cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix established_conns parsing + increase Tier 4 DDoS scoring for instant blocking

Browse Source 
Bug 1: Line 2363 integer expression error
Error: [: 0\n0: integer expression expected
Cause: grep -c with || echo 0 was outputting multiple lines
Fix: Changed to grep | wc -l with empty check

Bug 2: Tier 4 DDoS (512 SYN) only scoring 55 points, not auto-blocking
Problem: 500+ connection attacks getting detected but not blocked
Analysis:
  Base: 15 points
  Old Tier 4: +25 points
  Momentum: +15 points
  Total: 55 points (need 80 for auto-block)

Fix: Increased Tier 4 severity bonus from +25 to +50
New scoring for 512 SYN attack:
  Base: 15
  Tier 4: +50 (DOUBLED)
  Rapid Accel: +15
  Total: 80 points → INSTANT AUTO-BLOCK on first detection

Also adjusted other tiers proportionally:
  Tier 1: +5 → +8
  Tier 2: +10 → +15
  Tier 3: +15 → +30
  Tier 4: +25 → +50

Rationale:
- 500+ SYN_RECV is extreme attack
- Should block immediately, not wait for persistence
- User reported active 512-connection attack not blocking
- Now blocks on first 15-second detection cycle
This commit is contained in:
cschantz
2025-12-24 20:42:31 -05:00
parent 996be0bdd0
commit cae9db2d53
2 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor-v2.sh
+7 -5
View File
@@ -2359,7 +2359,8 @@ monitor_network_attacks() {
hits=$((hits + 1)) hits=$((hits + 1))
# Smart whitelisting: Skip IPs with successful established connections # Smart whitelisting: Skip IPs with successful established connections
local established_conns=$(ss -tn state established 2>/dev/null | grep -c "$ip" || echo "0") local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l)
[ -z "$established_conns" ] && established_conns=0
if [ "$established_conns" -ge 5 ]; then if [ "$established_conns" -ge 5 ]; then
# IP has 5+ established connections = legitimate traffic # IP has 5+ established connections = legitimate traffic
continue continue
@@ -2462,11 +2463,12 @@ monitor_network_attacks() {
# Distributed attack severity bonus # Distributed attack severity bonus
# Higher severity = more dangerous, boost scores # Higher severity = more dangerous, boost scores
# Tier 4 (500+ SYN) is extreme - should auto-block immediately
case "$attack_severity" in case "$attack_severity" in
4) conn_bonus=$((conn_bonus + 25)) ;; # Critical DDoS 4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK)
3) conn_bonus=$((conn_bonus + 15)) ;; # Severe DDoS 3) conn_bonus=$((conn_bonus + 30)) ;; # Severe DDoS
2) conn_bonus=$((conn_bonus + 10)) ;; # Major DDoS 2) conn_bonus=$((conn_bonus + 15)) ;; # Major DDoS
1) conn_bonus=$((conn_bonus + 5)) ;; # Moderate DDoS 1) conn_bonus=$((conn_bonus + 8)) ;; # Moderate DDoS
esac esac
# Attack momentum bonus (growing attack = more dangerous) # Attack momentum bonus (growing attack = more dangerous)
modules/security/live-attack-monitor.sh
+7 -5
View File
@@ -2359,7 +2359,8 @@ monitor_network_attacks() {
hits=$((hits + 1)) hits=$((hits + 1))
# Smart whitelisting: Skip IPs with successful established connections # Smart whitelisting: Skip IPs with successful established connections
local established_conns=$(ss -tn state established 2>/dev/null | grep -c "$ip" || echo "0") local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l)
[ -z "$established_conns" ] && established_conns=0
if [ "$established_conns" -ge 5 ]; then if [ "$established_conns" -ge 5 ]; then
# IP has 5+ established connections = legitimate traffic # IP has 5+ established connections = legitimate traffic
continue continue
@@ -2462,11 +2463,12 @@ monitor_network_attacks() {
# Distributed attack severity bonus # Distributed attack severity bonus
# Higher severity = more dangerous, boost scores # Higher severity = more dangerous, boost scores
# Tier 4 (500+ SYN) is extreme - should auto-block immediately
case "$attack_severity" in case "$attack_severity" in
4) conn_bonus=$((conn_bonus + 25)) ;; # Critical DDoS 4) conn_bonus=$((conn_bonus + 50)) ;; # Critical DDoS (INSTANT BLOCK)
3) conn_bonus=$((conn_bonus + 15)) ;; # Severe DDoS 3) conn_bonus=$((conn_bonus + 30)) ;; # Severe DDoS
2) conn_bonus=$((conn_bonus + 10)) ;; # Major DDoS 2) conn_bonus=$((conn_bonus + 15)) ;; # Major DDoS
1) conn_bonus=$((conn_bonus + 5)) ;; # Moderate DDoS 1) conn_bonus=$((conn_bonus + 8)) ;; # Moderate DDoS
esac esac
# Attack momentum bonus (growing attack = more dangerous) # Attack momentum bonus (growing attack = more dangerous)