From ed584b84515872ddf3561f8bfcb245318ecefc34 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Tue, 3 Feb 2026 20:06:06 -0500
Subject: [PATCH] Fix: Add jailshell filter and validate risk_score
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Issues Fixed:
1. cPanel jailshell users flagged as suspicious
- jailshell is a legitimate cPanel shell (like noshell)
- Users with jailshell were incorrectly flagged
- Fix: Added jailshell to shell filter regex
2. Integer expression errors when risk_score is empty/invalid
- Line 2668, 2709, 2728: Unvalidated risk_score in comparisons
- If risk_score is empty or non-numeric: "integer expression expected"
- Fix: Added validation and default value
Changes:
- Line 2271: if (shell ~ /\/noshell$/ || shell ~ /\/jailshell$/) next
- Line 2663: local risk_score=${2:-0} (default to 0)
- Added: regex validation for risk_score
- Quoted all $risk_score comparisons for safety
Testing:
✓ Syntax validation passed
✓ jailshell filter tested (correctly ignores jailshell users)
✓ Risk score validation prevents empty/invalid values
Result: Eliminates false positives for cPanel jailshell users and prevents "integer expression expected" errors
Co-Authored-By: Claude Sonnet 4.5
---
 modules/security/suspicious-login-monitor.sh | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/modules/security/suspicious-login-monitor.sh b/modules/security/suspicious-login-monitor.sh
index 2d3f090..d087eda 100755
--- a/modules/security/suspicious-login-monitor.sh
+++ b/modules/security/suspicious-login-monitor.sh
@@ -2268,7 +2268,7 @@ check_system_file_tampering() {
 # System accounts
 if ($1 == "sync" || $1 == "shutdown" || $1 == "halt" || $1 == "operator") next
 # cPanel shells
- if (shell ~ /\/noshell$/) next
+ if (shell ~ /\/noshell$/ || shell ~ /\/jailshell$/) next
 # If we get here, shell is suspicious
 print $1":"shell
 }' /etc/passwd 2>/dev/null)
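Review bot: The added `jailshell` test, like the existing `noshell` one, matches only the path suffix, so any shell field ending in `/jailshell` or `/noshell` is exempted from the tampering check regardless of which directory it lives in, which weakens a check whose whole purpose is to surface unexpected shells. If the intent is to whitelist the stock cPanel binaries, an exact comparison is tighter, e.g. `if (shell == "/usr/local/cpanel/bin/noshell" || shell == "/usr/local/cpanel/bin/jailshell") next` — those are the usual cPanel locations as far as I know, so confirm them on a real host before narrowing. A short comment above the line such as `# exact paths: a suffix match would also accept a renamed shell elsewhere` would record why the match is strict. The enclosing awk program and check_system_file_tampering both begin outside the hunk.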
@@ -2660,12 +2660,18 @@ perform_compromise_detection() {
 trigger_automated_response() {
 local ip=$1
- local risk_score=$2
+ local risk_score=${2:-0}
 local username=$3
 local panel=$4
+ # Skip if risk_score is not a valid number
+ if ! [[ "$risk_score" =~ ^[0-9]+$ ]]; then
+ echo "Warning: Invalid risk_score '$risk_score', skipping automated response" >&2
+ return 1
+ fi
 # CRITICAL: 85-100
- if [ $risk_score -ge $RISK_CRITICAL ] && [ "$SUSPICIOUS_LOGIN_AUTO_BLOCK" = "yes" ]; then
+ if [ "$risk_score" -ge "$RISK_CRITICAL" ] && [ "$SUSPICIOUS_LOGIN_AUTO_BLOCK" = "yes" ]; then
 echo -e "\n${RED}🚨 CRITICAL RISK: Triggering automated response${NC}"
 # 1. Block IP
@@ -2706,7 +2712,7 @@ trigger_automated_response() {
 fi
 # HIGH: 70-84
- elif [ $risk_score -ge $RISK_HIGH ]; then
+ elif [ "$risk_score" -ge "$RISK_HIGH" ]; then
 echo -e "\n${YELLOW}âš ī¸ HIGH RISK: Manual review recommended${NC}"
 if [ "$SUSPICIOUS_LOGIN_AUTO_BLOCK" = "yes" ] && command -v csf &>/dev/null; then
@@ -2719,7 +2725,7 @@ trigger_automated_response() {
 echo " [2/2] Schedule security scan for review"
 # MEDIUM: 50-69
- elif [ $risk_score -ge $RISK_MEDIUM ]; then
+ elif [ "$risk_score" -ge "$RISK_MEDIUM" ]; then
 echo -e "\n${BLUE}â„šī¸ MEDIUM RISK: Monitoring recommended${NC}"
 # LOW: <50
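Review bot: The new guard validates only `$2`, but the comparisons it protects also depend on `RISK_CRITICAL`, `RISK_HIGH` and `RISK_MEDIUM`, and quoting them does not stop `[ "$risk_score" -ge "" ]` from failing with the very "integer expression expected" error this commit targets if a threshold is unset or empty; asserting them next to the new check, e.g. `: "${RISK_CRITICAL:?}" "${RISK_HIGH:?}" "${RISK_MEDIUM:?}"`, closes that gap, and the same dependence applies to the HIGH and MEDIUM comparisons in the two following hunks. Returning 1 from the guard is sensible, but if the script runs under `set -e` and a caller invokes `trigger_automated_response` as a plain statement, an invalid score would now abort the whole detection run rather than just skipping the response — the callers are not visible here, so worth checking. The ⚠️/ℹ️ glyphs in the unchanged `echo -e` lines of the later hunks show up as mis-decoded bytes in this patch; presumably a rendering artifact, but since those bytes are emitted verbatim it is worth confirming the file is UTF-8. trigger_automated_response continues past the hunk.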