From ca8fe4f02c411f094e88a4df53fe6ce9da25ca0e Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 14 Nov 2025 15:48:50 -0500
Subject: [PATCH] Add comprehensive attack monitoring and auto-mitigation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Extended live monitor with additional attack vectors and intelligent mitigation:
Attack Monitoring:
- Email/SMTP bruteforce (dovecot/exim authentication failures)
- FTP bruteforce (vsftpd login failures)
- Database bruteforce (MySQL authentication failures)
- Distributed attack detection (botnet identification via pattern analysis)
Automated Mitigation:
- Auto-blocking engine for IPs reaching critical threshold (score ≥80)
- 1-hour temporary blocks with automatic logging
- Prevents manual intervention for clear threats
Intelligence Enhancements:
- Cross-source attack correlation
- Distributed attack pattern recognition (5+ IPs, same attack)
- Automated threat response with audit trail
Coverage: Web, SSH, Email, FTP, Database, Firewall, cPHulk, Network (8 sources)
---
modules/security/live-attack-monitor.sh | 232 ++++++++++++++++++++++++
1 file changed, 232 insertions(+)
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 260f9b0..492e20c 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -975,13 +975,245 @@ monitor_network_attacks() {
 fi
 }

+################################################################################
+# Email/SMTP Attack Monitoring
+################################################################################
+
+monitor_email_attacks() {
+ # Monitor mail logs for SMTP/IMAP/POP3 bruteforce
+ local mail_log="/var/log/maillog"
+
+ if [ ! -f "$mail_log" ]; then
+ mail_log="/var/log/mail.log"
+ fi
+
+ if [ -f "$mail_log" ]; then
+ tail -n 0 -F "$mail_log" 2>/dev/null | while read -r line; do
+ # Dovecot authentication failures
+ if echo "$line" | grep -qiE "auth.*failed|authentication failed|password mismatch"; then
+ local ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1)
+
+ if [ -n "$ip" ]; then
+ # Skip local/private IPs
+ [[ "$ip" =~ ^127\. ]] || [[ "$ip" =~ ^10\. ]] || [[ "$ip" =~ ^192\.168\. ]] || [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] && continue
+
+ # Process as BRUTEFORCE attack
+ local current_data="${IP_DATA[$ip]:-0|0|human||0|0}"
+ IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
+
+ hits=$((hits + 1))
+
+ # Add BRUTEFORCE to attacks
+ if [[ ! "$attacks" =~ BRUTEFORCE ]]; then
+ [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
+ fi
+
+ score=$(calculate_attack_score "$attacks")
+ IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
+
+ # Log to reputation DB
+ flag_ip_attack "$ip" "BRUTEFORCE" 0 "Email authentication failure" >/dev/null 2>&1 &
+
+ # Log event
+ local time_str=$(date +"%H:%M:%S")
+ local level=$(get_threat_level "$score")
+ local color=$(get_threat_color "$level")
+
+ echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 📧EMAIL_BRUTEFORCE | Hits:$hits${NC}" >> "$TEMP_DIR/recent_events"
+ fi
+ fi
+ done &
+ fi
+}
+
+################################################################################
+# FTP Attack Monitoring
+################################################################################
+
+monitor_ftp_attacks() {
+ # Monitor FTP logs for bruteforce attempts
+ local ftp_log="/var/log/vsftpd.log"
+
+ if [ ! -f "$ftp_log" ]; then
+ ftp_log="/var/log/xferlog"
+ fi
+
+ if [ -f "$ftp_log" ]; then
+ tail -n 0 -F "$ftp_log" 2>/dev/null | while read -r line; do
+ # FTP authentication failures
+ if echo "$line" | grep -qiE "FAIL LOGIN|authentication failed|530 Login incorrect"; then
+ local ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1)
+
+ if [ -n "$ip" ]; then
+ # Skip local/private IPs
+ [[ "$ip" =~ ^127\. ]] || [[ "$ip" =~ ^10\. ]] || [[ "$ip" =~ ^192\.168\. ]] || [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] && continue
+
+ # Process as BRUTEFORCE attack
+ local current_data="${IP_DATA[$ip]:-0|0|human||0|0}"
+ IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
+
+ hits=$((hits + 1))
+
+ # Add BRUTEFORCE to attacks
+ if [[ ! "$attacks" =~ BRUTEFORCE ]]; then
+ [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
+ fi
+
+ score=$(calculate_attack_score "$attacks")
+ IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
+
+ # Log to reputation DB
+ flag_ip_attack "$ip" "BRUTEFORCE" 0 "FTP login failure" >/dev/null 2>&1 &
+
+ # Log event
+ local time_str=$(date +"%H:%M:%S")
+ local level=$(get_threat_level "$score")
+ local color=$(get_threat_color "$level")
+
+ echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 📁FTP_BRUTEFORCE | Hits:$hits${NC}" >> "$TEMP_DIR/recent_events"
+ fi
+ fi
+ done &
+ fi
+}
+
+################################################################################
+# Database Attack Monitoring
+################################################################################
+
+monitor_database_attacks() {
+ # Monitor MySQL logs for authentication failures
+ local mysql_log="/var/log/mysqld.log"
+
+ if [ ! -f "$mysql_log" ]; then
+ mysql_log="/var/log/mysql/error.log"
+ fi
+
+ if [ -f "$mysql_log" ]; then
+ tail -n 0 -F "$mysql_log" 2>/dev/null | while read -r line; do
+ # MySQL authentication failures
+ if echo "$line" | grep -qiE "Access denied for user|Failed password for"; then
+ local ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1)
+
+ if [ -n "$ip" ]; then
+ # Skip local/private IPs
+ [[ "$ip" =~ ^127\. ]] || [[ "$ip" =~ ^10\. ]] || [[ "$ip" =~ ^192\.168\. ]] || [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] && continue
+
+ # Process as SQL_INJECTION attack (database level)
+ local current_data="${IP_DATA[$ip]:-0|0|human||0|0}"
+ IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
+
+ hits=$((hits + 1))
+
+ # Add SQL_INJECTION to attacks
+ if [[ ! "$attacks" =~ SQL_INJECTION ]]; then
+ [ -z "$attacks" ] && attacks="SQL_INJECTION" || attacks="${attacks},SQL_INJECTION"
+ fi
+
+ score=$(calculate_attack_score "$attacks")
+ IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
+
+ # Log to reputation DB
+ flag_ip_attack "$ip" "SQL_INJECTION" 0 "MySQL authentication failure" >/dev/null 2>&1 &
+
+ # Log event
+ local time_str=$(date +"%H:%M:%S")
+ local level=$(get_threat_level "$score")
+ local color=$(get_threat_color "$level")
+
+ echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 🗄️ DB_BRUTEFORCE | Hits:$hits${NC}" >> "$TEMP_DIR/recent_events"
+ fi
+ fi
+ done &
+ fi
+}
+
+################################################################################
+# Distributed Attack Detection
+################################################################################
+
+detect_distributed_attacks() {
+ # Run in background, check every 30 seconds
+ (
+ while true; do
+ sleep 30
+
+ # Look for same attack pattern from multiple IPs in short time
+ if [ -f "$TEMP_DIR/recent_events" ]; then
+ # Get recent attacks (last 2 minutes)
+ local recent=$(tail -200 "$TEMP_DIR/recent_events" 2>/dev/null)
+
+ # Check for same attack type from 5+ different IPs
+ for attack_type in RCE SQL_INJECTION XSS PATH_TRAVERSAL BRUTEFORCE; do
+ local attack_count=$(echo "$recent" | grep -c "$attack_type")
+
+ if [ "$attack_count" -ge 5 ]; then
+ local unique_ips=$(echo "$recent" | grep "$attack_type" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u | wc -l)
+
+ if [ "$unique_ips" -ge 5 ]; then
+ # Distributed attack detected!
+ local time_str=$(date +"%H:%M:%S")
+ echo -e "${CRITICAL_COLOR}[${time_str}] DISTRIBUTED_ATTACK | ${attack_type} from ${unique_ips} IPs in last 2min | Possible botnet${NC}" >> "$TEMP_DIR/recent_events"
+
+ # Mark in a file for Quick Actions to see
+ echo "${attack_type}|${unique_ips}|$(date +%s)" >> "$TEMP_DIR/distributed_attacks"
+ fi
+ fi
+ done
+ fi
+ done
+ ) &
+}
+
+################################################################################
+# Automatic Mitigation Engine
+################################################################################
+
+auto_mitigation_engine() {
+ # Run in background, check every 10 seconds
+ (
+ while true; do
+ sleep 10
+
+ # Auto-block IPs that reach CRITICAL threshold
+ for ip in "${!IP_DATA[@]}"; do
+ IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}"
+
+ # Auto-block at score >= 80 (CRITICAL)
+ if [ "$score" -ge 80 ]; then
+ # Check if already blocked
+ if ! is_ip_blocked "$ip" 2>/dev/null; then
+ # Auto-block
+ local time_str=$(date +"%H:%M:%S")
+ echo -e "${CRITICAL_COLOR}[${time_str}] AUTO_BLOCK | $ip | Score:$score | ${attacks}${NC}" >> "$TEMP_DIR/recent_events"
+
+ # Block for 1 hour
+ block_ip_temporary "$ip" 1 "Auto-block: Critical threat score $score - ${attacks}" >/dev/null 2>&1 &
+
+ # Update ban count
+ ban_count=$((ban_count + 1))
+ IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
+ fi
+ fi
+ done
+ done
+ ) &
+}
+
 # Start all log monitoring sources
 monitor_apache_logs
 monitor_ssh_attacks
+monitor_email_attacks
+monitor_ftp_attacks
+monitor_database_attacks
 monitor_firewall_blocks
 monitor_cphulk_blocks
 monitor_network_attacks

+# Start intelligence engines
+detect_distributed_attacks
+auto_mitigation_engine
+
 # Periodic snapshot saving in background
 (
 while true; do
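Review bot: auto_mitigation_engine iterates `"${!IP_DATA[@]}"` inside a forked `( … ) &` subshell whose copy of the array is fixed at fork time, while the three new monitors write `IP_DATA[$ip]=…` from inside `tail … | while read … done &` pipelines, so those updates are never visible to the engine (nor to the parent shell), the engine never sees hits recorded after startup, and its own `ban_count` increment is lost as well. The only state the monitors actually share is `$TEMP_DIR/recent_events`; the engine should derive the per-IP score from that file, or from whatever the periodic snapshot writer below (which starts outside this hunk) produces, rather than from the in-memory array. Relatedly, detect_distributed_attacks reads `tail -200`, which is the last 200 lines rather than the "last 2 minutes" the comment and alert text claim, and its own `DISTRIBUTED_ATTACK` and `AUTO_BLOCK` lines also match `$attack_type`, so the same event is re-alerted every 30 s for as long as it stays in the window; exclude those lines before counting, e.g. `grep -v -e DISTRIBUTED_ATTACK -e AUTO_BLOCK`, and record the last alert per type to suppress repeats. In monitor_database_attacks a MySQL `Access denied` is stored and reported to `flag_ip_attack` as `SQL_INJECTION` while the event line prints `DB_BRUTEFORCE`; tagging it `BRUTEFORCE` like the mail and FTP monitors keeps the score and the audit trail consistent with what was observed.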