cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add auto-fix menu for security recommendations with intelligent hiding

Browse Source 
NEW FEATURE: Auto-Fix Menu (Press 'f' key)
- Interactive menu to automatically apply security hardening
- Detects active attack patterns and offers contextual fixes
- Creates timestamped backups before making changes
- Verifies settings and skips if already configured

AUTO-FIX OPTIONS:

1. SYNFLOOD Protection (when DDoS detected):
   - Automatically enables CSF SYNFLOOD protection
   - Sets reasonable defaults: 100/s rate limit, 150 burst
   - Restarts CSF to apply changes
   - Only shows if not already enabled

2. SSH Hardening (when 5+ bruteforce attempts):
   - Lowers LF_SSHD from default (5) to 3 failed attempts
   - Also updates LF_SSHD_PERM if present
   - Restarts LFD to apply changes
   - Only shows if threshold > 3

3. CT_LIMIT Optimizer (always available):
   - Runs existing optimize-ct-limit.sh script
   - Prevents connection tracking exhaustion

INTELLIGENT RECOMMENDATION HIDING:

1. Blockable IP count now excludes already blocked IPs:
   - Loads blocked_ips_cache into hash table for O(1) lookups
   - After blocking IPs via 'b' menu, count updates correctly
   - Shows "No IPs requiring immediate blocks" when all handled

2. Recommendations hide after being applied:
   - SSH recommendation checks current LF_SSHD setting
   - SYNFLOOD recommendation checks current SYNFLOOD status
   - Only displays recommendations for issues not yet fixed
   - Provides clear feedback about what's already secured

USER EXPERIENCE IMPROVEMENTS:
- Added 'f' key to keyboard controls help
- Updated quick actions bar to show Auto-Fix option
- Clear success messages after applying fixes
- Shows current settings before and after changes
- "Apply All" option to fix everything at once
- Graceful handling when CSF not installed

