cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add immediate blocking for RCE and critical web exploits

Browse Source 
ISSUE:
RCE (Remote Code Execution) attacks were being DETECTED and LOGGED
but NOT BLOCKED, allowing the attacks to proceed even with Score:100.

ROOT CAUSE:
The ET-based blocking only triggered if:
1. Both record_request AND detect_rate_anomaly functions exist AND
2. Combined score >= 90

If either function failed or didn't exist, RCE wasn't immediately blocked.

SOLUTION:
Add explicit, immediate blocking for RCE attacks:
- Detect RCE|WEBSHELL|ECOMMERCE_EXPLOIT in attack types
- Block IMMEDIATELY regardless of score calculation
- Don't wait for rate anomaly detection
- Log as INSTANT_BLOCK_RCE for clear visibility

AFFECTED ATTACKS (Now immediately blocked):
- RCE (Remote Code Execution)
- WEBSHELL (Web shell uploads/access)
- ECOMMERCE_EXPLOIT (Commerce site exploits)

IMPACT:
- 0-second blocking for RCE attempts (previously delayed)
- Prevents exploitation of PHP shells and upload endpoints
- Eliminates time window for attackers to interact with shells

Applied to both live-attack-monitor.sh and live-attack-monitor-v2.sh

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-02-20 23:04:35 -05:00
parent c94c708a6f
commit ff3a1e22d7
2 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor-v2.sh
+9
View File
@@ -1945,6 +1945,15 @@ monitor_apache_logs() {
# CRITICAL FIX: Write to file for cross-process communication # CRITICAL FIX: Write to file for cross-process communication
write_ip_data_to_file "$ip" "$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep" 2>/dev/null & write_ip_data_to_file "$ip" "$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep" 2>/dev/null &
# CRITICAL: Immediate block for severe threats (RCE, WEBSHELL, etc.)
if [[ "$et_attack_types" =~ (RCE|WEBSHELL|ECOMMERCE_EXPLOIT) ]]; then
# These are ALWAYS critical - block immediately regardless of score
echo "[CRITICAL] INSTANT_BLOCK_RCE | $ip | Score:$et_attack_score | Attacks:$et_attack_types" >> "$TEMP_DIR/recent_events"
if type quick_block_ip &>/dev/null; then
quick_block_ip "$ip" "CRITICAL_RCE: $et_attack_types" &
fi
fi
# Check rate anomaly # Check rate anomaly
if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
record_request "$ip" record_request "$ip"
modules/security/live-attack-monitor.sh
+9
View File
@@ -1974,6 +1974,15 @@ monitor_apache_logs() {
# Update IP data with ET-based score # Update IP data with ET-based score
IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep" IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep"
# CRITICAL: Immediate block for severe threats (RCE, WEBSHELL, etc.)
if [[ "$et_attack_types" =~ (RCE|WEBSHELL|ECOMMERCE_EXPLOIT) ]]; then
# These are ALWAYS critical - block immediately regardless of score
echo "[CRITICAL] INSTANT_BLOCK_RCE | $ip | Score:$et_attack_score | Attacks:$et_attack_types" >> "$TEMP_DIR/recent_events"
if type quick_block_ip &>/dev/null; then
quick_block_ip "$ip" "CRITICAL_RCE: $et_attack_types" &
fi
fi
# Check rate anomaly # Check rate anomaly
if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
record_request "$ip" record_request "$ip"