Add intelligent firewall recommendations to live monitor

PROBLEM: Live monitor detected attacks but didn't provide actionable
recommendations for firewall configuration (CT_LIMIT, SYNFLOOD, etc.)

BEFORE:
Quick Actions panel only showed:
- Number of IPs ready to block
- Press 'b' to block

No guidance on:
- What to do about SYN floods
- How to enable SYNFLOOD protection
- When to adjust CT_LIMIT
- How to strengthen SSH against bruteforce

AFTER:
Quick Actions now provides intelligent recommendations based on detected attacks:

1. DDoS/SYN Flood Detection:
   ⚠️  DDoS/SYN Flood Detected - Firewall Protection Recommended
   → Enable SYNFLOOD protection: csf -e SYNFLOOD
   → Set CT_LIMIT: Edit /etc/csf/csf.conf → CT_LIMIT="100"
   → Apply changes: csf -r

2. SSH Bruteforce Detection (>5 attempts):
   ⚠️  SSH Bruteforce (X attempts) - Strengthen SSH Security
   → Lower LF_SSHD trigger: Edit /etc/csf/csf.conf → LF_SSHD="3"
   → Enable PortKnocking or change SSH port

3. IP Blocking (score >= 60):
   ⚠️  X high-threat IPs ready to block
   → Press 'b' to open blocking menu

INTELLIGENCE:
- Monitors IP_DATA for DDOS attacks
- Counts HIGH_CONN_COUNT events (>20 SYN_RECV)
- Counts SSH_BRUTEFORCE attempts in feed
- Only shows recommendations when threats detected
- Provides exact commands to run

PANEL RENAMED:
"QUICK ACTIONS" → "QUICK ACTIONS & RECOMMENDATIONS"

USER BENEFIT:
- Know exactly what to do when SYN flood happens
- Get firewall config commands immediately
- Proactive security hardening suggestions
- No need to remember CSF syntax

NAVIGATION VERIFIED:
✅ All menu back buttons (0) return properly
✅ Cleanup trap handles Ctrl+C correctly
✅ Keyboard controls work (b, s, r, h, q)
✅ Blocking menu has cancel option

FILES MODIFIED:
- modules/security/live-attack-monitor.sh
  - Enhanced draw_quick_actions() (lines 393-460)
  - Added attack pattern detection
  - Added firewall recommendation logic
  - Panel title updated

modules/security/live-attack-monitor.sh

@@ -391,16 +391,23 @@ draw_live_feed() {
 }
 
 draw_quick_actions() {
-    echo -e "${MEDIUM_COLOR}┌─ QUICK ACTIONS ────────────────────────────────────────────────────────────┐${NC}"
+    echo -e "${MEDIUM_COLOR}┌─ QUICK ACTIONS & RECOMMENDATIONS ─────────────────────────────────────────┐${NC}"
 
     # Get blockable IPs (score >= 60, not already blocked)
     local blockable_count=0
     local blockable_ips=""
+    local has_ddos=0
+    local has_ssh_bruteforce=0
+    local high_conn_count=0
 
     for ip in "${!IP_DATA[@]}"; do
         IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}"
 
-        # Skip if score too low
+        # Check attack patterns
+        [[ "$attacks" =~ DDOS ]] && has_ddos=1
+        [[ "$attacks" =~ BRUTEFORCE ]] && has_ssh_bruteforce=1
+
+        # Skip if score too low for blocking
         [ "$score" -lt 60 ] && continue
 
         # Quick check - only verify if CSF/iptables commands available
@@ -409,14 +416,45 @@ draw_quick_actions() {
         blockable_ips+="$ip "
     done
 
-    if [ $blockable_count -gt 0 ]; then
+    # Check for high connection counts
-        echo -e "${HIGH_COLOR}  ⚠️  $blockable_count high-threat IPs ready to block${NC}"
+    if [ -f "$TEMP_DIR/recent_events" ]; then
-        echo -e "${MEDIUM_COLOR}  Press 'b' to open blocking menu${NC}"
+        high_conn_count=$(grep -c "HIGH_CONN_COUNT" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0")
-    else
-        echo -e "${SAFE_COLOR}  ✓ No immediate threats requiring blocks${NC}"
     fi
 
-    echo -e "${INFO_COLOR}  Press 'b' to block IPs | 'h' for help | 'q' to quit${NC}"
+    # IP Blocking Recommendations
+    if [ $blockable_count -gt 0 ]; then
+        echo -e "${HIGH_COLOR}  ⚠️  $blockable_count high-threat IPs ready to block${NC}"
+        echo -e "${MEDIUM_COLOR}     → Press 'b' to open blocking menu${NC}"
+    else
+        echo -e "${SAFE_COLOR}  ✓ No IPs requiring immediate blocks${NC}"
+    fi
+
+    # Intelligent Firewall Recommendations
+    local recommendations=0
+
+    if [ $has_ddos -eq 1 ] || [ $high_conn_count -gt 0 ]; then
+        echo -e "${HIGH_COLOR}  ⚠️  DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}"
+        echo -e "${MEDIUM_COLOR}     → Enable SYNFLOOD protection: ${BOLD}csf -e SYNFLOOD${NC}"
+        echo -e "${MEDIUM_COLOR}     → Set CT_LIMIT: ${BOLD}Edit /etc/csf/csf.conf → CT_LIMIT=\"100\"${NC}"
+        echo -e "${MEDIUM_COLOR}     → Apply changes: ${BOLD}csf -r${NC}"
+        recommendations=1
+    fi
+
+    if [ $has_ssh_bruteforce -eq 1 ]; then
+        local ssh_attacks=$(grep -c "SSH_BRUTEFORCE" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0")
+        if [ $ssh_attacks -gt 5 ]; then
+            echo -e "${HIGH_COLOR}  ⚠️  SSH Bruteforce ($ssh_attacks attempts) - Strengthen SSH Security${NC}"
+            echo -e "${MEDIUM_COLOR}     → Lower LF_SSHD trigger: ${BOLD}Edit /etc/csf/csf.conf → LF_SSHD=\"3\"${NC}"
+            echo -e "${MEDIUM_COLOR}     → Enable PortKnocking or change SSH port${NC}"
+            recommendations=1
+        fi
+    fi
+
+    if [ $recommendations -eq 0 ]; then
+        echo ""
+    fi
+
+    echo -e "${INFO_COLOR}  Keys: 'b' Block IPs | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}"
 
     echo -e "${MEDIUM_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}"
 }