From 4ea982b1195140de368ce70bbf6f8dac776ff928 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 6 Mar 2026 23:04:10 -0500
Subject: [PATCH] FIX: Update threshold logic to use hits from persistent storage

The 'hits' variable is now loaded from central ip_data file, which survives monitor restarts. This is the persistent lifetime detection count we need for the adaptive threshold.

Threshold adaptation now works correctly:
- 10+ lifetime hits: threshold = 1 (auto-block any SYN activity)
- 5-9 lifetime hits: threshold = 1 (lower from 3)
- 3-4 lifetime hits: threshold = 2 (lower from 3)
- 2 lifetime hits: threshold = 2 (lower from 3)
- 1st detection: threshold = 3 (baseline)

This enables tracking IPs that probe 5-10 times over days at low levels.

Co-Authored-By: Claude Haiku 4.5
---
 modules/security/live-attack-monitor-v2.sh | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 71d1c0a..0f9efd8 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2620,20 +2620,21 @@ monitor_network_attacks() {
     [ "$threshold" -lt 3 ] && threshold=3
 
     # CRITICAL FIX: Adaptive threshold based on LIFETIME detection history
-    # Use persistent historical tracking (total_lifetime_hits) to catch repeat attackers
+    # Use persistent hits from ip_data (central database) - survives monitor restarts
     # An IP that attacks 5-10 times over days should be detected at lower threshold
-    # This catches distributed/low-level probes that space out attempts
-    local effective_hits="${total_lifetime_hits:-0}"
-    if [ "$effective_hits" -ge 10 ]; then
+    # This catches distributed/low-level probes that space out attempts over time
+    # NOTE: hits variable now loaded from persistent ip_data storage
+    local lifetime_hits="${hits:-0}"
+    if [ "$lifetime_hits" -ge 10 ]; then
         threshold=1 # Seen 10+ times across ALL TIME: auto-block even 1 connection
         [ "$threshold" -lt 1 ] && threshold=1
-    elif [ "$effective_hits" -ge 5 ]; then
+    elif [ "$lifetime_hits" -ge 5 ]; then
         threshold=$((threshold - 2)) # 5-9 times: lower threshold by 2 (from 3 to 1)
         [ "$threshold" -lt 1 ] && threshold=1
-    elif [ "$effective_hits" -ge 3 ]; then
+    elif [ "$lifetime_hits" -ge 3 ]; then
         threshold=$((threshold - 1)) # 3-4 times: lower threshold by 1
         [ "$threshold" -lt 2 ] && threshold=2
-    elif [ "$effective_hits" -ge 2 ]; then
+    elif [ "$lifetime_hits" -ge 2 ]; then
         threshold=$((threshold - 1)) # 2 times: lower threshold slightly
         [ "$threshold" -lt 2 ] && threshold=2
     fi
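Review bot: `local lifetime_hits="${hits:-0}"` only guards against an unset `hits`; a non-numeric value (an empty field or a corrupted line in the ip_data file the commit message says it is loaded from) makes every `[ "$lifetime_hits" -ge N ]` test fail with "integer expression expected", so the whole adaptive branch is skipped and a repeat attacker silently stays at the baseline threshold of 3. Validate before comparing, e.g. `[[ "$lifetime_hits" =~ ^[0-9]+$ ]] || lifetime_hits=0`, and consider logging the rejected value to stderr so a bad ip_data entry is noticed. The hunk does not show where `hits` is assigned, so I cannot confirm it is the lifetime count rather than a per-capture-window counter; the `NOTE:` comment should name the function or file that loads it, since the old `total_lifetime_hits` name made that intent explicit and `hits` does not. Separately, the `-ge 3` and `-ge 2` branches are now identical (subtract 1, floor at 2) and the `[ "$threshold" -lt 1 ]` check right after `threshold=1` can never fire; merging the two branches would make the table in the commit message match the code. `monitor_network_attacks` begins before this hunk and continues after it.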