cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add centralized IP reputation tracking system

Browse Source 
Created a comprehensive IP reputation system that tracks IPs across all
toolkit scripts with tags/attack types, scores, and detailed analytics.

NEW FILES:
- lib/ip-reputation.sh: Core reputation library with optimized database
  * Fast lookup using pipe-delimited file format
  * Attack type tagging system (bitmask: SQL, XSS, RCE, Bot, Scanner, etc.)
  * Reputation scoring (0-100) based on hits and attack severity
  * GeoIP country lookup integration
  * Automatic cleanup of old entries
  * Thread-safe with file locking

- modules/security/ip-reputation-manager.sh: Interactive management tool
  * Query individual IPs with full details
  * View top malicious/active IPs
  * Database statistics and analytics
  * Manual IP flagging/whitelisting
  * Import IPs from logs
  * Export to readable reports
  * Live monitoring mode

INTEGRATION:
All security and analysis scripts now use the centralized reputation system:

- modules/website/500-error-tracker.sh:
  * Tracks IPs generating 500 errors
  * Tags bots/scanners with BOT/SCANNER flags
  * Background processing for performance

- modules/security/live-attack-monitor.sh:
  * Maps attack types to reputation flags
  * Tracks SSH bruteforce, SQL injection, XSS, DDoS, etc.
  * Real-time reputation updates

- modules/website/website-error-analyzer.sh:
  * Tags filtered bots in error analysis
  * Builds IP reputation from website errors

- launcher.sh:
  * Added IP Reputation Manager to Bot & Traffic Analysis menu
  * Menu option 4 in Security > Analysis > Bot & Traffic Analysis

KEY FEATURES:
✓ Centralized IP tracking across ALL scripts
✓ Multi-tag system (IP can have multiple attack types)
✓ Reputation scores increase with more tags/attacks
✓ Country tracking via GeoIP
✓ Optimized for high-volume traffic (attacks with 1000s of IPs)
✓ Fast lookups even during DDoS
✓ Background processing doesn't slow down analysis
✓ Database cleanup/maintenance tools
✓ Export for reports and sharing

