Adjust DDoS thresholds for production web servers

Raised minimum thresholds to prevent false positives on busy websites:

Previous (too aggressive for web servers):
- Tier 4: >2 connections
- Tier 3: >3 connections
- Tier 2: >5 connections
- Tier 1: >8 connections
- Minimum: 2

New (production-safe):
- Tier 4: >3 connections (500+ total SYN)
- Tier 3: >4 connections (300-500 total)
- Tier 2: >6 connections (150-300 total)
- Tier 1: >10 connections (75-150 total)
- Minimum: 3

Rationale:
Web servers handle legitimate high traffic with brief SYN_RECV spikes.
Corporate NAT, mobile users, and APIs can cause 2-3 SYN_RECV legitimately.
Minimum of 3 prevents false positives while still catching distributed attacks.

Your 512-connection attack still triggers Tier 4 with threshold 3,
detecting 40+ attacking IPs while protecting legitimate traffic.
cschantz
2025-12-24 20:07:25 -05:00
parent f4b3a2401c
commit 5fbed6ae4c
2 changed files with 26 additions and 26 deletions
+13 -13
@@ -2315,32 +2315,32 @@ monitor_network_attacks() {
# Dynamic threshold based on attack severity + momentum:
# Tier 0: >20 connections (normal, focused attack)
# Tier 1: >8 connections (75-150 total, moderate DDoS)
# Tier 2: >5 connections (150-300 total, major DDoS)
# Tier 3: >3 connections (300-500 total, severe DDoS)
# Tier 4: >2 connections (500+ total, CRITICAL DDoS)
# Tier 1: >10 connections (75-150 total, moderate DDoS)
# Tier 2: >6 connections (150-300 total, major DDoS)
# Tier 3: >4 connections (300-500 total, severe DDoS)
# Tier 4: >3 connections (500+ total, CRITICAL DDoS)
local threshold=20
case "$attack_severity" in
4) threshold=2 ;; # Critical: Hyper-aggressive
3) threshold=3 ;; # Severe: Very aggressive
2) threshold=5 ;; # Major: Aggressive
1) threshold=8 ;; # Moderate: Balanced
4) threshold=3 ;; # Critical: Very aggressive (safe for production)
3) threshold=4 ;; # Severe: Aggressive
2) threshold=6 ;; # Major: Balanced
1) threshold=10 ;; # Moderate: Conservative
esac
# Attack momentum adaptation: Lower threshold if attack is growing
if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt 2 ]; then
if [ "$attack_momentum" -eq 2 ] && [ "$threshold" -gt 3 ]; then
threshold=$((threshold - 2)) # Rapidly accelerating attack
elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt 2 ]; then
elif [ "$attack_momentum" -eq 1 ] && [ "$threshold" -gt 3 ]; then
threshold=$((threshold - 1)) # Accelerating attack
fi
# Coordinated attack bonus: Lower threshold by 1 (stacks with momentum)
if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 2 ]; then
if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 3 ]; then
threshold=$((threshold - 1))
fi
# Minimum threshold of 2 to prevent false positives
[ "$threshold" -lt 2 ] && threshold=2
# Minimum threshold of 3 to prevent false positives on busy web servers
[ "$threshold" -lt 3 ] && threshold=3
if [ "$count" -gt "$threshold" ]; then
# Only process once per detection window
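Review bot: the minimum of 3 is now encoded in four separate places in this hunk (the three `-gt 3` guards on the momentum and coordinated-attack adjustments plus the final `[ "$threshold" -lt 3 ] && threshold=3` clamp), which is exactly the kind of repetition that forced this commit to touch every guard when the floor moved from 2 to 3; consider introducing a single `local min_threshold=3` at the top of the block and referencing it in the guards and the clamp so the floor can be retuned in one place. Also worth noting in the header comment: with the new values, the momentum and coordination adjustments can no longer lower Tier 4 at all (3 is not `-gt 3`), and a Tier 3 threshold of 4 with rapidly accelerating momentum drops to 2 and is immediately clamped back to 3, so the "- 2" step effectively acts as "- 1" for the two highest tiers; if that is the intended behaviour, a one-line comment saying the floor pins Tiers 3 and 4 would save the next reader from working it out.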