diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index eea49f5..71d1c0a 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2643,28 +2643,19 @@ monitor_network_attacks() {
 if [ -z "${ALERT_SENT[$ip]}" ]; then
 ALERT_SENT[$ip]=1
- # Update IP reputation via file (subshell can't access IP_DATA array)
- local ip_file="$TEMP_DIR/ip_${ip//\./_}"
+ # Load IP reputation from PERSISTENT central database (ip_data)
+ # This preserves hits across monitor restarts for historical tracking
 local current_data="0|0|human||0|0"
- if [ -f "$ip_file" ]; then
- current_data=$(cat "$ip_file")
+ if [ -f "$TEMP_DIR/ip_data" ]; then
+ # Extract this IP's data from central database
+ current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
 fi
 IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
- # Increment hits (this session)
+ # Increment hits (persistent across monitor restarts)
+ # This is the total lifetime detection count for this IP
 hits=$((hits + 1))
- # CRITICAL FIX: Persistent historical tracking across monitor restarts
- # Track total lifetime detections of each IP (not just current session)
- # This allows catching repeat attackers even if they space out attacks over time
- local history_file="$TEMP_DIR/ip_history_${ip//\./_}"
- local total_lifetime_hits=0
- if [ -f "$history_file" ]; then
- total_lifetime_hits=$(cat "$history_file" 2>/dev/null || echo 0)
- fi
- total_lifetime_hits=$((total_lifetime_hits + 1))
- echo "$total_lifetime_hits" > "$history_file" 2>/dev/null
- # Smart whitelisting: Skip IPs with MANY successful established connections
 # Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
 # CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches)
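Review bot: The `|| echo "0|0|human||0|0"` fallback on the new `current_data=$(grep ... | cut ...)` line never fires for an IP that is absent from `ip_data`, because the pipeline's status is `cut`'s (0) unless the script enables `pipefail`, which this hunk does not show; an unknown IP therefore yields an empty `current_data`, and the following `read` leaves `score`, `bot_type`, `ban_count` and `rep_score` empty instead of the documented defaults (`hits` still becomes 1 via arithmetic on an empty string). The same line also interpolates `$ip` unquoted into a regex, so the dots match any character and a value with regex metacharacters would alter the pattern; an exact key comparison avoids both problems. I would replace the lookup with `current_data=$(awk -F= -v ip="$ip" '$1 == ip { print $2; exit }' "$TEMP_DIR/ip_data" 2>/dev/null)` and add `[ -n "$current_data" ] || current_data="0|0|human||0|0"` after the `fi`, which also makes a duplicated key deterministic (first match wins). Note that the removed `history_file` write-back has no visible replacement in this hunk, so the "persistent across monitor restarts" comment on `hits` holds only if the updated record is written back to `ip_data` further down, outside this view. The enclosing `monitor_network_attacks` function both starts before and continues after the hunk.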