diff --git a/modules/security/suspicious-login-monitor.sh b/modules/security/suspicious-login-monitor.sh
index 2d3f090..d087eda 100755
--- a/modules/security/suspicious-login-monitor.sh
+++ b/modules/security/suspicious-login-monitor.sh
@@ -2268,7 +2268,7 @@ check_system_file_tampering() {
 # System accounts
 if ($1 == "sync" || $1 == "shutdown" || $1 == "halt" || $1 == "operator") next
 # cPanel shells
- if (shell ~ /\/noshell$/) next
+ if (shell ~ /\/noshell$/ || shell ~ /\/jailshell$/) next
 # If we get here, shell is suspicious
 print $1":"shell
 }' /etc/passwd 2>/dev/null)
@@ -2660,12 +2660,18 @@ perform_compromise_detection() {
 trigger_automated_response() {
 local ip=$1
- local risk_score=$2
+ local risk_score=${2:-0}
 local username=$3
 local panel=$4
+ # Skip if risk_score is not a valid number
+ if ! [[ "$risk_score" =~ ^[0-9]+$ ]]; then
+ echo "Warning: Invalid risk_score '$risk_score', skipping automated response" >&2
+ return 1
+ fi
+
 # CRITICAL: 85-100
- if [ $risk_score -ge $RISK_CRITICAL ] && [ "$SUSPICIOUS_LOGIN_AUTO_BLOCK" = "yes" ]; then
+ if [ "$risk_score" -ge "$RISK_CRITICAL" ] && [ "$SUSPICIOUS_LOGIN_AUTO_BLOCK" = "yes" ]; then
 echo -e "\n${RED}🚨 CRITICAL RISK: Triggering automated response${NC}"
 # 1. Block IP
@@ -2706,7 +2712,7 @@ trigger_automated_response() {
 fi
 # HIGH: 70-84
- elif [ $risk_score -ge $RISK_HIGH ]; then
+ elif [ "$risk_score" -ge "$RISK_HIGH" ]; then
 echo -e "\n${YELLOW}⚠️ HIGH RISK: Manual review recommended${NC}"
 if [ "$SUSPICIOUS_LOGIN_AUTO_BLOCK" = "yes" ] && command -v csf &>/dev/null; then
@@ -2719,7 +2725,7 @@ trigger_automated_response() {
 echo " [2/2] Schedule security scan for review"
 # MEDIUM: 50-69
- elif [ $risk_score -ge $RISK_MEDIUM ]; then
+ elif [ "$risk_score" -ge "$RISK_MEDIUM" ]; then
 echo -e "\n${BLUE}ℹ️ MEDIUM RISK: Monitoring recommended${NC}"
 # LOW: <50
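Review bot: The new jailshell clause, like the noshell clause it extends, exempts any /etc/passwd shell field whose path merely ends in `/jailshell`, so an account whose shell lives somewhere else but carries that basename is silently dropped from the suspicious-shell report, which is the opposite of what a tampering check should do. Matching the full installed path instead of the suffix closes that gap, e.g. `if (shell == "/usr/local/cpanel/bin/noshell" || shell == "/usr/local/cpanel/bin/jailshell") next` (the usual cPanel locations — confirm for this deployment), or the exact allowlist could be taken from /etc/shells. The awk program and check_system_file_tampering both begin before this hunk.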
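Review bot: The `${2:-0}` default on the new risk_score line turns a missing or empty score into 0 before the validity check runs, so a caller that drops the argument falls through to the LOW branch instead of reaching the new warning; `local risk_score=${2-}` stays safe if the script runs under `set -u` while letting `^[0-9]+$` reject the empty value and return 1. The thresholds compared against it here and in the two following hunks (`RISK_CRITICAL`, `RISK_HIGH`, `RISK_MEDIUM`) remain unvalidated, and an empty one makes `[ ... -ge ... ]` fail with an "integer expression expected" error that `if`/`elif` simply treat as false, so they deserve the same numeric check or a `: "${RISK_HIGH:?}"` style assertion where they are defined. trigger_automated_response continues past the end of this hunk.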