SECURITY BEST PRACTICES:
- All config changes create timestamped backups
- Validates settings before modifying
- Provides clear explanation of what each fix does
- Non-destructive - can be safely reversed from backups
This commit is contained in:
cschantz
2025-12-01 18:33:31 -05:00
parent 6ce471e37b
commit d61c71dd2b
1 changed files with 242 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor.sh
+240 -7
View File
@@ -1135,6 +1135,14 @@ draw_quick_actions() {
local has_ssh_bruteforce=0
local high_conn_count=0
# Load blocked IPs cache once for efficient lookups
declare -A blocked_ips_check
if [ -f "$TEMP_DIR/blocked_ips_cache" ]; then
while IFS= read -r blocked_ip; do
[ -n "$blocked_ip" ] && blocked_ips_check[$blocked_ip]=1
done < "$TEMP_DIR/blocked_ips_cache"
fi
for ip in "${!IP_DATA[@]}"; do
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}"
@@ -1145,8 +1153,10 @@ draw_quick_actions() {
# Skip if score too low for blocking
[ "$score" -lt 60 ] && continue
# Quick check - only verify if CSF/iptables commands available
# Don't check on every refresh (too slow)
# Skip if already blocked
[ -n "${blocked_ips_check[$ip]}" ] && continue
# Count as blockable
blockable_count=$((blockable_count + 1))
blockable_ips+="$ip "
done
@@ -1174,10 +1184,17 @@ draw_quick_actions() {
local recommendations=0
if [ "$has_ddos" -eq 1 ] || [ "$high_conn_count" -gt 0 ]; then
# Check if SYNFLOOD is already enabled
local synflood_status=$(grep "^SYNFLOOD\s*=" /etc/csf/csf.conf 2>/dev/null | cut -d'"' -f2)
echo -e "${HIGH_COLOR} ⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended${NC}"
echo -e "${MEDIUM_COLOR} → Enable SYNFLOOD protection: ${BOLD}csf -e SYNFLOOD${NC}"
# Only show SYNFLOOD recommendation if not already enabled
if [ "$synflood_status" != "1" ]; then
echo -e "${MEDIUM_COLOR} → Press 'f' for Auto-Fix menu (enable SYNFLOOD protection)${NC}"
fi
echo -e "${MEDIUM_COLOR} → Optimize CT_LIMIT: ${BOLD}Press 'c' to run CT_LIMIT optimizer${NC}"
echo -e "${MEDIUM_COLOR} → Or manual: ${BOLD}modules/security/optimize-ct-limit.sh${NC}"
recommendations=1
fi
@@ -1189,18 +1206,25 @@ draw_quick_actions() {
ssh_attacks=$(echo "$ssh_attacks" | tr -d '[:space:]')
[[ ! "$ssh_attacks" =~ ^[0-9]+$ ]] && ssh_attacks=0
if [ "$ssh_attacks" -gt 5 ]; then
# Check if SSH hardening is already applied
local current_lf=$(grep "^LF_SSHD\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1)
[ -z "$current_lf" ] && current_lf="5"
# Only show recommendation if not already hardened
if [ "$current_lf" -gt 3 ]; then
echo -e "${HIGH_COLOR} ⚠️ SSH Bruteforce ($ssh_attacks attempts) - Strengthen SSH Security${NC}"
echo -e "${MEDIUM_COLOR}Lower LF_SSHD trigger: ${BOLD}Edit /etc/csf/csf.conf → LF_SSHD=\"3\"${NC}"
echo -e "${MEDIUM_COLOR}Enable PortKnocking or change SSH port${NC}"
echo -e "${MEDIUM_COLOR}Press 'f' for Auto-Fix menu (harden SSH to 3 attempts)${NC}"
echo -e "${MEDIUM_COLOR}Or enable PortKnocking or change SSH port${NC}"
recommendations=1
fi
fi
fi
if [ $recommendations -eq 0 ]; then
echo ""
fi
echo -e "${INFO_COLOR} Keys: 'b' Block | 'c' CT_LIMIT | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}"
echo -e "${INFO_COLOR} Keys: 'b' Block | 'c' CT_LIMIT | 'f' Auto-Fix | 's' Stats | 'r' Refresh | 'h' Help | 'q' Quit${NC}"
echo -e "${MEDIUM_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}"
}
@@ -1317,6 +1341,210 @@ show_blocking_menu() {
fi
}
show_autofix_menu() {
clear
print_banner "Auto-Fix Security Recommendations"
echo ""
# Detect current attack patterns
local has_ddos=0
local has_ssh_bruteforce=0
local ssh_attacks=0
for ip in "${!IP_DATA[@]}"; do
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}"
[[ "$attacks" =~ DDOS ]] && has_ddos=1
[[ "$attacks" =~ BRUTEFORCE ]] && has_ssh_bruteforce=1
done
if [ -f "$TEMP_DIR/recent_events" ]; then
ssh_attacks=$(grep -c "SSH_BRUTEFORCE" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0")
fi
# Show available fixes
echo "Available security hardening fixes:"
echo ""
local fix_count=0
# Check if CSF is available
if ! command -v csf &>/dev/null; then
echo -e "${HIGH_COLOR}⚠️ CSF/LFD firewall not detected${NC}"
echo " Most auto-fix options require CSF to be installed"
echo ""
read -p "Press Enter to return to monitor..."
return
fi
# DDoS/SYN Flood protection
if [ "$has_ddos" -eq 1 ]; then
fix_count=$((fix_count + 1))
echo -e "${HIGH_COLOR}[$fix_count] Enable SYNFLOOD Protection${NC}"
echo " Current: DDoS/SYN flood attacks detected"
echo " Fix: Enable kernel-level SYN flood protection in CSF"
echo ""
fi
# SSH Bruteforce hardening
if [ "$ssh_attacks" -gt 5 ]; then
fix_count=$((fix_count + 1))
echo -e "${HIGH_COLOR}[$fix_count] Harden SSH Security (Lower LF_SSHD)${NC}"
echo " Current: $ssh_attacks SSH bruteforce attempts detected"
echo " Fix: Lower SSH failure threshold from default to 3 attempts"
echo ""
fi
# Always offer CT_LIMIT optimization
fix_count=$((fix_count + 1))
