PROBLEM: Live monitor detected attacks but didn't provide actionable
recommendations for firewall configuration (CT_LIMIT, SYNFLOOD, etc.)
BEFORE:
Quick Actions panel only showed:
- Number of IPs ready to block
- Press 'b' to block
No guidance on:
- What to do about SYN floods
- How to enable SYNFLOOD protection
- When to adjust CT_LIMIT
- How to strengthen SSH against bruteforce
AFTER:
Quick Actions now provides intelligent recommendations based on detected attacks:
1. DDoS/SYN Flood Detection:
⚠️ DDoS/SYN Flood Detected - Firewall Protection Recommended
→ Enable SYNFLOOD protection: csf -e SYNFLOOD
→ Set CT_LIMIT: Edit /etc/csf/csf.conf → CT_LIMIT="100"
→ Apply changes: csf -r
2. SSH Bruteforce Detection (>5 attempts):
⚠️ SSH Bruteforce (X attempts) - Strengthen SSH Security
→ Lower LF_SSHD trigger: Edit /etc/csf/csf.conf → LF_SSHD="3"
→ Enable PortKnocking or change SSH port
3. IP Blocking (score >= 60):
⚠️ X high-threat IPs ready to block
→ Press 'b' to open blocking menu
INTELLIGENCE:
- Monitors IP_DATA for DDOS attacks
- Counts HIGH_CONN_COUNT events (>20 SYN_RECV)
- Counts SSH_BRUTEFORCE attempts in feed
- Only shows recommendations when threats detected
- Provides exact commands to run
PANEL RENAMED:
"QUICK ACTIONS" → "QUICK ACTIONS & RECOMMENDATIONS"
USER BENEFIT:
- Know exactly what to do when SYN flood happens
- Get firewall config commands immediately
- Proactive security hardening suggestions
- No need to remember CSF syntax
NAVIGATION VERIFIED:
✅ All menu back buttons (0) return properly
✅ Cleanup trap handles Ctrl+C correctly
✅ Keyboard controls work (b, s, r, h, q)
✅ Blocking menu has cancel option
FILES MODIFIED:
- modules/security/live-attack-monitor.sh
- Enhanced draw_quick_actions() (lines 393-460)
- Added attack pattern detection
- Added firewall recommendation logic
- Panel title updated
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
cschantz
21da5cab2e