From e4611b994f1b641d96798e046329d0d68fcda2b9 Mon Sep 17 00:00:00 2001 From: cschantz Date: Thu, 8 Jan 2026 17:24:19 -0500 Subject: [PATCH] Update README with new security features (v2.2) Added comprehensive documentation for: - Auto-Mitigation Engine (Score >= 80/100 blocking) - Distributed attack detection and blocking (5+ IPs) - Subnet-level blocking (25+ IPs from same /24) - IPset kernel-level blocking with batching - 24 attack signatures with improved accuracy - Bot classification system - Multi-source monitoring (HTTP, SSH, Email, FTP, DB, Network) - No system pollution design (/tmp storage) Updated version to 2.2.0 with January 2026 highlights. Enhanced security module documentation in usage examples. --- README.md | 42 +++++++++++++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index ebb9cc0..5619be8 100644 --- a/README.md +++ b/README.md @@ -83,14 +83,21 @@ source /root/linux-server-management-toolkit/run.sh ## ✨ Key Features ### 🛡️ Security & Monitoring +- **Live Attack Monitor**: Real-time SOC dashboard with intelligent auto-blocking + - **Auto-Mitigation Engine**: Automatic blocking at Score >= 80 (critical) or >= 100 (instant) + - **Distributed Attack Detection**: Blocks coordinated attacks (5+ IPs, 25+ for subnet-level blocking) + - **24 Attack Signatures**: RCE, SQL injection, XSS, path traversal, SSRF, XXE, credential stuffing, and more + - **IPset Integration**: Kernel-level blocking for instant response (batched for performance) + - **Bot Classification**: Distinguishes legitimate bots (Google, Bing) from AI scrapers and attack tools + - **Attack Scoring System**: Dynamic scoring with volume bonuses and attack severity weighting + - **Multi-Source Monitoring**: HTTP, SSH, Email, FTP, Database, Network attacks in unified dashboard - **Bot & Traffic Analyzer**: Full bot/threat analysis with pattern detection -- **Live Attack Monitor**: Real-time SOC dashboard with threat classification -- **Specialized Monitors**: SSH attacks, web traffic, firewall activity - **IP Reputation Manager**: Centralized cross-module IP intelligence with query/tracking -- **Malware Scanner**: ImunifyAV, ClamAV, and Maldet integration +- **Malware Scanner**: ImunifyAV, ClamAV, and Maldet integration with auto-installation - **cPHulk Integration**: Auto-imports CSF whitelists from all sources +- **Specialized Monitors**: SSH attacks, web traffic, firewall activity - **Log Viewers**: Live tail for Apache access/error, mail, and security logs -- **Optimized Status Checks**: Uses cached domain status (no redundant HTTP requests) +- **No System Pollution**: All data stored in /tmp (auto-cleanup on reboot, no /var/lib/ files) ### 💾 Backup & Recovery - **Acronis Cyber Protect**: Complete agent management (install, update, configure, monitor, troubleshoot) @@ -135,12 +142,17 @@ bash launcher.sh bash launcher.sh # Select: 2) Security & Monitoring # Options: +# - Live Attack Monitor (real-time SOC dashboard with auto-blocking) +# * Monitors HTTP, SSH, Email, FTP, Database, Network attacks +# * Auto-blocks IPs at Score >= 80 (critical) or >= 100 (instant) +# * Detects distributed attacks (5+ IPs) and blocks all participants +# * Subnet blocking when 25+ IPs attack from same /24 range +# * IPset kernel-level blocking for instant response # - Bot & Traffic Analyzer (full scan or 1-hour quick scan) -# - Live Attack Monitor (unified threat intelligence) -# - SSH/Web/Firewall attack monitors # - IP Reputation Manager -# - Malware Scanner +# - Malware Scanner (ImunifyAV, ClamAV, Maldet with auto-install) # - Enable cPHulk Protection +# - SSH/Web/Firewall attack monitors ``` ### Website Diagnostics @@ -191,7 +203,16 @@ nano /root/server-toolkit/config/settings.conf - **No sensitive data in repo**: .gitignore excludes keys, tokens, credentials - **Test first**: Try on non-production environments first -## 📊 Recent Updates (v2.1) +## 📊 Recent Updates (v2.2) + +### January 2026 Highlights - Security Enhancements +- **Auto-Mitigation Engine**: Automatic IP blocking at Score >= 80/100 via IPset (kernel-level) +- **Distributed Attack Blocking**: Detects and blocks coordinated botnet attacks (5+ IPs) +- **Subnet-Level Blocking**: Blocks entire /24 subnets when 25+ IPs attack from same range +- **Attack Signature Improvements**: Fixed false positives in HTTP_SMUGGLING and SUSPICIOUS_UA detection +- **Function Exports**: Fixed critical bug preventing HTTP attack auto-blocking in subshells +- **No System Pollution**: Moved all persistent data from /var/lib/ to /tmp/ for clean removal +- **Maldet Auto-Installation**: Enhanced Plesk support with improved directory detection ### December 2025 Highlights - **Launcher Cleanup**: Removed 90+ phantom menu items, reduced from 1,576 to 574 lines (64% reduction) @@ -201,8 +222,10 @@ nano /root/server-toolkit/config/settings.conf ### Current Feature Set - **41 Working Modules**: Security (14), Website (3), Performance (5), Backup (11), Diagnostics (8) +- **24 Attack Signatures**: RCE, SQL Injection, XSS, Path Traversal, SSRF, XXE, and more - **Reference Database**: 1-hour cached status for cross-module intelligence - **Zero Hardcoded Paths**: Automatic control panel detection and path abstraction +- **Self-Contained Design**: Delete toolkit directory = all data removed (no system files) ## 🙏 Credits @@ -210,5 +233,6 @@ Built for comprehensive cPanel/Linux server management with a focus on security --- -**Version**: 2.1.0 +**Version**: 2.2.0 +**Last Updated**: January 2026 **Repository**: https://git.mull.lol/cschantz/Linux-Server-Management-Toolkit