From 23a571fc0cff6dbad18497a66525a5985b678199 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 6 Mar 2026 21:41:22 -0500
Subject: [PATCH] FIX: Increment block counter for all detected attack types

Bug: Block counter (TOTAL_BLOCKS) remained at 0 despite detecting and logging multiple block events (FIREWALL_BLOCK, SUBNET_BLOCK, INSTANT_BLOCK_RCE, CPHULK_BLOCK, DISTRIBUTED_ATTACK). This caused the monitoring display to show "Blocks: 0" even when blocks were actively occurring.

Root cause: Block event logging was performed at 6 locations but the increment_block_counter() function was never called to update the counter.

Fixes applied (6 total):
1. Line 1951: Add counter increment after INSTANT_BLOCK_RCE logging
2. Line 2231: Add counter increment after FIREWALL_BLOCK logging
3. Line 2298: Add counter increment after CPHULK_BLOCK logging
4. Line 2525: Add counter increment after SUBNET_BLOCK (network attack) logging
5. Line 3314: Add counter increment after DISTRIBUTED_ATTACK logging
6. Line 3340: Add counter increment after SUBNET_BLOCK (distributed) logging

Result: Block counter now properly increments when each block type is detected, providing accurate reflection of security action counts in the monitoring display.

Co-Authored-By: Claude Haiku 4.5
---
 modules/security/live-attack-monitor-v2.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index cbc0188..54dd95c 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -1949,6 +1949,8 @@ monitor_apache_logs() {
 if [[ "$et_attack_types" =~ (RCE|WEBSHELL|ECOMMERCE_EXPLOIT) ]]; then
 # These are ALWAYS critical - block immediately regardless of score
 echo "[CRITICAL] INSTANT_BLOCK_RCE | $ip | Score:$et_attack_score | Attacks:$et_attack_types" >> "$TEMP_DIR/recent_events"
+ # BUG FIX: Increment block counter for RCE blocks
+ increment_block_counter 1
 if type quick_block_ip &>/dev/null; then
 quick_block_ip "$ip" "CRITICAL_RCE: $et_attack_types" &
 fi
@@ -2229,6 +2231,8 @@ monitor_firewall_blocks() {
 # Log firewall block
 local time_str=$(date +"%H:%M:%S")
 echo -e "${LOW_COLOR}[${time_str}] $ip | FIREWALL_BLOCK | Blocked by firewall${NC}" >> "$TEMP_DIR/recent_events"
+ # BUG FIX: Increment block counter when block is detected
+ increment_block_counter 1
 fi
 fi
 done &
@@ -2294,6 +2298,8 @@ monitor_cphulk_blocks() {
 local color=$(get_threat_color "$level")
 
 echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 🔐CPHULK_BLOCK | Blocked by cPHulk${NC}" >> "$TEMP_DIR/recent_events"
+ # BUG FIX: Increment block counter for cPHulk blocks
+ increment_block_counter 1
 fi
 done
 sleep 10 # Poll every 10 seconds
@@ -2519,6 +2525,8 @@ monitor_network_attacks() {
 ) &
 local time_str=$(date +"%H:%M:%S")
 echo -e "${CRITICAL_COLOR}[${time_str}] SUBNET_BLOCK | $subnet_cidr | IPs:${subnet_ip_count} | Severity:${attack_severity}${NC}" >> "$TEMP_DIR/recent_events"
+ # BUG FIX: Increment block counter when subnet block is detected
+ increment_block_counter 1
 fi
 fi
 done
@@ -3306,6 +3314,8 @@ detect_distributed_attacks() {
 if [ ${#batch_ips[@]} -gt 0 ]; then
 batch_block_ips "${batch_ips[@]}"
 echo -e "${CRITICAL_COLOR}[${time_str}] DISTRIBUTED_ATTACK | ${attack_type} from ${unique_ips} IPs | BLOCKED ALL${NC}" >> "$TEMP_DIR/recent_events"
+ # BUG FIX: Increment block counter for distributed attacks
+ increment_block_counter 1
 fi
 
 # Check for subnet-level coordination (25+ IPs from same /24)
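Review bot: `increment_block_counter 1` runs before `quick_block_ip` is even attempted, and that call is both conditional on the function existing and backgrounded with `&`, so the counter records a block decision rather than an enforced block. Hunk 5 (`batch_block_ips` return status is not checked) and hunk 6 (`ipset add` failures are hidden by `2>/dev/null`) increment the same way, so a display reading "Blocks: N" can overstate what was actually enforced. Where the outcome is observable, tie the increment to it — in hunk 6, `if ipset add "$IPSET_NAME" "$subnet_cidr" -exist 2>/dev/null; then` with the echo and increment moved inside that branch; where it is not, say so at the site, e.g. `# Counts block decisions; quick_block_ip runs asynchronously and its outcome is not verified here`. monitor_apache_logs, detect_distributed_attacks and their enclosing conditionals start and end outside these hunks.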
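Review bot: The new `increment_block_counter 1` executes inside the `while` loop that this hunk's last line backgrounds with `done &`, so it runs in a child of the monitor process. If `increment_block_counter` (defined outside this diff) adds to an in-memory variable such as TOTAL_BLOCKS, the update stays in the child and the parent's display keeps showing 0; if it updates a file under `$TEMP_DIR`, the six call sites added here can now race on a read-modify-write and silently drop increments. Worth confirming that the helper persists the count to a file and serialises the update, e.g. by wrapping the read, add and write in `flock` on a lock file kept next to the counter. The loop and monitor_firewall_blocks begin outside the hunk.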
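Review bot: The increment after `batch_block_ips "${batch_ips[@]}"` adds 1 for a batch of `${#batch_ips[@]}` addresses, and the subnet sites in hunks 4 and 6 add 1 per /24, while hunks 1–3 add 1 per address, so TOTAL_BLOCKS ends up mixing events and addresses. If the display is meant to show blocked addresses, pass the batch size here, `increment_block_counter "${#batch_ips[@]}"`, and the observed `"$subnet_ip_count"` at the subnet sites if that is the intended unit there; if it is meant to count block events, as the commit message says, the display label should make that unit explicit. detect_distributed_attacks continues outside the hunk.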
@@ -3330,6 +3340,8 @@ detect_distributed_attacks() {
 if [ "$IPSET_AVAILABLE" -eq 1 ]; then
 ipset add "$IPSET_NAME" "$subnet_cidr" -exist 2>/dev/null
 echo -e "${CRITICAL_COLOR}[${time_str}] SUBNET_BLOCK | $subnet_cidr | ${attack_type} from ${subnet_ip_count} IPs | BLOCKED${NC}" >> "$TEMP_DIR/recent_events"
+ # BUG FIX: Increment block counter for subnet blocks
+ increment_block_counter 1
 fi
 fi
 fi
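Review bot: `ipset add "$IPSET_NAME" "$subnet_cidr" -exist` succeeds silently when the subnet is already in the set, so if detect_distributed_attacks re-evaluates the same /24 on a later pass (the surrounding loop is outside the hunk), the SUBNET_BLOCK line is logged and the counter incremented again for a block that already existed. Guarding the add with `ipset test "$IPSET_NAME" "$subnet_cidr" 2>/dev/null` and only logging and incrementing when the entry was newly added keeps the count to new blocks. The same question applies to the cPHulk poll in hunk 3, which re-reads every 10 seconds, if already-counted entries are not filtered before the log line.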