Unified Security Hardening Menu - Simplified CT_LIMIT with intelligent recommendations

MAJOR UX IMPROVEMENT: Consolidated security hardening into single 'c' key menu

REMOVED:
- 'f' key (Auto-Fix menu) - merged into 'c' key
- Scattered security recommendations across multiple menus
- Confusing workflow with multiple entry points

NEW UNIFIED MENU (Press 'c'):
┌─ Security Hardening & Firewall Optimization ─┐
│ Current Security Status:                      │
│   ✓ SYNFLOOD Protection: Enabled             │
│   ✗ SSH Security: Default (LF_SSHD=5)        │
│   ✓ Connection Tracking: Configured (200)    │
│                                               │
│ Available Hardening Options:                 │
│   1 - Enable SYNFLOOD Protection             │
│   2 - Harden SSH Security (Lower LF_SSHD)   │
│   3 - Optimize CT_LIMIT (Auto-analyze)       │
│   4 - Configure Port Knocking (Coming soon)  │
│   a - Apply All Needed Fixes                 │
│   q - Return to Monitor                      │
└───────────────────────────────────────────────┘

FEATURES:

1. Status Display:
   - Shows current state of all security settings
   - ✓ green checkmark = already configured
   - ✗ red X = needs attention
   - Clear indication of what's already done

2. CT_LIMIT Auto Mode (--auto flag):
   - Runs analysis silently when called from menu
   - Automatically applies BALANCED recommendation
   - No user prompts - just analyzes and applies
   - Creates backup before making changes

3. Intelligent Recommendations:
   - Quick Actions panel checks current settings
   - Only recommends DDoS protection if SYNFLOOD disabled OR CT_LIMIT not set
   - Only recommends SSH hardening if LF_SSHD > 3
   - Recommendations disappear after being applied
   - Clear actionable guidance

4. Apply All:
   - Option 'a' applies all needed fixes automatically
   - Skips already-configured settings
   - Shows count of fixes applied
   - One-click hardening for new servers

WORKFLOW IMPROVEMENTS:

Before:
1. See recommendation in Quick Actions
2. Press 'f' to open auto-fix menu
3. Select option from dynamic list
4. Different menu for CT_LIMIT ('c' key)

After:
1. See recommendation: "Press 'c' for Security Hardening menu"
2. Press 'c' - see status of ALL security settings
3. Select what to fix or press 'a' for all
4. Everything in ONE place

CT_LIMIT SIMPLIFICATION:
- Added --auto flag to optimize-ct-limit.sh
- When called with --auto: runs analysis + auto-applies BALANCED
- No user prompts in auto mode
- Perfect for automated workflows and menu integration

SMART RECOMMENDATIONS:
- DDoS recommendation only shows if:
  - SYNFLOOD = 0 OR CT_LIMIT not set/zero
- SSH recommendation only shows if:
  - LF_SSHD > 3
- After applying fixes, recommendations disappear
- No more "already configured" noise

USER EXPERIENCE:
- Single entry point for all security hardening
- Clear visual status indicators
- Actionable next steps
- No redundant options
- Professional menu layout

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
cschantz
2025-12-01 18:40:58 -05:00
parent 2af1722daa
commit e7be235d6b
2 changed files with 160 additions and 107 deletions
+48 -20
@@ -802,18 +802,29 @@ apply_recommendation() {
################################################################################
main() {
clear
print_banner "CT_LIMIT Optimizer - Intelligent Connection Limit Calculator"
echo ""
echo "This tool analyzes your actual traffic patterns to recommend"
echo "an optimal CT_LIMIT that protects against DDoS without blocking"
echo "legitimate users, bots, and CDNs."
echo ""
echo "Analysis period: Last $ANALYSIS_HOURS hours"
echo ""
# Check for auto mode
local AUTO_MODE=0
if [ "$1" = "--auto" ] || [ "$1" = "-a" ]; then
AUTO_MODE=1
fi
read -p "Press Enter to start analysis or Ctrl+C to cancel..."
echo ""
if [ $AUTO_MODE -eq 0 ]; then
clear
print_banner "CT_LIMIT Optimizer - Intelligent Connection Limit Calculator"
echo ""
echo "This tool analyzes your actual traffic patterns to recommend"
echo "an optimal CT_LIMIT that protects against DDoS without blocking"
echo "legitimate users, bots, and CDNs."
echo ""
echo "Analysis period: Last $ANALYSIS_HOURS hours"
echo ""
read -p "Press Enter to start analysis or Ctrl+C to cancel..."
echo ""
else
echo "Running CT_LIMIT analysis in auto mode..."
echo ""
fi
# Check if sysref database exists, build if needed
if [ ! -f "$SYSREF_DB" ] || [ ! -s "$SYSREF_DB" ]; then
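Review bot: The mode check at the top of main() compares only "$1" against --auto / -a, so a mistyped flag or a flag in a later position silently selects the interactive branch and reaches read -p "Press Enter to start analysis or Ctrl+C to cancel...", which stalls any caller without a terminal. Parse arguments with a case statement that rejects unknown options with a usage message and a non-zero exit, and quote the test as [ "$AUTO_MODE" -eq 0 ]. The auto branch also drops the "Analysis period: Last $ANALYSIS_HOURS hours" line. Because this path changes a firewall limit without a prompt, printing the analysed window in auto mode would make the output usable as an audit record.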
@@ -830,27 +841,44 @@ main() {
# Generate and show recommendations
generate_recommendation
# Offer to apply
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
read -p "Would you like to apply the BALANCED recommendation automatically? (y/n): " apply
if [[ "$apply" =~ ^[Yy] ]]; then
# Apply automatically in auto mode, otherwise ask
if [ $AUTO_MODE -eq 1 ]; then
# Extract balanced value from recommendation
local balanced=$(grep "2. BALANCED" -A1 "$TEMP_ANALYSIS/recommendation.txt" | grep "CT_LIMIT" | grep -oE '[0-9]+')
if [ -n "$balanced" ]; then
echo ""
echo "Auto-applying BALANCED recommendation..."
apply_recommendation "$balanced"
else
print_error "Could not determine balanced recommendation value"
return 1
fi
else
# Offer to apply
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
echo "No changes made. You can apply manually using the commands above."
read -p "Would you like to apply the BALANCED recommendation automatically? (y/n): " apply
if [[ "$apply" =~ ^[Yy] ]]; then
# Extract balanced value from recommendation
local balanced=$(grep "2. BALANCED" -A1 "$TEMP_ANALYSIS/recommendation.txt" | grep "CT_LIMIT" | grep -oE '[0-9]+')
if [ -n "$balanced" ]; then
apply_recommendation "$balanced"
else
print_error "Could not determine balanced recommendation value"
fi
else
echo ""
echo "No changes made. You can apply manually using the commands above."
fi
fi
echo ""
print_success "Analysis complete!"
if [ $AUTO_MODE -eq 0 ]; then
print_success "Analysis complete!"
fi
}
main
main "$@"
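Review bot: In the auto branch, the value handed to apply_recommendation is whatever grep -oE '[0-9]+' emits, checked only with [ -n "$balanced" ]. If the CT_LIMIT line in recommendation.txt contains more than one number, balanced becomes a multi-line string and is applied with no operator to notice. Take the first match only, validate it against ^[0-9]+$ and a sane lower bound before applying, and match the heading with grep -F, since the "." in "2. BALANCED" is a regex wildcard. The extraction pipeline is now duplicated in both branches, and local balanced=$(...) masks the pipeline's exit status. A small helper that declares the variable first and is called from both branches would fix both issues. The interactive failure path prints the error without the return 1 that the auto path has, and neither branch checks the result of apply_recommendation, so a failed apply in auto mode still exits 0.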