cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add comprehensive attack monitoring and auto-mitigation

Browse Source 
Extended live monitor with additional attack vectors and intelligent mitigation:

Attack Monitoring:
- Email/SMTP bruteforce (dovecot/exim authentication failures)
- FTP bruteforce (vsftpd login failures)
- Database bruteforce (MySQL authentication failures)
- Distributed attack detection (botnet identification via pattern analysis)

Automated Mitigation:
- Auto-blocking engine for IPs reaching critical threshold (score ≥80)
- 1-hour temporary blocks with automatic logging
- Prevents manual intervention for clear threats

Intelligence Enhancements:
- Cross-source attack correlation
- Distributed attack pattern recognition (5+ IPs, same attack)
- Automated threat response with audit trail

Coverage: Web, SSH, Email, FTP, Database, Firewall, cPHulk, Network (8 sources)
This commit is contained in:
cschantz
2025-11-14 15:48:50 -05:00
parent fef30e1781
commit 1aa9f41ae6
1 changed files with 232 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor.sh
+232
View File
@@ -975,13 +975,245 @@ monitor_network_attacks() {
fi
}
################################################################################
# Email/SMTP Attack Monitoring
################################################################################
monitor_email_attacks() {
# Monitor mail logs for SMTP/IMAP/POP3 bruteforce
local mail_log="/var/log/maillog"
if [ ! -f "$mail_log" ]; then
mail_log="/var/log/mail.log"
fi
if [ -f "$mail_log" ]; then
tail -n 0 -F "$mail_log" 2>/dev/null | while read -r line; do
# Dovecot authentication failures
if echo "$line" | grep -qiE "auth.*failed|authentication failed|password mismatch"; then
local ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1)
if [ -n "$ip" ]; then
# Skip local/private IPs
[[ "$ip" =~ ^127\. ]] || [[ "$ip" =~ ^10\. ]] || [[ "$ip" =~ ^192\.168\. ]] || [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] && continue
# Process as BRUTEFORCE attack
local current_data="${IP_DATA[$ip]:-0|0|human||0|0}"
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
hits=$((hits + 1))
# Add BRUTEFORCE to attacks
if [[ ! "$attacks" =~ BRUTEFORCE ]]; then
[ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
fi
score=$(calculate_attack_score "$attacks")
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Log to reputation DB
flag_ip_attack "$ip" "BRUTEFORCE" 0 "Email authentication failure" >/dev/null 2>&1 &
# Log event
local time_str=$(date +"%H:%M:%S")
local level=$(get_threat_level "$score")
local color=$(get_threat_color "$level")
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 📧EMAIL_BRUTEFORCE | Hits:$hits${NC}" >> "$TEMP_DIR/recent_events"
fi
fi
done &
fi
}
################################################################################
# FTP Attack Monitoring
################################################################################
monitor_ftp_attacks() {
# Monitor FTP logs for bruteforce attempts
local ftp_log="/var/log/vsftpd.log"
if [ ! -f "$ftp_log" ]; then
ftp_log="/var/log/xferlog"
fi
if [ -f "$ftp_log" ]; then
tail -n 0 -F "$ftp_log" 2>/dev/null | while read -r line; do
# FTP authentication failures
if echo "$line" | grep -qiE "FAIL LOGIN|authentication failed|530 Login incorrect"; then
local ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1)
if [ -n "$ip" ]; then
# Skip local/private IPs
[[ "$ip" =~ ^127\. ]] || [[ "$ip" =~ ^10\. ]] || [[ "$ip" =~ ^192\.168\. ]] || [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] && continue
# Process as BRUTEFORCE attack
local current_data="${IP_DATA[$ip]:-0|0|human||0|0}"
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
hits=$((hits + 1))
# Add BRUTEFORCE to attacks
if [[ ! "$attacks" =~ BRUTEFORCE ]]; then
[ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
fi
score=$(calculate_attack_score "$attacks")
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Log to reputation DB
flag_ip_attack "$ip" "BRUTEFORCE" 0 "FTP login failure" >/dev/null 2>&1 &
# Log event
local time_str=$(date +"%H:%M:%S")
local level=$(get_threat_level "$score")
local color=$(get_threat_color "$level")
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 📁FTP_BRUTEFORCE | Hits:$hits${NC}" >> "$TEMP_DIR/recent_events"
