From 56b8233790f95a67f4118f278f19e4dce6d964b3 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 14 Nov 2025 16:34:48 -0500
Subject: [PATCH] Implement progressive cumulative scoring for bruteforce attacks

Changed from fixed scoring to progressive accumulation that tracks repeated attempts:

Bruteforce Scoring (SSH, Email, FTP):
- First attempt: 10 points
- Each additional: +8 points
- Reaches auto-block threshold (80pts) after 10 attempts

Database Attack Scoring:
- First SQL_INJECTION: +15 points
- Each additional: +12 points

Key Benefits:
- IP reputation grows with each attack attempt
- 18 SSH bruteforce attempts now = 82+ points (auto-blocked at 10th)
- Cumulative across all attack types (SSH + Email + FTP = combined score)
- More aggressive response to persistent attackers
- Aligns with user expectation: more attempts = higher threat score

Example: 8 SSH attempts = 66 points (was 10 before)
Auto-block triggers at 10 attempts instead of never blocking
---
 modules/security/live-attack-monitor.sh | 41 ++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 55653bf..9e3a7a1 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -774,8 +774,16 @@ monitor_ssh_attacks() {
 fi
 fi
 
- # Calculate new score
- score=$(calculate_attack_score "$attacks")
+ # Progressive scoring for bruteforce: Each attempt adds points
+ # First attempt: 10 pts, subsequent attempts: +8 pts each
+ if [ $hits -eq 1 ]; then
+ score=10
+ else
+ score=$((score + 8))
+ fi
+
+ # Cap at 100
+ [ $score -gt 100 ] && score=100
 
 # Update IP_DATA
 IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
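Review bot: `[ $score -gt 100 ] && score=100` and `[ $hits -eq 1 ]` test unquoted variables, so if `score` is ever empty for a record (the `$((score + 8))` arithmetic silently treats empty as 0, but `[` does not) the test aborts with "unary operator expected" and the cap is skipped; `(( score > 100 )) && score=100` and `(( hits == 1 ))` handle an empty value as 0 and avoid the word-splitting hazard. The same block, including this cap line, is pasted into the monitor_email_attacks and monitor_ftp_attacks hunks below, and the 10/8/100 constants are repeated in each; a single helper such as `score=$(bruteforce_score "$score" "$hits")` would keep the three paths from drifting when the thresholds are tuned against the 80-point auto-block the commit message cites. The comment should also record the relationship the commit message relies on, e.g. `# 10 + 8*(hits-1): crosses the 80-pt auto-block threshold on the 10th hit; capped at 100`. monitor_ssh_attacks begins and ends outside the hunk.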
@@ -1070,7 +1078,14 @@ monitor_email_attacks() {
 [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
 fi
 
- score=$(calculate_attack_score "$attacks")
+ # Progressive scoring: Each email bruteforce attempt adds points
+ if [ $hits -eq 1 ]; then
+ score=10
+ else
+ score=$((score + 8))
+ fi
+ [ $score -gt 100 ] && score=100
+
 IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
 
 # Log to reputation DB
@@ -1121,7 +1136,14 @@ monitor_ftp_attacks() {
 [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
 fi
 
- score=$(calculate_attack_score "$attacks")
+ # Progressive scoring: Each FTP bruteforce attempt adds points
+ if [ $hits -eq 1 ]; then
+ score=10
+ else
+ score=$((score + 8))
+ fi
+ [ $score -gt 100 ] && score=100
+
 IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
 
 # Log to reputation DB
@@ -1168,11 +1190,20 @@ monitor_database_attacks() {
 hits=$((hits + 1))
 
 # Add SQL_INJECTION to attacks
+ local is_new_attack=0
 if [[ ! "$attacks" =~ SQL_INJECTION ]]; then
 [ -z "$attacks" ] && attacks="SQL_INJECTION" || attacks="${attacks},SQL_INJECTION"
+ is_new_attack=1
 fi
 
- score=$(calculate_attack_score "$attacks")
+ # Progressive scoring: First DB attack = 15pts, each additional = 12pts
+ if [ $is_new_attack -eq 1 ]; then
+ score=$((score + 15))
+ else
+ score=$((score + 12))
+ fi
+ [ $score -gt 100 ] && score=100
+
 IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
 
 # Log to reputation DB
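Review bot: The database path adds 15 to the existing score on the first SQL_INJECTION (`score=$((score + 15))`), while the SSH, email and FTP paths assign `score=10` on their first hit; if a record can carry a non-zero score into its first hit (for example one restored with `ban_count` set), one convention keeps that history and the other discards it, and the two should agree since the commit message describes the score as cumulative across attack types. `local is_new_attack=0` is declared in the middle of the loop body; moving it to the function's local declarations (the function header is outside the hunk) keeps the locals in one place, and the `=0` reset can stay where it is. The scoring comment should state the threshold it implies, since the commit message gives it only for the bruteforce paths: `# 15 + 12*(n-1): reaches the 80-pt auto-block on the 7th SQL_INJECTION hit (6th = 75); capped at 100`. monitor_database_attacks begins and ends outside the hunk.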