From 2a0f7d0c64f20a0b5f1730daacb1f0ea85c4736a Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 14 Nov 2025 16:53:43 -0500
Subject: [PATCH] Fix critical bug: Add missing is_ip_blocked function CRITICAL BUG FIX: Auto-blocking and Quick Actions were not working Problem: - Code called is_ip_blocked() function that didn't exist - Function failures caused silent errors (2>/dev/null) - Result: IPs with score 100 were NOT auto-blocked - Result: Quick Actions never showed any IPs to block - Auto-mitigation engine was completely broken Solution: - Added is_ip_blocked() function with dual checking: 1. CSF deny list check (csf -g) 2. iptables direct check (iptables -L) - Returns 0 (blocked) or 1 (not blocked) Impact: - Auto-blocking now works at score >= 80 - Quick Actions now shows IPs with score >= 60 - Users can see and manually block medium threats - Auto-mitigation engine now functional This was preventing ALL blocking functionality from working
---
 modules/security/live-attack-monitor.sh | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index fcee20f..69521ad 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -690,6 +690,27 @@ calculate_context_bonus() {
 echo "${bonus}|${reasons}"
 }
 
+# Check if IP is currently blocked in CSF/iptables
+is_ip_blocked() {
+ local ip="$1"
+
+ # Check CSF deny list
+ if command -v csf &>/dev/null; then
+ if csf -g "$ip" 2>/dev/null | grep -q "DENY"; then
+ return 0
+ fi
+ fi
+
+ # Check iptables directly
+ if command -v iptables &>/dev/null; then
+ if iptables -L -n 2>/dev/null | grep -q "$ip"; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
 # Get threat level from score
 get_threat_level() {
 local score="$1"
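Review bot: The iptables branch of `is_ip_blocked` uses `$ip` as an unanchored regex against the whole `iptables -L -n` listing, so `1.2.3.4` also matches `11.2.3.40`, and a hit on an ACCEPT rule for an allowlisted address counts as "blocked". Either false positive makes the caller skip a block it should apply. Comparing the literal source field on DROP/REJECT rules only, as in the excerpt below, avoids both. The CSF branch is similarly loose, since `grep -q "DENY"` accepts any output line containing that string. Both branches also discard stderr, so a failing `csf` or `iptables` call (for example when not run as root) looks the same as "not blocked", which is the silent-failure pattern the commit message describes. If CSF is configured to use ipset, or the address is IPv6, it would presumably not appear in the `iptables` listing at all, which is worth confirming.

```shell
is_ip_blocked() {
    # … unchanged: local ip, CSF deny list check …

    # Check iptables directly. Compare the rule's source field to the address
    # as a literal string and require a drop target, so longer addresses and
    # ACCEPT rules are not reported as blocks. Extend the target list if the
    # local ruleset drops through differently named chains.
    if command -v iptables &>/dev/null; then
        if iptables -S 2>/dev/null | awk -v ip="$ip" '
            {
                src = ""; tgt = ""
                for (i = 1; i < NF; i++) {
                    if ($i == "-s") src = $(i + 1)
                    if ($i == "-j") tgt = $(i + 1)
                }
                if ((src == ip || src == ip "/32") && (tgt == "DROP" || tgt == "REJECT")) found = 1
            }
            END { exit !found }'; then
            return 0
        fi
    fi
    # … unchanged: return 1 …
```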