() {
-    echo -e "${MEDIUM_COLOR}┌─ QUICK ACTIONS ────────────────────────────────────────────────────────────┐${NC}"
+    echo -e "${MEDIUM_COLOR}┌─ QUICK ACTIONS & RECOMMENDATIONS ─────────────────────────────────────────┐${NC}"

    # Get blockable IPs (score >= 60, not already blocked)
    local blockable_count=0
    local blockable_ips=""
+    local has_ddos=0
+    local has_ssh_bruteforce=0
+    local high_conn_count=0

    for ip in "${!IP_DATA[@]}"; do
        IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}"

-        # Skip if score too low
+        # Check attack patterns
+        [[ "$attacks" =~ DDOS ]] && has_ddos=1
+        [[ "$attacks" =~ BRUTEFORCE ]] && has_ssh_bruteforce=1
+
+        # Skip if score too low for blocking
        [ "$score" -lt 60 ] && continue

        # Quick check - only verify if CSF/iptables commands available
@@ -409,14 +416,45 @@ draw_quick_actions() {
        blockable_ips+="$ip "
    done

-    if [ $blockable_count -gt 0 ]; then
-        echo -e "${HIGH_COLOR}  ⚠️  $blockable_count high-threat IPs ready to block${NC}"
-        echo -e "${MEDIUM_COLOR}  Press 'b' to open blocking menu${NC}"
-    else
-        echo -e "${SAFE_COLOR}  ✓ No immediate threats requiring blocks${NC}"
+    # Check for high connection counts
+    if [ -f "$TEMP_DIR/recent_events" ]; then
+        high_conn_count=$(grep -c "HIGH_CONN_COUNT" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0")
    fi

-    echo -e "${INFO_COLOR}  Press 'b' to block IPs | 'h' for help | 'q' to quit${NC}"
+    # IP Blocking Recommendations
+    if [ $blockable_count -gt 0 ]; then
+        echo -e "${HIGH_COLOR}  ⚠️  $blockable_count high-threat IPs ready to block${NC}"
+        echo -e "${MEDIUM_COLOR}     → Press 'b' to open blocking menu${NC}"
+    else
+        echo -e "${SAFE_COLOR}  ✓ No IPs requiring immediate blocks${NC}"
+    fi
+
+    # Intelligent Firewall Recommendations
+    local recommendations=0
+
+    if [ $has_ddos -eq 1 ] || [ $high_conn_count -gt 0 ]; then
+        echo -e "${HIGH_COLOR}  ⚠️  DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}"
+        echo -e "${MEDIUM_COLOR}     → Enable SYNFLOOD protection: ${BOLD}csf -e SYNFLOOD${NC}"
+        echo -e "${MEDIUM_COLOR}     → Set CT_LIMIT: ${BOLD}Edit /etc/csf/csf.conf → CT_LIMIT=\"100\"${NC}"
+        echo -e "${MEDIUM_COLOR}     → Apply changes: ${BOLD}csf -r${NC}"
+        recommendations=1
+    fi
+
+    if [ $has_ssh_bruteforce -eq 1 ]; then
+        local ssh_attacks=$(grep -c "SSH_BRUTEFORCE" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0")
+        if [ $ssh_attacks -gt 5 ]; then
+            echo -e "${HIGH_COLOR}  ⚠️  SSH Bruteforce ($ssh_attacks attempts) - Strengthen SSH Security${NC}"
+            echo -e "${MEDIUM_COLOR}     → Lower LF_SSHD trigger: ${BOLD}Edit /etc/csf/csf.conf → LF_SSHD=\"3\"${NC}"
+            echo -e "${MEDIUM_COLOR}     → Enable PortKnocking or change SSH port${NC}"
+            recommendations=1
+        fi
+    fi
+
+    if [ $recommendations -eq 0 ]; then
+        echo ""
+    fi
+
+    echo -e "${INFO_COLOR}  Keys: 'b' Block IPs | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}"

    echo -e "${MEDIUM_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}"
 }