diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh index 0d73007..7109084 100644 --- a/lib/attack-patterns.sh +++ b/lib/attack-patterns.sh @@ -162,6 +162,7 @@ calculate_attack_score() { [[ "$attacks" =~ (^|,)INFO_DISCLOSURE(,|$) ]] && score=$((score + 8)) [[ "$attacks" =~ (^|,)BRUTEFORCE(,|$) ]] && score=$((score + 10)) [[ "$attacks" =~ (^|,)ADMIN_PROBE(,|$) ]] && score=$((score + 5)) + [[ "$attacks" =~ (^|,)DDOS(,|$) ]] && score=$((score + 25)) echo "$score" } diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index e76d517..fe27816 100755 --- a/modules/security/live-attack-monitor.sh +++ b/modules/security/live-attack-monitor.sh @@ -629,8 +629,320 @@ monitor_apache_logs() { # Main Loop ################################################################################ -# Start log monitoring +################################################################################ +# SSH Attack Monitoring +################################################################################ + +monitor_ssh_attacks() { + # Monitor SSH brute force attempts from /var/log/secure + local secure_log="/var/log/secure" + + if [ ! -f "$secure_log" ]; then + # Try alternative location (Debian/Ubuntu) + secure_log="/var/log/auth.log" + fi + + if [ -f "$secure_log" ]; then + tail -n 0 -F "$secure_log" 2>/dev/null | while read -r line; do + # Detect failed SSH login attempts + if echo "$line" | grep -qi "Failed password\|authentication failure\|Invalid user"; then + # Extract IP address + local ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1) + + if [ -n "$ip" ]; then + # Skip local/private IPs + if [[ "$ip" =~ ^127\. ]] || \ + [[ "$ip" =~ ^10\. ]] || \ + [[ "$ip" =~ ^192\.168\. ]] || \ + [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]]; then + continue + fi + + # Process as BRUTEFORCE attack + local current_data="${IP_DATA[$ip]:-0|0|human||0|0}" + IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data" + + # Increment hits + hits=$((hits + 1)) + + # Add BRUTEFORCE to attacks if not already present + if [[ ! "$attacks" =~ BRUTEFORCE ]]; then + if [ -z "$attacks" ]; then + attacks="BRUTEFORCE" + else + attacks="${attacks},BRUTEFORCE" + fi + fi + + # Calculate new score + score=$(calculate_attack_score "$attacks") + + # Update IP_DATA + IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" + + # Log to reputation DB + flag_ip_attack "$ip" "BRUTEFORCE" 0 "SSH failed login attempt" >/dev/null 2>&1 & + + # Log event + local time_str=$(date +"%H:%M:%S") + local level=$(get_threat_level "$score") + local color=$(get_threat_color "$level") + local icon=$(get_attack_icon "BRUTEFORCE") + + echo -e "${color}[${time_str}] $ip | Score:$score [$level] | ${icon}SSH_BRUTEFORCE | Hits:$hits${NC}" >> "$TEMP_DIR/recent_events" + fi + fi + done & + fi +} + +################################################################################ +# Firewall Block Monitoring +################################################################################ + +monitor_firewall_blocks() { + # Monitor CSF/iptables blocks in real-time from /var/log/messages + local messages_log="/var/log/messages" + + if [ ! -f "$messages_log" ]; then + # Try alternative location + messages_log="/var/log/syslog" + fi + + if [ -f "$messages_log" ]; then + tail -n 0 -F "$messages_log" 2>/dev/null | while read -r line; do + # Detect firewall blocks (CSF, iptables, kernel blocks) + if echo "$line" | grep -qiE "Firewall|iptables.*DENY|iptables.*DROP|CSF.*block"; then + # Extract IP address + local ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1) + + if [ -n "$ip" ]; then + # Skip local/private IPs + if [[ "$ip" =~ ^127\. ]] || \ + [[ "$ip" =~ ^10\. ]] || \ + [[ "$ip" =~ ^192\.168\. ]] || \ + [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]]; then + continue + fi + + # Log firewall block + local time_str=$(date +"%H:%M:%S") + echo -e "${LOW_COLOR}[${time_str}] $ip | FIREWALL_BLOCK | Blocked by firewall${NC}" >> "$TEMP_DIR/recent_events" + fi + fi + done & + fi +} + +################################################################################ +# cPHulk Monitoring +################################################################################ + +monitor_cphulk_blocks() { + # Monitor cPHulk blocks (cPanel security system) + if [ -x "/usr/local/cpanel/bin/cphulk_pam_ctl" ] || command -v whmapi1 &>/dev/null; then + ( + declare -A SEEN_BLOCKS + while true; do + # Query cPHulk for blocked IPs + whmapi1 cphulkd_list_blocks 2>/dev/null | grep -E "ip:" | while read -r line; do + local ip=$(echo "$line" | awk '{print $2}') + + if [ -n "$ip" ] && [ -z "${SEEN_BLOCKS[$ip]}" ]; then + SEEN_BLOCKS[$ip]=1 + + # Skip local/private IPs + if [[ "$ip" =~ ^127\. ]] || \ + [[ "$ip" =~ ^10\. ]] || \ + [[ "$ip" =~ ^192\.168\. ]] || \ + [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]]; then + continue + fi + + # Process as BRUTEFORCE attack (cPHulk blocks login attempts) + local current_data="${IP_DATA[$ip]:-0|0|human||0|0}" + IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data" + + # Add BRUTEFORCE to attacks + if [[ ! "$attacks" =~ BRUTEFORCE ]]; then + if [ -z "$attacks" ]; then + attacks="BRUTEFORCE" + else + attacks="${attacks},BRUTEFORCE" + fi + fi + + # Calculate score + score=$(calculate_attack_score "$attacks") + hits=$((hits + 1)) + + # Update IP_DATA + IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" + + # Log event + local time_str=$(date +"%H:%M:%S") + local level=$(get_threat_level "$score") + local color=$(get_threat_color "$level") + + echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 🔐CPHULK_BLOCK | Blocked by cPHulk${NC}" >> "$TEMP_DIR/recent_events" + fi + done + sleep 10 # Poll every 10 seconds + done + ) & + fi +} + +################################################################################ +# Network Attack Monitoring (SYN floods, port scans, DDoS) +################################################################################ + +monitor_network_attacks() { + # Monitor kernel logs and network statistics for SYN floods, port scans, etc. + local kern_log="/var/log/kern.log" + + # Try different log locations + if [ ! -f "$kern_log" ]; then + kern_log="/var/log/messages" + fi + + # Monitor kernel/firewall logs for network attacks + if [ -f "$kern_log" ]; then + tail -n 0 -F "$kern_log" 2>/dev/null | while read -r line; do + # Detect SYN flood patterns + if echo "$line" | grep -qiE "SYN flood|possible SYN flooding|TCP: Possible SYN flooding"; then + local ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1) + + if [ -n "$ip" ]; then + # Skip local/private IPs + if [[ "$ip" =~ ^127\. ]] || \ + [[ "$ip" =~ ^10\. ]] || \ + [[ "$ip" =~ ^192\.168\. ]] || \ + [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]]; then + continue + fi + + # Process as DDOS attack + local current_data="${IP_DATA[$ip]:-0|0|human||0|0}" + IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data" + + # Add DDOS to attacks + if [[ ! "$attacks" =~ DDOS ]]; then + if [ -z "$attacks" ]; then + attacks="DDOS" + else + attacks="${attacks},DDOS" + fi + fi + + # Calculate score (DDOS is high severity) + score=$(calculate_attack_score "$attacks") + hits=$((hits + 1)) + + # Update IP_DATA + IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" + + # Log to reputation DB + flag_ip_attack "$ip" "DDOS" 0 "SYN flood detected" >/dev/null 2>&1 & + + # Log event + local time_str=$(date +"%H:%M:%S") + local level=$(get_threat_level "$score") + local color=$(get_threat_color "$level") + + echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Network attack${NC}" >> "$TEMP_DIR/recent_events" + fi + fi + + # Detect port scan attempts + if echo "$line" | grep -qiE "port.*scan|stealth scan|SYN-FIN scan|NULL scan"; then + local ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1) + + if [ -n "$ip" ]; then + # Skip local/private IPs + if [[ "$ip" =~ ^127\. ]] || \ + [[ "$ip" =~ ^10\. ]] || \ + [[ "$ip" =~ ^192\.168\. ]] || \ + [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]]; then + continue + fi + + # Process as SCANNER attack + local current_data="${IP_DATA[$ip]:-0|0|human||0|0}" + IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data" + + # Add PORT_SCAN to attacks (using ADMIN_PROBE for now - 5 points) + if [[ ! "$attacks" =~ ADMIN_PROBE ]]; then + if [ -z "$attacks" ]; then + attacks="ADMIN_PROBE" + else + attacks="${attacks},ADMIN_PROBE" + fi + fi + + # Calculate score + score=$(calculate_attack_score "$attacks") + hits=$((hits + 1)) + + # Update IP_DATA + IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" + + # Log event + local time_str=$(date +"%H:%M:%S") + local level=$(get_threat_level "$score") + local color=$(get_threat_color "$level") + + echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 🔎PORT_SCAN | Network reconnaissance${NC}" >> "$TEMP_DIR/recent_events" + fi + fi + done & + fi + + # Monitor netstat for high connection counts (possible DDoS) + if command -v netstat &>/dev/null || command -v ss &>/dev/null; then + ( + declare -A CONNECTION_COUNT + declare -A ALERT_SENT + while true; do + # Use ss if available (faster), otherwise netstat + if command -v ss &>/dev/null; then + # Count SYN_RECV connections per IP (sign of SYN flood) + while read -r ip count; do + if [ "$count" -gt 20 ]; then # More than 20 SYN_RECV connections + if [ -z "${ALERT_SENT[$ip]}" ]; then + ALERT_SENT[$ip]=1 + + # Skip local/private IPs + if [[ "$ip" =~ ^127\. ]] || \ + [[ "$ip" =~ ^10\. ]] || \ + [[ "$ip" =~ ^192\.168\. ]] || \ + [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]]; then + continue + fi + + # Log high connection count + local time_str=$(date +"%H:%M:%S") + echo -e "${HIGH_COLOR}[${time_str}] $ip | 💥HIGH_CONN_COUNT | $count SYN_RECV connections (possible DDoS)${NC}" >> "$TEMP_DIR/recent_events" + fi + else + # Reset alert if connections drop + unset ALERT_SENT[$ip] + fi + done < <(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | awk '$1 > 5 {print $2, $1}') + fi + + sleep 15 # Check every 15 seconds + done + ) & + fi +} + +# Start all log monitoring sources monitor_apache_logs +monitor_ssh_attacks +monitor_firewall_blocks +monitor_cphulk_blocks +monitor_network_attacks # Periodic snapshot saving in background (