diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 79283a6..f1612c7 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -316,8 +316,9 @@ write_ip_data_to_file() {
 local data="$2"
 # Use flock for thread-safe writes (with timeout to prevent deadlocks)
+ # 5-second timeout accommodates high-velocity attacks (70+ IPs/sec)
 (
- flock -w 2 200 || return 1
+ flock -w 5 200 || return 1
 # Read existing data
 local temp_file="$TEMP_DIR/ip_data.tmp"
@@ -2613,11 +2614,12 @@ monitor_network_attacks() {
 # Increment hits
 hits=$((hits + 1))
- # Smart whitelisting: Skip IPs with successful established connections
+ # Smart whitelisting: Skip IPs with MANY successful established connections
+ # Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
 local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l)
 [ -z "$established_conns" ] && established_conns=0
- if [ "$established_conns" -ge 5 ]; then
- # IP has 5+ established connections = legitimate traffic
+ if [ "$established_conns" -ge 20 ]; then
+ # IP has 20+ established connections = highly likely legitimate user
 continue
 fi
@@ -2926,7 +2928,7 @@ monitor_network_attacks() {
 done < <(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | awk '$1 > 5 {print $2, $1}')
 fi
- sleep 15 # Check every 15 seconds
+ sleep 5 # Check every 5 seconds (faster detection during active attacks)
 done
 ) &
 fi
@@ -3467,7 +3469,8 @@ auto_mitigation_engine() {
 fi
 # Sleep at END of loop to check immediately on startup
- sleep 10
+ # Faster checks during active attack scenarios (5 sec vs 10 sec)
+ sleep 5
 done
 ) &
 }
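Review bot: A lock-wait timeout at `flock -w 5 200 || return 1` still drops the record silently; raising the wait from 2 to 5 seconds makes the drop rarer but no more visible, and under the high-velocity load the new comment describes, lost IP entries are exactly what an operator needs to know about. Emit a diagnostic before giving up, e.g. `flock -w 5 200 || { printf 'write_ip_data_to_file: lock wait timed out, dropping record\n' >&2; return 1; }` (or the script's own log helper, if it has one). Note that `return` here only leaves the `( … )` subshell, so the caller sees status 1 and nothing else. The body of write_ip_data_to_file continues outside the hunk on both sides.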
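Review bot: The count that the raised threshold at `if [ "$established_conns" -ge 20 ]` relies on comes from `grep "$ip"`, which is an unanchored substring match with unescaped dots, so 10.0.0.1 also counts connections of 10.0.0.10, 110.0.0.1 and any address differing only at a dot position, and both the local and peer columns are scanned. A source sharing a prefix with a busy legitimate host can therefore inherit enough matches to be skipped by the whitelist, and moving the threshold to 20 changes how often that happens, not whether it can. Match the address as a whole `addr:port` field instead: `local established_conns=$(ss -tn state established 2>/dev/null | grep -cF -- " ${ip}:")`; `grep -c` prints 0 when nothing matches, so the following `[ -z … ]` guard stays harmless. monitor_network_attacks starts before and continues past this hunk.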
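Review bot: The poll interval is now the bare literal `sleep 5` in two separate loops (this hunk and the `auto_mitigation_engine` hunk below), each with its own comment explaining the same tuning decision, so the next retune has to find and change both. Hoist it into one documented, overridable constant near the top of the file, e.g. `readonly MONITOR_INTERVAL=${MONITOR_INTERVAL:-5}`, and use `sleep "$MONITOR_INTERVAL"` at both sites (the `flock -w` value in the first hunk is a candidate for the same treatment). Tripling the poll rate also triples the per-iteration `ss | grep | sort | uniq -c | awk` pipeline plus one `ss -tn state established` call per candidate IP from the whitelist check; worth confirming the cost on a busy host is acceptable. Both enclosing functions start outside their hunks.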