From cae9db2d539707c5be893033a92e3df6c4ae441f Mon Sep 17 00:00:00 2001
From: cschantz
Date: Wed, 24 Dec 2025 20:42:31 -0500
Subject: [PATCH] Fix established_conns parsing + increase Tier 4 DDoS scoring for instant blocking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug 1: Line 2363 integer expression error
Error: [: 0\n0: integer expression expected
Cause: grep -c with || echo 0 was outputting multiple lines
Fix: Changed to grep | wc -l with empty check

Bug 2: Tier 4 DDoS (512 SYN) only scoring 55 points, not auto-blocking
Problem: 500+ connection attacks getting detected but not blocked
Analysis:
Base: 15 points
Old Tier 4: +25 points
Momentum: +15 points
Total: 55 points (need 80 for auto-block)
Fix: Increased Tier 4 severity bonus from +25 to +50

New scoring for 512 SYN attack:
Base: 15
Tier 4: +50 (DOUBLED)
Rapid Accel: +15
Total: 80 points → INSTANT AUTO-BLOCK on first detection

Also adjusted other tiers proportionally:
Tier 1: +5 → +8
Tier 2: +10 → +15
Tier 3: +15 → +30
Tier 4: +25 → +50

Rationale:
- 500+ SYN_RECV is extreme attack
- Should block immediately, not wait for persistence
- User reported active 512-connection attack not blocking
- Now blocks on first 15-second detection cycle
---
 modules/security/live-attack-monitor-v2.sh | 12 +++++++-----
 modules/security/live-attack-monitor.sh    | 12 +++++++-----
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 5dad79c..d148a20 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2359,7 +2359,8 @@ monitor_network_attacks() {
                 hits=$((hits + 1))
 
                 # Smart whitelisting: Skip IPs with successful established connections
-                local established_conns=$(ss -tn state established 2>/dev/null | grep -c "$ip" || echo "0")
+                local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l)
+                [ -z "$established_conns" ] && established_conns=0
                 if [ "$established_conns" -ge 5 ]; then
                     # IP has 5+ established connections = legitimate traffic
                     continue
@@ -2462,11 +2463,12 @@ monitor_network_attacks() {
 
             # Distributed attack severity bonus
             # Higher severity = more dangerous, boost scores
+            # Tier 4 (500+ SYN) is extreme - should auto-block immediately
             case "$attack_severity" in
-                4) conn_bonus=$((conn_bonus + 25)) ;; # Critical DDoS
-                3) conn_bonus=$((conn_bonus + 15)) ;; # Severe DDoS
-                2) conn_bonus=$((conn_bonus + 10)) ;; # Major DDoS
-                1) conn_bonus=$((conn_bonus + 5)) ;; # Moderate DDoS
+                4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK)
+                3) conn_bonus=$((conn_bonus + 30)) ;; # Severe DDoS
+                2) conn_bonus=$((conn_bonus + 15)) ;; # Major DDoS
+                1) conn_bonus=$((conn_bonus + 8)) ;; # Moderate DDoS
             esac
 
             # Attack momentum bonus (growing attack = more dangerous)
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 5dad79c..d148a20 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -2359,7 +2359,8 @@ monitor_network_attacks() {
                 hits=$((hits + 1))
 
                 # Smart whitelisting: Skip IPs with successful established connections
-                local established_conns=$(ss -tn state established 2>/dev/null | grep -c "$ip" || echo "0")
+                local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l)
+                [ -z "$established_conns" ] && established_conns=0
                 if [ "$established_conns" -ge 5 ]; then
                     # IP has 5+ established connections = legitimate traffic
                     continue
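Review bot: The new `established_conns` line still counts with `grep "$ip"`, which is an unanchored regular expression: each `.` in the address matches any character, a shorter address matches longer ones (10.0.0.1 also counts 10.0.0.10 and 110.0.0.1), and the pattern is matched against every column of the `ss` output, not only the peer address — and because this count is what lets a source skip the block path via `continue`, over-counting makes the whitelist more permissive than the comment describes. The added `[ -z "$established_conns" ]` guard is dead code, since `wc -l` always prints a number. The original double-output bug (`grep -c` prints `0` and exits 1, then `echo "0"` prints a second `0`) is fixed just as well by keeping `grep -c` and discarding only the exit status, `local established_conns=$(ss -tn state established 2>/dev/null | grep -cF -- "$ip" || true)`, and the count would be exact if it matched the peer-address field alone (e.g. an awk comparison on the last column) rather than a substring anywhere on the line. The identical hunk in modules/security/live-attack-monitor.sh needs the same change; monitor_network_attacks() starts and ends outside the hunk.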
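Review bot: The new Tier 4 bonus of +50 reaches the 80-point auto-block threshold quoted in the commit message only when the separate +15 momentum bonus is also awarded; if that momentum term needs a previous sample to compare against and so is absent on the very first detection cycle (not verifiable from this hunk), a first-cycle 500+ SYN burst scores 65 and is still not blocked, so the "instant block" claim should be pinned by a first-cycle test or the Tier 4 bonus should clear the threshold by itself. The bonuses 50/30/15/8 and the 80 threshold are magic numbers scattered through the function; declaring them once near the top, e.g. `readonly SEVERITY_BONUS_TIER4=50`, keeps the tiers and the threshold tunable in one place and would have made this re-tuning a one-line diff. Note also that the established-connections whitelist earlier in the same function runs before this scoring and skips the source entirely with `continue`, so the Tier 4 bonus never applies to a source that has 5 or more established connections — worth stating next to the new "should auto-block immediately" comment so the limitation is documented. The same hunk appears in modules/security/live-attack-monitor.sh, whose blob ids (5dad79c..d148a20) are identical to the v2 file's, so the two scripts appear to be byte-for-byte copies and one should probably source or replace the other rather than being patched in parallel. The `case` is complete within the hunk, but monitor_network_attacks() starts and ends outside it.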
@@ -2462,11 +2463,12 @@ monitor_network_attacks() {
 
             # Distributed attack severity bonus
             # Higher severity = more dangerous, boost scores
+            # Tier 4 (500+ SYN) is extreme - should auto-block immediately
             case "$attack_severity" in
-                4) conn_bonus=$((conn_bonus + 25)) ;; # Critical DDoS
-                3) conn_bonus=$((conn_bonus + 15)) ;; # Severe DDoS
-                2) conn_bonus=$((conn_bonus + 10)) ;; # Major DDoS
-                1) conn_bonus=$((conn_bonus + 5)) ;; # Moderate DDoS
+                4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK)
+                3) conn_bonus=$((conn_bonus + 30)) ;; # Severe DDoS
+                2) conn_bonus=$((conn_bonus + 15)) ;; # Major DDoS
+                1) conn_bonus=$((conn_bonus + 8)) ;; # Moderate DDoS
             esac
 
             # Attack momentum bonus (growing attack = more dangerous)