BENEFITS:
- Single source of truth for IP reputation
- Scripts share intelligence (bot detected in one script = flagged for all)
- Track IPs across time and multiple attack vectors
- Identify repeat offenders with multiple attack types
- Make blocking decisions based on comprehensive data
- Performance optimized with file locking and background updates
This commit is contained in:
cschantz
2025-11-05 18:45:55 -05:00
parent 8edaaa72fc
commit 526fb23ad0
6 changed files with 969 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/ip-reputation-manager.sh
Executable
+464
View File
@@ -0,0 +1,464 @@
#!/bin/bash
################################################################################
# IP Reputation Manager
################################################################################
# Purpose: View, query, and manage the centralized IP reputation database
# Features:
# - Query individual IPs
# - View top malicious IPs
# - View top active IPs
# - Export database
# - Database statistics
# - Cleanup old entries
# - Manual IP flagging/whitelisting
################################################################################
# Get script directory
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
source "$SCRIPT_DIR/lib/common-functions.sh"
source "$SCRIPT_DIR/lib/system-detect.sh"
source "$SCRIPT_DIR/lib/ip-reputation.sh"
# Require root
if [ "$EUID" -ne 0 ]; then
print_error "This script must be run as root"
exit 1
fi
# Menu display
show_menu() {
clear
print_banner "IP Reputation Manager"
# Show quick stats
local total_ips=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
local db_size=$(du -h "$IP_REP_DB" 2>/dev/null | awk '{print $1}' || echo "0B")
echo ""
echo -e "${BLUE}${BOLD}Database Status:${NC} $total_ips IPs tracked | Size: $db_size"
echo ""
echo -e "${BOLD}Query & View:${NC}"
echo ""
echo -e " ${GREEN}1)${NC} Query IP Reputation - Look up specific IP"
echo -e " ${GREEN}2)${NC} Top Malicious IPs - Highest reputation scores"
echo -e " ${GREEN}3)${NC} Top Active IPs - Most hits/requests"
echo -e " ${GREEN}4)${NC} Database Statistics - Overview of tracked IPs"
echo -e " ${GREEN}5)${NC} Live Monitoring - Real-time reputation updates"
echo ""
echo -e "${BOLD}Database Management:${NC}"
echo ""
echo -e " ${BLUE}6)${NC} Export Database - Export to readable text file"
echo -e " ${BLUE}7)${NC} Cleanup Old Entries - Remove IPs not seen in X days"
echo -e " ${BLUE}8)${NC} Rebuild Index - Optimize database for speed"
echo ""
echo -e "${BOLD}Manual Actions:${NC}"
echo ""
echo -e " ${YELLOW}9)${NC} Flag IP as Malicious - Manually mark IP as threat"
echo -e " ${YELLOW}10)${NC} Mark IP as Legitimate - Whitelist/reduce score"
echo -e " ${YELLOW}11)${NC} Import IPs from Log - Batch import from file"
echo ""
echo -e " ${RED}0)${NC} Exit"
echo ""
echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
echo -n "Select option: "
}
# Query individual IP
query_ip_interactive() {
clear
print_banner "Query IP Reputation"
echo ""
echo -n "Enter IP address to query: "
read -r ip_address
if [ -z "$ip_address" ]; then
print_error "No IP address provided"
press_enter
return
fi
# Validate IP format (basic check)
if ! [[ "$ip_address" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
print_error "Invalid IP address format"
press_enter
return
fi
echo ""
query_ip_reputation "$ip_address"
echo ""
press_enter
}
# View top malicious IPs
view_top_malicious() {
clear
print_banner "Top Malicious IPs"
echo ""
echo -n "How many top IPs to show? [20]: "
read -r limit
limit="${limit:-20}"
echo ""
echo -e "${RED}${BOLD}Top $limit Most Malicious IPs (by Reputation Score)${NC}"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
printf "%-15s | %-7s | %-4s | %-8s | %-8s | %-30s\n" \
"IP ADDRESS" "HITS" "CTRY" "REP" "LEVEL" "ATTACK TYPES"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
get_top_malicious_ips "$limit" | while IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes; do
local category=$(get_ip_reputation_category "$rep_score")
local attacks=$(decode_attack_flags "$attack_flags")
# Color code by reputation
local color="$NC"
case "$category" in
CRITICAL) color="$RED$BOLD" ;;
HIGH) color="$RED" ;;
MEDIUM) color="$YELLOW" ;;
LOW) color="$CYAN" ;;
esac
printf "${color}%-15s | %-7s | %-4s | %-3s/100 | %-8s | %-30s${NC}\n" \
"$ip" "$hit_count" "$country" "$rep_score" "$category" "${attacks:0:30}"
done
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
press_enter
}
# View top active IPs
view_top_active() {
clear
print_banner "Top Active IPs"
echo ""
echo -n "How many top IPs to show? [20]: "
read -r limit
limit="${limit:-20}"
echo ""
echo -e "${YELLOW}${BOLD}Top $limit Most Active IPs (by Hit Count)${NC}"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
printf "%-15s | %-7s | %-4s | %-8s | %-8s | %-30s\n" \
"IP ADDRESS" "HITS" "CTRY" "REP" "LEVEL" "ATTACK TYPES"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
get_top_active_ips "$limit" | while IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes; do
local category=$(get_ip_reputation_category "$rep_score")
local attacks=$(decode_attack_flags "$attack_flags")
# Color code by hit count
local color="$NC"
if [ $hit_count -gt 10000 ]; then
color="$RED$BOLD"
elif [ $hit_count -gt 1000 ]; then
color="$YELLOW"
fi
printf "${color}%-15s | %-7s | %-4s | %-3s/100 | %-8s | %-30s${NC}\n" \
"$ip" "$hit_count" "$country" "$rep_score" "$category" "${attacks:0:30}"
done
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
press_enter
}
# Show statistics
view_statistics() {
clear
print_banner "Database Statistics"
echo ""
show_ip_statistics
echo ""
# Additional stats
echo "Recent Activity (Last 24 hours):"
local cutoff=$(($(date +%s) - 86400))
