diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index 71d1c0a..0f9efd8 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2620,20 +2620,21 @@ monitor_network_attacks() { [ "$threshold" -lt 3 ] && threshold=3 # CRITICAL FIX: Adaptive threshold based on LIFETIME detection history - # Use persistent historical tracking (total_lifetime_hits) to catch repeat attackers + # Use persistent hits from ip_data (central database) - survives monitor restarts # An IP that attacks 5-10 times over days should be detected at lower threshold - # This catches distributed/low-level probes that space out attempts - local effective_hits="${total_lifetime_hits:-0}" - if [ "$effective_hits" -ge 10 ]; then + # This catches distributed/low-level probes that space out attempts over time + # NOTE: hits variable now loaded from persistent ip_data storage + local lifetime_hits="${hits:-0}" + if [ "$lifetime_hits" -ge 10 ]; then threshold=1 # Seen 10+ times across ALL TIME: auto-block even 1 connection [ "$threshold" -lt 1 ] && threshold=1 - elif [ "$effective_hits" -ge 5 ]; then + elif [ "$lifetime_hits" -ge 5 ]; then threshold=$((threshold - 2)) # 5-9 times: lower threshold by 2 (from 3 to 1) [ "$threshold" -lt 1 ] && threshold=1 - elif [ "$effective_hits" -ge 3 ]; then + elif [ "$lifetime_hits" -ge 3 ]; then threshold=$((threshold - 1)) # 3-4 times: lower threshold by 1 [ "$threshold" -lt 2 ] && threshold=2 - elif [ "$effective_hits" -ge 2 ]; then + elif [ "$lifetime_hits" -ge 2 ]; then threshold=$((threshold - 1)) # 2 times: lower threshold slightly [ "$threshold" -lt 2 ] && threshold=2 fi