Created new threat intelligence library with extensive monitoring capabilities:
Threat Intelligence Integration:
- AbuseIPDB API integration with caching (24hr TTL)
- Geolocation detection via geoiplookup/whois
- High-risk country identification
- ISP and country-based risk scoring
Smart Whitelisting:
- Automatic detection of legitimate services (Google, Cloudflare, Microsoft, Akamai)
- CDN IP range recognition
- Configurable whitelist management
Behavioral Analysis:
- Request timing pattern analysis (human vs bot detection)
- Attack pattern learning and recording
- Pattern matching for repeat attackers
Performance Monitoring:
- Server load tracking integration
- Stress detection for adaptive mitigation
- CPU and load average monitoring
Incident Response:
- Automated incident report generation
- Comprehensive threat intelligence summaries
- Attack history tracking
- Recommended action suggestions
Multi-Server Coordination:
- Shared threat data logging
- Cross-server attack correlation preparation
Live Monitor Integration:
- Auto-enrichment on first IP encounter
- AbuseIPDB confidence scoring boost (30pts for 75%+, 15pts for 50%+)
- High-risk country detection adds 5pts
- Attack pattern recording for learning
- New keyboard commands:
i) Threat intelligence lookup with incident reports
p) Performance impact monitor
All features use existing system tools only (no new services installed)
PROBLEM: Live monitor showed static CT_LIMIT="100" recommendation
- No analysis of actual site traffic
- No consideration of legitimate high-connection users
- Could block CDNs, bots, or legitimate traffic spikes
- No way to know what's safe for the specific server
SOLUTION: Created comprehensive CT_LIMIT optimizer script
NEW SCRIPT: modules/security/optimize-ct-limit.sh
WHAT IT DOES:
1. Analyzes Apache logs (last 24 hours by default)
- Parses all domain logs in /var/log/apache2/domlogs/
- Tracks max concurrent connections per IP per domain
- Identifies user agents and behavior patterns
2. Classifies IP behavior using bot-signatures.sh
- Legitimate bots (Googlebot, Bingbot, etc.)
- AI crawlers (GPT, Claude, etc.)
- CDNs (Cloudflare, Akamai, etc.)
- Normal users vs high-traffic users
- Potential scrapers
3. Analyzes current active connections
- Uses ss or netstat to check real-time connections
- Identifies current highest connection counts
4. Calculates statistics
- 95th percentile of legitimate user connections
- 99th percentile for headroom
- Max concurrent from single legitimate IP
- Separates bot/CDN traffic from user traffic
5. Provides 3 recommendations:
a) CONSERVATIVE (max_legit + 20) - For high-traffic sites
b) BALANCED (max_legit + 10) - Recommended for most ⭐
c) AGGRESSIVE (max_legit + 5) - Only during active attack
6. Whitelist recommendations
- Identifies bots/CDNs exceeding recommended limit
- Suggests specific IPs to whitelist in CSF
- Prevents blocking Googlebot, monitoring services, etc.
7. One-command application
- Backs up csf.conf automatically
- Updates CT_LIMIT to recommended value
- Enables SYNFLOOD protection
- Restarts CSF
- Provides monitoring command
EXAMPLE OUTPUT:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Connection Analysis Summary:
Total unique IPs analyzed: 1,247
Legitimate users: 1,180
Bots/CDNs/Crawlers: 67
Legitimate User Connection Patterns:
Max concurrent from single IP: 45
95th percentile: 12 concurrent connections
99th percentile: 28 concurrent connections
Current Active Connections:
Highest right now: 8 connections from 1.2.3.4
Current CSF Configuration:
CT_LIMIT = 150
📊 RECOMMENDED CT_LIMIT VALUES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. CONSERVATIVE: CT_LIMIT = 65
• Allows headroom for traffic spikes
• Won't block legitimate users
2. BALANCED: CT_LIMIT = 55 ⭐
• Based on 99th percentile + buffer
• Blocks most attack traffic
3. AGGRESSIVE: CT_LIMIT = 50
• Maximum DDoS protection
• May affect some legitimate users
⚠️ WHITELIST RECOMMENDATIONS
Found bots/crawlers with high connection counts:
• 66.249.72.38 (Googlebot) 82 connections
• 40.77.167.88 (Bingbot) 65 connections
• 157.55.39.183 (UptimeRobot) 48 connections
To whitelist: csf -a <IP>
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
INTEGRATION WITH LIVE MONITOR:
- Press 'c' during live monitoring to run optimizer
- Recommendation updates based on detected DDoS/SYN floods
- Quick Actions panel shows: "Press 'c' to run CT_LIMIT optimizer"
- Help screen updated with 'c' key
USAGE:
1. Standalone: modules/security/optimize-ct-limit.sh
2. From live monitor: Press 'c' during monitoring
3. With custom period: optimize-ct-limit.sh 48 (48 hours)
SAFETY:
- Automatic backup of csf.conf before changes
- Minimum thresholds (50/80/100) prevent too-aggressive limits
- Option to apply or just view recommendations
- Full report saved to /tmp for review
INTELLIGENCE:
- Uses actual traffic data, not guesses
- Accounts for legitimate high-connection sources
- Prevents blocking search engines and monitoring
- Adapts to each server's unique traffic patterns
FILES MODIFIED:
- modules/security/optimize-ct-limit.sh (NEW - 650 lines)
- modules/security/live-attack-monitor.sh
- Added 'c' key handler (line 1019-1024)
- Updated Quick Actions recommendation (line 438)
- Updated help screen (line 1045)
- Updated footer keys (line 457)
PROBLEM: Live monitor detected attacks but didn't provide actionable
recommendations for firewall configuration (CT_LIMIT, SYNFLOOD, etc.)
