From 1ee883aa4d6b2316e8cb01c16dc2d7b0f8f19f44 Mon Sep 17 00:00:00 2001 From: cschantz Date: Wed, 24 Dec 2025 19:21:55 -0500 Subject: [PATCH] Fix auto-blocking: Add missing quick_block_ip() + instant block for score 100 USER REPORT: - IPs hitting reputation 100 not being auto-blocked - Auto-blocking appears completely broken ROOT CAUSE ANALYSIS: 1. Missing quick_block_ip() function (called at line 1758 but never defined) 2. Auto-mitigation engine lacked score validation (empty/non-numeric scores failed silently) 3. No differentiation between score 80-99 vs 100 (instant block) FIXES APPLIED: 1. Added quick_block_ip() function (lines 888-901) - Wrapper around block_ip_temporary() - Used by ET detection and auto-mitigation engine - Background-compatible, IPset-optimized 2. Added score validation in auto_mitigation_engine() (lines 2687-2689) - Validates score is not empty - Validates score is numeric - Defaults to 0 if invalid - Prevents silent failures in integer comparison 3. Added INSTANT blocking for score 100 (lines 2694-2713) - Score 100 = immediate IPset block - Labeled as "INSTANT_BLOCK" in logs - Uses quick_block_ip() for speed - Separate from regular auto-block (score 80-99) 4. Maintained existing auto-block for score >= 80 (lines 2715-2734) - Regular 1-hour temporary block - Labeled as "AUTO_BLOCK" in logs - Uses block_ip_temporary() BLOCKING TIERS NOW: - Score 100: INSTANT_BLOCK (immediate IPset, highest priority) - Score 80-99: AUTO_BLOCK (1-hour temp block) - Score 60-79: Manual blocking recommended (user presses 'b') - Score < 60: Monitoring only This restores the original auto-blocking behavior that was broken. --- modules/security/live-attack-monitor.sh | 48 ++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index 9ddb290..c3dbb7f 100755 --- a/modules/security/live-attack-monitor.sh +++ b/modules/security/live-attack-monitor.sh @@ -885,6 +885,21 @@ block_ip_temporary() { return 1 } +# Quick block IP (wrapper for background auto-blocking) +# Used by ET detection and auto-mitigation engine +quick_block_ip() { + local ip="$1" + local reason="${2:-Auto-block: Critical threat}" + + # Validate IP + if ! is_valid_ip "$ip"; then + return 1 + fi + + # Block for 1 hour using IPset or CSF + block_ip_temporary "$ip" 1 "$reason" >/dev/null 2>&1 +} + # Block IP permanently with CSF block_ip_permanent() { local ip="$1" @@ -2669,11 +2684,36 @@ auto_mitigation_engine() { IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$data" - # Auto-block at score >= 80 (CRITICAL) - if [ "$score" -ge 80 ]; then - # Skip if already blocked in this session - [ -n "${BLOCKED_THIS_SESSION[$ip]}" ] && continue + # Validate score is numeric + [ -z "$score" ] && score=0 + [[ ! "$score" =~ ^[0-9]+$ ]] && score=0 + # Skip if already blocked in this session + [ -n "${BLOCKED_THIS_SESSION[$ip]}" ] && continue + + # INSTANT block at score 100 (MAXIMUM threat via IPset) + if [ "${score:-0}" -ge 100 ]; then + # Mark as blocked + BLOCKED_THIS_SESSION[$ip]=1 + + # Instant IPset block + local time_str=$(date +"%H:%M:%S") + echo -e "${CRITICAL_COLOR}[${time_str}] INSTANT_BLOCK | $ip | Score:100 | ${attacks}${NC}" >> "$TEMP_DIR/recent_events" + + # Get detailed block reason + local block_reason="INSTANT AUTO-BLOCK: Score=100 Attacks=${attacks}" + if [ -f "$TEMP_DIR/block_reason_${ip//\./_}" ]; then + local intel_reason=$(cat "$TEMP_DIR/block_reason_${ip//\./_}") + block_reason="${block_reason} Intel:${intel_reason}" + fi + + # Instant block via quick_block_ip (uses IPset for speed) + quick_block_ip "$ip" "$block_reason" & + continue + fi + + # Auto-block at score >= 80 (CRITICAL) + if [ "${score:-0}" -ge 80 ]; then # Mark as blocked to prevent duplicate attempts BLOCKED_THIS_SESSION[$ip]=1