BUG FIX #16: Missing error handling for critical system file backups

ISSUE:
Two locations in the code attempt to back up critical CSF (ConfigServer
Firewall) configuration files WITHOUT verifying the backup succeeds.
If the backup fails, the original file is still modified, risking data loss.

ROOT CAUSE:
Lines 1805 and 1861:
```
cp /etc/csf/csf.conf /etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S)
# ... then immediately modify the original file
```

If cp fails (no write permission, full disk, /etc/csf inaccessible, etc.),
bash continues to the next command due to lack of error checking.
The original file is then modified WITHOUT a backup.

FAILURE SCENARIOS:
1. SYNFLOOD Protection Enablement (line 1805-1808):
   - cp fails due to permission denied
   - SYNFLOOD = "1" is still written to /etc/csf/csf.conf
   - No backup exists if something goes wrong
   - sed -i modifies original without safety net

2. SSH Hardening (line 1861-1864):
   - cp fails due to disk full
   - LF_SSHD = "3" is still written
   - No recovery mechanism if config becomes corrupt

IMPACT:
- HIGH: If any sed modification causes syntax error, config is corrupted
  with no backup to restore
- CSF service might fail to start
- Firewall rules become non-functional
- Manual intervention required on production server
- No audit trail of what the original value was

FIX:
Add explicit error checking:
1. Save backup filename to variable
2. Check if cp succeeds with: if ! cp ... 2>/dev/null
3. If backup fails: print error and return 1 early
4. Only proceed with sed modifications if backup confirmed

This ensures:
- Backup is verified before touching original file
- Clear error message if backup fails
- Function returns error code for caller to handle
- Original file remains unmodified if backup fails

LOCATIONS FIXED:
- Line 1805: SYNFLOOD protection setup
- Line 1861: SSH hardening configuration

VERIFICATION:
- Syntax: ✓ Pass
- Error handling: ✓ Proper early return on backup failure
- Safety: ✓ Original file untouched if backup fails
- Auditability: ✓ Error message logged to console

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
cschantz
2026-03-06 23:55:14 -05:00
parent 0b082aa797
commit 3407580422
+18 -2
@@ -1802,7 +1802,15 @@ apply_synflood_fix() {
echo "Enabling SYNFLOOD protection..."
# Backup config
cp /etc/csf/csf.conf /etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S)
# CRITICAL FIX: Check if backup succeeds before modifying
# Bug: If cp fails (no write permission), script continues anyway
# Result: Original file modified without backup - data loss if something goes wrong
local backup_file="/etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S)"
if ! cp /etc/csf/csf.conf "$backup_file" 2>/dev/null; then
echo "ERROR: Failed to backup /etc/csf/csf.conf to $backup_file"
echo "Aborting SYNFLOOD configuration to prevent data loss"
return 1
fi
# Enable SYNFLOOD
sed -i 's/^SYNFLOOD\s*=.*/SYNFLOOD = "1"/' /etc/csf/csf.conf
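Review bot: The `2>/dev/null` on the new `cp` line in apply_synflood_fix throws away the reason the backup failed, so the operator cannot tell permission denied from a full disk or an inaccessible /etc/csf, which are exactly the cases the commit message lists. Drop the redirect, or capture cp's stderr into a variable and include it in the error text, and send both `echo` lines to stderr with `>&2` so a caller that captures stdout still sees the failure. Declaring `local backup_file` on its own line and assigning on the next would also stop `local` from masking the exit status of the `$(date ...)` substitution. The `sed -i` after the guard has no check of its own in the visible lines, so a failed edit is not reported the way a failed backup now is.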
@@ -1850,7 +1858,15 @@ apply_ssh_hardening() {
echo "Lowering threshold to 3 failed attempts..."
# Backup config
cp /etc/csf/csf.conf /etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S)
# CRITICAL FIX: Check if backup succeeds before modifying
# Bug: If cp fails (no write permission), script continues anyway
# Result: Original file modified without backup - data loss if something goes wrong
local backup_file="/etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S)"
if ! cp /etc/csf/csf.conf "$backup_file" 2>/dev/null; then
echo "ERROR: Failed to backup /etc/csf/csf.conf to $backup_file"
echo "Aborting SSH hardening configuration to prevent data loss"
return 1
fi
# Update LF_SSHD
sed -i 's/^LF_SSHD\s*=.*/LF_SSHD = "3"/' /etc/csf/csf.conf
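Review bot: The backup name built in apply_ssh_hardening uses the same `csf.conf.bak.$(date +%Y%m%d_%H%M%S)` pattern as apply_synflood_fix, so if both functions run within the same second this `cp` silently overwrites the earlier backup with a file that already carries the SYNFLOOD edit, and the unmodified original is lost. The added lines are a copy of the block in the first hunk with only the abort message changed, so move them into one helper that takes the label as an argument, produces a unique name (for example with `mktemp` using the csf.conf.bak prefix) and returns non-zero on failure. The copied comment still says "no write permission" although the commit message gives disk full as the scenario for this function, which a shared helper with a neutral comment would also fix.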