Fix: Add jailshell filter and validate risk_score

Issues Fixed:
1. cPanel jailshell users flagged as suspicious
   - jailshell is a legitimate cPanel shell (like noshell)
   - Users with jailshell were incorrectly flagged
   - Fix: Added jailshell to shell filter regex

2. Integer expression errors when risk_score is empty/invalid
   - Lines 2668, 2709, 2728: Unvalidated risk_score in comparisons
   - If risk_score is empty or non-numeric: "integer expression expected"
   - Fix: Added validation and default value

Changes:
- Line 2271: if (shell ~ /\/noshell$/ || shell ~ /\/jailshell$/) next
- Line 2663: local risk_score=${2:-0} (default to 0)
- Added: regex validation for risk_score
- Quoted all $risk_score comparisons for safety

Testing:
✓ Syntax validation passed
✓ jailshell filter tested (correctly ignores jailshell users)
✓ Risk score validation prevents empty/invalid values

Result: Eliminates false positives for cPanel jailshell users
and prevents "integer expression expected" errors

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
cschantz
2026-02-03 20:06:06 -05:00
parent 0be6dbe551
commit ed584b8451
+11 -5
@@ -2268,7 +2268,7 @@ check_system_file_tampering() {
# System accounts
if ($1 == "sync" || $1 == "shutdown" || $1 == "halt" || $1 == "operator") next
# cPanel shells
if (shell ~ /\/noshell$/) next
if (shell ~ /\/noshell$/ || shell ~ /\/jailshell$/) next
# If we get here, shell is suspicious
print $1":"shell
}' /etc/passwd 2>/dev/null)
@@ -2660,12 +2660,18 @@ perform_compromise_detection() {
trigger_automated_response() {
local ip=$1
local risk_score=$2
local risk_score=${2:-0}
local username=$3
local panel=$4
# Skip if risk_score is not a valid number
if ! [[ "$risk_score" =~ ^[0-9]+$ ]]; then
echo "Warning: Invalid risk_score '$risk_score', skipping automated response" >&2
return 1
fi
# CRITICAL: 85-100
if [ $risk_score -ge $RISK_CRITICAL ] && [ "$SUSPICIOUS_LOGIN_AUTO_BLOCK" = "yes" ]; then
if [ "$risk_score" -ge "$RISK_CRITICAL" ] && [ "$SUSPICIOUS_LOGIN_AUTO_BLOCK" = "yes" ]; then
echo -e "\n${RED}🚨 CRITICAL RISK: Triggering automated response${NC}"
# 1. Block IP
@@ -2706,7 +2712,7 @@ trigger_automated_response() {
fi
# HIGH: 70-84
elif [ $risk_score -ge $RISK_HIGH ]; then
elif [ "$risk_score" -ge "$RISK_HIGH" ]; then
echo -e "\n${YELLOW}⚠️ HIGH RISK: Manual review recommended${NC}"
if [ "$SUSPICIOUS_LOGIN_AUTO_BLOCK" = "yes" ] && command -v csf &>/dev/null; then
@@ -2719,7 +2725,7 @@ trigger_automated_response() {
echo " [2/2] Schedule security scan for review"
# MEDIUM: 50-69
elif [ $risk_score -ge $RISK_MEDIUM ]; then
elif [ "$risk_score" -ge "$RISK_MEDIUM" ]; then
echo -e "\n${BLUE}️ MEDIUM RISK: Monitoring recommended${NC}"
# LOW: <50
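Review bot: The new `^[0-9]+$` guard in trigger_automated_response validates only `risk_score`, but the `-ge` comparisons that follow still depend on `$RISK_CRITICAL`, `$RISK_HIGH` and `$RISK_MEDIUM` being numeric, so an empty or malformed threshold from the configuration reproduces the same "integer expression expected" failure this commit sets out to fix (quoting prevents word-splitting, not the type error). A one-line check next to the new guard closes the gap: `for t in "$RISK_CRITICAL" "$RISK_HIGH" "$RISK_MEDIUM"; do [[ "$t" =~ ^[0-9]+$ ]] || { echo "Warning: invalid risk threshold '$t', skipping automated response" >&2; return 1; }; done`. Since the guard now returns 1 instead of running the response, callers that expect a block to have happened should check that status; the body of trigger_automated_response continues past the end of this section. Separately, in the first hunk the `\/noshell$` and `\/jailshell$` patterns accept any path whose last component is that name, so an account whose shell points at a non-cPanel path with the same basename is silently exempted from the "suspicious shell" report; if `shell` holds the full path, comparing against the cPanel binaries, e.g. `if (shell == "/usr/local/cpanel/bin/noshell" || shell == "/usr/local/cpanel/bin/jailshell") next`, keeps the false-positive fix while narrowing the exception.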