Add immediate blocking for RCE and critical web exploits
ISSUE: RCE (Remote Code Execution) attacks were being DETECTED and LOGGED but NOT BLOCKED, allowing the attacks to proceed even with Score:100.

ROOT CAUSE: The ET-based blocking only triggered if:
1. Both record_request AND detect_rate_anomaly functions exist AND
2. Combined score >= 90

If either function failed or didn't exist, RCE wasn't immediately blocked.

SOLUTION: Add explicit, immediate blocking for RCE attacks:
- Detect RCE|WEBSHELL|ECOMMERCE_EXPLOIT in attack types
- Block IMMEDIATELY regardless of score calculation
- Don't wait for rate anomaly detection
- Log as INSTANT_BLOCK_RCE for clear visibility

AFFECTED ATTACKS (Now immediately blocked):
- RCE (Remote Code Execution)
- WEBSHELL (Web shell uploads/access)
- ECOMMERCE_EXPLOIT (Commerce site exploits)

IMPACT:
- 0-second blocking for RCE attempts (previously delayed)
- Prevents exploitation of PHP shells and upload endpoints
- Eliminates time window for attackers to interact with shells

Applied to both live-attack-monitor.sh and live-attack-monitor-v2.sh

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@@ -1945,6 +1945,15 @@ monitor_apache_logs() {
# CRITICAL FIX: Write to file for cross-process communication
write_ip_data_to_file "$ip" "$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep" 2>/dev/null &
# CRITICAL: Immediate block for severe threats (RCE, WEBSHELL, etc.)
if [[ "$et_attack_types" =~ (RCE|WEBSHELL|ECOMMERCE_EXPLOIT) ]]; then
# These are ALWAYS critical - block immediately regardless of score
echo "[CRITICAL] INSTANT_BLOCK_RCE | $ip | Score:$et_attack_score | Attacks:$et_attack_types" >> "$TEMP_DIR/recent_events"
if type quick_block_ip &>/dev/null; then
quick_block_ip "$ip" "CRITICAL_RCE: $et_attack_types" &
fi
fi
# Check rate anomaly
if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
record_request "$ip"
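Review bot: the `if type quick_block_ip &>/dev/null; then ... fi` guard has no `else`, so when `quick_block_ip` is not defined the event is still appended to `recent_events` as `INSTANT_BLOCK_RCE` but nothing is blocked and nothing records that it was skipped; that is the same silent fall-through the commit message identifies as the root cause (blocking that depends on functions which may not exist). Add an `else` branch that writes an `[ERROR]` line (or fail at startup if `quick_block_ip` is unavailable) so a missing blocker is visible in the log rather than masked by a "blocked" message. Two related points on the same block: `quick_block_ip "$ip" ... &` is backgrounded and there is no check of `$curr_ban` before calling it, so every further matching request from an already-banned IP spawns another background block job; and this branch reads `$et_attack_types` / `$et_attack_score` while the `write_ip_data_to_file` line just above uses `$curr_attacks` / `$new_score` for the same IP, so please confirm the `et_` variables are populated on this code path (an unset `et_attack_types` makes the `=~` test never match). Finally, the unanchored `(RCE|WEBSHELL|ECOMMERCE_EXPLOIT)` matches any attack-type name that merely contains `RCE` as a substring; if the attack-type field is joined with a known delimiter, anchoring the alternatives on it avoids false matches.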