From 244fd35e9705cedb5290c6237ee616d945b535b8 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 6 Mar 2026 23:03:44 -0500
Subject: [PATCH] FIX: Use existing persistent ip_data storage for historical hit tracking

Remove redundant ip_history_IPADDR files and leverage existing infrastructure:
- ip_data file already stores: IP=score|hits|bot_type|attacks|ban_count|rep_score
- hits field is already persistent across monitor restarts
- write_ip_data_to_file() already handles atomic updates with flock
Change: Load IP data from central ip_data file instead of temp ip_IPADDR files
Result: Historical hits now properly tracked and used for threshold adaptation
The existing 'hits' field in ip_data IS the lifetime detection counter we need. Just need to load from the right file (central persistent storage, not temp files).
Co-Authored-By: Claude Haiku 4.5
---
 modules/security/live-attack-monitor-v2.sh | 23 +++++++---------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index eea49f5..71d1c0a 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2643,28 +2643,19 @@ monitor_network_attacks() {
 if [ -z "${ALERT_SENT[$ip]}" ]; then
 ALERT_SENT[$ip]=1
- # Update IP reputation via file (subshell can't access IP_DATA array)
- local ip_file="$TEMP_DIR/ip_${ip//\./_}"
+ # Load IP reputation from PERSISTENT central database (ip_data)
+ # This preserves hits across monitor restarts for historical tracking
 local current_data="0|0|human||0|0"
- if [ -f "$ip_file" ]; then
- current_data=$(cat "$ip_file")
+ if [ -f "$TEMP_DIR/ip_data" ]; then
+ # Extract this IP's data from central database
+ current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
 fi
 IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
- # Increment hits (this session)
+ # Increment hits (persistent across monitor restarts)
+ # This is the total lifetime detection count for this IP
 hits=$((hits + 1))
- # CRITICAL FIX: Persistent historical tracking across monitor restarts
- # Track total lifetime detections of each IP (not just current session)
- # This allows catching repeat attackers even if they space out attacks over time
- local history_file="$TEMP_DIR/ip_history_${ip//\./_}"
- local total_lifetime_hits=0
- if [ -f "$history_file" ]; then
- total_lifetime_hits=$(cat "$history_file" 2>/dev/null || echo 0)
- fi
- total_lifetime_hits=$((total_lifetime_hits + 1))
- echo "$total_lifetime_hits" > "$history_file" 2>/dev/null
-
 # Smart whitelisting: Skip IPs with MANY successful established connections
 # Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
 # CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches)
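Review bot: The fallback on the new `current_data=$(grep "^${ip}=" ... | cut -d= -f2 || echo "0|0|human||0|0")` line never fires for an IP that is absent from ip_data unless the script runs with `pipefail` (not visible here), because `||` sees cut's exit status rather than grep's; `current_data` is then empty, and after the `read` every field except the arithmetic-coerced `hits` loses its default (bot_type becomes "" instead of "human", score/ban_count/rep_score become empty rather than 0). `$ip` is also interpolated unquoted into a regex, so its dots match any character and any non-literal characters that survive upstream parsing alter the match instead of being looked up literally. Matching the key as a literal string and defaulting on emptiness fixes both: `current_data=$(awk -F= -v ip="$ip" '$1 == ip { sub(/^[^=]*=/, ""); print; exit }' "$TEMP_DIR/ip_data" 2>/dev/null)` followed by `[ -n "$current_data" ] || current_data="0|0|human||0|0"`; this also keeps the full value if it ever contains `=`, which `cut -d= -f2` would truncate. The read is not under the flock the commit message attributes to write_ip_data_to_file(), so a partially written line could be parsed if that function does not write-then-rename — worth confirming. monitor_network_attacks() begins and ends outside the hunk, so whether the incremented `hits` is later persisted back through write_ip_data_to_file() cannot be verified from here.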