diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index fb82f3f..1b35257 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -1178,7 +1178,12 @@ monitor_ssh_attacks() {
 fi
 # Process as BRUTEFORCE attack
- local current_data="${IP_DATA[$ip]:-0|0|human||0|0}"
+ # Read from file (subshells can't access IP_DATA array)
+ local ip_file="$TEMP_DIR/ip_${ip//\./_}"
+ local current_data="0|0|human||0|0"
+ if [ -f "$ip_file" ]; then
+ current_data=$(cat "$ip_file")
+ fi
 IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
 # Increment hits
@@ -1256,8 +1261,9 @@ monitor_ssh_attacks() {
 # Cap at 100
 [ $score -gt 100 ] && score=100
- # Update IP_DATA
- IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
+ # Update ip_data file directly (subshells can't access IP_DATA array)
+ local ip_file="$TEMP_DIR/ip_${ip//\./_}"
+ echo "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" > "$ip_file"
 # Store block reasons for CSF
 if [ -n "$block_reasons" ]; then
@@ -1972,10 +1978,20 @@ while true; do
 draw_live_feed
 draw_quick_actions
- # Write IP data to temp file for auto-mitigation engine (every loop)
+ # Consolidate IP data from individual files into ip_data file (for auto-mitigation engine)
 {
- for ip in "${!IP_DATA[@]}"; do
- echo "$ip=${IP_DATA[$ip]}"
+ for ip_file in "$TEMP_DIR"/ip_*; do
+ [ -f "$ip_file" ] || continue
+ # Skip the consolidated ip_data file itself
+ [[ "$(basename "$ip_file")" == "ip_data" ]] && continue
+ # Extract IP from filename (ip_1_2_3_4 -> 1.2.3.4)
+ ip=$(basename "$ip_file" | sed 's/^ip_//' | tr '_' '.')
+ data=$(cat "$ip_file" 2>/dev/null)
+ if [ -n "$data" ]; then
+ echo "$ip=$data"
+ # Also update IP_DATA array for dashboard display
+ IP_DATA[$ip]="$data"
+ fi
 done
 } > "$TEMP_DIR/ip_data" 2>/dev/null
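Review bot: `ip` becomes a path component in `local ip_file="$TEMP_DIR/ip_${ip//\./_}"` with no format check visible in this hunk, and the same construction is repeated in the second hunk where the file is written. The extraction of `ip` is outside the hunk, but if it comes from parsed log text, a value containing `/` would move both the read and the later write outside the intended `ip_*` namespace. A guard before the path is built, such as `[[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue` (or `return`, depending on the enclosing construct, and widened if IPv6 sources are handled), also keeps the filename-to-address mapping in the consolidation loop well defined. Separately, a file that exists but is empty leaves `current_data` empty instead of at the default; `[ -n "$current_data" ] || current_data="0|0|human||0|0"` after the `cat` covers that case.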
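Review bot: The write `echo "$score|…" > "$ip_file"` truncates the file before filling it, and the matching read in the first hunk takes no lock, so if more than one monitor subshell can handle the same address they can overwrite each other's `hits` and `score`, and the consolidation loop can catch the file empty. These values feed the auto-mitigation engine (per the comment in the last hunk), so parallel attempts from one source may be undercounted. Writing to a temporary name that does not match `ip_*` and renaming makes the replacement atomic: `tmp=$(mktemp "$TEMP_DIR/.w.XXXXXX") && printf '%s\n' "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" > "$tmp" && mv -f "$tmp" "$ip_file"`. Avoiding lost updates additionally needs a per-file lock (for example `flock`) around the whole read-modify-write. How `TEMP_DIR` is created is not visible here; it should be a private directory (`mktemp -d`, mode 700), since other local users able to write there could alter the scores that drive blocking.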
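Review bot: The consolidation loop runs `basename` twice plus `sed`, `tr` and `cat` for every `ip_*` file on every pass of the `while true` loop, and nothing in the visible hunks removes per-IP files, so the cost grows with the number of distinct sources and peaks during a distributed attack. Parameter expansion avoids the external processes: `name=${ip_file##*/}; ip=${name#ip_}; ip=${ip//_/.}` and `data=$(<"$ip_file")`. `data` is also emitted unchecked, so a file holding more than one line would add extra lines to `ip_data` for the auto-mitigation engine to parse. Keeping only the first line (`data=${data%%$'\n'*}`) or checking the six-field shape before `echo "$ip=$data"` makes that input stricter. The loop body continues outside the hunk.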