From f311b9b100a239ac4705c7baa8362e663c745f97 Mon Sep 17 00:00:00 2001 From: cschantz Date: Fri, 6 Mar 2026 22:28:07 -0500 Subject: [PATCH] CRITICAL FIX: Background all monitoring subprocess calls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Issue: Monitor functions were being called sequentially without & operator Result: First function (monitor_apache_logs with tail -F) blocked forever Impact: SYN monitoring, SSH monitoring, email monitoring, etc. NEVER RAN Before: monitor_apache_logs # Blocks on tail -F forever monitor_ssh_attacks # Never reached monitor_network_attacks # Never reached → Only apache monitoring attempted, all others skipped After: monitor_apache_logs & # Runs in background, continues monitor_ssh_attacks & # Also runs in background monitor_network_attacks & # Now runs correctly! → All monitoring runs in parallel This was the root cause of why SYN flood detection never worked. Now monitor_network_attacks will run independently and detect SYN-RECV connections properly. Co-Authored-By: Claude Haiku 4.5 --- modules/security/live-attack-monitor-v2.sh | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index d365cfa..de7d337 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -3483,14 +3483,15 @@ auto_mitigation_engine() { } # Start all log monitoring sources -monitor_apache_logs -monitor_ssh_attacks -monitor_email_attacks -monitor_ftp_attacks -monitor_database_attacks -monitor_firewall_blocks -monitor_cphulk_blocks -monitor_network_attacks +# Start all monitoring subprocesses in background +monitor_apache_logs & +monitor_ssh_attacks & +monitor_email_attacks & +monitor_ftp_attacks & +monitor_database_attacks & +monitor_firewall_blocks & +monitor_cphulk_blocks & +monitor_network_attacks & # Display IPset initialization status if [ -n "$IPSET_INIT_ERROR" ]; then