cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Email, FTP, and Database monitoring to use file-based IP storage

Browse Source 
All background monitoring functions had same subshell bug as SSH:
- Cannot access IP_DATA associative array from subshells
- Switched to file-based storage: individual ip_* files per IP
- Main loop consolidates files into ip_data for auto-mitigation
- Fixes Email bruteforce detection (dovecot auth failures)
- Fixes FTP bruteforce detection (vsftpd/xferlog)
- Fixes Database attack detection (MySQL auth failures)

Now ALL monitoring channels work properly:
- SSH: file-based ✓
- Email: file-based ✓
- FTP: file-based ✓
- Database: file-based ✓
- Web/Apache: direct display (no subshell) ✓
This commit is contained in:
cschantz
2025-11-14 20:52:07 -05:00
parent 6d2a7b7b9b
commit 0eca499a78
1 changed files with 27 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor.sh
+27 -6
View File
@@ -1550,7 +1550,12 @@ monitor_email_attacks() {
[[ "$ip" =~ ^127\. ]] || [[ "$ip" =~ ^10\. ]] || [[ "$ip" =~ ^192\.168\. ]] || [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] && continue
# Process as BRUTEFORCE attack
local current_data="${IP_DATA[$ip]:-0|0|human||0|0}"
# Read from file (subshells can't access IP_DATA array)
local ip_file="$TEMP_DIR/ip_${ip//\./_}"
local current_data="0|0|human||0|0"
if [ -f "$ip_file" ]; then
current_data=$(cat "$ip_file")
fi
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
hits=$((hits + 1))
@@ -1612,7 +1617,9 @@ monitor_email_attacks() {
[ $score -gt 100 ] && score=100
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Update ip_data file directly (subshells can't access IP_DATA array)
local ip_file="$TEMP_DIR/ip_${ip//\./_}"
echo "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" > "$ip_file"
# Store block reasons for CSF
if [ -n "$block_reasons" ]; then
@@ -1657,7 +1664,12 @@ monitor_ftp_attacks() {
[[ "$ip" =~ ^127\. ]] || [[ "$ip" =~ ^10\. ]] || [[ "$ip" =~ ^192\.168\. ]] || [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] && continue
# Process as BRUTEFORCE attack
local current_data="${IP_DATA[$ip]:-0|0|human||0|0}"
# Read from file (subshells can't access IP_DATA array)
local ip_file="$TEMP_DIR/ip_${ip//\./_}"
local current_data="0|0|human||0|0"
if [ -f "$ip_file" ]; then
current_data=$(cat "$ip_file")
fi
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
hits=$((hits + 1))
@@ -1719,7 +1731,9 @@ monitor_ftp_attacks() {
[ $score -gt 100 ] && score=100
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Update ip_data file directly (subshells can't access IP_DATA array)
local ip_file="$TEMP_DIR/ip_${ip//\./_}"
echo "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" > "$ip_file"
# Store block reasons for CSF
if [ -n "$block_reasons" ]; then
@@ -1764,7 +1778,12 @@ monitor_database_attacks() {
[[ "$ip" =~ ^127\. ]] || [[ "$ip" =~ ^10\. ]] || [[ "$ip" =~ ^192\.168\. ]] || [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] && continue
# Process as SQL_INJECTION attack (database level)
local current_data="${IP_DATA[$ip]:-0|0|human||0|0}"
# Read from file (subshells can't access IP_DATA array)
local ip_file="$TEMP_DIR/ip_${ip//\./_}"
local current_data="0|0|human||0|0"
if [ -f "$ip_file" ]; then
current_data=$(cat "$ip_file")
fi
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
hits=$((hits + 1))
@@ -1828,7 +1847,9 @@ monitor_database_attacks() {
[ $score -gt 100 ] && score=100
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Update ip_data file directly (subshells can't access IP_DATA array)
local ip_file="$TEMP_DIR/ip_${ip//\./_}"
echo "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" > "$ip_file"
# Store block reasons for CSF
if [ -n "$block_reasons" ]; then