echo -e "${MEDIUM_COLOR}[$fix_count] Optimize Connection Tracking Limit${NC}"
echo " Fix: Run CT_LIMIT optimizer to prevent connection exhaustion"
echo ""
if [ "$fix_count" -eq 1 ]; then
echo -e "${SAFE_COLOR}✓ No critical security issues detected${NC}"
echo " You can still run CT_LIMIT optimizer (option 1)"
echo ""
fi
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Select fix to apply [1-$fix_count], 'a' for all, or 'q' to cancel:"
read -n 1 choice
echo ""
echo ""
case "$choice" in
1)
if [ "$has_ddos" -eq 1 ]; then
apply_synflood_fix
elif [ "$ssh_attacks" -gt 5 ]; then
apply_ssh_hardening
else
# CT_LIMIT is option 1 if no other fixes available
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
read -p "Press Enter to return to monitor..."
fi
;;
2)
if [ "$has_ddos" -eq 1 ] && [ "$ssh_attacks" -gt 5 ]; then
apply_ssh_hardening
else
# CT_LIMIT is option 2 if only one other fix available
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
read -p "Press Enter to return to monitor..."
fi
;;
3)
# CT_LIMIT is option 3 if both other fixes available
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
read -p "Press Enter to return to monitor..."
;;
a|A)
echo "Applying all recommended fixes..."
echo ""
[ "$has_ddos" -eq 1 ] && apply_synflood_fix
[ "$ssh_attacks" -gt 5 ] && apply_ssh_hardening
echo ""
echo "✓ All fixes applied"
echo ""
read -p "Press Enter to return to monitor..."
;;
q|Q)
return
;;
*)
echo "Invalid option"
read -p "Press Enter to continue..."
;;
esac
}
apply_synflood_fix() {
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Enabling SYNFLOOD Protection..."
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
# Check current status
local current_status=$(grep "^SYNFLOOD\s*=" /etc/csf/csf.conf 2>/dev/null | cut -d'"' -f2)
if [ "$current_status" = "1" ]; then
echo "✓ SYNFLOOD protection is already enabled"
else
echo "Current setting: SYNFLOOD = \"$current_status\""
echo "Enabling SYNFLOOD protection..."
# Backup config
cp /etc/csf/csf.conf /etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S)
# Enable SYNFLOOD
sed -i 's/^SYNFLOOD\s*=.*/SYNFLOOD = "1"/' /etc/csf/csf.conf
# Set reasonable defaults if not already set
if ! grep -q "^SYNFLOOD_RATE\s*=" /etc/csf/csf.conf; then
echo 'SYNFLOOD_RATE = "100/s"' >> /etc/csf/csf.conf
fi
if ! grep -q "^SYNFLOOD_BURST\s*=" /etc/csf/csf.conf; then
echo 'SYNFLOOD_BURST = "150"' >> /etc/csf/csf.conf
fi
# Restart CSF
echo ""
echo "Restarting CSF to apply changes..."
csf -r >/dev/null 2>&1
echo ""
echo "✓ SYNFLOOD protection enabled successfully"
echo " Rate limit: 100 connections per second"
echo " Burst: 150 connections"
fi
echo ""
read -p "Press Enter to continue..."
}
apply_ssh_hardening() {
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Hardening SSH Security..."
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
# Check current LF_SSHD setting
local current_lf=$(grep "^LF_SSHD\s*=" /etc/csf/csf.conf 2>/dev/null | grep -oE '[0-9]+' | head -1)
if [ -z "$current_lf" ]; then
current_lf="5" # CSF default
fi
echo "Current SSH failure threshold: LF_SSHD = \"$current_lf\""
if [ "$current_lf" -le 3 ]; then
echo "✓ SSH security is already hardened (threshold ≤ 3)"
else
echo "Lowering threshold to 3 failed attempts..."
# Backup config
cp /etc/csf/csf.conf /etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S)
# Update LF_SSHD
sed -i 's/^LF_SSHD\s*=.*/LF_SSHD = "3"/' /etc/csf/csf.conf
# Also lower LF_SSHD_PERM if it exists (permanent blocks after X temp blocks)
if grep -q "^LF_SSHD_PERM\s*=" /etc/csf/csf.conf; then
sed -i 's/^LF_SSHD_PERM\s*=.*/LF_SSHD_PERM = "3"/' /etc/csf/csf.conf
fi
# Restart LFD to apply changes
echo ""
echo "Restarting LFD to apply changes..."
csf -r >/dev/null 2>&1
echo ""
echo "✓ SSH security hardened successfully"
echo " New threshold: 3 failed attempts before temp block"
echo " Block duration: As configured in LF_TRIGGER (default: 1 hour)"
fi
echo ""
read -p "Press Enter to continue..."
}
################################################################################
# Log Monitoring
################################################################################
@@ -2430,6 +2658,10 @@ while true; do
"$SCRIPT_DIR/modules/security/optimize-ct-limit.sh"
read -p "Press Enter to return to monitor..."
;;
f|F)
# Auto-fix recommendations
show_autofix_menu
;;
i|I)
# Show threat intelligence for specific IP
clear
@@ -2523,6 +2755,7 @@ while true; do
echo "Available Commands:"
echo " ${BOLD}b${NC} - Open IP blocking menu (batch or individual)"
echo " ${BOLD}c${NC} - Run CT_LIMIT optimizer (analyze traffic & recommend limit)"
echo " ${BOLD}f${NC} - Auto-fix recommended security hardening (SYNFLOOD, SSH, etc.)"
echo " ${BOLD}i${NC} - Threat intelligence lookup (AbuseIPDB, geo, incident reports)"
echo " ${BOLD}p${NC} - Show performance impact monitor (server load)"
echo " ${BOLD}s${NC} - Show IP reputation database statistics"