PHASE 2: InterWorx bot-analyzer support + firewall detection

BOT-ANALYZER INTERWORX SUPPORT:
This is the CRITICAL missing piece for InterWorx servers!

1. Log File Discovery (bot-analyzer.sh:1769-1830)
   - InterWorx stores logs at /home/user/var/domain.com/logs/access_log
   - NOT in centralized /var/log/apache2/domlogs like cPanel
   - Added special detection when SYS_CONTROL_PANEL=interworx
   - Searches for all access_log files across all domains

2. Parse Logs Function (bot-analyzer.sh:281-338)
   - Added INTERWORX_MODE flag for special handling
   - InterWorx: extract domain from path (/home/*/var/DOMAIN/logs/)
   - cPanel: extract domain from filename (domain.com or domain.com-ssl_log)
   - Unified log parsing with control panel-specific domain extraction

SYSTEM-DETECT.SH IMPROVEMENTS:

3. Fixed InterWorx Log Directory (system-detect.sh:70-73)
   - Old: SYS_LOG_DIR="/home" (WRONG - too generic!)
   - New: SYS_LOG_DIR="/home/*/var/*/logs" (marker path)
   - Tools recognize this pattern and apply special handling

4. Added Firewall Detection (system-detect.sh:268-337)
   - Detects: CSF/LFD, firewalld, iptables, UFW
   - Exports: SYS_FIREWALL, SYS_FIREWALL_VERSION, SYS_FIREWALL_ACTIVE
   - Special export: SYS_CSF_ACTIVE (for CSF-specific tools)
   - Integrated into initialize_system_detection()

IMPACT:
- bot-analyzer now works on InterWorx servers!
- Discovers per-domain logs correctly
- User filtering (-u flag) works with InterWorx
- Firewall detection enables future automation features

TESTING:
- All syntax validated with bash -n
- Ready for testing on actual InterWorx server

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

lib/system-detect.sh

@@ -67,7 +67,9 @@ detect_control_panel() {
         if [ -f "/usr/local/interworx/iworx/version.php" ]; then
             SYS_CONTROL_PANEL_VERSION=$(grep -oP "VERSION = '\K[^']+" /usr/local/interworx/iworx/version.php 2>/dev/null || echo "Unknown")
         fi
-        SYS_LOG_DIR="/home"
+        # InterWorx stores logs in /home/user/var/domain.com/logs/
+        # We set a marker path that tools will recognize needs special handling
+        SYS_LOG_DIR="/home/*/var/*/logs"
         SYS_USER_HOME_BASE="/home"
 
         print_success "Detected InterWorx v${SYS_CONTROL_PANEL_VERSION}"
@@ -263,6 +265,77 @@ detect_cloudflare() {
     fi
 }
 
+#############################################################################
+# FIREWALL DETECTION
+#############################################################################
+
+detect_firewall() {
+    print_info "Detecting firewall..."
+
+    # CSF/LFD
+    if [ -f "/etc/csf/csf.conf" ]; then
+        SYS_FIREWALL="csf"
+        SYS_FIREWALL_VERSION=$(csf -v 2>/dev/null | grep -oP 'v\K[\d.]+' | head -1 || echo "unknown")
+        if systemctl is-active --quiet lfd 2>/dev/null || service lfd status 2>/dev/null | grep -q running; then
+            SYS_FIREWALL_ACTIVE="yes"
+            print_success "Detected CSF ${SYS_FIREWALL_VERSION} (active)"
+        else
+            SYS_FIREWALL_ACTIVE="no"
+            print_warning "Detected CSF ${SYS_FIREWALL_VERSION} (inactive)"
+        fi
+        export SYS_CSF_ACTIVE="${SYS_FIREWALL_ACTIVE}"
+        return 0
+    fi
+
+    # firewalld
+    if command_exists firewall-cmd; then
+        SYS_FIREWALL="firewalld"
+        SYS_FIREWALL_VERSION=$(firewall-cmd --version 2>/dev/null || echo "unknown")
+        if systemctl is-active --quiet firewalld 2>/dev/null; then
+            SYS_FIREWALL_ACTIVE="yes"
+            print_success "Detected firewalld ${SYS_FIREWALL_VERSION} (active)"
+        else
+            SYS_FIREWALL_ACTIVE="no"
+            print_warning "Detected firewalld ${SYS_FIREWALL_VERSION} (inactive)"
+        fi
+        return 0
+    fi
+
+    # iptables
+    if command_exists iptables; then
+        SYS_FIREWALL="iptables"
+        SYS_FIREWALL_VERSION=$(iptables --version 2>/dev/null | grep -oP 'v\K[\d.]+' | head -1 || echo "unknown")
+        # Check if iptables has any rules
+        if [ "$(iptables -L -n 2>/dev/null | wc -l)" -gt 8 ]; then
+            SYS_FIREWALL_ACTIVE="yes"
+            print_success "Detected iptables ${SYS_FIREWALL_VERSION} (active)"
+        else
+            SYS_FIREWALL_ACTIVE="no"
+            print_warning "Detected iptables ${SYS_FIREWALL_VERSION} (no rules)"
+        fi
+        return 0
+    fi
+
+    # UFW
+    if command_exists ufw; then
+        SYS_FIREWALL="ufw"
+        SYS_FIREWALL_VERSION=$(ufw version 2>/dev/null | grep -oP '\d+\.\d+\.\d+' | head -1 || echo "unknown")
+        if ufw status 2>/dev/null | grep -q "Status: active"; then
+            SYS_FIREWALL_ACTIVE="yes"
+            print_success "Detected UFW ${SYS_FIREWALL_VERSION} (active)"
+        else
+            SYS_FIREWALL_ACTIVE="no"
+            print_warning "Detected UFW ${SYS_FIREWALL_VERSION} (inactive)"
+        fi
+        return 0
+    fi
+
+    SYS_FIREWALL="none"
+    SYS_FIREWALL_ACTIVE="no"
+    print_warning "No firewall detected"
+    return 1
+}
+
 #############################################################################
 # SYSTEM RESOURCES (Comprehensive - like user's example)
 #############################################################################
@@ -427,6 +500,7 @@ initialize_system_detection() {
     detect_database
     detect_php_versions
     detect_cloudflare
+    detect_firewall
     get_system_resources
 
     # Mark as initialized