diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index b6c72c2..81b1e16 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2652,17 +2652,6 @@ monitor_network_attacks() { if [ -z "${ALERT_SENT[$ip]}" ]; then ALERT_SENT[$ip]=1 - # Data already loaded earlier (before threshold calculation) - # Just increment hits (persistent across monitor restarts) - # This is the total lifetime detection count for this IP - hits=$((hits + 1)) - - # CRITICAL FIX: Always write incremented hits to persistent storage BEFORE whitelisting - # Bug: If continue executes after incrementing hits, the incremented value is lost - # This causes hits counter to never increase for whitelisted/legitimate IPs - # Solution: Persist the increment immediately, then check whitelist - write_ip_data_to_file "$ip" "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" 2>/dev/null & - # Smart whitelisting: Skip IPs with MANY successful established connections # Only whitelist if IP has 20+ established connections (highly unlikely for attacker) # CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches) @@ -2938,9 +2927,15 @@ monitor_network_attacks() { # Cap at 100 [ "$score" -gt 100 ] && score=100 + # INCREMENT HITS AFTER ALL SCORING + # Moved from before whitelisting to ensure we have complete data + # Now hits is incremented with full score calculated and ready to persist + hits=$((hits + 1)) + # CRITICAL FIX: Write to centralized ip_data file (not individual ip_*.files) # auto_mitigation_engine() reads from $TEMP_DIR/ip_data, not individual files # Without this, SYN-detected IPs are never auto-blocked! + # SINGLE WRITE: Complete data with correct score and incremented hits write_ip_data_to_file "$ip" "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" 2>/dev/null & # Also write to individual file for debugging/tracking