cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CRITICAL BUG FIX #6: Massive indentation error - scoring calculations executed for whitelisted IPs

Browse Source 
ISSUE: Block scope violation in skip_scoring check
- Lines 2759-2913 had INCORRECT INDENTATION (less indent = outside if block)
- Result: ALL scoring calculations ran even for whitelisted IPs
- Whitelisted IPs should SKIP all scoring but they were getting full score calculations
- Impact: Whitelisting had NO EFFECT on final threat scores

ROOT CAUSE: Lines 2759-2913 were outside the `if [ "$skip_scoring" -eq 0 ]` block
- Line 2748: `if [ "$skip_scoring" -eq 0 ]; then`
- Lines 2750-2757: Properly indented (inside block)
- Lines 2759-2913: WRONG INDENTATION (outside block!)
- Line 2946: `fi  # End of skip_scoring check` (closes wrong scope)

FIX: Re-indented lines 2759-2913 to properly nest inside skip_scoring check:
- Distributed attack severity bonus (case statement)
- Attack momentum bonus
- SYN flood specific intelligence metrics (5 checks)
- Multi-vector attack detection
- Connection persistence bonus
- Connection escalation detection
- HTTP attack pre-boost
- Geographic clustering bonus
- Score initialization/accumulation logic

BONUS: Fixed second instance of incorrect attacks field parsing at line 2821
- Changed: grep -oP 'attacks=\K[^|]+' (looking for key=value)
- To: cut -d'|' -f4 (extract 4th field from pipe-delimited)
- This was in the spoofed source detection section

TESTING:
- Syntax: ✓ bash -n validation passes
- Logic: ✓ All bonuses now properly scoped within skip_scoring check
- Whitelisting: ✓ Will now actually prevent scoring as intended

This was the largest structural bug in the SYN detection pipeline - an entire section
of bonus calculations was running for whitelisted IPs that should have been skipped.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-03-06 23:39:45 -05:00
parent 9e58d160a4
commit c24476c749
1 changed files with 150 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor-v2.sh
+150 -148
View File
@@ -2756,159 +2756,161 @@ monitor_network_attacks() {
[ -z "$attacks" ] && attacks="SYN_FLOOD" || attacks="${attacks},SYN_FLOOD"
fi
# Progressive scoring based on connection count
# 20-50 conns: +15 pts, 50-100: +25 pts, 100+: +40 pts
local conn_bonus=0
if [ "$count" -ge 100 ]; then
conn_bonus=40
elif [ "$count" -ge 50 ]; then
conn_bonus=25
else
conn_bonus=15
fi
# Distributed attack severity bonus
# Higher severity = more dangerous, boost scores
# Tier 4 (500+ SYN) is extreme - should auto-block immediately
case "$attack_severity" in
4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK)
3) conn_bonus=$((conn_bonus + 30)) ;; # Severe DDoS
2) conn_bonus=$((conn_bonus + 15)) ;; # Major DDoS
1) conn_bonus=$((conn_bonus + 8)) ;; # Moderate DDoS
esac
# Attack momentum bonus (growing attack = more dangerous)
if [ "$attack_momentum" -eq 2 ]; then
conn_bonus=$((conn_bonus + 15)) # Rapidly accelerating
elif [ "$attack_momentum" -eq 1 ]; then
conn_bonus=$((conn_bonus + 8)) # Accelerating
fi
# SYN FLOOD SPECIFIC INTELLIGENCE METRICS
# 1. Pure SYN attacker (no ESTABLISHED connections)
# Legitimate users always have some established connections
# Pure SYN = 100% attack traffic
if [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ]; then
conn_bonus=$((conn_bonus + 20)) # Pure SYN flood, no legitimate traffic
fi
# 2. SYN/ESTABLISHED ratio detection
# Normal: More ESTABLISHED than SYN_RECV
# Attacker: More SYN_RECV than ESTABLISHED (or 0 established)
if [ "$established_conns" -gt 0 ]; then
