Implement progressive cumulative scoring for bruteforce attacks

Changed from fixed scoring to progressive accumulation that tracks repeated attempts:

Bruteforce Scoring (SSH, Email, FTP):
- First attempt: 10 points
- Each additional: +8 points
- Reaches auto-block threshold (80pts) after 10 attempts

Database Attack Scoring:
- First SQL_INJECTION: +15 points
- Each additional: +12 points

Key Benefits:
- IP reputation grows with each attack attempt
- 18 SSH bruteforce attempts now = 82+ points (auto-blocked at 10th)
- Cumulative across all attack types (SSH + Email + FTP = combined score)
- More aggressive response to persistent attackers
- Aligns with user expectation: more attempts = higher threat score

Example: 8 SSH attempts = 66 points (was 10 before)
Auto-block triggers at 10 attempts instead of never blocking
cschantz
2025-11-14 16:34:48 -05:00
parent da01bd33c3
commit 56b8233790
+36 -5
@@ -774,8 +774,16 @@ monitor_ssh_attacks() {
fi fi
fi fi
# Calculate new score # Progressive scoring for bruteforce: Each attempt adds points
score=$(calculate_attack_score "$attacks") # First attempt: 10 pts, subsequent attempts: +8 pts each
if [ $hits -eq 1 ]; then
score=10
else
score=$((score + 8))
fi
# Cap at 100
[ $score -gt 100 ] && score=100
# Update IP_DATA # Update IP_DATA
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
@@ -1070,7 +1078,14 @@ monitor_email_attacks() {
[ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE" [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
fi fi
score=$(calculate_attack_score "$attacks") # Progressive scoring: Each email bruteforce attempt adds points
if [ $hits -eq 1 ]; then
score=10
else
score=$((score + 8))
fi
[ $score -gt 100 ] && score=100
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Log to reputation DB # Log to reputation DB
@@ -1121,7 +1136,14 @@ monitor_ftp_attacks() {
[ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE" [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
fi fi
score=$(calculate_attack_score "$attacks") # Progressive scoring: Each FTP bruteforce attempt adds points
if [ $hits -eq 1 ]; then
score=10
else
score=$((score + 8))
fi
[ $score -gt 100 ] && score=100
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Log to reputation DB # Log to reputation DB
@@ -1168,11 +1190,20 @@ monitor_database_attacks() {
hits=$((hits + 1)) hits=$((hits + 1))
# Add SQL_INJECTION to attacks # Add SQL_INJECTION to attacks
local is_new_attack=0
if [[ ! "$attacks" =~ SQL_INJECTION ]]; then if [[ ! "$attacks" =~ SQL_INJECTION ]]; then
[ -z "$attacks" ] && attacks="SQL_INJECTION" || attacks="${attacks},SQL_INJECTION" [ -z "$attacks" ] && attacks="SQL_INJECTION" || attacks="${attacks},SQL_INJECTION"
is_new_attack=1
fi fi
score=$(calculate_attack_score "$attacks") # Progressive scoring: First DB attack = 15pts, each additional = 12pts
if [ $is_new_attack -eq 1 ]; then
score=$((score + 15))
else
score=$((score + 12))
fi
[ $score -gt 100 ] && score=100
IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
# Log to reputation DB # Log to reputation DB
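Review bot: The `if [ $hits -eq 1 ] … fi; [ $score -gt 100 ] && score=100` sequence is pasted verbatim into monitor_ssh_attacks, monitor_email_attacks and monitor_ftp_attacks (with a +15/+12 variant in monitor_database_attacks), so the threshold constants and the cap now live in four places and any later tuning has to be repeated in each. The test operands are also unquoted (`$hits`, `$score`), so an empty or non-numeric field parsed out of IP_DATA would turn into a `[: -eq: unary operator expected` error instead of a scoring decision. Both go away with one helper that owns the constants and quotes its inputs, called as `score=$(progressive_bruteforce_score "$score" "$hits")` in the three bruteforce paths; the database path can take the same shape with its own 15/12 constants. This scheme depends on `score` already holding the IP's previous cumulative value when the hunk starts — that parsing of IP_DATA is outside the hunk — and since `calculate_attack_score "$attacks"` is no longer called in any of these four paths, a comment near each call site noting that per-attack-type weighting has been replaced by per-hit accumulation would spare the next reader a search for where the weights went.

```shell
# Progressive bruteforce scoring: first hit scores 10, every further hit adds 8,
# result is capped at 100. Keeps the constants in one place for all bruteforce monitors.
# Arguments: $1 - current cumulative score for the IP (empty treated as 0)
#            $2 - hit count including the current hit
# Outputs:   new score on stdout
progressive_bruteforce_score() {
  local score=${1:-0} hits=${2:-0}
  if [ "$hits" -eq 1 ]; then
    score=10
  else
    score=$((score + 8))
  fi
  [ "$score" -gt 100 ] && score=100
  printf '%s\n' "$score"
}

# … unchanged: attack-type bookkeeping in monitor_ssh_attacks …
score=$(progressive_bruteforce_score "$score" "$hits")
```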