Unified Security Hardening Menu - Simplified CT_LIMIT with intelligent recommendations

MAJOR UX IMPROVEMENT: Consolidated security hardening into single 'c' key menu

REMOVED:
- 'f' key (Auto-Fix menu) - merged into 'c' key
- Scattered security recommendations across multiple menus
- Confusing workflow with multiple entry points

NEW UNIFIED MENU (Press 'c'):
┌─ Security Hardening & Firewall Optimization ─┐
│ Current Security Status:                      │
│   ✓ SYNFLOOD Protection: Enabled             │
│   ✗ SSH Security: Default (LF_SSHD=5)        │
│   ✓ Connection Tracking: Configured (200)    │
│                                               │
│ Available Hardening Options:                 │
│   1 - Enable SYNFLOOD Protection             │
│   2 - Harden SSH Security (Lower LF_SSHD)   │
│   3 - Optimize CT_LIMIT (Auto-analyze)       │
│   4 - Configure Port Knocking (Coming soon)  │
│   a - Apply All Needed Fixes                 │
│   q - Return to Monitor                      │
└───────────────────────────────────────────────┘

FEATURES:

1. Status Display:
   - Shows current state of all security settings
   - ✓ green checkmark = already configured
   - ✗ red X = needs attention
   - Clear indication of what's already done

2. CT_LIMIT Auto Mode (--auto flag):
   - Runs analysis silently when called from menu
   - Automatically applies BALANCED recommendation
   - No user prompts - just analyzes and applies
   - Creates backup before making changes

3. Intelligent Recommendations:
   - Quick Actions panel checks current settings
   - Only recommends DDoS protection if SYNFLOOD disabled OR CT_LIMIT not set
   - Only recommends SSH hardening if LF_SSHD > 3
   - Recommendations disappear after being applied
   - Clear actionable guidance

4. Apply All:
   - Option 'a' applies all needed fixes automatically
   - Skips already-configured settings
   - Shows count of fixes applied
   - One-click hardening for new servers

WORKFLOW IMPROVEMENTS:

Before:
1. See recommendation in Quick Actions
2. Press 'f' to open auto-fix menu
3. Select option from dynamic list
4. Different menu for CT_LIMIT ('c' key)

After:
1. See recommendation: "Press 'c' for Security Hardening menu"
2. Press 'c' - see status of ALL security settings
3. Select what to fix or press 'a' for all
4. Everything in ONE place

CT_LIMIT SIMPLIFICATION:
- Added --auto flag to optimize-ct-limit.sh
- When called with --auto: runs analysis + auto-applies BALANCED
- No user prompts in auto mode
- Perfect for automated workflows and menu integration

SMART RECOMMENDATIONS:
- DDoS recommendation only shows if:
  - SYNFLOOD = 0 OR CT_LIMIT not set/zero
- SSH recommendation only shows if:
  - LF_SSHD > 3
- After applying fixes, recommendations disappear
- No more "already configured" noise

USER EXPERIENCE:
- Single entry point for all security hardening
- Clear visual status indicators
- Actionable next steps
- No redundant options
- Professional menu layout
This commit is contained in:
cschantz
2025-12-01 18:40:58 -05:00
parent ed0be27b54
commit 22bd97b06c
2 changed files with 160 additions and 107 deletions
+109 -84
@@ -1184,19 +1184,29 @@ draw_quick_actions() {
local recommendations=0 local recommendations=0
if [ "$has_ddos" -eq 1 ] || [ "$high_conn_count" -gt 0 ]; then if [ "$has_ddos" -eq 1 ] || [ "$high_conn_count" -gt 0 ]; then
# Check if SYNFLOOD is already enabled # Check current security settings
local synflood_status=$(grep "^SYNFLOOD\s*=" /etc/csf/csf.conf 2>/dev/null | cut -d'"' -f2) local synflood_status=$(grep "^SYNFLOOD\s*=" /etc/csf/csf.conf 2>/dev/null | cut -d'"' -f2)
local ct_limit=$(grep "^CT_LIMIT\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1)
echo -e "${HIGH_COLOR} ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}" local needs_config=0
# Only show SYNFLOOD recommendation if not already enabled # Check if SYNFLOOD needs enabling
if [ "$synflood_status" != "1" ]; then if [ "$synflood_status" != "1" ]; then
echo -e "${MEDIUM_COLOR} → Press 'f' for Auto-Fix menu (enable SYNFLOOD protection)${NC}" needs_config=1
fi fi
echo -e "${MEDIUM_COLOR} → Optimize CT_LIMIT: ${BOLD}Press 'c' to run CT_LIMIT optimizer${NC}" # Check if CT_LIMIT needs optimization (not set or set to 0)
if [ -z "$ct_limit" ] || [ "$ct_limit" -eq 0 ]; then
needs_config=1
fi
# Only show recommendation if something needs fixing
if [ $needs_config -eq 1 ]; then
echo -e "${HIGH_COLOR} ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}"
echo -e "${MEDIUM_COLOR} → Press 'c' for Security Hardening menu${NC}"
recommendations=1 recommendations=1
fi fi
fi
if [ "$has_ssh_bruteforce" -eq 1 ]; then if [ "$has_ssh_bruteforce" -eq 1 ]; then
local ssh_attacks=0 local ssh_attacks=0
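Review bot: the new `needs_config` gate reads both settings but only shows the DDoS recommendation while `$has_ddos` or `$high_conn_count` is set, so a server with SYNFLOOD off and CT_LIMIT at CSF's default `"0"` gets no hint until an attack is already under way; if that is intended, say so in the message ("attack detected, protection not configured"). The `[ -z "$ct_limit" ] || [ "$ct_limit" -eq 0 ]` test correctly treats the default `CT_LIMIT = "0"` (tracking disabled) as unconfigured. Quote the variable in `if [ $needs_config -eq 1 ]` for consistency with the other tests in this function, and note that csf.conf is now re-read on every redraw of the quick-actions panel; caching the values once per refresh cycle would avoid that.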
@@ -1213,8 +1223,7 @@ draw_quick_actions() {
# Only show recommendation if not already hardened # Only show recommendation if not already hardened
if [ "$current_lf" -gt 3 ]; then if [ "$current_lf" -gt 3 ]; then
echo -e "${HIGH_COLOR} ⚠️ SSH Bruteforce ($ssh_attacks attempts) - Strengthen SSH Security${NC}" echo -e "${HIGH_COLOR} ⚠️ SSH Bruteforce ($ssh_attacks attempts) - Strengthen SSH Security${NC}"
echo -e "${MEDIUM_COLOR} → Press 'f' for Auto-Fix menu (harden SSH to 3 attempts)${NC}" echo -e "${MEDIUM_COLOR} → Press 'c' for Security Hardening menu${NC}"
echo -e "${MEDIUM_COLOR} → Or enable PortKnocking or change SSH port${NC}"
recommendations=1 recommendations=1
fi fi
fi fi
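Review bot: `[ "$current_lf" -gt 3 ]` raises an "integer expression expected" error when LF_SSHD is commented out or missing and `current_lf` is empty; the visible context does not show where `current_lf` is assigned, so make sure it receives the same `[ -z "$current_lf" ] && current_lf="5"` default that show_security_hardening_menu applies. The deleted line `→ Or enable PortKnocking or change SSH port` was the only mention of mitigations other than the failure threshold; consider keeping it, since lowering LF_SSHD only limits attempts per source IP and does nothing against a distributed brute force.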
@@ -1224,7 +1233,7 @@ draw_quick_actions() {
echo "" echo ""
fi fi
echo -e "${INFO_COLOR} Keys: 'b' Block | 'c' CT_LIMIT | 'f' Auto-Fix | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}" echo -e "${INFO_COLOR} Keys: 'b' Block | 'c' Security | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}"
echo -e "${MEDIUM_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}" echo -e "${MEDIUM_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}"
} }
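Review bot: the updated key bar `'b' Block | 'c' Security | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit` drops 'f' correctly but still omits the `i` (threat intelligence) and `p` (performance monitor) keys that the help text later in this change documents; either list them or make the bar say "'h' for all keys" so the two stay in sync.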
@@ -1341,109 +1350,132 @@ show_blocking_menu() {
fi fi
} }
show_autofix_menu() { show_security_hardening_menu() {
clear clear
print_banner "Auto-Fix Security Recommendations" print_banner "Security Hardening & Firewall Optimization"
echo "" echo ""
# Detect current attack patterns
local has_ddos=0
local has_ssh_bruteforce=0
local ssh_attacks=0
for ip in "${!IP_DATA[@]}"; do
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}"
[[ "$attacks" =~ DDOS ]] && has_ddos=1
[[ "$attacks" =~ BRUTEFORCE ]] && has_ssh_bruteforce=1
done
if [ -f "$TEMP_DIR/recent_events" ]; then
ssh_attacks=$(grep -c "SSH_BRUTEFORCE" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0")
fi
# Show available fixes
echo "Available security hardening fixes:"
echo ""
local fix_count=0
# Check if CSF is available # Check if CSF is available
if ! command -v csf &>/dev/null; then if ! command -v csf &>/dev/null; then
echo -e "${HIGH_COLOR}⚠️ CSF/LFD firewall not detected${NC}" echo -e "${HIGH_COLOR}⚠️ CSF/LFD firewall not detected${NC}"
echo " Most auto-fix options require CSF to be installed" echo " Security hardening options require CSF to be installed"
echo "" echo ""
read -p "Press Enter to return to monitor..." read -p "Press Enter to return to monitor..."
return return
fi fi
# DDoS/SYN Flood protection # Check current settings
if [ "$has_ddos" -eq 1 ]; then local synflood_status=$(grep "^SYNFLOOD\s*=" /etc/csf/csf.conf 2>/dev/null | cut -d'"' -f2)
fix_count=$((fix_count + 1)) local current_lf=$(grep "^LF_SSHD\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1)
echo -e "${HIGH_COLOR}[$fix_count] Enable SYNFLOOD Protection${NC}" [ -z "$current_lf" ] && current_lf="5"
echo " Current: DDoS/SYN flood attacks detected"
echo " Fix: Enable kernel-level SYN flood protection in CSF" echo "Current Security Status:"
echo "" echo ""
# SYNFLOOD status
if [ "$synflood_status" = "1" ]; then
echo -e " ${SAFE_COLOR}${NC} SYNFLOOD Protection: ${BOLD}Enabled${NC}"
else
echo -e " ${HIGH_COLOR}${NC} SYNFLOOD Protection: ${BOLD}Disabled${NC}"
fi fi
# SSH Bruteforce hardening # SSH hardening status
if [ "$ssh_attacks" -gt 5 ]; then if [ "$current_lf" -le 3 ]; then
fix_count=$((fix_count + 1)) echo -e " ${SAFE_COLOR}${NC} SSH Security: ${BOLD}Hardened${NC} (LF_SSHD=$current_lf)"
echo -e "${HIGH_COLOR}[$fix_count] Harden SSH Security (Lower LF_SSHD)${NC}" else
echo " Current: $ssh_attacks SSH bruteforce attempts detected" echo -e " ${HIGH_COLOR}${NC} SSH Security: ${BOLD}Default${NC} (LF_SSHD=$current_lf, recommend ≤3)"
echo " Fix: Lower SSH failure threshold from default to 3 attempts"
echo ""
fi fi
# Always offer CT_LIMIT optimization # CT_LIMIT status (basic check)
fix_count=$((fix_count + 1)) local ct_limit=$(grep "^CT_LIMIT\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1)
echo -e "${MEDIUM_COLOR}[$fix_count] Optimize Connection Tracking Limit${NC}" if [ -n "$ct_limit" ] && [ "$ct_limit" -gt 0 ]; then
echo " Fix: Run CT_LIMIT optimizer to prevent connection exhaustion" echo -e " ${SAFE_COLOR}${NC} Connection Tracking: ${BOLD}Configured${NC} (CT_LIMIT=$ct_limit)"
echo "" else
echo -e " ${HIGH_COLOR}${NC} Connection Tracking: ${BOLD}Not Optimized${NC}"
if [ "$fix_count" -eq 1 ]; then
echo -e "${SAFE_COLOR}✓ No critical security issues detected${NC}"
echo " You can still run CT_LIMIT optimizer (option 1)"
echo ""
fi fi
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Select fix to apply [1-$fix_count], 'a' for all, or 'q' to cancel:"
read -n 1 choice
echo "" echo ""
echo "Available Hardening Options:"
echo ""
echo " ${BOLD}1${NC} - Enable SYNFLOOD Protection (DDoS defense)"
echo " ${BOLD}2${NC} - Harden SSH Security (Lower LF_SSHD to 3)"
echo " ${BOLD}3${NC} - Optimize CT_LIMIT (Auto-analyze & apply)"
echo " ${BOLD}4${NC} - Configure Port Knocking (Coming soon)"
echo ""
echo " ${BOLD}a${NC} - Apply All Needed Fixes"
echo " ${BOLD}q${NC} - Return to Monitor"
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
read -p "Select option: " choice
echo "" echo ""
case "$choice" in case "$choice" in
1) 1)
if [ "$has_ddos" -eq 1 ]; then if [ "$synflood_status" = "1" ]; then
apply_synflood_fix echo "✓ SYNFLOOD is already enabled"
elif [ "$ssh_attacks" -gt 5 ]; then echo ""
apply_ssh_hardening read -p "Press Enter to continue..."
else else
# CT_LIMIT is option 1 if no other fixes available apply_synflood_fix
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
read -p "Press Enter to return to monitor..."
fi fi
;; ;;
2) 2)
if [ "$has_ddos" -eq 1 ] && [ "$ssh_attacks" -gt 5 ]; then if [ "$current_lf" -le 3 ]; then
apply_ssh_hardening echo "✓ SSH is already hardened (LF_SSHD=$current_lf)"
echo ""
read -p "Press Enter to continue..."
else else
# CT_LIMIT is option 2 if only one other fix available apply_ssh_hardening
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
read -p "Press Enter to return to monitor..."
fi fi
;; ;;
3) 3)
# CT_LIMIT is option 3 if both other fixes available clear
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" "$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" --auto
echo ""
read -p "Press Enter to return to monitor..." read -p "Press Enter to return to monitor..."
;; ;;
4)
echo "Port Knocking configuration coming soon..."
echo ""
echo "For now, you can manually configure port knocking in CSF:"
echo "1. Edit /etc/csf/csf.conf"
echo "2. Set: PORTKNOCKING = \"1\""
echo "3. Define sequence: PORTKNOCKING_ALERT = \"1\""
echo "4. Restart: csf -r"
echo ""
read -p "Press Enter to continue..."
;;
a|A) a|A)
echo "Applying all recommended fixes..." echo "Applying all needed fixes..."
echo "" echo ""
[ "$has_ddos" -eq 1 ] && apply_synflood_fix local applied=0
[ "$ssh_attacks" -gt 5 ] && apply_ssh_hardening
# Apply SYNFLOOD if needed
if [ "$synflood_status" != "1" ]; then
apply_synflood_fix
((applied++))
fi
# Apply SSH hardening if needed
if [ "$current_lf" -gt 3 ]; then
apply_ssh_hardening
((applied++))
fi
# Always offer CT_LIMIT
echo "" echo ""
echo "✓ All fixes applied" echo "Running CT_LIMIT optimizer..."
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh" --auto
((applied++))
echo ""
if [ $applied -gt 0 ]; then
echo "✓ Applied $applied security fix(es)"
else
echo "✓ All security settings already optimized"
fi
echo "" echo ""
read -p "Press Enter to return to monitor..." read -p "Press Enter to return to monitor..."
;; ;;
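Review bot: in the `a|A)` branch the CT_LIMIT optimizer runs unconditionally and `((applied++))` follows it, so `applied` can never be 0 and the `else` branch printing "All security settings already optimized" is dead code; either skip the optimizer when `$ct_limit` is already non-zero (the status block above computes it) or remove the branch. `((applied++))` also returns exit status 1 when `applied` is 0, which aborts the script if it is ever run under `set -e`; `applied=$((applied + 1))` is safe. The exit status of `optimize-ct-limit.sh --auto` is ignored, so a failed auto-apply (which returns 1 in the other file) is still counted and reported as an applied fix; check `$?` before incrementing. Separately, option 1 and 'a' now enable SYNFLOOD whenever it is off, without the `[ "$has_ddos" -eq 1 ]` gate the old show_autofix_menu had; CSF's csf.conf comment for SYNFLOOD says it should only be enabled while an actual SYN flood is in progress because, once triggered, it rate-limits all new connections to the server, so keep that gate or warn in the menu text. In option 4, `PORTKNOCKING = "1"` is not a valid setting: in csf.conf PORTKNOCKING holds the knock definition (`port;protocol;timeout;kport1;kport2;...`) and PORTKNOCKING_ALERT only toggles the alert e-mail, so steps 2 and 3 should be reworded before the "Coming soon" placeholder ships.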
@@ -2653,14 +2685,8 @@ while true; do
show_blocking_menu show_blocking_menu
;; ;;
c|C) c|C)
# Run CT_LIMIT optimizer # Security hardening menu
clear show_security_hardening_menu
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
read -p "Press Enter to return to monitor..."
;;
f|F)
# Auto-fix recommendations
show_autofix_menu
;; ;;
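Review bot: with the `f|F)` case removed, pressing 'f' falls through to the case's default handler, which is not visible in this hunk; verify it prints an "unknown key" hint (ideally pointing at 'c') rather than silently redrawing, since existing users will still reach for 'f'.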
i|I) i|I)
# Show threat intelligence for specific IP # Show threat intelligence for specific IP
@@ -2754,8 +2780,7 @@ while true; do
echo "" echo ""
echo "Available Commands:" echo "Available Commands:"
echo " ${BOLD}b${NC} - Open IP blocking menu (batch or individual)" echo " ${BOLD}b${NC} - Open IP blocking menu (batch or individual)"
echo " ${BOLD}c${NC} - Run CT_LIMIT optimizer (analyze traffic & recommend limit)" echo " ${BOLD}c${NC} - Security hardening menu (SYNFLOOD, SSH, CT_LIMIT, Port Knocking)"
echo " ${BOLD}f${NC} - Auto-fix recommended security hardening (SYNFLOOD, SSH, etc.)"
echo " ${BOLD}i${NC} - Threat intelligence lookup (AbuseIPDB, geo, incident reports)" echo " ${BOLD}i${NC} - Threat intelligence lookup (AbuseIPDB, geo, incident reports)"
echo " ${BOLD}p${NC} - Show performance impact monitor (server load)" echo " ${BOLD}p${NC} - Show performance impact monitor (server load)"
echo " ${BOLD}s${NC} - Show IP reputation database statistics" echo " ${BOLD}s${NC} - Show IP reputation database statistics"
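Review bot: the new 'c' description advertises `Port Knocking` alongside SYNFLOOD, SSH and CT_LIMIT, but option 4 of the menu is still "Coming soon" and only prints manual instructions; drop it from the help line until it is implemented so the help text does not promise more than the menu delivers.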
+29 -1
@@ -802,6 +802,13 @@ apply_recommendation() {
################################################################################ ################################################################################
main() { main() {
# Check for auto mode
local AUTO_MODE=0
if [ "$1" = "--auto" ] || [ "$1" = "-a" ]; then
AUTO_MODE=1
fi
if [ $AUTO_MODE -eq 0 ]; then
clear clear
print_banner "CT_LIMIT Optimizer - Intelligent Connection Limit Calculator" print_banner "CT_LIMIT Optimizer - Intelligent Connection Limit Calculator"
echo "" echo ""
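Review bot: `-a` is accepted as an alias for `--auto` but appears in neither the commit message nor any usage text, and any other argument is silently ignored; print a short usage line and return non-zero for unknown flags so a typo like `--atuo` does not silently run the interactive path from a non-interactive caller. Since `AUTO_MODE` is `local` to main, the interactive/auto distinction is invisible to apply_recommendation and the other helpers; if any of them prompt, they will also need to be told about auto mode.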
@@ -814,6 +821,10 @@ main() {
read -p "Press Enter to start analysis or Ctrl+C to cancel..." read -p "Press Enter to start analysis or Ctrl+C to cancel..."
echo "" echo ""
else
echo "Running CT_LIMIT analysis in auto mode..."
echo ""
fi
# Check if sysref database exists, build if needed # Check if sysref database exists, build if needed
if [ ! -f "$SYSREF_DB" ] || [ ! -s "$SYSREF_DB" ]; then if [ ! -f "$SYSREF_DB" ] || [ ! -s "$SYSREF_DB" ]; then
@@ -830,6 +841,20 @@ main() {
# Generate and show recommendations # Generate and show recommendations
generate_recommendation generate_recommendation
# Apply automatically in auto mode, otherwise ask
if [ $AUTO_MODE -eq 1 ]; then
# Extract balanced value from recommendation
local balanced=$(grep "2. BALANCED" -A1 "$TEMP_ANALYSIS/recommendation.txt" | grep "CT_LIMIT" | grep -oE '[0-9]+')
if [ -n "$balanced" ]; then
echo ""
echo "Auto-applying BALANCED recommendation..."
apply_recommendation "$balanced"
else
print_error "Could not determine balanced recommendation value"
return 1
fi
else
# Offer to apply # Offer to apply
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "" echo ""
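Review bot: the BALANCED value is scraped from a human-readable file: `grep "2. BALANCED" -A1 "$TEMP_ANALYSIS/recommendation.txt" | grep "CT_LIMIT" | grep -oE '[0-9]+'` has no `head -1`, so if that CT_LIMIT line ever carries a second number (a safety factor, a percentage), `$balanced` becomes a multi-line string, `[ -n "$balanced" ]` still passes, and apply_recommendation receives a malformed value. Prefer having generate_recommendation expose the number directly (a variable or a one-value file) rather than parsing its display output; at minimum add `head -1` and validate with `[[ "$balanced" =~ ^[0-9]+$ ]]` before applying. Because this branch changes the firewall with no prompt, also log the previous CT_LIMIT and the backup location before calling apply_recommendation so an unattended run leaves an audit trail.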
@@ -848,9 +873,12 @@ main() {
echo "" echo ""
echo "No changes made. You can apply manually using the commands above." echo "No changes made. You can apply manually using the commands above."
fi fi
fi
echo "" echo ""
if [ $AUTO_MODE -eq 0 ]; then
print_success "Analysis complete!" print_success "Analysis complete!"
fi
} }
main main "$@"
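Review bot: `main "$@"` is the right fix, and the `return 1` in auto mode becomes the script's exit status since main is the last command. Suppressing `print_success "Analysis complete!"` in auto mode means a successful unattended run prints no final status at all while a failure prints print_error; emit a one-line success message (with the applied value) in auto mode too so the calling menu and any log have something to confirm the change.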