diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index 5dad79c..d148a20 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2359,7 +2359,8 @@ monitor_network_attacks() { hits=$((hits + 1)) # Smart whitelisting: Skip IPs with successful established connections - local established_conns=$(ss -tn state established 2>/dev/null | grep -c "$ip" || echo "0") + local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l) + [ -z "$established_conns" ] && established_conns=0 if [ "$established_conns" -ge 5 ]; then # IP has 5+ established connections = legitimate traffic continue @@ -2462,11 +2463,12 @@ monitor_network_attacks() { # Distributed attack severity bonus # Higher severity = more dangerous, boost scores + # Tier 4 (500+ SYN) is extreme - should auto-block immediately case "$attack_severity" in - 4) conn_bonus=$((conn_bonus + 25)) ;; # Critical DDoS - 3) conn_bonus=$((conn_bonus + 15)) ;; # Severe DDoS - 2) conn_bonus=$((conn_bonus + 10)) ;; # Major DDoS - 1) conn_bonus=$((conn_bonus + 5)) ;; # Moderate DDoS + 4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK) + 3) conn_bonus=$((conn_bonus + 30)) ;; # Severe DDoS + 2) conn_bonus=$((conn_bonus + 15)) ;; # Major DDoS + 1) conn_bonus=$((conn_bonus + 8)) ;; # Moderate DDoS esac # Attack momentum bonus (growing attack = more dangerous) diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index 5dad79c..d148a20 100755 --- a/modules/security/live-attack-monitor.sh +++ b/modules/security/live-attack-monitor.sh 
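Review bot: The new `grep "$ip" | wc -l` still matches the address as an unanchored regex, so the dots match any character and the IP is found as a substring of longer addresses (10.0.0.1 also counts rows for 10.0.0.10 or 110.0.0.1); since five or more hits make the loop `continue` past blocking, established connections from a neighbouring legitimate host can exempt an unrelated attacking IP. A fixed-string, whole-word match avoids that: `local established_conns=$(ss -tn state established 2>/dev/null | grep -Fw -- "$ip" | wc -l)`. The added `[ -z "$established_conns" ]` guard is harmless but dead, because `wc -l` always prints a count even on empty input. monitor_network_attacks() begins before and continues after this hunk, and the identical hunk in modules/security/live-attack-monitor.sh has the same issue.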
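Review bot: The added comment and the `(INSTANT BLOCK)` label promise an immediate auto-block for tier 4, but the arm only adds 50 to conn_bonus; whether that crosses the block threshold is decided elsewhere in monitor_network_attacks (outside this hunk), so the comment asserts behaviour the case statement itself does not enforce. Either word it as what the code does, e.g. `# Tier 4 (500+ SYN): +50 so the score alone should clear the auto-block threshold`, or have the arm set an explicit flag that the blocking path checks rather than relying on the magnitude of a score bonus. The bonus values are also bare magic numbers; naming them as readonly constants next to the threshold they are meant to exceed would make the relationship auditable. The same hunk in modules/security/live-attack-monitor.sh needs the same change.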
@@ -2359,7 +2359,8 @@ monitor_network_attacks() { hits=$((hits + 1)) # Smart whitelisting: Skip IPs with successful established connections - local established_conns=$(ss -tn state established 2>/dev/null | grep -c "$ip" || echo "0") + local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l) + [ -z "$established_conns" ] && established_conns=0 if [ "$established_conns" -ge 5 ]; then # IP has 5+ established connections = legitimate traffic continue @@ -2462,11 +2463,12 @@ monitor_network_attacks() { # Distributed attack severity bonus # Higher severity = more dangerous, boost scores + # Tier 4 (500+ SYN) is extreme - should auto-block immediately case "$attack_severity" in - 4) conn_bonus=$((conn_bonus + 25)) ;; # Critical DDoS - 3) conn_bonus=$((conn_bonus + 15)) ;; # Severe DDoS - 2) conn_bonus=$((conn_bonus + 10)) ;; # Major DDoS - 1) conn_bonus=$((conn_bonus + 5)) ;; # Moderate DDoS + 4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK) + 3) conn_bonus=$((conn_bonus + 30)) ;; # Severe DDoS + 2) conn_bonus=$((conn_bonus + 15)) ;; # Major DDoS + 1) conn_bonus=$((conn_bonus + 8)) ;; # Moderate DDoS esac # Attack momentum bonus (growing attack = more dangerous)