- live-attack-monitor.sh:
* Remove snapshot loading (start fresh each session)
* Fix Apache log monitoring to use tail -n 0 -F (only new entries)
* Add IP file sync to main loop for auto-blocking to work
* Fix IP_DATA consolidation for cross-process communication
- bot-analyzer.sh:
* Implement gzip compression for large temp files (10-20x space savings)
* Update all read/write operations to use compressed files
* Fix for servers with 200+ domains and millions of log entries
- run.sh:
* Add HISTFILE fallback to prevent crashes when sourced
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove duplicate bot signatures (77 lines), now use lib/bot-signatures.sh
- Add threat intelligence integration with AbuseIPDB and GeoIP
- Enhance threat scoring with external reputation data
- Add bonuses: +15 for high-confidence malicious IPs, +5 for high-risk countries
- Bot analyzer now shares intelligence with live-attack-monitor
The bot analyzer was silently processing thousands of log files with no progress feedback, appearing to stall on large servers.
Changes:
• Added progress counter showing every 50 log files parsed
• Displays current domain being processed
• Shows format: "Parsed 150 log files... (current: domain.com)"
• Clears progress line when complete to avoid clutter
• Interval set to 50 files (adjustable via progress_interval variable)
Example output:
Parsing logs from: /var/log/apache2/domlogs
Parsed 50 log files... (current: example.com)
Parsed 100 log files... (current: another.com)
Logs parsed successfully (125432 entries)
This gives real-time feedback on servers with 1000+ log files without overwhelming the output.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added comprehensive IP reputation tracking to bot analyzer script.
UPDATED:
- modules/security/bot-analyzer.sh
* Now tracks ALL analyzed IPs in centralized reputation database
* Tags IPs with specific attack types discovered:
- SQL_INJECTION: SQL injection attempts
- XSS: Cross-site scripting attempts
- PATH_TRAVERSAL: Directory traversal attempts
- RCE: Remote code execution/shell upload attempts
- BRUTEFORCE: Login bruteforce attempts
- DDOS: Rapid-fire/DDoS patterns
- SCANNER: Suspicious user-agents
* Records hit counts for each IP
* Background processing for performance
* Waits for all updates to complete before finishing
HOW IT WORKS:
When bot analyzer calculates threat scores for each IP, it now:
1. Updates hit count in IP reputation database
2. Tags IP with ALL attack types found (not just one)
3. Runs in background to maintain analysis speed
4. Waits for all background updates before completing
EXAMPLE:
If bot analyzer finds an IP doing:
- SQL injection (15 points)
- XSS attacks (12 points)
- 1000 requests (5 points)
The IP gets:
- Total score: 32/100
- Tags: SQL_INJECTION + XSS
- Hit count: 1000
- Last activity: "Bot analyzer: SQL injection attempts"
This data is then available to ALL other scripts!
BENEFITS:
✓ Bot analysis intelligence shared across entire toolkit
✓ IPs tracked with multiple attack types
✓ Historical data persists between analysis runs
✓ Other scripts can check IP reputation before processing
✓ Build comprehensive threat profile over time
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Complete security menu restructure (3-mode: Analysis/Actions/Live)
- Intelligent cPHulk enablement with CSF whitelist import
- Live network security monitoring dashboard
- Multi-source threat detection and classification
- 50+ organized security tools across 4-level menu hierarchy
- System health diagnostics with cPanel/WHM integration
- Reference database for cross-module intelligence sharing
cschantz