From 26d955967656900fc458573a875c7e1633f89dff Mon Sep 17 00:00:00 2001 From: cschantz Date: Fri, 6 Mar 2026 23:12:12 -0500 Subject: [PATCH] CRITICAL FIX: Skip scoring for whitelisted IPs but STILL write/track MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bug #3 (CRITICAL): Whitelisting checks used 'continue' which skipped: - All scoring logic - hits increment - Final write to persistent storage Result: Legitimate IPs or IPs with 20+ established connections NEVER accumulate hits, breaking adaptive threshold system permanently. Fix: Instead of 'continue' (skip everything), use skip_scoring flag to: 1. Skip threat intelligence gathering 2. Skip SYN_FLOOD attack scoring 3. Skip reputation bonuses 4. BUT STILL increment hits 5. AND STILL write to persistent storage This way: - Whitelisted IPs don't get scored/blocked - But their hits still increment for historical tracking - On next attempt, if whitelist is removed, they're blocked with higher hits - Adaptive threshold still works Example: Legitimate IP with 25 established connections Scan 1: Load hits=0, passes threshold, skip_scoring=1 (whitelisted) Don't score, but increment hits 0→1, write hits=1 Scan 2: Load hits=1, passes threshold, skip_scoring=1 (still whitelisted) Don't score, but increment hits 1→2, write hits=2 ... Scan 5: Load hits=4, threshold now 2 (lowered), skip_scoring=1 Don't score, increment hits 4→5, write hits=5 If in scan 6 whitelist is removed: Load hits=5, threshold=1, DO score, and since hits=5, will be blocked! Co-Authored-By: Claude Haiku 4.5 --- modules/security/live-attack-monitor-v2.sh | 44 +++++++++++++--------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index 81b1e16..5f91889 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2652,23 +2652,30 @@ monitor_network_attacks() { if [ -z "${ALERT_SENT[$ip]}" ]; then ALERT_SENT[$ip]=1 - # Smart whitelisting: Skip IPs with MANY successful established connections + # Smart whitelisting: Skip SCORING for IPs with MANY successful established connections + # But still track them - don't skip the write! # Only whitelist if IP has 20+ established connections (highly unlikely for attacker) # CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches) # Example: "1.1.1.1" should not match "11.1.1.1" or "119.1.1.1" local established_conns=$(ss -tn state established 2>/dev/null | grep -w "$ip" | wc -l) [ -z "$established_conns" ] && established_conns=0 + local skip_scoring=0 if [ "$established_conns" -ge 20 ]; then # IP has 20+ established connections = highly likely legitimate user - continue # Now safe - hits already persisted + # Skip scoring but STILL write/track (for historical hits) + skip_scoring=1 + fi + + # Check if whitelisted service + if [ "$skip_scoring" -eq 0 ] && [ "${hits:-0}" -eq 1 ]; then + # Only check whitelist on first detection, and only if not already skipped + if is_whitelisted_service "$ip" 2>/dev/null; then + skip_scoring=1 # Skip scoring but STILL write/track + fi fi # Enhanced threat intelligence on first detection - if [ "${hits:-0}" -eq 1 ]; then - # Check if whitelisted service first - if is_whitelisted_service "$ip" 2>/dev/null; then - continue # Now safe - hits already persisted - fi + if [ "$skip_scoring" -eq 0 ] && [ "${hits:-0}" -eq 1 ]; then # Get threat intelligence in background to avoid slowdown ( @@ -2737,15 +2744,17 @@ monitor_network_attacks() { http_attack_bonus=25 # Already known attacker, very suspicious fi - # Record attack intelligence - record_attack_timestamp "$ip" - record_attack_vector "$ip" "NETWORK" - track_subnet_attack "$ip" + # Only do scoring/tracking if not whitelisted + if [ "$skip_scoring" -eq 0 ]; then + # Record attack intelligence + record_attack_timestamp "$ip" + record_attack_vector "$ip" "NETWORK" + track_subnet_attack "$ip" - # Add SYN_FLOOD to attacks if not already present - if [[ ! "$attacks" =~ SYN_FLOOD ]]; then - [ -z "$attacks" ] && attacks="SYN_FLOOD" || attacks="${attacks},SYN_FLOOD" - fi + # Add SYN_FLOOD to attacks if not already present + if [[ ! "$attacks" =~ SYN_FLOOD ]]; then + [ -z "$attacks" ] && attacks="SYN_FLOOD" || attacks="${attacks},SYN_FLOOD" + fi # Progressive scoring based on connection count # 20-50 conns: +15 pts, 50-100: +25 pts, 100+: +40 pts @@ -2924,8 +2933,9 @@ monitor_network_attacks() { block_reasons="${block_reasons}${timing_reason}" fi - # Cap at 100 - [ "$score" -gt 100 ] && score=100 + # Cap at 100 + [ "$score" -gt 100 ] && score=100 + fi # End of skip_scoring check # INCREMENT HITS AFTER ALL SCORING # Moved from before whitelisting to ensure we have complete data