diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 1a862ae..244f690 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -68,6 +68,7 @@ echo "0" > "$TEMP_DIR/total_blocks"
 IPSET_NAME=""
 IPSET_AVAILABLE=0
 IPSET_SUPPORTS_TIMEOUT=0
+IPSET_INIT_ERROR="" # Store initialization error message
 
 # Initialize IPset for fast blocking (if available)
 if command -v ipset &>/dev/null; then
@@ -86,20 +87,62 @@ if command -v ipset &>/dev/null; then else # No CSF IPset found, create our own temporary one IPSET_NAME="live_monitor_$$" - if ipset create "$IPSET_NAME" hash:ip timeout 3600 maxelem 65536 2>/dev/null; then + + # Capture detailed error output + IPSET_CREATE_OUTPUT=$(ipset create "$IPSET_NAME" hash:ip timeout 3600 maxelem 65536 2>&1) + IPSET_CREATE_EXIT=$? + + if [ $IPSET_CREATE_EXIT -eq 0 ]; then IPSET_AVAILABLE=1 IPSET_SUPPORTS_TIMEOUT=1 # Add iptables rule to block IPs in the set - iptables -I INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>/dev/null + IPTABLES_OUTPUT=$(iptables -I INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>&1) + IPTABLES_EXIT=$? - echo "✓ IPset initialized: $IPSET_NAME (fast blocking enabled)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + if [ $IPTABLES_EXIT -ne 0 ]; then + # iptables rule failed - clean up ipset and report error + ipset destroy "$IPSET_NAME" 2>/dev/null + IPSET_AVAILABLE=0 + IPSET_INIT_ERROR="iptables rule creation failed: $IPTABLES_OUTPUT" + echo "✗ IPset created but iptables rule failed: $IPTABLES_OUTPUT" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + else + echo "✓ IPset initialized: $IPSET_NAME (fast blocking enabled)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + fi else - echo "✗ IPset creation failed - falling back to CSF" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + # IPset creation failed - capture why + IPSET_INIT_ERROR="ipset creation failed: $IPSET_CREATE_OUTPUT" + echo "✗ IPset creation failed: $IPSET_CREATE_OUTPUT" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + + # Check for common issues and provide helpful diagnostics + if echo "$IPSET_CREATE_OUTPUT" | grep -qi "module"; then + KERNEL_MODS=$(lsmod | grep -E "ip_set|xt_set" || echo "NOT LOADED") + IPSET_INIT_ERROR="$IPSET_INIT_ERROR | Kernel modules: $KERNEL_MODS" + echo " → Kernel module issue detected. 
Loaded modules: $KERNEL_MODS" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + fi + + if echo "$IPSET_CREATE_OUTPUT" | grep -qi "permission"; then + IPSET_INIT_ERROR="$IPSET_INIT_ERROR | Permission denied (need root)" + echo " → Permission denied. Current user: $(whoami), EUID: $EUID" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + fi fi fi else + # ipset command not found - provide diagnostic info + IPSET_INIT_ERROR="ipset command not found in PATH" echo "✗ IPset not available - using CSF for blocking" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + + # Check if ipset package is installed + if command -v rpm &>/dev/null && rpm -q ipset &>/dev/null; then + IPSET_INIT_ERROR="$IPSET_INIT_ERROR | Package installed but not in PATH" + echo " → ipset package IS installed but command not found" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + elif command -v dpkg &>/dev/null && dpkg -l ipset 2>/dev/null | grep -q "^ii"; then + IPSET_INIT_ERROR="$IPSET_INIT_ERROR | Package installed but not in PATH" + echo " → ipset package IS installed but command not found" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + else + IPSET_INIT_ERROR="$IPSET_INIT_ERROR | Package not installed" + echo " → ipset package NOT installed" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + fi fi # Initialize blocked IPs cache immediately on startup 
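Review bot: The new capture pattern `IPSET_CREATE_OUTPUT=$(ipset create … 2>&1)` followed by `IPSET_CREATE_EXIT=$?` replaces the original `if ipset create …; then`, and if the script runs under `set -e` (not visible in this hunk) a non-zero exit now terminates the script before `$?` is read, so none of the diagnostics that follow ever run; the `IPTABLES_OUTPUT` capture has the same exposure. Fold the capture into the test so it is safe either way: `if IPSET_CREATE_OUTPUT=$(ipset create "$IPSET_NAME" hash:ip timeout 3600 maxelem 65536 2>&1); then` and `if ! IPTABLES_OUTPUT=$(iptables -I INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>&1); then`. In the iptables-failure branch the set is destroyed and `IPSET_AVAILABLE=0`, but `IPSET_SUPPORTS_TIMEOUT=1` and `IPSET_NAME` still name the destroyed set, so add `IPSET_SUPPORTS_TIMEOUT=0; IPSET_NAME=""` next to `IPSET_AVAILABLE=0` so any later code keyed on those variables cannot try to add entries to a set that no longer exists. The enclosing `if command -v ipset` block starts before this hunk, and the identical hunk in modules/security/live-attack-monitor.sh (same index 1a862ae..244f690) needs the same changes.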
@@ -3272,6 +3315,49 @@ monitor_firewall_blocks monitor_cphulk_blocks monitor_network_attacks +# Display IPset initialization status +if [ -n "$IPSET_INIT_ERROR" ]; then + echo "" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo -e "${HIGH_COLOR}⚠️ IPset Initialization Warning${NC}" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "" + echo " IPset fast blocking is NOT available" + echo " Reason: $IPSET_INIT_ERROR" + echo "" + echo " ${BOLD}Impact:${NC}" + echo " • Blocking will use CSF (slower than IPset)" + echo " • Large-scale attacks (500+ IPs) will be slower to block" + echo " • Performance: ~50x slower blocking vs IPset" + echo "" + echo " ${BOLD}To enable IPset fast blocking:${NC}" + + if echo "$IPSET_INIT_ERROR" | grep -q "not found"; then + echo " 1. Install ipset: yum install ipset -y (or apt-get install ipset)" + echo " 2. Restart this script" + elif echo "$IPSET_INIT_ERROR" | grep -qi "module"; then + echo " 1. Load kernel modules: modprobe ip_set ip_set_hash_ip xt_set" + echo " 2. Restart this script" + elif echo "$IPSET_INIT_ERROR" | grep -qi "permission"; then + echo " 1. Run script as root: sudo $0" + elif echo "$IPSET_INIT_ERROR" | grep -q "iptables"; then + echo " 1. Check iptables: iptables -L -n" + echo " 2. Install iptables if missing: yum install iptables -y" + echo " 3. Ensure xt_set kernel module is loaded: modprobe xt_set" + else + echo " 1. Check debug log: $TEMP_DIR/debug.log" + echo " 2. Ensure ipset and iptables are installed" + echo " 3. Run as root" + fi + + echo "" + echo " Fallback: Using CSF for all blocking (still functional)" + echo "" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "" + sleep 3 # Give user time to read +fi + # Start intelligence engines detect_distributed_attacks auto_mitigation_engine diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index 1a862ae..244f690 100755 
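Review bot: The `${BOLD}Impact:${NC}` and `${BOLD}To enable IPset fast blocking:${NC}` lines are printed with plain `echo` while the heading just above uses `echo -e`, so unless `BOLD`/`NC` are defined with `$'…'` quoting (not visible here) those two lines print the escape sequences literally; use one form for every line that carries a color variable, e.g. `printf '%b\n' " ${BOLD}Impact:${NC}"`. The remediation branch is selected by grepping the free-text `IPSET_INIT_ERROR`, which embeds raw ipset/iptables stderr, so an iptables failure whose message happens to contain "module" or "permission" is matched by an earlier arm before the `grep -q "iptables"` arm is reached. Setting a short reason code next to the message where it is assigned (e.g. a constructed `IPSET_INIT_KIND=missing|module|permission|iptables`) and branching with `case` on that code would decouple this display from message wording. Whether this block sits at top level or inside a function is not visible in the hunk, and the identical hunk in modules/security/live-attack-monitor.sh has the same two points.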
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -68,6 +68,7 @@ echo "0" > "$TEMP_DIR/total_blocks"
 IPSET_NAME=""
 IPSET_AVAILABLE=0
 IPSET_SUPPORTS_TIMEOUT=0
+IPSET_INIT_ERROR="" # Store initialization error message
 
 # Initialize IPset for fast blocking (if available)
 if command -v ipset &>/dev/null; then
@@ -86,20 +87,62 @@ if command -v ipset &>/dev/null; then else # No CSF IPset found, create our own temporary one IPSET_NAME="live_monitor_$$" - if ipset create "$IPSET_NAME" hash:ip timeout 3600 maxelem 65536 2>/dev/null; then + + # Capture detailed error output + IPSET_CREATE_OUTPUT=$(ipset create "$IPSET_NAME" hash:ip timeout 3600 maxelem 65536 2>&1) + IPSET_CREATE_EXIT=$? + + if [ $IPSET_CREATE_EXIT -eq 0 ]; then IPSET_AVAILABLE=1 IPSET_SUPPORTS_TIMEOUT=1 # Add iptables rule to block IPs in the set - iptables -I INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>/dev/null + IPTABLES_OUTPUT=$(iptables -I INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>&1) + IPTABLES_EXIT=$? - echo "✓ IPset initialized: $IPSET_NAME (fast blocking enabled)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + if [ $IPTABLES_EXIT -ne 0 ]; then + # iptables rule failed - clean up ipset and report error + ipset destroy "$IPSET_NAME" 2>/dev/null + IPSET_AVAILABLE=0 + IPSET_INIT_ERROR="iptables rule creation failed: $IPTABLES_OUTPUT" + echo "✗ IPset created but iptables rule failed: $IPTABLES_OUTPUT" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + else + echo "✓ IPset initialized: $IPSET_NAME (fast blocking enabled)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + fi else - echo "✗ IPset creation failed - falling back to CSF" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + # IPset creation failed - capture why + IPSET_INIT_ERROR="ipset creation failed: $IPSET_CREATE_OUTPUT" + echo "✗ IPset creation failed: $IPSET_CREATE_OUTPUT" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + + # Check for common issues and provide helpful diagnostics + if echo "$IPSET_CREATE_OUTPUT" | grep -qi "module"; then + KERNEL_MODS=$(lsmod | grep -E "ip_set|xt_set" || echo "NOT LOADED") + IPSET_INIT_ERROR="$IPSET_INIT_ERROR | Kernel modules: $KERNEL_MODS" + echo " → Kernel module issue detected. 
Loaded modules: $KERNEL_MODS" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + fi + + if echo "$IPSET_CREATE_OUTPUT" | grep -qi "permission"; then + IPSET_INIT_ERROR="$IPSET_INIT_ERROR | Permission denied (need root)" + echo " → Permission denied. Current user: $(whoami), EUID: $EUID" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + fi fi fi else + # ipset command not found - provide diagnostic info + IPSET_INIT_ERROR="ipset command not found in PATH" echo "✗ IPset not available - using CSF for blocking" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + + # Check if ipset package is installed + if command -v rpm &>/dev/null && rpm -q ipset &>/dev/null; then + IPSET_INIT_ERROR="$IPSET_INIT_ERROR | Package installed but not in PATH" + echo " → ipset package IS installed but command not found" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + elif command -v dpkg &>/dev/null && dpkg -l ipset 2>/dev/null | grep -q "^ii"; then + IPSET_INIT_ERROR="$IPSET_INIT_ERROR | Package installed but not in PATH" + echo " → ipset package IS installed but command not found" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + else + IPSET_INIT_ERROR="$IPSET_INIT_ERROR | Package not installed" + echo " → ipset package NOT installed" >> "$TEMP_DIR/debug.log" 2>/dev/null || true + fi fi # Initialize blocked IPs cache immediately on startup 
@@ -3272,6 +3315,49 @@ monitor_firewall_blocks monitor_cphulk_blocks monitor_network_attacks +# Display IPset initialization status +if [ -n "$IPSET_INIT_ERROR" ]; then + echo "" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo -e "${HIGH_COLOR}⚠️ IPset Initialization Warning${NC}" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "" + echo " IPset fast blocking is NOT available" + echo " Reason: $IPSET_INIT_ERROR" + echo "" + echo " ${BOLD}Impact:${NC}" + echo " • Blocking will use CSF (slower than IPset)" + echo " • Large-scale attacks (500+ IPs) will be slower to block" + echo " • Performance: ~50x slower blocking vs IPset" + echo "" + echo " ${BOLD}To enable IPset fast blocking:${NC}" + + if echo "$IPSET_INIT_ERROR" | grep -q "not found"; then + echo " 1. Install ipset: yum install ipset -y (or apt-get install ipset)" + echo " 2. Restart this script" + elif echo "$IPSET_INIT_ERROR" | grep -qi "module"; then + echo " 1. Load kernel modules: modprobe ip_set ip_set_hash_ip xt_set" + echo " 2. Restart this script" + elif echo "$IPSET_INIT_ERROR" | grep -qi "permission"; then + echo " 1. Run script as root: sudo $0" + elif echo "$IPSET_INIT_ERROR" | grep -q "iptables"; then + echo " 1. Check iptables: iptables -L -n" + echo " 2. Install iptables if missing: yum install iptables -y" + echo " 3. Ensure xt_set kernel module is loaded: modprobe xt_set" + else + echo " 1. Check debug log: $TEMP_DIR/debug.log" + echo " 2. Ensure ipset and iptables are installed" + echo " 3. Run as root" + fi + + echo "" + echo " Fallback: Using CSF for all blocking (still functional)" + echo "" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "" + sleep 3 # Give user time to read +fi + # Start intelligence engines detect_distributed_attacks auto_mitigation_engine