cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FIX: Use existing persistent ip_data storage for historical hit tracking

Browse Source 
Remove redundant ip_history_IPADDR files and leverage existing infrastructure:
- ip_data file already stores: IP=score|hits|bot_type|attacks|ban_count|rep_score
- hits field is already persistent across monitor restarts
- write_ip_data_to_file() already handles atomic updates with flock

Change: Load IP data from central ip_data file instead of temp ip_IPADDR files
Result: Historical hits now properly tracked and used for threshold adaptation

The existing 'hits' field in ip_data IS the lifetime detection counter we need.
Just need to load from the right file (central persistent storage, not temp files).

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-03-06 23:03:44 -05:00
parent 4a9b449d60
commit 244fd35e97
1 changed files with 7 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor-v2.sh
+7 -16
View File
@@ -2643,28 +2643,19 @@ monitor_network_attacks() {
if [ -z "${ALERT_SENT[$ip]}" ]; then if [ -z "${ALERT_SENT[$ip]}" ]; then
ALERT_SENT[$ip]=1 ALERT_SENT[$ip]=1
# Update IP reputation via file (subshell can't access IP_DATA array) # Load IP reputation from PERSISTENT central database (ip_data)
local ip_file="$TEMP_DIR/ip_${ip//\./_}" # This preserves hits across monitor restarts for historical tracking
local current_data="0|0|human||0|0" local current_data="0|0|human||0|0"
if [ -f "$ip_file" ]; then if [ -f "$TEMP_DIR/ip_data" ]; then
current_data=$(cat "$ip_file") # Extract this IP's data from central database
current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
fi fi
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data" IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
# Increment hits (this session) # Increment hits (persistent across monitor restarts)
# This is the total lifetime detection count for this IP
hits=$((hits + 1)) hits=$((hits + 1))
# CRITICAL FIX: Persistent historical tracking across monitor restarts
# Track total lifetime detections of each IP (not just current session)
# This allows catching repeat attackers even if they space out attacks over time
local history_file="$TEMP_DIR/ip_history_${ip//\./_}"
local total_lifetime_hits=0
if [ -f "$history_file" ]; then
total_lifetime_hits=$(cat "$history_file" 2>/dev/null || echo 0)
fi
total_lifetime_hits=$((total_lifetime_hits + 1))
echo "$total_lifetime_hits" > "$history_file" 2>/dev/null
# Smart whitelisting: Skip IPs with MANY successful established connections # Smart whitelisting: Skip IPs with MANY successful established connections
# Only whitelist if IP has 20+ established connections (highly unlikely for attacker) # Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
# CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches) # CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches)