FIX: Increment block counter for all detected attack types

Bug: Block counter (TOTAL_BLOCKS) remained at 0 despite detecting and
logging multiple block events (FIREWALL_BLOCK, SUBNET_BLOCK, INSTANT_BLOCK_RCE,
CPHULK_BLOCK, DISTRIBUTED_ATTACK). This caused the monitoring display to show
"Blocks: 0" even when blocks were actively occurring.

Root cause: Block event logging was performed at 6 locations but the
increment_block_counter() function was never called to update the counter.

Fixes applied (6 total):
1. Line 1951: Add counter increment after INSTANT_BLOCK_RCE logging
2. Line 2231: Add counter increment after FIREWALL_BLOCK logging
3. Line 2298: Add counter increment after CPHULK_BLOCK logging
4. Line 2525: Add counter increment after SUBNET_BLOCK (network attack) logging
5. Line 3314: Add counter increment after DISTRIBUTED_ATTACK logging
6. Line 3340: Add counter increment after SUBNET_BLOCK (distributed) logging

Result: The block counter now increments each time one of these block types is detected,
so the monitoring display reflects the number of block actions recorded.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
cschantz
2026-03-06 21:41:22 -05:00
parent 1235d25b12
commit 23a571fc0c
@@ -1949,6 +1949,8 @@ monitor_apache_logs() {
if [[ "$et_attack_types" =~ (RCE|WEBSHELL|ECOMMERCE_EXPLOIT) ]]; then
# These are ALWAYS critical - block immediately regardless of score
echo "[CRITICAL] INSTANT_BLOCK_RCE | $ip | Score:$et_attack_score | Attacks:$et_attack_types" >> "$TEMP_DIR/recent_events"
# BUG FIX: Increment block counter for RCE blocks
increment_block_counter 1
if type quick_block_ip &>/dev/null; then
quick_block_ip "$ip" "CRITICAL_RCE: $et_attack_types" &
fi
@@ -2229,6 +2231,8 @@ monitor_firewall_blocks() {
# Log firewall block
local time_str=$(date +"%H:%M:%S")
echo -e "${LOW_COLOR}[${time_str}] $ip | FIREWALL_BLOCK | Blocked by firewall${NC}" >> "$TEMP_DIR/recent_events"
# BUG FIX: Increment block counter when block is detected
increment_block_counter 1
fi
fi
done &
@@ -2294,6 +2298,8 @@ monitor_cphulk_blocks() {
local color=$(get_threat_color "$level")
echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 🔐CPHULK_BLOCK | Blocked by cPHulk${NC}" >> "$TEMP_DIR/recent_events"
# BUG FIX: Increment block counter for cPHulk blocks
increment_block_counter 1
fi
done
sleep 10 # Poll every 10 seconds
@@ -2519,6 +2525,8 @@ monitor_network_attacks() {
) &
local time_str=$(date +"%H:%M:%S")
echo -e "${CRITICAL_COLOR}[${time_str}] SUBNET_BLOCK | $subnet_cidr | IPs:${subnet_ip_count} | Severity:${attack_severity}${NC}" >> "$TEMP_DIR/recent_events"
# BUG FIX: Increment block counter when subnet block is detected
increment_block_counter 1
fi
fi
done
@@ -3306,6 +3314,8 @@ detect_distributed_attacks() {
if [ ${#batch_ips[@]} -gt 0 ]; then
batch_block_ips "${batch_ips[@]}"
echo -e "${CRITICAL_COLOR}[${time_str}] DISTRIBUTED_ATTACK | ${attack_type} from ${unique_ips} IPs | BLOCKED ALL${NC}" >> "$TEMP_DIR/recent_events"
# BUG FIX: Increment block counter for distributed attacks
increment_block_counter 1
fi
# Check for subnet-level coordination (25+ IPs from same /24)
@@ -3330,6 +3340,8 @@ detect_distributed_attacks() {
if [ "$IPSET_AVAILABLE" -eq 1 ]; then
ipset add "$IPSET_NAME" "$subnet_cidr" -exist 2>/dev/null
echo -e "${CRITICAL_COLOR}[${time_str}] SUBNET_BLOCK | $subnet_cidr | ${attack_type} from ${subnet_ip_count} IPs | BLOCKED${NC}" >> "$TEMP_DIR/recent_events"
# BUG FIX: Increment block counter for subnet blocks
increment_block_counter 1
fi
fi
fi
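Review bot: In the last hunk the counter is incremented regardless of whether `ipset add` actually succeeded — its exit status is ignored and stderr is discarded, so a failed subnet block (missing set, bad CIDR, insufficient privilege) is both logged as BLOCKED and counted as a block, which makes the "Blocks" figure overstate the protection that is in place. Gate the log line and the increment on the command instead: `if ipset add "$IPSET_NAME" "$subnet_cidr" -exist 2>/dev/null; then` … echo the BLOCKED line and `increment_block_counter 1` … `else` write a visible failure line to the same event log. The same pattern applies to the earlier hunks, where `increment_block_counter 1` runs before `quick_block_ip … &` (which may not even exist) and after `batch_block_ips` with no outcome check, so the counter means "block attempted", not "block applied" — at minimum the display label or a comment should say so. Note also that several of these increments execute inside backgrounded loops or subshells (`done &`, `) &`); `increment_block_counter` is not in the diff, so I cannot confirm it persists the count outside the subshell (e.g. a file under `$TEMP_DIR` updated under `flock`) rather than a plain shell variable — worth verifying, since otherwise the display would still read 0 for those paths and concurrent writers could lose increments. The enclosing `detect_distributed_attacks` body starts before and ends after this hunk.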