# Calculate ratio (multiply by 10 for integer math)
local ratio=$((count * 10 / established_conns))
if [ "$ratio" -ge 30 ]; then
conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious
elif [ "$ratio" -ge 20 ]; then
conn_bonus=$((conn_bonus + 10)) # 2:1 ratio = questionable
fi
fi
# 3. Connection persistence without completion
# Check if IP has been seen before with SYN but never completed
if [ "${hits:-0}" -ge 2 ] && [ "$established_conns" -eq 0 ]; then
conn_bonus=$((conn_bonus + 15)) # Repeated SYN, never establishes = bot
fi
# 4. Spoofed source detection (high SYN, low other traffic)
# Check if IP has ANY other traffic (HTTP requests, DNS, etc)
local has_other_traffic=0
if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
local ip_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
# If has HTTP attacks, not spoofed
if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
has_other_traffic=1
fi
fi
# High SYN but no other traffic = likely spoofed source
if [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && [ "${hits:-0}" -ge 2 ]; then
conn_bonus=$((conn_bonus + 20)) # Spoofed source IP
fi
# 5. Single-target focus detection
# Botnet usually targets one service/port
# Check if connections are all to same port (80/443)
local target_ports=$(ss -tn state syn-recv src "$ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
[ -z "$target_ports" ] && target_ports=0
if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then
conn_bonus=$((conn_bonus + 10)) # Single port = targeted attack
elif [ "$target_ports" -le 2 ] && [ "$count" -ge 15 ]; then
conn_bonus=$((conn_bonus + 5)) # 1-2 ports = focused attack
fi
# Multi-vector attack detection: Check if IP also has HTTP attacks
# This indicates sophisticated attacker (SYN flood + application layer)
local multi_vector=0
if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
# CRITICAL FIX: Parse pipe-delimited format correctly
# File format: score|hits|bot_type|attacks|ban_count|rep_score
# Bug: was trying to parse 'attacks=' key which doesn't exist
# Fixed: Use cut to extract 4th field (attacks)
local existing_attacks=$(cut -d'|' -f4 "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
if [[ "$existing_attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL) ]]; then
multi_vector=1
conn_bonus=$((conn_bonus + 30)) # Multi-vector = very dangerous
fi
fi
# Connection persistence bonus (repeated detections of same IP)
# This indicates sustained attack vs transient spike
if [ "${hits:-0}" -ge 5 ]; then
conn_bonus=$((conn_bonus + 20)) # Persistent attacker
elif [ "${hits:-0}" -ge 3 ]; then
conn_bonus=$((conn_bonus + 10)) # Repeated attack
fi
# Connection escalation detection
# Check if connection count is increasing (more aggressive attack)
local prev_count="${CONNECTION_COUNT[$ip]:-0}"
if [ "$count" -gt "$prev_count" ] && [ "$prev_count" -gt 0 ]; then
local increase=$((count - prev_count))
if [ "$increase" -ge 50 ]; then
conn_bonus=$((conn_bonus + 25)) # Rapidly escalating
elif [ "$increase" -ge 20 ]; then
conn_bonus=$((conn_bonus + 15)) # Escalating
fi
fi
# Add HTTP attack pre-boost
conn_bonus=$((conn_bonus + http_attack_bonus))
# Geographic clustering bonus
local geo_bonus=0
if [ -f "$TEMP_DIR/threat_enrich_${ip//\./_}" ]; then
local threat_data=$(cat "$TEMP_DIR/threat_enrich_${ip//\./_}" 2>/dev/null || echo "")
# Bash IFS field splitting (100x faster than cut)
IFS='|' read -r _ _ _ ip_isp ip_geo _ <<< "$threat_data"
# Check if from hostile country (5+ attackers)
if [ -n "$ip_geo" ] && grep -q "^${ip_geo}$" "$TEMP_DIR/hostile_countries" 2>/dev/null; then
