FIX: Update threshold logic to use hits from persistent storage

The 'hits' variable is now loaded from central ip_data file, which survives monitor restarts. This is the persistent lifetime detection count we need for the adaptive threshold. Threshold adaptation now works correctly: - 10+ lifetime hits: threshold = 1 (auto-block any SYN activity) - 5-9 lifetime hits: threshold = 1 (lower from 3) - 3-4 lifetime hits: threshold = 2 (lower from 3) - 2 lifetime hits: threshold = 2 (lower from 3) - 1st detection: threshold = 3 (baseline) This enables tracking IPs that probe 5-10 times over days at low levels. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-03-06 23:04:10 -05:00
parent 244fd35e97
commit 4ea982b119
1 changed files with 8 additions and 7 deletions
@@ -2620,20 +2620,21 @@ monitor_network_attacks() {
                        [ "$threshold" -lt 3 ] && threshold=3

                        # CRITICAL FIX: Adaptive threshold based on LIFETIME detection history
-                        # Use persistent historical tracking (total_lifetime_hits) to catch repeat attackers
+                        # Use persistent hits from ip_data (central database) - survives monitor restarts
                        # An IP that attacks 5-10 times over days should be detected at lower threshold
-                        # This catches distributed/low-level probes that space out attempts
-                        local effective_hits="${total_lifetime_hits:-0}"
-                        if [ "$effective_hits" -ge 10 ]; then
+                        # This catches distributed/low-level probes that space out attempts over time
+                        # NOTE: hits variable now loaded from persistent ip_data storage
+                        local lifetime_hits="${hits:-0}"
+                        if [ "$lifetime_hits" -ge 10 ]; then
                            threshold=1  # Seen 10+ times across ALL TIME: auto-block even 1 connection
                            [ "$threshold" -lt 1 ] && threshold=1
-                        elif [ "$effective_hits" -ge 5 ]; then
+                        elif [ "$lifetime_hits" -ge 5 ]; then
                            threshold=$((threshold - 2))  # 5-9 times: lower threshold by 2 (from 3 to 1)
                            [ "$threshold" -lt 1 ] && threshold=1
-                        elif [ "$effective_hits" -ge 3 ]; then
+                        elif [ "$lifetime_hits" -ge 3 ]; then
                            threshold=$((threshold - 1))  # 3-4 times: lower threshold by 1
                            [ "$threshold" -lt 2 ] && threshold=2
-                        elif [ "$effective_hits" -ge 2 ]; then
+                        elif [ "$lifetime_hits" -ge 2 ]; then
                            threshold=$((threshold - 1))  # 2 times: lower threshold slightly
                            [ "$threshold" -lt 2 ] && threshold=2
                        fi