local recent_count=$(awk -F'|' -v cut="$cutoff" '$7 >= cut' "$IP_REP_DB" 2>/dev/null | wc -l)
echo " Active IPs: $recent_count"
echo ""
# Top countries
echo "Top Countries by IP Count:"
awk -F'|' '{print $4}' "$IP_REP_DB" 2>/dev/null | grep -v '^$' | sort | uniq -c | sort -rn | head -5 | \
while read count country; do
printf " %-4s: %s IPs\n" "$country" "$count"
done
echo ""
press_enter
}
# Export database
export_database_interactive() {
clear
print_banner "Export IP Reputation Database"
echo ""
echo -n "Enter output file path [/tmp/ip_reputation_export.txt]: "
read -r output_path
output_path="${output_path:-/tmp/ip_reputation_export.txt}"
echo ""
echo "Exporting database to $output_path..."
export_ip_reputation "$output_path"
echo ""
print_success "Database exported successfully!"
echo ""
echo "View with: cat $output_path"
echo "Or: less $output_path"
echo ""
press_enter
}
# Cleanup old entries
cleanup_database_interactive() {
clear
print_banner "Cleanup Old Entries"
echo ""
echo "Remove IPs that haven't been seen in how many days?"
echo ""
echo -n "Days [90]: "
read -r days
days="${days:-90}"
echo ""
echo "This will remove IPs not seen in the last $days days."
echo -n "Continue? (yes/no): "
read -r confirm
if [ "$confirm" != "yes" ]; then
echo "Cancelled"
press_enter
return
fi
echo ""
cleanup_old_ips "$days"
echo ""
print_success "Cleanup complete!"
echo ""
press_enter
}
# Rebuild index
rebuild_index_interactive() {
clear
print_banner "Rebuild Database Index"
echo ""
echo "Rebuilding index for optimized lookups..."
rebuild_index
echo ""
print_success "Index rebuilt successfully!"
echo ""
press_enter
}
# Flag IP as malicious
flag_ip_interactive() {
clear
print_banner "Flag IP as Malicious"
echo ""
echo -n "Enter IP address: "
read -r ip_address
if [ -z "$ip_address" ]; then
print_error "No IP address provided"
press_enter
return
fi
echo ""
echo "Attack Type:"
echo " 1) SQL Injection"
echo " 2) XSS"
echo " 3) Path Traversal"
echo " 4) RCE/Shell Upload"
echo " 5) Brute Force"
echo " 6) DDoS"
echo " 7) Bot/Scanner"
echo " 8) Exploit"
echo ""
echo -n "Select [1]: "
read -r attack_choice
attack_choice="${attack_choice:-1}"
case "$attack_choice" in
1) attack_type="SQL_INJECTION" ;;
2) attack_type="XSS" ;;
3) attack_type="PATH_TRAVERSAL" ;;
4) attack_type="RCE" ;;
5) attack_type="BRUTEFORCE" ;;
6) attack_type="DDOS" ;;
7) attack_type="SCANNER" ;;
8) attack_type="EXPLOIT" ;;
*) attack_type="SUSPICIOUS" ;;
esac
echo ""
echo -n "Notes/Description: "
read -r notes
echo ""
echo "Flagging $ip_address for $attack_type..."
flag_ip_attack "$ip_address" "$attack_type" 0 "$notes"
echo ""
print_success "IP flagged successfully!"
echo ""
query_ip_reputation "$ip_address"
echo ""
press_enter
}
# Mark IP as legitimate
whitelist_ip_interactive() {
clear
print_banner "Mark IP as Legitimate"
echo ""
echo -n "Enter IP address: "
read -r ip_address
if [ -z "$ip_address" ]; then
print_error "No IP address provided"
press_enter
return
fi
echo ""
echo -n "Reason/Notes: "
read -r notes
echo ""
echo "Marking $ip_address as legitimate..."
mark_ip_legitimate "$ip_address" "$notes"
echo ""
print_success "IP marked as legitimate!"
echo ""
query_ip_reputation "$ip_address"
echo ""
press_enter
}
# Import from log file
import_log_interactive() {
clear
print_banner "Import IPs from Log File"
echo ""
echo -n "Enter log file path: "
read -r log_path
if [ ! -f "$log_path" ]; then
print_error "File not found: $log_path"
press_enter
return
fi
echo ""
echo "Attack Type (will be applied to all IPs):"
echo " 1) Suspicious (default)"
echo " 2) SQL Injection"
echo " 3) XSS"
echo " 4) Bot/Scanner"
echo " 5) DDoS"
echo ""
echo -n "Select [1]: "
read -r attack_choice
attack_choice="${attack_choice:-1}"
case "$attack_choice" in
2) attack_type="SQL_INJECTION" ;;
3) attack_type="XSS" ;;
4) attack_type="SCANNER" ;;
5) attack_type="DDOS" ;;
*) attack_type="SUSPICIOUS" ;;
esac
echo ""
echo "Importing IPs from $log_path as $attack_type..."
import_ips_from_log "$log_path" "$attack_type" 5
echo ""
print_success "Import complete!"
echo ""
press_enter
}
# Live monitoring (real-time updates)
live_monitoring() {
clear
print_banner "Live IP Reputation Monitoring"
echo ""
echo "Watching database for changes... (Press Ctrl+C to exit)"
echo ""
local last_count=0
local last_update=0
while true; do
local current_count=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
local current_time=$(stat -c %Y "$IP_REP_DB" 2>/dev/null || echo 0)
if [ $current_count -ne $last_count ] || [ $current_time -ne $last_update ]; then
clear
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "LIVE IP REPUTATION MONITORING - $(date '+%H:%M:%S')"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
show_ip_statistics
echo ""
echo "Recent Top 10 Updates:"
get_top_malicious_ips 10 | head -10 | while IFS='|' read -r ip hit_count rep_score country attack_flags _ _ _ _; do
local category=$(get_ip_reputation_category "$rep_score")
local attacks=$(decode_attack_flags "$attack_flags")
printf "%-15s | %5s hits | %3s/100 | %-8s | %s\n" "$ip" "$hit_count" "$rep_score" "$category" "${attacks:0:40}"
done
echo ""
echo "Press Ctrl+C to exit | Refreshing every 2 seconds..."
last_count=$current_count
last_update=$current_time
fi
sleep 2
done
}
# Main loop
main() {
while true; do
show_menu
read -r choice
case $choice in
1) query_ip_interactive ;;
2) view_top_malicious ;;
3) view_top_active ;;
4) view_statistics ;;
5) live_monitoring ;;
6) export_database_interactive ;;
7) cleanup_database_interactive ;;
8) rebuild_index_interactive ;;
9) flag_ip_interactive ;;
10) whitelist_ip_interactive ;;
11) import_log_interactive ;;
0)
clear
echo "Exiting..."
exit 0
;;
*)
print_error "Invalid option"
sleep 1
;;
esac
done
}
# Run main
main