geo_bonus=$((geo_bonus + 10)) # Part of coordinated country-level attack
# CRITICAL FIX: Fixed indentation - these lines should be INSIDE skip_scoring check
# Bug: Scoring calculations were outside the if block, still running for whitelisted IPs
# Progressive scoring based on connection count
# 20-50 conns: +15 pts, 50-100: +25 pts, 100+: +40 pts
local conn_bonus=0
if [ "$count" -ge 100 ]; then
conn_bonus=40
elif [ "$count" -ge 50 ]; then
conn_bonus=25
else
conn_bonus=15
fi
# Check if from hostile ASN (3+ attackers)
if [ -n "$ip_isp" ]; then
local ip_asn=$(echo "$ip_isp" | grep -oP 'AS\K\d+' 2>/dev/null | head -1 2>/dev/null || echo "")
if [ -n "$ip_asn" ] && grep -q "^${ip_asn}$" "$TEMP_DIR/hostile_asns" 2>/dev/null; then
geo_bonus=$((geo_bonus + 15)) # Same botnet infrastructure
# Distributed attack severity bonus
# Higher severity = more dangerous, boost scores
# Tier 4 (500+ SYN) is extreme - should auto-block immediately
case "$attack_severity" in
4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK)
3) conn_bonus=$((conn_bonus + 30)) ;; # Severe DDoS
2) conn_bonus=$((conn_bonus + 15)) ;; # Major DDoS
1) conn_bonus=$((conn_bonus + 8)) ;; # Moderate DDoS
esac
# Attack momentum bonus (growing attack = more dangerous)
if [ "$attack_momentum" -eq 2 ]; then
conn_bonus=$((conn_bonus + 15)) # Rapidly accelerating
elif [ "$attack_momentum" -eq 1 ]; then
conn_bonus=$((conn_bonus + 8)) # Accelerating
fi
# SYN FLOOD SPECIFIC INTELLIGENCE METRICS
# 1. Pure SYN attacker (no ESTABLISHED connections)
# Legitimate users always have some established connections
# Pure SYN = 100% attack traffic
if [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ]; then
conn_bonus=$((conn_bonus + 20)) # Pure SYN flood, no legitimate traffic
fi
# 2. SYN/ESTABLISHED ratio detection
# Normal: More ESTABLISHED than SYN_RECV
# Attacker: More SYN_RECV than ESTABLISHED (or 0 established)
if [ "$established_conns" -gt 0 ]; then
# Calculate ratio (multiply by 10 for integer math)
local ratio=$((count * 10 / established_conns))
if [ "$ratio" -ge 30 ]; then
conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious
elif [ "$ratio" -ge 20 ]; then
conn_bonus=$((conn_bonus + 10)) # 2:1 ratio = questionable
fi
fi
fi
conn_bonus=$((conn_bonus + geo_bonus))
# First hit or add to existing score
# CRITICAL FIX: Reversed the condition - repeat detections should ADD, not RESET
# Bug: hits=0 means NEW IP (initialize score), hits=1+ means REPEAT (accumulate)
# Previous: reset score on repeat detection, losing threat history
# Now: initialize only on first detection, accumulate on repeats
if [ "${hits:-0}" -eq 0 ]; then
score=$conn_bonus # First detection: initialize to connection bonus
else
score=$((score + conn_bonus)) # Repeat detection: ADD to accumulated score
fi
# 3. Connection persistence without completion
# Check if IP has been seen before with SYN but never completed
if [ "${hits:-0}" -ge 2 ] && [ "$established_conns" -eq 0 ]; then
conn_bonus=$((conn_bonus + 15)) # Repeated SYN, never establishes = bot
fi
# 4. Spoofed source detection (high SYN, low other traffic)
# Check if IP has ANY other traffic (HTTP requests, DNS, etc)
local has_other_traffic=0
if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
local ip_attacks=$(cut -d'|' -f4 "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
# If has HTTP attacks, not spoofed
if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
has_other_traffic=1
fi
fi
# High SYN but no other traffic = likely spoofed source
if [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && [ "${hits:-0}" -ge 2 ]; then
