diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 2b69793..b6c72c2 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2657,6 +2657,12 @@ monitor_network_attacks() {
 # This is the total lifetime detection count for this IP
 hits=$((hits + 1))
+# CRITICAL FIX: Always write incremented hits to persistent storage BEFORE whitelisting
+# Bug: If continue executes after incrementing hits, the incremented value is lost
+# This causes hits counter to never increase for whitelisted/legitimate IPs
+# Solution: Persist the increment immediately, then check whitelist
+write_ip_data_to_file "$ip" "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" 2>/dev/null &
+
 # Smart whitelisting: Skip IPs with MANY successful established connections
 # Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
 # CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches)
@@ -2665,14 +2671,14 @@ monitor_network_attacks() {
 [ -z "$established_conns" ] && established_conns=0
 if [ "$established_conns" -ge 20 ]; then
 # IP has 20+ established connections = highly likely legitimate user
-continue
+continue # Now safe - hits already persisted
 fi
 # Enhanced threat intelligence on first detection
 if [ "${hits:-0}" -eq 1 ]; then
 # Check if whitelisted service first
 if is_whitelisted_service "$ip" 2>/dev/null; then
-continue # Skip whitelisted IPs
+continue # Now safe - hits already persisted
 fi
 # Get threat intelligence in background to avoid slowdown
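Review bot: The added `write_ip_data_to_file "$ip" "$score|$hits|…" 2>/dev/null &` in the first hunk is an unwaited background job with stderr discarded, so a failed persist (permissions, missing directory, full disk) is invisible and the hits counter can still silently stall — the very symptom the comment says it fixes. If the non-whitelisted path later writes the same IP record again (not visible in this hunk) and `write_ip_data_to_file` does not serialize access itself, the two writers race and the older value can land last, undoing the later update; the background jobs also accumulate one per detection with no `wait`. A synchronous call with a visible failure, `write_ip_data_to_file "$ip" "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" || printf 'warn: could not persist hits for %s\n' "$ip" >&2`, removes both the race and the blind spot; if the write is too slow to run inline, note that in the comment rather than relying on `2>/dev/null`. monitor_network_attacks starts and ends outside both hunks, so whether the other fields in the record are current at this point cannot be confirmed here.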