cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CRITICAL FIX: Load persistent IP data BEFORE threshold calculation

Browse Source 
Bug: Threshold calculation used undefined 'hits' variable.
Code tried to use lifetime_hits at line 2622, but hits wasn't loaded until line 2652.
Result: Adaptive threshold never actually worked - always used default threshold.

Fix: Load IP data (score|hits|bot_type|attacks|ban_count|rep_score) from persistent
ip_data file BEFORE calculating threshold, so we have accurate lifetime hit count.

Now the flow is:
1. Load persistent IP data from ip_data (includes current lifetime hits)
2. Calculate threshold based on CURRENT lifetime hits
3. Check if count > threshold
4. If yes, increment hits and process
5. Write back to ip_data with incremented hits

Example: IP with 5 detections in 3 minutes
- Detection 1: hits=1, threshold=3, needs 3+ connections
- Detection 2: hits=2, threshold=2, needs 2+ connections
- Detection 3: hits=3, threshold=2, needs 2+ connections
- Detection 4: hits=4, threshold=2, needs 2+ connections
- Detection 5: hits=5, threshold=1, needs 1+ connection ✓

If IP has 2+ connections on each scan, detected on scans 2-5+.
If IP has 1+ connection on each scan, detected on scan 5+ (or earlier if more connections).

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-03-06 23:05:52 -05:00
parent 4ea982b119
commit 0fec5f1081
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor-v2.sh
+10 -10
View File
@@ -2586,6 +2586,14 @@ monitor_network_attacks() {
# Track connection count for this IP # Track connection count for this IP
CONNECTION_COUNT[$ip]=$count CONNECTION_COUNT[$ip]=$count
# Load IP's persistent data FIRST (before threshold calculation)
# This gets the current lifetime hits count from ip_data
local current_data="0|0|human||0|0"
if [ -f "$TEMP_DIR/ip_data" ]; then
current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
fi
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
# Dynamic threshold based on attack severity + momentum: # Dynamic threshold based on attack severity + momentum:
# CRITICAL FIX: Changed Tier 0 threshold from 20 to 3 # CRITICAL FIX: Changed Tier 0 threshold from 20 to 3
# Bug: Tier 0 (< 75 total SYN) had threshold=20, preventing detection of distributed attacks # Bug: Tier 0 (< 75 total SYN) had threshold=20, preventing detection of distributed attacks
@@ -2644,16 +2652,8 @@ monitor_network_attacks() {
if [ -z "${ALERT_SENT[$ip]}" ]; then if [ -z "${ALERT_SENT[$ip]}" ]; then
ALERT_SENT[$ip]=1 ALERT_SENT[$ip]=1
# Load IP reputation from PERSISTENT central database (ip_data) # Data already loaded earlier (before threshold calculation)
# This preserves hits across monitor restarts for historical tracking # Just increment hits (persistent across monitor restarts)
local current_data="0|0|human||0|0"
if [ -f "$TEMP_DIR/ip_data" ]; then
# Extract this IP's data from central database
current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
fi
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
# Increment hits (persistent across monitor restarts)
# This is the total lifetime detection count for this IP # This is the total lifetime detection count for this IP
hits=$((hits + 1)) hits=$((hits + 1))