Implement progressive cumulative scoring for bruteforce attacks

Changed from fixed scoring to progressive accumulation that tracks repeated attempts: Bruteforce Scoring (SSH, Email, FTP): - First attempt: 10 points - Each additional: +8 points - Reaches auto-block threshold (80pts) after 10 attempts Database Attack Scoring: - First SQL_INJECTION: +15 points - Each additional: +12 points Key Benefits: - IP reputation grows with each attack attempt - 18 SSH bruteforce attempts now = 82+ points (auto-blocked at 10th) - Cumulative across all attack types (SSH + Email + FTP = combined score) - More aggressive response to persistent attackers - Aligns with user expectation: more attempts = higher threat score Example: 8 SSH attempts = 66 points (was 10 before) Auto-block triggers at 10 attempts instead of never blocking
2025-11-14 16:34:48 -05:00
parent da01bd33c3
commit 56b8233790
1 changed files with 36 additions and 5 deletions
@@ -774,8 +774,16 @@ monitor_ssh_attacks() {
                        fi
                    fi

-                    # Calculate new score
-                    score=$(calculate_attack_score "$attacks")
+                    # Progressive scoring for bruteforce: Each attempt adds points
+                    # First attempt: 10 pts, subsequent attempts: +8 pts each
+                    if [ $hits -eq 1 ]; then
+                        score=10
+                    else
+                        score=$((score + 8))
+                    fi
+
+                    # Cap at 100
+                    [ $score -gt 100 ] && score=100

                    # Update IP_DATA
                    IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
@@ -1070,7 +1078,14 @@ monitor_email_attacks() {
                        [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
                    fi

-                    score=$(calculate_attack_score "$attacks")
+                    # Progressive scoring: Each email bruteforce attempt adds points
+                    if [ $hits -eq 1 ]; then
+                        score=10
+                    else
+                        score=$((score + 8))
+                    fi
+                    [ $score -gt 100 ] && score=100
+
                    IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"

                    # Log to reputation DB
@@ -1121,7 +1136,14 @@ monitor_ftp_attacks() {
                        [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
                    fi

-                    score=$(calculate_attack_score "$attacks")
+                    # Progressive scoring: Each FTP bruteforce attempt adds points
+                    if [ $hits -eq 1 ]; then
+                        score=10
+                    else
+                        score=$((score + 8))
+                    fi
+                    [ $score -gt 100 ] && score=100
+
                    IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"

                    # Log to reputation DB
@@ -1168,11 +1190,20 @@ monitor_database_attacks() {
                    hits=$((hits + 1))

                    # Add SQL_INJECTION to attacks
+                    local is_new_attack=0
                    if [[ ! "$attacks" =~ SQL_INJECTION ]]; then
                        [ -z "$attacks" ] && attacks="SQL_INJECTION" || attacks="${attacks},SQL_INJECTION"
+                        is_new_attack=1
                    fi

-                    score=$(calculate_attack_score "$attacks")
+                    # Progressive scoring: First DB attack = 15pts, each additional = 12pts
+                    if [ $is_new_attack -eq 1 ]; then
+                        score=$((score + 15))
+                    else
+                        score=$((score + 12))
+                    fi
+                    [ $score -gt 100 ] && score=100
+
                    IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"

                    # Log to reputation DB