cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add context-aware scoring (geo, ISP, time-of-day)

Browse Source 
Completes the 10th intelligence system:

Context-Aware Scoring:
- Night attacks (2am-5am server time) = +8pts suspicious timing
- High-risk geography (CN, RU, etc) = +5pts
- Residential ISP attacking servers = +10pts suspicious source
  (Comcast, Verizon, AT&T, cable/DSL/fiber residential connections)

Integration:
- Integrated into SSH monitoring with other intelligence
- Uses threat enrichment data from AbuseIPDB lookups
- Adds context reasons to CSF block messages

Example enhanced block reason:
"Score=98 Intel:HIGH_VELOCITY:20/hr+BOT_PATTERN+NIGHT_ATTACK:3h+RESIDENTIAL_ISP"

All 10 intelligence systems now operational in SSH monitoring
This commit is contained in:
cschantz
2025-11-14 16:45:50 -05:00
parent 0857944c9b
commit c9bfa211c0
1 changed files with 49 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor.sh
+49
View File
@@ -650,6 +650,46 @@ apply_reputation_decay() {
done done
} }
# Context-aware scoring (geo, ISP, time-of-day)
# Returns: context_bonus|reason
calculate_context_bonus() {
local ip="$1"
local now=$(date +%s)
local bonus=0
local reasons=""
# Time-of-day analysis (attacks at odd hours = suspicious)
local hour=$(date +%H)
if [ "$hour" -ge 2 ] && [ "$hour" -le 5 ]; then
# Attacks between 2am-5am (server timezone) = suspicious
bonus=$((bonus + 8))
reasons="NIGHT_ATTACK:${hour}h"
fi
# Check geolocation if available (from threat intelligence)
if [ -f "$TEMP_DIR/threat_enrich_${ip//\./_}" ]; then
local threat_data=$(cat "$TEMP_DIR/threat_enrich_${ip//\./_}")
IFS='|' read -r abuse_conf abuse_rpts country isp geo timing whitelisted <<< "$threat_data"
# High-risk country already detected
if is_high_risk_country "${geo:-XX}" 2>/dev/null; then
bonus=$((bonus + 5))
[ -n "$reasons" ] && reasons="${reasons}+" || reasons=""
reasons="${reasons}HIGH_RISK_GEO:${geo}"
fi
# Residential ISP (suspicious for server attacks)
if echo "$isp" | grep -qiE "(comcast|verizon|att|residential|cable|dsl|fiber|broadband)"; then
bonus=$((bonus + 10))
[ -n "$reasons" ] && reasons="${reasons}+" || reasons=""
reasons="${reasons}RESIDENTIAL_ISP"
fi
fi
echo "${bonus}|${reasons}"
}
# Get threat level from score # Get threat level from score
get_threat_level() { get_threat_level() {
local score="$1" local score="$1"
@@ -1182,6 +1222,15 @@ monitor_ssh_attacks() {
block_reasons="${block_reasons}${subnet_reason}" block_reasons="${block_reasons}${subnet_reason}"
fi fi
# 5. Context-aware bonus (geo, ISP, time)
local context_data=$(calculate_context_bonus "$ip")
IFS='|' read -r context_bonus context_reason <<< "$context_data"
if [ "$context_bonus" -gt 0 ]; then
score=$((score + context_bonus))
[ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
block_reasons="${block_reasons}${context_reason}"
fi
# Cap at 100 # Cap at 100
[ $score -gt 100 ] && score=100 [ $score -gt 100 ] && score=100