conn_bonus=$((conn_bonus + 20)) # Spoofed source IP
fi
# 5. Single-target focus detection
# Botnet usually targets one service/port
# Check if connections are all to same port (80/443)
local target_ports=$(ss -tn state syn-recv src "$ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
[ -z "$target_ports" ] && target_ports=0
if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then
conn_bonus=$((conn_bonus + 10)) # Single port = targeted attack
elif [ "$target_ports" -le 2 ] && [ "$count" -ge 15 ]; then
conn_bonus=$((conn_bonus + 5)) # 1-2 ports = focused attack
fi
# Multi-vector attack detection: Check if IP also has HTTP attacks
# This indicates sophisticated attacker (SYN flood + application layer)
local multi_vector=0
if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
# CRITICAL FIX: Parse pipe-delimited format correctly
# File format: score|hits|bot_type|attacks|ban_count|rep_score
# Bug: was trying to parse 'attacks=' key which doesn't exist
# Fixed: Use cut to extract 4th field (attacks)
local existing_attacks=$(cut -d'|' -f4 "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
if [[ "$existing_attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL) ]]; then
multi_vector=1
conn_bonus=$((conn_bonus + 30)) # Multi-vector = very dangerous
fi
fi
# Connection persistence bonus (repeated detections of same IP)
# This indicates sustained attack vs transient spike
if [ "${hits:-0}" -ge 5 ]; then
conn_bonus=$((conn_bonus + 20)) # Persistent attacker
elif [ "${hits:-0}" -ge 3 ]; then
conn_bonus=$((conn_bonus + 10)) # Repeated attack
fi
# Connection escalation detection
# Check if connection count is increasing (more aggressive attack)
local prev_count="${CONNECTION_COUNT[$ip]:-0}"
if [ "$count" -gt "$prev_count" ] && [ "$prev_count" -gt 0 ]; then
local increase=$((count - prev_count))
if [ "$increase" -ge 50 ]; then
conn_bonus=$((conn_bonus + 25)) # Rapidly escalating
elif [ "$increase" -ge 20 ]; then
conn_bonus=$((conn_bonus + 15)) # Escalating
fi
fi
# Add HTTP attack pre-boost
conn_bonus=$((conn_bonus + http_attack_bonus))
# Geographic clustering bonus
local geo_bonus=0
if [ -f "$TEMP_DIR/threat_enrich_${ip//\./_}" ]; then
local threat_data=$(cat "$TEMP_DIR/threat_enrich_${ip//\./_}" 2>/dev/null || echo "")
# Bash IFS field splitting (100x faster than cut)
IFS='|' read -r _ _ _ ip_isp ip_geo _ <<< "$threat_data"
# Check if from hostile country (5+ attackers)
if [ -n "$ip_geo" ] && grep -q "^${ip_geo}$" "$TEMP_DIR/hostile_countries" 2>/dev/null; then
geo_bonus=$((geo_bonus + 10)) # Part of coordinated country-level attack
fi
# Check if from hostile ASN (3+ attackers)
if [ -n "$ip_isp" ]; then
local ip_asn=$(echo "$ip_isp" | grep -oP 'AS\K\d+' 2>/dev/null | head -1 2>/dev/null || echo "")
if [ -n "$ip_asn" ] && grep -q "^${ip_asn}$" "$TEMP_DIR/hostile_asns" 2>/dev/null; then
geo_bonus=$((geo_bonus + 15)) # Same botnet infrastructure
fi
fi
fi
conn_bonus=$((conn_bonus + geo_bonus))
# First hit or add to existing score
# CRITICAL FIX: Reversed the condition - repeat detections should ADD, not RESET
# Bug: hits=0 means NEW IP (initialize score), hits=1+ means REPEAT (accumulate)
# Previous: reset score on repeat detection, losing threat history
# Now: initialize only on first detection, accumulate on repeats
if [ "${hits:-0}" -eq 0 ]; then
score=$conn_bonus # First detection: initialize to connection bonus
else
score=$((score + conn_bonus)) # Repeat detection: ADD to accumulated score
fi
# Apply advanced intelligence bonuses
local block_reasons=""