cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve attack signature scoring for faster blocking

Browse Source 
Issues Fixed:
1. SUSPICIOUS_UA under-valued (+10 → +15)
   - Automation tools now block in 6 hits instead of 8
   - Matches severity of SQL injection and path traversal

2. BOT_FINGERPRINT under-valued (+8 → +15)
   - Headless browsers now properly scored as HIGH risk
   - Blocks in 6 hits instead of 10

3. Suspicious bot penalty increased (+10 → +15)
   - Consistent with new SUSPICIOUS_UA scoring
   - Faster blocking of malicious automation

4. Legit bot penalty exploit fixed
   - Score reduction (-5) now ONLY applies if NO attacks detected
   - Prevents spoofed Googlebot/legitimate UAs from avoiding blocks
   - Attack detection overrides bot classification

Impact:
Before:
- SUSPICIOUS_UA: 8 hits to auto-block (score 80)
- BOT_FINGERPRINT: 10 hits to auto-block
- Spoofed Googlebot with attacks: Could avoid blocking

After:
- SUSPICIOUS_UA: 6 hits to auto-block (score 90)
- BOT_FINGERPRINT: 6 hits to auto-block (score 90)
- Spoofed legitimate UAs: No penalty if attacks present
- Faster response to automation attacks

Real-World Example:
IP with python-requests UA making SQL injection attempts:
- Old: +10 (SUSPICIOUS_UA) +10 (suspicious bot) = 20 per hit
- New: +15 (SUSPICIOUS_UA) +15 (suspicious bot) = 30 per hit
- Result: Blocks in 3 hits instead of 4
This commit is contained in:
cschantz
2026-01-06 17:28:35 -05:00
parent 4a9f40ce53
commit 49b0bf3a90
2 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/attack-patterns.sh
+2 -2
View File
@@ -689,8 +689,8 @@ calculate_attack_score() {
[[ "$attacks" =~ (^|,)NOSQL_INJECTION(,|$) ]] && score=$((score + 15))
[[ "$attacks" =~ (^|,)TEMPLATE_INJECTION(,|$) ]] && score=$((score + 20))
[[ "$attacks" =~ (^|,)ENCODING_BYPASS(,|$) ]] && score=$((score + 12))
[[ "$attacks" =~ (^|,)SUSPICIOUS_UA(,|$) ]] && score=$((score + 10))
[[ "$attacks" =~ (^|,)BOT_FINGERPRINT(,|$) ]] && score=$((score + 8))
[[ "$attacks" =~ (^|,)SUSPICIOUS_UA(,|$) ]] && score=$((score + 15))
[[ "$attacks" =~ (^|,)BOT_FINGERPRINT(,|$) ]] && score=$((score + 15))
[[ "$attacks" =~ (^|,)ANONYMIZER(,|$) ]] && score=$((score + 15))
[[ "$attacks" =~ (^|,)CREDENTIAL_STUFFING(,|$) ]] && score=$((score + 18))
[[ "$attacks" =~ (^|,)API_ABUSE(,|$) ]] && score=$((score + 12))
modules/security/live-attack-monitor-v2.sh
+7 -4
View File
@@ -450,13 +450,16 @@ update_ip_intelligence() {
# Adjust score based on bot type
case "$bot_type" in
legit|ai|monitor)
# Legitimate bots - reduce score
score=$((score - 5))
[ "${score:-0}" -lt 0 ] && score=0
# Legitimate bots - reduce score ONLY if no attacks detected
# (prevents spoofed user agents from avoiding blocks)
if [ -z "$attacks" ]; then
score=$((score - 5))
[ "${score:-0}" -lt 0 ] && score=0
fi
;;
suspicious)
# Suspicious bots - increase score
score=$((score + 10))
score=$((score + 15))
;;
esac