FIX: Use existing persistent ip_data storage for historical hit tracking

Remove redundant ip_history_IPADDR files and leverage existing infrastructure:
- ip_data file already stores: IP=score|hits|bot_type|attacks|ban_count|rep_score
- hits field is already persistent across monitor restarts
- write_ip_data_to_file() already handles atomic updates with flock

Change: Load IP data from central ip_data file instead of temp ip_IPADDR files
Result: Historical hits now properly tracked and used for threshold adaptation

The existing 'hits' field in ip_data IS the lifetime detection counter we need.
Just need to load from the right file (central persistent storage, not temp files).

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
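A stand-alone look-up against a database in the `IP=score|hits|bot_type|attacks|ban_count|rep_score` layout the message describes. This is an added example, not code from the repository; the file contents are constructed, `IP_DATA_FILE`, `load_ip_record`, `bump_hits` and `naive_lookup` are hypothetical names, and the default record `0|0|human||0|0` is taken from the commit. It shows the difference between a `grep | cut || echo` fallback (which yields an empty string for an unseen IP, because the pipeline's status is `cut`'s, not `grep`'s) and an exact-key `awk` match with an explicit empty check:

```bash
#!/bin/sh
# Added example (not repository code). Looks up and increments the persistent
# 'hits' field of one IP in an ip_data-style file.
# Assumed layout (from the commit message): IP=score|hits|bot_type|attacks|ban_count|rep_score

# Constructed sample database; file name is an assumption.
IP_DATA_FILE="$(mktemp)"
trap 'rm -f "$IP_DATA_FILE"' EXIT
cat > "$IP_DATA_FILE" <<'EOF'
203.0.113.10=5|3|human||0|0
203.0.113.1=9|40|bot|ssh_bruteforce|2|-50
EOF

# Default record for an IP that has never been seen.
DEFAULT_RECORD="0|0|human||0|0"

# Pipeline-style lookup: the '|| echo' only runs if 'cut' fails, so a
# missing IP produces an empty string, not the default record.
naive_lookup() {
    grep "^$1=" "$IP_DATA_FILE" 2>/dev/null | cut -d= -f2 || echo "$DEFAULT_RECORD"
}

# Exact-key lookup: awk compares the whole key field (dots are not regex
# wildcards, and 203.0.113.1 cannot match 203.0.113.10), then an explicit
# emptiness test applies the default.
load_ip_record() {
    rec=$(awk -F= -v ip="$1" '$1 == ip { print substr($0, length($1) + 2); exit }' "$IP_DATA_FILE")
    [ -n "$rec" ] || rec="$DEFAULT_RECORD"
    printf '%s\n' "$rec"
}

# Increment the lifetime hits field and return the updated record.
# The write-back to the database (under flock) is out of scope here.
bump_hits() {
    IFS='|' read -r score hits bot_type attacks ban_count rep_score <<EOF
$(load_ip_record "$1")
EOF
    hits=$((hits + 1))
    printf '%s|%s|%s|%s|%s|%s\n' "$score" "$hits" "$bot_type" "$attacks" "$ban_count" "$rep_score"
}

# Usage:
#   load_ip_record 203.0.113.1    -> 9|40|bot|ssh_bruteforce|2|-50
#   bump_hits 198.51.100.7        -> 0|1|human||0|0   (unseen IP, default applied)
#   naive_lookup 198.51.100.7     -> (empty line)
```

Running `naive_lookup` on an unseen address prints nothing, so a subsequent `IFS='|' read` leaves `bot_type` and `rep_score` empty rather than `human` and `0`; `load_ip_record` keeps the default intact.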
cschantz
2026-03-06 23:03:44 -05:00
parent 4a9b449d60
commit 244fd35e97
+7 -16
@@ -2643,28 +2643,19 @@ monitor_network_attacks() {
if [ -z "${ALERT_SENT[$ip]}" ]; then
ALERT_SENT[$ip]=1
# Update IP reputation via file (subshell can't access IP_DATA array)
local ip_file="$TEMP_DIR/ip_${ip//\./_}"
# Load IP reputation from PERSISTENT central database (ip_data)
# This preserves hits across monitor restarts for historical tracking
local current_data="0|0|human||0|0"
if [ -f "$ip_file" ]; then
current_data=$(cat "$ip_file")
if [ -f "$TEMP_DIR/ip_data" ]; then
# Extract this IP's data from central database
current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
fi
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
# Increment hits (this session)
# Increment hits (persistent across monitor restarts)
# This is the total lifetime detection count for this IP
hits=$((hits + 1))
# CRITICAL FIX: Persistent historical tracking across monitor restarts
# Track total lifetime detections of each IP (not just current session)
# This allows catching repeat attackers even if they space out attacks over time
local history_file="$TEMP_DIR/ip_history_${ip//\./_}"
local total_lifetime_hits=0
if [ -f "$history_file" ]; then
total_lifetime_hits=$(cat "$history_file" 2>/dev/null || echo 0)
fi
total_lifetime_hits=$((total_lifetime_hits + 1))
echo "$total_lifetime_hits" > "$history_file" 2>/dev/null
# Smart whitelisting: Skip IPs with MANY successful established connections
# Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
# CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches)
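Review bot: the `|| echo "0|0|human||0|0"` fallback on the new `current_data=$(grep "^${ip}=" ... | cut -d= -f2 || echo ...)` line never fires for an IP that is absent from `ip_data`, because the pipeline's exit status is `cut`'s (0 on empty input), not `grep`'s; `current_data` then becomes an empty string, the preceding `local current_data="0|0|human||0|0"` default is overwritten, and the `IFS='|' read` leaves `bot_type` and `rep_score` empty instead of `human` and `0`. Suggest assigning the pipeline result first and then `[ -n "$current_data" ] || current_data="0|0|human||0|0"`. The unescaped `$ip` in the `grep` pattern also treats each dot as a regex wildcard; an exact key comparison (`awk -F= -v ip="$ip" '$1 == ip'`) or escaping the dots avoids that. Finally, the hunk increments `hits` but does not show where the new value is written back to `ip_data` now that the per-IP temp file read has been dropped; worth confirming the later write path (the commit message points at `write_ip_data_to_file()`) and that nothing below still references the removed `$ip_file`.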