Add centralized IP reputation tracking system

Created a comprehensive IP reputation system that tracks IPs across all
toolkit scripts with tags/attack types, scores, and detailed analytics.

NEW FILES:
- lib/ip-reputation.sh: Core reputation library with optimized database
  * Fast lookup using pipe-delimited file format
  * Attack type tagging system (bitmask: SQL, XSS, RCE, Bot, Scanner, etc.)
  * Reputation scoring (0-100) based on hits and attack severity
  * GeoIP country lookup integration
  * Automatic cleanup of old entries
  * Thread-safe with file locking

- modules/security/ip-reputation-manager.sh: Interactive management tool
  * Query individual IPs with full details
  * View top malicious/active IPs
  * Database statistics and analytics
  * Manual IP flagging/whitelisting
  * Import IPs from logs
  * Export to readable reports
  * Live monitoring mode

INTEGRATION:
All security and analysis scripts now use the centralized reputation system:

- modules/website/500-error-tracker.sh:
  * Tracks IPs generating 500 errors
  * Tags bots/scanners with BOT/SCANNER flags
  * Background processing for performance

- modules/security/live-attack-monitor.sh:
  * Maps attack types to reputation flags
  * Tracks SSH bruteforce, SQL injection, XSS, DDoS, etc.
  * Real-time reputation updates

- modules/website/website-error-analyzer.sh:
  * Tags filtered bots in error analysis
  * Builds IP reputation from website errors

- launcher.sh:
  * Added IP Reputation Manager to Bot & Traffic Analysis menu
  * Menu option 4 in Security > Analysis > Bot & Traffic Analysis

KEY FEATURES:
✓ Centralized IP tracking across ALL scripts
✓ Multi-tag system (IP can have multiple attack types)
✓ Reputation scores increase with more tags/attacks
✓ Country tracking via GeoIP
✓ Optimized for high-volume traffic (attacks with 1000s of IPs)
✓ Fast lookups even during DDoS
✓ Background processing doesn't slow down analysis
✓ Database cleanup/maintenance tools
✓ Export for reports and sharing

BENEFITS:
- Single source of truth for IP reputation
- Scripts share intelligence (bot detected in one script = flagged for all)
- Track IPs across time and multiple attack vectors
- Identify repeat offenders with multiple attack types
- Make blocking decisions based on comprehensive data
- Performance optimized with file locking and background updates
cschantz
2025-11-05 18:45:55 -05:00
parent f128219f05
commit 4ff98033f2
6 changed files with 969 additions and 9 deletions
@@ -20,6 +20,7 @@
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
source "$SCRIPT_DIR/lib/common-functions.sh"
source "$SCRIPT_DIR/lib/system-detect.sh"
source "$SCRIPT_DIR/lib/ip-reputation.sh"
# Require root
if [ "$EUID" -ne 0 ]; then
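Review bot: the new `source "$SCRIPT_DIR/lib/ip-reputation.sh"` line is unguarded, so a missing or unreadable library file aborts the monitor at startup with a bare bash error rather than a clear message, and it is sourced before the root check that follows it. Consider `[ -r "$SCRIPT_DIR/lib/ip-reputation.sh" ] || { echo "ip-reputation.sh missing" >&2; exit 1; }` before the source line, or move the source after the root check so the library's lock and database setup only run with the privileges it expects.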
@@ -341,6 +342,21 @@ process_threat_event() {
local threat_level=$(classify_threat_level "${IP_COUNTER[$ip]}")
IP_THREAT_LEVEL[$ip]="$threat_level"
# Track in centralized IP reputation database
# Map attack types to reputation flags
local rep_attack_type="SUSPICIOUS"
case "$attack_type" in
SSH_BRUTEFORCE) rep_attack_type="BRUTEFORCE" ;;
SQL_INJECTION) rep_attack_type="SQL_INJECTION" ;;
XSS_ATTACK) rep_attack_type="XSS" ;;
PATH_TRAVERSAL) rep_attack_type="PATH_TRAVERSAL" ;;
EXPLOIT) rep_attack_type="EXPLOIT" ;;
DDOS) rep_attack_type="DDOS" ;;
BOT) rep_attack_type="BOT" ;;
*) rep_attack_type="SCANNER" ;;
esac
flag_ip_attack "$ip" "$rep_attack_type" 0 "$attack_type: $details" >/dev/null 2>&1 &
# Log to feed
log_event "$ip" "$attack_type" "$(get_threat_color "$threat_level")" "$details"
}
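Review bot: the `flag_ip_attack "$ip" "$rep_attack_type" 0 "$attack_type: $details" >/dev/null 2>&1 &` call discards all errors and forks one background process per threat event, so under the DDoS volumes the commit message targets the monitor can spawn thousands of concurrent writers contending for the database lock with no failure ever surfacing. Since the library uses a pipe-delimited record format, `$details` (derived from log content) should also be stripped of `|` and newline characters before it is passed in, or the library must escape it; otherwise a crafted request line can corrupt the record layout. Two smaller points in the same hunk: the initial `local rep_attack_type="SUSPICIOUS"` is dead because the `*)` arm unconditionally sets `SCANNER`, so every unrecognised attack type is tagged as a scanner; if SUSPICIOUS was meant as the fallback, use it in the `*)` arm instead. Consider at least logging the background call's failures to the existing feed rather than to `/dev/null`.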