From 21da5cab2eeecb75b2f2c14bcee5f141450f401d Mon Sep 17 00:00:00 2001 
From: cschantz Date: Fri, 14 Nov 2025 15:22:20 -0500 Subject: [PATCH] Add intelligent firewall recommendations to live monitor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PROBLEM: Live monitor detected attacks but didn't provide actionable recommendations for firewall configuration (CT_LIMIT, SYNFLOOD, etc.) BEFORE: Quick Actions panel only showed: - Number of IPs ready to block - Press 'b' to block No guidance on: - What to do about SYN floods - How to enable SYNFLOOD protection - When to adjust CT_LIMIT - How to strengthen SSH against bruteforce AFTER: Quick Actions now provides intelligent recommendations based on detected attacks: 1. DDoS/SYN Flood Detection: ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended → Enable SYNFLOOD protection: csf -e SYNFLOOD → Set CT_LIMIT: Edit /etc/csf/csf.conf → CT_LIMIT="100" → Apply changes: csf -r 2. SSH Bruteforce Detection (>5 attempts): ⚠️ SSH Bruteforce (X attempts) - Strengthen SSH Security → Lower LF_SSHD trigger: Edit /etc/csf/csf.conf → LF_SSHD="3" → Enable PortKnocking or change SSH port 3. 
IP Blocking (score >= 60): ⚠️ X high-threat IPs ready to block → Press 'b' to open blocking menu INTELLIGENCE: - Monitors IP_DATA for DDOS attacks - Counts HIGH_CONN_COUNT events (>20 SYN_RECV) - Counts SSH_BRUTEFORCE attempts in feed - Only shows recommendations when threats detected - Provides exact commands to run PANEL RENAMED: "QUICK ACTIONS" → "QUICK ACTIONS & RECOMMENDATIONS" USER BENEFIT: - Know exactly what to do when SYN flood happens - Get firewall config commands immediately - Proactive security hardening suggestions - No need to remember CSF syntax NAVIGATION VERIFIED: ✅ All menu back buttons (0) return properly ✅ Cleanup trap handles Ctrl+C correctly ✅ Keyboard controls work (b, s, r, h, q) ✅ Blocking menu has cancel option FILES MODIFIED: - modules/security/live-attack-monitor.sh - Enhanced draw_quick_actions() (lines 393-460) - Added attack pattern detection - Added firewall recommendation logic - Panel title updated 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- modules/security/live-attack-monitor.sh | 54 +++++++++++++++++++++---- 1 file changed, 46 insertions(+), 8 deletions(-) diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index fe27816..d2fcbf9 100755 --- a/modules/security/live-attack-monitor.sh +++ b/modules/security/live-attack-monitor.sh 
@@ -391,16 +391,23 @@ draw_live_feed() { } draw_quick_actions() { - echo -e "${MEDIUM_COLOR}┌─ QUICK ACTIONS ────────────────────────────────────────────────────────────┐${NC}" + echo -e "${MEDIUM_COLOR}┌─ QUICK ACTIONS & RECOMMENDATIONS ─────────────────────────────────────────┐${NC}" # Get blockable IPs (score >= 60, not already blocked) local blockable_count=0 local blockable_ips="" + local has_ddos=0 + local has_ssh_bruteforce=0 + local high_conn_count=0 for ip in "${!IP_DATA[@]}"; do IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}" - # Skip if score too low + # Check attack patterns + [[ "$attacks" =~ DDOS ]] && has_ddos=1 + [[ "$attacks" =~ BRUTEFORCE ]] && has_ssh_bruteforce=1 + + # Skip if score too low for blocking [ "$score" -lt 60 ] && continue # Quick check - only verify if CSF/iptables commands available 
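Review bot: The two new pattern checks `[[ "$attacks" =~ DDOS ]]` and `[[ "$attacks" =~ BRUTEFORCE ]]` are unanchored regex substring matches, so any attack label containing that token sets the flag; if the attacks field can carry a non-SSH bruteforce label, `has_ssh_bruteforce=1` will later trigger the SSH-hardening recommendation for the wrong service. If the labels are known tokens, match the full one, e.g. `[[ "$attacks" =~ (^|,)SSH_BRUTEFORCE(,|$) ]]` with the actual separator used in that field, or rename the flag to `has_bruteforce` if a generic match is intended. The loop body and the rest of draw_quick_actions continue past the end of this hunk.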
@@ -409,14 +416,45 @@ draw_quick_actions() { blockable_ips+="$ip " done - if [ $blockable_count -gt 0 ]; then - echo -e "${HIGH_COLOR} ⚠️ $blockable_count high-threat IPs ready to block${NC}" - echo -e "${MEDIUM_COLOR} Press 'b' to open blocking menu${NC}" - else - echo -e "${SAFE_COLOR} ✓ No immediate threats requiring blocks${NC}" + # Check for high connection counts + if [ -f "$TEMP_DIR/recent_events" ]; then + high_conn_count=$(grep -c "HIGH_CONN_COUNT" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0") fi - echo -e "${INFO_COLOR} Press 'b' to block IPs | 'h' for help | 'q' to quit${NC}" + # IP Blocking Recommendations + if [ $blockable_count -gt 0 ]; then + echo -e "${HIGH_COLOR} ⚠️ $blockable_count high-threat IPs ready to block${NC}" + echo -e "${MEDIUM_COLOR} → Press 'b' to open blocking menu${NC}" + else + echo -e "${SAFE_COLOR} ✓ No IPs requiring immediate blocks${NC}" + fi + + # Intelligent Firewall Recommendations + local recommendations=0 + + if [ $has_ddos -eq 1 ] || [ $high_conn_count -gt 0 ]; then + echo -e "${HIGH_COLOR} ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}" + echo -e "${MEDIUM_COLOR} → Enable SYNFLOOD protection: ${BOLD}csf -e SYNFLOOD${NC}" + echo -e "${MEDIUM_COLOR} → Set CT_LIMIT: ${BOLD}Edit /etc/csf/csf.conf → CT_LIMIT=\"100\"${NC}" + echo -e "${MEDIUM_COLOR} → Apply changes: ${BOLD}csf -r${NC}" + recommendations=1 + fi + + if [ $has_ssh_bruteforce -eq 1 ]; then + local ssh_attacks=$(grep -c "SSH_BRUTEFORCE" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0") + if [ $ssh_attacks -gt 5 ]; then + echo -e "${HIGH_COLOR} ⚠️ SSH Bruteforce ($ssh_attacks attempts) - Strengthen SSH Security${NC}" + echo -e "${MEDIUM_COLOR} → Lower LF_SSHD trigger: ${BOLD}Edit /etc/csf/csf.conf → LF_SSHD=\"3\"${NC}" + echo -e "${MEDIUM_COLOR} → Enable PortKnocking or change SSH port${NC}" + recommendations=1 + fi + fi + + if [ $recommendations -eq 0 ]; then + echo "" + fi + + echo -e "${INFO_COLOR} Keys: 'b' Block IPs | 's' Stats | 'r' 
Refresh | 'h' Help | 'q' Quit${NC}" echo -e "${MEDIUM_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}" }
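Review bot: `high_conn_count=$(grep -c "HIGH_CONN_COUNT" ... 2>/dev/null || echo "0")` yields the two-line value `0<newline>0` whenever the file exists but has no match, because `grep -c` already prints `0` and exits 1 before `echo "0"` runs; the unquoted `[ $high_conn_count -gt 0 ]` then word-splits to `[ 0 0 -gt 0 ]` and prints `[: too many arguments` to stderr on every redraw in the quiet (no-attack) case, and `local ssh_attacks=$(grep -c "SSH_BRUTEFORCE" ...)` / `[ $ssh_attacks -gt 5 ]` has the same problem. Replace the fallback with `high_conn_count=$(grep -c "HIGH_CONN_COUNT" "$TEMP_DIR/recent_events" 2>/dev/null || true)` followed by `high_conn_count=${high_conn_count:-0}` (empty only when grep itself failed), do the same for `ssh_attacks` with the declaration split from the assignment, and quote both variables in the `[ ... -gt ... ]` tests. Separately, as far as I know `csf -e` is `--enable` and takes no argument, while SYNFLOOD is a csf.conf setting, so the printed advice `csf -e SYNFLOOD` would not enable SYN-flood protection; consider wording it like the CT_LIMIT line, `Edit /etc/csf/csf.conf → SYNFLOOD="1"`, followed by the existing `csf -r`.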