fi
fi
done &
fi
}
################################################################################
# Database Attack Monitoring
################################################################################
monitor_database_attacks() {
# Monitor MySQL logs for authentication failures
local mysql_log="/var/log/mysqld.log"
if [ ! -f "$mysql_log" ]; then
mysql_log="/var/log/mysql/error.log"
fi
if [ -f "$mysql_log" ]; then
tail -n 0 -F "$mysql_log" 2>/dev/null | while read -r line; do
# MySQL authentication failures
if echo "$line" | grep -qiE "Access denied for user|Failed password for"; then
local ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1)
if [ -n "$ip" ]; then
# Skip local/private IPs
[[ "$ip" =~ ^127\. ]] || [[ "$ip" =~ ^10\. ]] || [[ "$ip" =~ ^192\.168\. ]] || [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] && continue
# Process as SQL_INJECTION attack (database level)
local current_data="${IP_DATA[$ip]:-0|0|human||0|0}"
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
hits=$((hits + 1))
# Add SQL_INJECTION to attacks
if [[ ! "$attacks" =~ SQL_INJECTION ]]; then
[ -z "$attacks" ] && attacks="SQL_INJECTION" || attacks="${attacks},SQL_INJECTION"
fi
score=$(calculate_attack_score "$attacks")
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Log to reputation DB
flag_ip_attack "$ip" "SQL_INJECTION" 0 "MySQL authentication failure" >/dev/null 2>&1 &
# Log event
local time_str=$(date +"%H:%M:%S")
local level=$(get_threat_level "$score")
local color=$(get_threat_color "$level")
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 🗄️ DB_BRUTEFORCE | Hits:$hits${NC}" >> "$TEMP_DIR/recent_events"
fi
fi
done &
fi
}
################################################################################
# Distributed Attack Detection
################################################################################
detect_distributed_attacks() {
# Run in background, check every 30 seconds
(
while true; do
sleep 30
# Look for same attack pattern from multiple IPs in short time
if [ -f "$TEMP_DIR/recent_events" ]; then
# Get recent attacks (last 2 minutes)
local recent=$(tail -200 "$TEMP_DIR/recent_events" 2>/dev/null)
# Check for same attack type from 5+ different IPs
for attack_type in RCE SQL_INJECTION XSS PATH_TRAVERSAL BRUTEFORCE; do
local attack_count=$(echo "$recent" | grep -c "$attack_type")
if [ "$attack_count" -ge 5 ]; then
local unique_ips=$(echo "$recent" | grep "$attack_type" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u | wc -l)
if [ "$unique_ips" -ge 5 ]; then
# Distributed attack detected!
local time_str=$(date +"%H:%M:%S")
echo -e "${CRITICAL_COLOR}[${time_str}] DISTRIBUTED_ATTACK | ${attack_type} from ${unique_ips} IPs in last 2min | Possible botnet${NC}" >> "$TEMP_DIR/recent_events"
# Mark in a file for Quick Actions to see
echo "${attack_type}|${unique_ips}|$(date +%s)" >> "$TEMP_DIR/distributed_attacks"
fi
fi
done
fi
done
) &
}
################################################################################
# Automatic Mitigation Engine
################################################################################
auto_mitigation_engine() {
# Run in background, check every 10 seconds
(
while true; do
sleep 10
# Auto-block IPs that reach CRITICAL threshold
for ip in "${!IP_DATA[@]}"; do
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}"
# Auto-block at score >= 80 (CRITICAL)
if [ "$score" -ge 80 ]; then
# Check if already blocked
if ! is_ip_blocked "$ip" 2>/dev/null; then
# Auto-block
local time_str=$(date +"%H:%M:%S")
echo -e "${CRITICAL_COLOR}[${time_str}] AUTO_BLOCK | $ip | Score:$score | ${attacks}${NC}" >> "$TEMP_DIR/recent_events"
# Block for 1 hour
block_ip_temporary "$ip" 1 "Auto-block: Critical threat score $score - ${attacks}" >/dev/null 2>&1 &
# Update ban count
ban_count=$((ban_count + 1))
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
fi
fi
done
done
) &
}
# Start all log monitoring sources
monitor_apache_logs
monitor_ssh_attacks
monitor_email_attacks
monitor_ftp_attacks
monitor_database_attacks
monitor_firewall_blocks
monitor_cphulk_blocks
monitor_network_attacks
# Start intelligence engines
detect_distributed_attacks
auto_mitigation_engine
# Periodic snapshot saving in background
(
while true; do