BEFORE:
Quick Actions panel only showed:
- Number of IPs ready to block
- Press 'b' to block
No guidance on:
- What to do about SYN floods
- How to enable SYNFLOOD protection
- When to adjust CT_LIMIT
- How to strengthen SSH against bruteforce
AFTER:
Quick Actions now provides intelligent recommendations based on detected attacks:
1. DDoS/SYN Flood Detection:
⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended
→ Enable SYNFLOOD protection: csf -e SYNFLOOD
→ Set CT_LIMIT: Edit /etc/csf/csf.conf → CT_LIMIT="100"
→ Apply changes: csf -r
2. SSH Bruteforce Detection (>5 attempts):
⚠️ SSH Bruteforce (X attempts) - Strengthen SSH Security
→ Lower LF_SSHD trigger: Edit /etc/csf/csf.conf → LF_SSHD="3"
→ Enable PortKnocking or change SSH port
3. IP Blocking (score >= 60):
⚠️ X high-threat IPs ready to block
→ Press 'b' to open blocking menu
INTELLIGENCE:
- Monitors IP_DATA for DDOS attacks
- Counts HIGH_CONN_COUNT events (>20 SYN_RECV)
- Counts SSH_BRUTEFORCE attempts in feed
- Only shows recommendations when threats detected
- Provides exact commands to run
PANEL RENAMED:
"QUICK ACTIONS" → "QUICK ACTIONS & RECOMMENDATIONS"
USER BENEFIT:
- Know exactly what to do when SYN flood happens
- Get firewall config commands immediately
- Proactive security hardening suggestions
- No need to remember CSF syntax
NAVIGATION VERIFIED:
✅ All menu back buttons (0) return properly
✅ Cleanup trap handles Ctrl+C correctly
✅ Keyboard controls work (b, s, r, h, q)
✅ Blocking menu has cancel option
FILES MODIFIED:
- modules/security/live-attack-monitor.sh
- Enhanced draw_quick_actions() (lines 393-460)
- Added attack pattern detection
- Added firewall recommendation logic
- Panel title updated
- Changed from 'score >= 40' to 'score > 0 OR has attacks OR suspicious bot'
- Now shows ALL interesting traffic, not just high-scoring threats
- Added bot type display for suspicious/AI bots
- Users will see much more activity in the feed
This fixes the issue where legitimate attacks weren't showing because
they hadn't accumulated enough score yet.
Created a comprehensive IP reputation system that tracks IPs across all
toolkit scripts with tags/attack types, scores, and detailed analytics.
NEW FILES:
- lib/ip-reputation.sh: Core reputation library with optimized database
* Fast lookup using pipe-delimited file format
* Attack type tagging system (bitmask: SQL, XSS, RCE, Bot, Scanner, etc.)
* Reputation scoring (0-100) based on hits and attack severity
* GeoIP country lookup integration
* Automatic cleanup of old entries
* Thread-safe with file locking
- modules/security/ip-reputation-manager.sh: Interactive management tool
* Query individual IPs with full details
* View top malicious/active IPs
* Database statistics and analytics
* Manual IP flagging/whitelisting
* Import IPs from logs
* Export to readable reports
* Live monitoring mode
INTEGRATION:
All security and analysis scripts now use the centralized reputation system:
- modules/website/500-error-tracker.sh:
* Tracks IPs generating 500 errors
* Tags bots/scanners with BOT/SCANNER flags
* Background processing for performance
- modules/security/live-attack-monitor.sh:
* Maps attack types to reputation flags
* Tracks SSH bruteforce, SQL injection, XSS, DDoS, etc.
* Real-time reputation updates
- modules/website/website-error-analyzer.sh:
* Tags filtered bots in error analysis
* Builds IP reputation from website errors
- launcher.sh:
* Added IP Reputation Manager to Bot & Traffic Analysis menu
* Menu option 4 in Security > Analysis > Bot & Traffic Analysis
KEY FEATURES:
✓ Centralized IP tracking across ALL scripts
✓ Multi-tag system (IP can have multiple attack types)
✓ Reputation scores increase with more tags/attacks
✓ Country tracking via GeoIP
✓ Optimized for high-volume traffic (attacks with 1000s of IPs)
✓ Fast lookups even during DDoS
✓ Background processing doesn't slow down analysis
✓ Database cleanup/maintenance tools
✓ Export for reports and sharing
BENEFITS:
- Single source of truth for IP reputation
- Scripts share intelligence (bot detected in one script = flagged for all)
- Track IPs across time and multiple attack vectors
- Identify repeat offenders with multiple attack types
- Make blocking decisions based on comprehensive data
- Performance optimized with file locking and background updates
- Complete security menu restructure (3-mode: Analysis/Actions/Live)
- Intelligent cPHulk enablement with CSF whitelist import
- Live network security monitoring dashboard
- Multi-source threat detection and classification
- 50+ organized security tools across 4-level menu hierarchy
- System health diagnostics with cPanel/WHM integration
- Reference database for cross-module intelligence sharing
cschantz