diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 81b1e16..5f91889 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2652,23 +2652,30 @@ monitor_network_attacks() {
 if [ -z "${ALERT_SENT[$ip]}" ]; then
 ALERT_SENT[$ip]=1
- # Smart whitelisting: Skip IPs with MANY successful established connections
+ # Smart whitelisting: Skip SCORING for IPs with MANY successful established connections
+ # But still track them - don't skip the write!
 # Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
 # CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches)
 # Example: "1.1.1.1" should not match "11.1.1.1" or "119.1.1.1"
 local established_conns=$(ss -tn state established 2>/dev/null | grep -w "$ip" | wc -l)
 [ -z "$established_conns" ] && established_conns=0
+ local skip_scoring=0
 if [ "$established_conns" -ge 20 ]; then
 # IP has 20+ established connections = highly likely legitimate user
- continue # Now safe - hits already persisted
+ # Skip scoring but STILL write/track (for historical hits)
+ skip_scoring=1
+ fi
+
+ # Check if whitelisted service
+ if [ "$skip_scoring" -eq 0 ] && [ "${hits:-0}" -eq 1 ]; then
+ # Only check whitelist on first detection, and only if not already skipped
+ if is_whitelisted_service "$ip" 2>/dev/null; then
+ skip_scoring=1 # Skip scoring but STILL write/track
+ fi
 fi
 # Enhanced threat intelligence on first detection
- if [ "${hits:-0}" -eq 1 ]; then
- # Check if whitelisted service first
- if is_whitelisted_service "$ip" 2>/dev/null; then
- continue # Now safe - hits already persisted
- fi
+ if [ "$skip_scoring" -eq 0 ] && [ "${hits:-0}" -eq 1 ]; then
 # Get threat intelligence in background to avoid slowdown
 (
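Review bot: The `is_whitelisted_service` check on the new side still runs only when `"${hits:-0}" -eq 1`, and because this commit deliberately keeps incrementing hits for skipped IPs, a whitelisted service with fewer than 20 established connections will be scored and recorded on every detection after the first. Either drop the hits condition, `if [ "$skip_scoring" -eq 0 ] && is_whitelisted_service "$ip" 2>/dev/null; then`, or cache the verdict per IP in an associative array the way `ALERT_SENT` is used. `local skip_scoring=0` is also declared inside the `if [ -z "${ALERT_SENT[$ip]}" ]` branch; bash `local` is function-scoped, so if the guard in the second hunk is reached on an iteration that does not take this branch it reads the previous IP's value (or an unset variable). Initialising `skip_scoring=0` before the `ALERT_SENT` test and testing `"${skip_scoring:-0}"` here and in the second hunk, matching the existing `${hits:-0}` idiom, closes that gap. The enclosing loop in `monitor_network_attacks` starts and ends outside this hunk.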
@@ -2737,15 +2744,17 @@ monitor_network_attacks() {
 http_attack_bonus=25 # Already known attacker, very suspicious
 fi
- # Record attack intelligence
- record_attack_timestamp "$ip"
- record_attack_vector "$ip" "NETWORK"
- track_subnet_attack "$ip"
+ # Only do scoring/tracking if not whitelisted
+ if [ "$skip_scoring" -eq 0 ]; then
+ # Record attack intelligence
+ record_attack_timestamp "$ip"
+ record_attack_vector "$ip" "NETWORK"
+ track_subnet_attack "$ip"
- # Add SYN_FLOOD to attacks if not already present
- if [[ ! "$attacks" =~ SYN_FLOOD ]]; then
- [ -z "$attacks" ] && attacks="SYN_FLOOD" || attacks="${attacks},SYN_FLOOD"
- fi
+ # Add SYN_FLOOD to attacks if not already present
+ if [[ ! "$attacks" =~ SYN_FLOOD ]]; then
+ [ -z "$attacks" ] && attacks="SYN_FLOOD" || attacks="${attacks},SYN_FLOOD"
+ fi
 # Progressive scoring based on connection count
 # 20-50 conns: +15 pts, 50-100: +25 pts, 100+: +40 pts
@@ -2924,8 +2933,9 @@ monitor_network_attacks() {
 block_reasons="${block_reasons}${timing_reason}"
 fi
- # Cap at 100
- [ "$score" -gt 100 ] && score=100
+ # Cap at 100
+ [ "$score" -gt 100 ] && score=100
+ fi # End of skip_scoring check
 # INCREMENT HITS AFTER ALL SCORING
 # Moved from before whitelisting to ensure we have complete data
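Review bot: The comment `# Only do scoring/tracking if not whitelisted` contradicts the first hunk's `# Skip scoring but STILL write/track` notes, since `record_attack_timestamp`, `record_attack_vector` and `track_subnet_attack` are exactly what this guard now skips, and `skip_scoring` is also set by the 20-established-connections heuristic, which is not a whitelist. Suggest `# skip_scoring=1 (20+ established conns or whitelisted service): skip attack-intel recording, SYN_FLOOD tagging and scoring; only the hits increment after this block still runs` here, and rewording the first hunk's comments to say "still counted" rather than "still tracked". The matching `fi` is in the third hunk, roughly 180 lines further on, so the guarded region is not visible in this hunk.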
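Review bot: The `fi # End of skip_scoring check` closes a guard that now covers `block_reasons="${block_reasons}${timing_reason}"` and the `score` cap visible here; on a skipped iteration none of those assignments run, but the variables are function-scoped and keep whatever the previous IP left in them. If the hits increment or any alert/block step after this `fi` reads `score`, `block_reasons` or `attacks` (not visible in this hunk) and they are not reset at the top of each iteration, a whitelisted IP can inherit another IP's score and block reasons. Resetting them next to `skip_scoring=0`, e.g. `score=0; block_reasons=; attacks=`, or moving the whitelist decision ahead of where they are first assigned, removes that carry-over; the lines between this hunk and the second one are outside view, so please confirm where they are initialised.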