PROBLEM: Live monitor detected attacks but didn't provide actionable
recommendations for firewall configuration (CT_LIMIT, SYNFLOOD, etc.)
BEFORE:
Quick Actions panel only showed:
- Number of IPs ready to block
- Press 'b' to block
No guidance on:
- What to do about SYN floods
- How to enable SYNFLOOD protection
- When to adjust CT_LIMIT
- How to strengthen SSH against bruteforce
AFTER:
Quick Actions now provides intelligent recommendations based on detected attacks:
1. DDoS/SYN Flood Detection:
⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended
→ Enable SYNFLOOD protection: csf -e SYNFLOOD
→ Set CT_LIMIT: Edit /etc/csf/csf.conf → CT_LIMIT="100"
→ Apply changes: csf -r
2. SSH Bruteforce Detection (>5 attempts):
⚠️ SSH Bruteforce (X attempts) - Strengthen SSH Security
→ Lower LF_SSHD trigger: Edit /etc/csf/csf.conf → LF_SSHD="3"
→ Enable PortKnocking or change SSH port
3. IP Blocking (score >= 60):
⚠️ X high-threat IPs ready to block
→ Press 'b' to open blocking menu
INTELLIGENCE:
- Monitors IP_DATA for DDOS attacks
- Counts HIGH_CONN_COUNT events (>20 SYN_RECV)
- Counts SSH_BRUTEFORCE attempts in feed
- Only shows recommendations when threats detected
- Provides exact commands to run
PANEL RENAMED:
"QUICK ACTIONS" → "QUICK ACTIONS & RECOMMENDATIONS"
USER BENEFIT:
- Know exactly what to do when SYN flood happens
- Get firewall config commands immediately
- Proactive security hardening suggestions
- No need to remember CSF syntax
NAVIGATION VERIFIED:
✅ All menu back buttons (0) return properly
✅ Cleanup trap handles Ctrl+C correctly
✅ Keyboard controls work (b, s, r, h, q)
✅ Blocking menu has cancel option
FILES MODIFIED:
- modules/security/live-attack-monitor.sh
- Enhanced draw_quick_actions() (lines 393-460)
- Added attack pattern detection
- Added firewall recommendation logic
- Panel title updated
- Changed from 'score >= 40' to 'score > 0 OR has attacks OR suspicious bot'
- Now shows ALL interesting traffic, not just high-scoring threats
- Added bot type display for suspicious/AI bots
- Users will see much more activity in the feed
This fixes the issue where legitimate attacks weren't showing because
they hadn't accumulated enough score yet.
Created a comprehensive IP reputation system that tracks IPs across all
toolkit scripts with tags/attack types, scores, and detailed analytics.
NEW FILES:
- lib/ip-reputation.sh: Core reputation library with optimized database
* Fast lookup using pipe-delimited file format
* Attack type tagging system (bitmask: SQL, XSS, RCE, Bot, Scanner, etc.)
* Reputation scoring (0-100) based on hits and attack severity
* GeoIP country lookup integration
* Automatic cleanup of old entries
* Thread-safe with file locking
- modules/security/ip-reputation-manager.sh: Interactive management tool
* Query individual IPs with full details
* View top malicious/active IPs
* Database statistics and analytics
* Manual IP flagging/whitelisting
* Import IPs from logs
* Export to readable reports
* Live monitoring mode
INTEGRATION:
All security and analysis scripts now use the centralized reputation system:
- modules/website/500-error-tracker.sh:
* Tracks IPs generating 500 errors
* Tags bots/scanners with BOT/SCANNER flags
* Background processing for performance
- modules/security/live-attack-monitor.sh:
* Maps attack types to reputation flags
* Tracks SSH bruteforce, SQL injection, XSS, DDoS, etc.
* Real-time reputation updates
- modules/website/website-error-analyzer.sh:
* Tags filtered bots in error analysis
* Builds IP reputation from website errors
- launcher.sh:
* Added IP Reputation Manager to Bot & Traffic Analysis menu
* Menu option 4 in Security > Analysis > Bot & Traffic Analysis
KEY FEATURES:
✓ Centralized IP tracking across ALL scripts
✓ Multi-tag system (IP can have multiple attack types)
✓ Reputation scores increase with more tags/attacks
✓ Country tracking via GeoIP
✓ Optimized for high-volume traffic (attacks with 1000s of IPs)
✓ Fast lookups even during DDoS
✓ Background processing doesn't slow down analysis
✓ Database cleanup/maintenance tools
✓ Export for reports and sharing
BENEFITS:
- Single source of truth for IP reputation
- Scripts share intelligence (bot detected in one script = flagged for all)
- Track IPs across time and multiple attack vectors
- Identify repeat offenders with multiple attack types
- Make blocking decisions based on comprehensive data
- Performance optimized with file locking and background updates
- Complete security menu restructure (3-mode: Analysis/Actions/Live)
- Intelligent cPHulk enablement with CSF whitelist import
- Live network security monitoring dashboard
- Multi-source threat detection and classification
- 50+ organized security tools across 4-level menu hierarchy
- System health diagnostics with cPanel/WHM integration
- Reference database for cross-module intelligence sharing
cschantz