Integrate advanced intelligence into Email, FTP, and Database monitoring

Extended all 10 intelligence systems to cover all authentication attack vectors:

Email (SMTP/IMAP/POP3) Monitoring:
- Vector tracking: EMAIL
- Full intelligence integration (velocity, diversity, patterns, subnet, context)
- Progressive scoring: 10 + 8n per attempt
- Advanced bonuses can add 50-100+ points for sophisticated attacks

FTP Monitoring:
- Vector tracking: FTP
- Full intelligence integration
- Same progressive scoring and bonuses as SSH/Email
- Detects coordinated multi-service attacks

Database (MySQL) Monitoring:
- Vector tracking: DATABASE
- Full intelligence integration
- Higher base scoring: 15 + 12n per attempt (database = critical)
- Bonuses applied on top

Cross-Vector Detection Example:
IP attacks SSH (3 attempts) + Email (2 attempts) + FTP (1 attempt) = 6 total
- Base: 58 points
- Diversity bonus: +10 (DUAL_VECTOR) or +25 (3 vectors)
- Velocity bonus: +20 (if rapid)
- Pattern bonus: +20 (if automated)
- Subnet bonus: +25 (if part of botnet)
- Context bonus: +18 (night + residential ISP)
- TOTAL: Can reach 100+ (capped) very quickly

All monitoring sources now share the same intelligence and contribute to a unified threat assessment
cschantz
2025-11-14 16:48:44 -05:00
parent c9bfa211c0
commit 44c3e9370c
+147
@@ -1527,6 +1527,11 @@ monitor_email_attacks() {
hits=$((hits + 1))
# Record timestamp and vector for intelligence
record_attack_timestamp "$ip"
record_attack_vector "$ip" "EMAIL"
track_subnet_attack "$ip"
# Add BRUTEFORCE to attacks
if [[ ! "$attacks" =~ BRUTEFORCE ]]; then
[ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
@@ -1538,10 +1543,54 @@ monitor_email_attacks() {
else
score=$((score + 8))
fi
# Apply advanced intelligence bonuses
local block_reasons=""
local velocity_data=$(calculate_attack_velocity "$ip")
IFS='|' read -r vel_count vel_bonus vel_reason <<< "$velocity_data"
[ "$vel_bonus" -gt 0 ] && score=$((score + vel_bonus)) && block_reasons="${vel_reason}"
local div_data=$(calculate_diversity_bonus "$ip")
IFS='|' read -r div_count div_bonus div_reason <<< "$div_data"
if [ "$div_bonus" -gt 0 ]; then
score=$((score + div_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${div_reason}"
fi
local pattern_data=$(detect_timing_pattern "$ip")
IFS='|' read -r pat_type pat_conf pat_bonus pat_reason <<< "$pattern_data"
if [ "$pat_bonus" -gt 0 ]; then
score=$((score + pat_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${pat_reason}"
fi
local subnet_data=$(calculate_subnet_bonus "$ip")
IFS='|' read -r subnet_count subnet_bonus subnet_reason <<< "$subnet_data"
if [ "$subnet_bonus" -gt 0 ]; then
score=$((score + subnet_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${subnet_reason}"
fi
local context_data=$(calculate_context_bonus "$ip")
IFS='|' read -r context_bonus context_reason <<< "$context_data"
if [ "$context_bonus" -gt 0 ]; then
score=$((score + context_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${context_reason}"
fi
[ $score -gt 100 ] && score=100
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Store block reasons for CSF
if [ -n "$block_reasons" ]; then
echo "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}"
fi
# Log to reputation DB
flag_ip_attack "$ip" "BRUTEFORCE" 0 "Email authentication failure" >/dev/null 2>&1 &
@@ -1585,6 +1634,11 @@ monitor_ftp_attacks() {
hits=$((hits + 1))
# Record timestamp and vector for intelligence
record_attack_timestamp "$ip"
record_attack_vector "$ip" "FTP"
track_subnet_attack "$ip"
# Add BRUTEFORCE to attacks
if [[ ! "$attacks" =~ BRUTEFORCE ]]; then
[ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
@@ -1596,10 +1650,54 @@ monitor_ftp_attacks() {
else
score=$((score + 8))
fi
# Apply advanced intelligence bonuses
local block_reasons=""
local velocity_data=$(calculate_attack_velocity "$ip")
IFS='|' read -r vel_count vel_bonus vel_reason <<< "$velocity_data"
[ "$vel_bonus" -gt 0 ] && score=$((score + vel_bonus)) && block_reasons="${vel_reason}"
local div_data=$(calculate_diversity_bonus "$ip")
IFS='|' read -r div_count div_bonus div_reason <<< "$div_data"
if [ "$div_bonus" -gt 0 ]; then
score=$((score + div_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${div_reason}"
fi
local pattern_data=$(detect_timing_pattern "$ip")
IFS='|' read -r pat_type pat_conf pat_bonus pat_reason <<< "$pattern_data"
if [ "$pat_bonus" -gt 0 ]; then
score=$((score + pat_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${pat_reason}"
fi
local subnet_data=$(calculate_subnet_bonus "$ip")
IFS='|' read -r subnet_count subnet_bonus subnet_reason <<< "$subnet_data"
if [ "$subnet_bonus" -gt 0 ]; then
score=$((score + subnet_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${subnet_reason}"
fi
local context_data=$(calculate_context_bonus "$ip")
IFS='|' read -r context_bonus context_reason <<< "$context_data"
if [ "$context_bonus" -gt 0 ]; then
score=$((score + context_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${context_reason}"
fi
[ $score -gt 100 ] && score=100
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Store block reasons for CSF
if [ -n "$block_reasons" ]; then
echo "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}"
fi
# Log to reputation DB
flag_ip_attack "$ip" "BRUTEFORCE" 0 "FTP login failure" >/dev/null 2>&1 &
@@ -1643,6 +1741,11 @@ monitor_database_attacks() {
hits=$((hits + 1))
# Record timestamp and vector for intelligence
record_attack_timestamp "$ip"
record_attack_vector "$ip" "DATABASE"
track_subnet_attack "$ip"
# Add SQL_INJECTION to attacks
local is_new_attack=0
if [[ ! "$attacks" =~ SQL_INJECTION ]]; then
@@ -1656,10 +1759,54 @@ monitor_database_attacks() {
else
score=$((score + 12))
fi
# Apply advanced intelligence bonuses
local block_reasons=""
local velocity_data=$(calculate_attack_velocity "$ip")
IFS='|' read -r vel_count vel_bonus vel_reason <<< "$velocity_data"
[ "$vel_bonus" -gt 0 ] && score=$((score + vel_bonus)) && block_reasons="${vel_reason}"
local div_data=$(calculate_diversity_bonus "$ip")
IFS='|' read -r div_count div_bonus div_reason <<< "$div_data"
if [ "$div_bonus" -gt 0 ]; then
score=$((score + div_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${div_reason}"
fi
local pattern_data=$(detect_timing_pattern "$ip")
IFS='|' read -r pat_type pat_conf pat_bonus pat_reason <<< "$pattern_data"
if [ "$pat_bonus" -gt 0 ]; then
score=$((score + pat_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${pat_reason}"
fi
local subnet_data=$(calculate_subnet_bonus "$ip")
IFS='|' read -r subnet_count subnet_bonus subnet_reason <<< "$subnet_data"
if [ "$subnet_bonus" -gt 0 ]; then
score=$((score + subnet_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${subnet_reason}"
fi
local context_data=$(calculate_context_bonus "$ip")
IFS='|' read -r context_bonus context_reason <<< "$context_data"
if [ "$context_bonus" -gt 0 ]; then
score=$((score + context_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${context_reason}"
fi
[ $score -gt 100 ] && score=100
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Store block reasons for CSF
if [ -n "$block_reasons" ]; then
echo "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}"
fi
# Log to reputation DB
flag_ip_attack "$ip" "SQL_INJECTION" 0 "MySQL authentication failure" >/dev/null 2>&1 &
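Review bot: The same forty-line bonus block is pasted verbatim into monitor_email_attacks, monitor_ftp_attacks and monitor_database_attacks (the three `# Apply advanced intelligence bonuses` hunks), and each copy runs `[ "$vel_bonus" -gt 0 ]` (and the four sibling tests) on a field that is empty whenever the helper prints nothing, which fails with "integer expression expected" on stderr instead of being treated as a zero bonus. Folding the block into one helper that updates the caller's `score` and `block_reasons` through bash dynamic scoping, and normalizing a missing or non-numeric bonus to 0, fixes both and leaves a single place to change the 100-point cap or add a sixth signal; each monitor then keeps only `local block_reasons=""` and `apply_intelligence_bonuses "$ip"` ahead of its `IP_DATA[$ip]=` line. While there, `local velocity_data=$(...)` masks the helper's exit status (ShellCheck SC2155), and `echo "$block_reasons"` is better written `printf '%s\n' "$block_reasons"` since the reasons are helper-generated strings. The enclosing monitor_* functions start and end outside these hunks, so whether the SSH monitor carries the same copy cannot be confirmed from here.
```shell
#######################################
# Add one bonus to the caller's score and append its reason.
# Both `score` and `block_reasons` must be declared local in the calling
# monitor_* function; bash dynamic scoping lets this helper update them.
# Arguments: $1 - bonus (empty or non-numeric is treated as 0)
#            $2 - reason text appended to block_reasons with a '+' separator
#######################################
_apply_bonus() {
  local bonus=${1:-0} reason=$2
  [[ "$bonus" =~ ^[0-9]+$ ]] && (( bonus > 0 )) || return 0
  score=$((score + bonus))
  block_reasons="${block_reasons:+${block_reasons}+}${reason}"
}

#######################################
# Run the five intelligence helpers for an IP and fold their bonuses into
# the caller's `score` / `block_reasons`, capping score at 100.
# Arguments: $1 - attacking IP
#######################################
apply_intelligence_bonuses() {
  local ip=$1
  local count bonus reason pat_type pat_conf
  IFS='|' read -r count bonus reason <<< "$(calculate_attack_velocity "$ip")"
  _apply_bonus "$bonus" "$reason"
  IFS='|' read -r count bonus reason <<< "$(calculate_diversity_bonus "$ip")"
  _apply_bonus "$bonus" "$reason"
  IFS='|' read -r pat_type pat_conf bonus reason <<< "$(detect_timing_pattern "$ip")"
  _apply_bonus "$bonus" "$reason"
  IFS='|' read -r count bonus reason <<< "$(calculate_subnet_bonus "$ip")"
  _apply_bonus "$bonus" "$reason"
  IFS='|' read -r bonus reason <<< "$(calculate_context_bonus "$ip")"
  _apply_bonus "$bonus" "$reason"
  (( score > 100 )) && score=100
  return 0
}

# … in each monitor_* function, replacing the pasted block …
local block_reasons=""
apply_intelligence_bonuses "$ip"
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Store block reasons for CSF
if [ -n "$block_reasons" ]; then
  printf '%s\n' "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}"
fi
# … unchanged: flag_ip_attack call …
```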