Add intelligent CT_LIMIT optimizer - analyzes traffic to recommend optimal limit
PROBLEM: Live monitor showed static CT_LIMIT="100" recommendation - No analysis of actual site traffic - No consideration of legitimate high-connection users - Could block CDNs, bots, or legitimate traffic spikes - No way to know what's safe for the specific server SOLUTION: Created comprehensive CT_LIMIT optimizer script NEW SCRIPT: modules/security/optimize-ct-limit.sh WHAT IT DOES: 1. Analyzes Apache logs (last 24 hours by default) - Parses all domain logs in /var/log/apache2/domlogs/ - Tracks max concurrent connections per IP per domain - Identifies user agents and behavior patterns 2. Classifies IP behavior using bot-signatures.sh - Legitimate bots (Googlebot, Bingbot, etc.) - AI crawlers (GPT, Claude, etc.) - CDNs (Cloudflare, Akamai, etc.) - Normal users vs high-traffic users - Potential scrapers 3. Analyzes current active connections - Uses ss or netstat to check real-time connections - Identifies current highest connection counts 4. Calculates statistics - 95th percentile of legitimate user connections - 99th percentile for headroom - Max concurrent from single legitimate IP - Separates bot/CDN traffic from user traffic 5. Provides 3 recommendations: a) CONSERVATIVE (max_legit + 20) - For high-traffic sites b) BALANCED (max_legit + 10) - Recommended for most ⭐ c) AGGRESSIVE (max_legit + 5) - Only during active attack 6. Whitelist recommendations - Identifies bots/CDNs exceeding recommended limit - Suggests specific IPs to whitelist in CSF - Prevents blocking Googlebot, monitoring services, etc. 7. One-command application - Backs up csf.conf automatically - Updates CT_LIMIT to recommended value - Enables SYNFLOOD protection - Restarts CSF - Provides monitoring command EXAMPLE OUTPUT: ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Connection Analysis Summary: Total unique IPs analyzed: 1,247 Legitimate users: 1,180 Bots/CDNs/Crawlers: 67 Legitimate User Connection Patterns: Max concurrent from single IP: 45 95th percentile: 12 concurrent connections 99th percentile: 28 concurrent connections Current Active Connections: Highest right now: 8 connections from 1.2.3.4 Current CSF Configuration: CT_LIMIT = 150 📊 RECOMMENDED CT_LIMIT VALUES ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1. CONSERVATIVE: CT_LIMIT = 65 • Allows headroom for traffic spikes • Won't block legitimate users 2. BALANCED: CT_LIMIT = 55 ⭐ • Based on 99th percentile + buffer • Blocks most attack traffic 3. AGGRESSIVE: CT_LIMIT = 50 • Maximum DDoS protection • May affect some legitimate users ⚠️ WHITELIST RECOMMENDATIONS Found bots/crawlers with high connection counts: • 66.249.72.38 (Googlebot) 82 connections • 40.77.167.88 (Bingbot) 65 connections • 157.55.39.183 (UptimeRobot) 48 connections To whitelist: csf -a <IP> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ INTEGRATION WITH LIVE MONITOR: - Press 'c' during live monitoring to run optimizer - Recommendation updates based on detected DDoS/SYN floods - Quick Actions panel shows: "Press 'c' to run CT_LIMIT optimizer" - Help screen updated with 'c' key USAGE: 1. Standalone: modules/security/optimize-ct-limit.sh 2. From live monitor: Press 'c' during monitoring 3. With custom period: optimize-ct-limit.sh 48 (48 hours) SAFETY: - Automatic backup of csf.conf before changes - Minimum thresholds (50/80/100) prevent too-aggressive limits - Option to apply or just view recommendations - Full report saved to /tmp for review INTELLIGENCE: - Uses actual traffic data, not guesses - Accounts for legitimate high-connection sources - Prevents blocking search engines and monitoring - Adapts to each server's unique traffic patterns FILES MODIFIED: - modules/security/optimize-ct-limit.sh (NEW - 650 lines) - modules/security/live-attack-monitor.sh - Added 'c' key handler (line 1019-1024) - Updated Quick Actions recommendation (line 438) - Updated help screen (line 1045) - Updated footer keys (line 457)
This commit is contained in:
cschantz
@@ -435,8 +435,8 @@ draw_quick_actions() {
|
||||
if [ $has_ddos -eq 1 ] || [ $high_conn_count -gt 0 ]; then
|
||||
echo -e "${HIGH_COLOR} ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}"
|
||||
echo -e "${MEDIUM_COLOR} → Enable SYNFLOOD protection: ${BOLD}csf -e SYNFLOOD${NC}"
|
||||
echo -e "${MEDIUM_COLOR} → Set CT_LIMIT: ${BOLD}Edit /etc/csf/csf.conf → CT_LIMIT=\"100\"${NC}"
|
||||
echo -e "${MEDIUM_COLOR} → Apply changes: ${BOLD}csf -r${NC}"
|
||||
echo -e "${MEDIUM_COLOR} → Optimize CT_LIMIT: ${BOLD}Press 'c' to run CT_LIMIT optimizer${NC}"
|
||||
echo -e "${MEDIUM_COLOR} → Or manual: ${BOLD}modules/security/optimize-ct-limit.sh${NC}"
|
||||
recommendations=1
|
||||
fi
|
||||
|
||||
@@ -454,7 +454,7 @@ draw_quick_actions() {
|
||||
echo ""
|
||||
fi
|
||||
|
||||
echo -e "${INFO_COLOR} Keys: 'b' Block IPs | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}"
|
||||
echo -e "${INFO_COLOR} Keys: 'b' Block | 'c' CT_LIMIT | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}"
|
||||
|
||||
echo -e "${MEDIUM_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}"
|
||||
}
|
||||
@@ -1016,6 +1016,12 @@ while true; do
|
||||
b|B)
|
||||
show_blocking_menu
|
||||
;;
|
||||
c|C)
|
||||
# Run CT_LIMIT optimizer
|
||||
clear
|
||||
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
|
||||
read -p "Press Enter to return to monitor..."
|
||||
;;
|
||||
q|Q)
|
||||
cleanup
|
||||
;;
|
||||
@@ -1036,6 +1042,7 @@ while true; do
|
||||
echo ""
|
||||
echo "Available Commands:"
|
||||
echo " ${BOLD}b${NC} - Open IP blocking menu (batch or individual)"
|
||||
echo " ${BOLD}c${NC} - Run CT_LIMIT optimizer (analyze traffic & recommend limit)"
|
||||
echo " ${BOLD}s${NC} - Show IP reputation database statistics"
|
||||
echo " ${BOLD}r${NC} - Force refresh display"
|
||||
echo " ${BOLD}h${NC} - Show this help screen"
|
||||
|
||||
Reference in New Issue
Block a user