Update README with new security features (v2.2)

Added comprehensive documentation for:
- Auto-Mitigation Engine (Score >= 80/100 blocking)
- Distributed attack detection and blocking (5+ IPs)
- Subnet-level blocking (25+ IPs from same /24)
- IPset kernel-level blocking with batching
- 24 attack signatures with improved accuracy
- Bot classification system
- Multi-source monitoring (HTTP, SSH, Email, FTP, DB, Network)
- No system pollution design (/tmp storage)

Updated version to 2.2.0 with January 2026 highlights.
Enhanced security module documentation in usage examples.

README.md

@@ -83,14 +83,21 @@ source /root/linux-server-management-toolkit/run.sh
 ## ✨ Key Features
 
 ### 🛡️ Security & Monitoring
+- **Live Attack Monitor**: Real-time SOC dashboard with intelligent auto-blocking
+  - **Auto-Mitigation Engine**: Automatic blocking at Score >= 80 (critical) or >= 100 (instant)
+  - **Distributed Attack Detection**: Blocks coordinated attacks (5+ IPs, 25+ for subnet-level blocking)
+  - **24 Attack Signatures**: RCE, SQL injection, XSS, path traversal, SSRF, XXE, credential stuffing, and more
+  - **IPset Integration**: Kernel-level blocking for instant response (batched for performance)
+  - **Bot Classification**: Distinguishes legitimate bots (Google, Bing) from AI scrapers and attack tools
+  - **Attack Scoring System**: Dynamic scoring with volume bonuses and attack severity weighting
+  - **Multi-Source Monitoring**: HTTP, SSH, Email, FTP, Database, Network attacks in unified dashboard
 - **Bot & Traffic Analyzer**: Full bot/threat analysis with pattern detection
-- **Live Attack Monitor**: Real-time SOC dashboard with threat classification
-- **Specialized Monitors**: SSH attacks, web traffic, firewall activity
 - **IP Reputation Manager**: Centralized cross-module IP intelligence with query/tracking
-- **Malware Scanner**: ImunifyAV, ClamAV, and Maldet integration
+- **Malware Scanner**: ImunifyAV, ClamAV, and Maldet integration with auto-installation
 - **cPHulk Integration**: Auto-imports CSF whitelists from all sources
+- **Specialized Monitors**: SSH attacks, web traffic, firewall activity
 - **Log Viewers**: Live tail for Apache access/error, mail, and security logs
-- **Optimized Status Checks**: Uses cached domain status (no redundant HTTP requests)
+- **No System Pollution**: All data stored in /tmp (auto-cleanup on reboot, no /var/lib/ files)
 
 ### 💾 Backup & Recovery
 - **Acronis Cyber Protect**: Complete agent management (install, update, configure, monitor, troubleshoot)
@@ -135,12 +142,17 @@ bash launcher.sh
 bash launcher.sh
 # Select: 2) Security & Monitoring
 # Options:
+#   - Live Attack Monitor (real-time SOC dashboard with auto-blocking)
+#     * Monitors HTTP, SSH, Email, FTP, Database, Network attacks
+#     * Auto-blocks IPs at Score >= 80 (critical) or >= 100 (instant)
+#     * Detects distributed attacks (5+ IPs) and blocks all participants
+#     * Subnet blocking when 25+ IPs attack from same /24 range
+#     * IPset kernel-level blocking for instant response
 #   - Bot & Traffic Analyzer (full scan or 1-hour quick scan)
-#   - Live Attack Monitor (unified threat intelligence)
-#   - SSH/Web/Firewall attack monitors
 #   - IP Reputation Manager
-#   - Malware Scanner
+#   - Malware Scanner (ImunifyAV, ClamAV, Maldet with auto-install)
 #   - Enable cPHulk Protection
+#   - SSH/Web/Firewall attack monitors
 ```
 
 ### Website Diagnostics
@@ -191,7 +203,16 @@ nano /root/server-toolkit/config/settings.conf
 - **No sensitive data in repo**: .gitignore excludes keys, tokens, credentials
 - **Test first**: Try on non-production environments first
 
-## 📊 Recent Updates (v2.1)
+## 📊 Recent Updates (v2.2)
+
+### January 2026 Highlights - Security Enhancements
+- **Auto-Mitigation Engine**: Automatic IP blocking at Score >= 80/100 via IPset (kernel-level)
+- **Distributed Attack Blocking**: Detects and blocks coordinated botnet attacks (5+ IPs)
+- **Subnet-Level Blocking**: Blocks entire /24 subnets when 25+ IPs attack from same range
+- **Attack Signature Improvements**: Fixed false positives in HTTP_SMUGGLING and SUSPICIOUS_UA detection
+- **Function Exports**: Fixed critical bug preventing HTTP attack auto-blocking in subshells
+- **No System Pollution**: Moved all persistent data from /var/lib/ to /tmp/ for clean removal
+- **Maldet Auto-Installation**: Enhanced Plesk support with improved directory detection
 
 ### December 2025 Highlights
 - **Launcher Cleanup**: Removed 90+ phantom menu items, reduced from 1,576 to 574 lines (64% reduction)
@@ -201,8 +222,10 @@ nano /root/server-toolkit/config/settings.conf
 
 ### Current Feature Set
 - **41 Working Modules**: Security (14), Website (3), Performance (5), Backup (11), Diagnostics (8)
+- **24 Attack Signatures**: RCE, SQL Injection, XSS, Path Traversal, SSRF, XXE, and more
 - **Reference Database**: 1-hour cached status for cross-module intelligence
 - **Zero Hardcoded Paths**: Automatic control panel detection and path abstraction
+- **Self-Contained Design**: Delete toolkit directory = all data removed (no system files)
 
 ## 🙏 Credits
 
@@ -210,5 +233,6 @@ Built for comprehensive cPanel/Linux server management with a focus on security
 
 ---
 
-**Version**: 2.1.0
+**Version**: 2.2.0
+**Last Updated**: January 2026
 **Repository**: https://git.mull.lol/cschantz/Linux-Server-Management-Toolkit