Add immediate blocking for RCE and critical web exploits

ISSUE:
RCE (Remote Code Execution) attacks were being DETECTED and LOGGED
but NOT BLOCKED, allowing the attacks to proceed even with Score:100.

ROOT CAUSE:
The ET-based blocking only triggered if:
1. Both record_request AND detect_rate_anomaly functions exist AND
2. Combined score >= 90

If either function failed or didn't exist, RCE wasn't immediately blocked.

SOLUTION:
Add explicit, immediate blocking for RCE attacks:
- Detect RCE|WEBSHELL|ECOMMERCE_EXPLOIT in attack types
- Block IMMEDIATELY regardless of score calculation
- Don't wait for rate anomaly detection
- Log as INSTANT_BLOCK_RCE for clear visibility

AFFECTED ATTACKS (Now immediately blocked):
- RCE (Remote Code Execution)
- WEBSHELL (Web shell uploads/access)
- ECOMMERCE_EXPLOIT (Commerce site exploits)

IMPACT:
- 0-second blocking for RCE attempts (previously delayed)
- Prevents exploitation of PHP shells and upload endpoints
- Eliminates time window for attackers to interact with shells

Applied to both live-attack-monitor.sh and live-attack-monitor-v2.sh

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

modules/security/live-attack-monitor-v2.sh

@@ -1945,6 +1945,15 @@ monitor_apache_logs() {
                         # CRITICAL FIX: Write to file for cross-process communication
                         write_ip_data_to_file "$ip" "$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep" 2>/dev/null &
 
+                        # CRITICAL: Immediate block for severe threats (RCE, WEBSHELL, etc.)
+                        if [[ "$et_attack_types" =~ (RCE|WEBSHELL|ECOMMERCE_EXPLOIT) ]]; then
+                            # These are ALWAYS critical - block immediately regardless of score
+                            echo "[CRITICAL] INSTANT_BLOCK_RCE | $ip | Score:$et_attack_score | Attacks:$et_attack_types" >> "$TEMP_DIR/recent_events"
+                            if type quick_block_ip &>/dev/null; then
+                                quick_block_ip "$ip" "CRITICAL_RCE: $et_attack_types" &
+                            fi
+                        fi
+
                         # Check rate anomaly
                         if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
                             record_request "$ip"

modules/security/live-attack-monitor.sh

@@ -1974,6 +1974,15 @@ monitor_apache_logs() {
                         # Update IP data with ET-based score
                         IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep"
 
+                        # CRITICAL: Immediate block for severe threats (RCE, WEBSHELL, etc.)
+                        if [[ "$et_attack_types" =~ (RCE|WEBSHELL|ECOMMERCE_EXPLOIT) ]]; then
+                            # These are ALWAYS critical - block immediately regardless of score
+                            echo "[CRITICAL] INSTANT_BLOCK_RCE | $ip | Score:$et_attack_score | Attacks:$et_attack_types" >> "$TEMP_DIR/recent_events"
+                            if type quick_block_ip &>/dev/null; then
+                                quick_block_ip "$ip" "CRITICAL_RCE: $et_attack_types" &
+                            fi
+                        fi
+
                         # Check rate anomaly
                         if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
                             record_request "$ip"