cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e176aa310abe3d740ea685902f6566fea2cb346
Linux-Server-Management-Too…/modules/security
T
History
cschantz 2e176aa310 Add 5 advanced SYN flood intelligence metrics for better attacker detection 
New SYN-Specific Intelligence Metrics:

1. PURE-SYN DETECTION (+20 points)
   - IP has 5+ SYN_RECV but 0 ESTABLISHED connections
   - Legitimate users always complete some handshakes
   - Pure SYN = 100% attack traffic, no legitimate use
   - Tag: PURE-SYN

2. SYN/ESTABLISHED RATIO ANALYSIS (+10-15 points)
   - Normal: More ESTABLISHED than SYN_RECV
   - Suspicious: 2:1 or 3:1 SYN_RECV:ESTABLISHED ratio
   - 3:1 ratio: +15 points
   - 2:1 ratio: +10 points
   - Tag: BAD-RATIO

3. REPEATED SYN WITHOUT COMPLETION (+15 points)
   - IP detected 2+ times with SYN floods
   - BUT never has any ESTABLISHED connections
   - Indicates bot that never completes handshakes
   - Filters out transient network issues

4. SPOOFED SOURCE IP DETECTION (+20 points)
   - High SYN count (10+)
   - Detected 2+ times
   - No other traffic (no HTTP, no scans, nothing)
   - Likely IP spoofing attack
   - Tag: SPOOFED

5. SINGLE-TARGET PORT FOCUS (+5-10 points)
   - All SYN_RECV to same port (e.g., only :80)
   - Indicates targeted attack vs port scan
   - 1 port + 8+ conns: +10 points
   - 2 ports + 15+ conns: +5 points
   - Tag: TARGETED

Log Format Enhancement:
  Old: Conns:14 | DDoS:T4
  New: Conns:14 Est:0 | DDoS:T4 PURE-SYN SPOOFED TARGETED

Example Attack Signatures:

Pure Botnet:
  [20:45:12] 1.2.3.4 | Score:105 [CRITICAL] | 💥SYN_FLOOD | Conns:12 Est:0 | DDoS:T4 ACCEL BOTNET PURE-SYN SPOOFED TARGETED

Sophisticated Multi-Vector:
  [20:45:13] 5.6.7.8 | Score:120 [CRITICAL] | 💥SYN_FLOOD | Conns:15 Est:2 | DDoS:T4 BOTNET MULTI-VECTOR HTTP-ATTACKER BAD-RATIO HOSTILE-ASN

Scoring Impact (512 SYN Attack Example):
  Base: 15
  Tier 4: +50
  Momentum: +15
  Pure SYN: +20
  Spoofed: +20
  Targeted: +10
  ──────────────
  TOTAL: 130 points → Instant block + score 100 cap

Benefits:
- Distinguishes bots from legitimate users
- Catches IP spoofing attacks
- Detects repeat offenders faster
- Provides clear attack attribution in logs
2025-12-24 20:44:48 -05:00
..
bot-analyzer.sh
Fix menu standards: Add RED 0 back buttons to remaining 6 menus
2025-12-17 01:34:24 -05:00
enable-cphulk.sh
Fix cPHulk to use SQLite database instead of MySQL
2025-12-11 17:01:17 -05:00
firewall-activity-monitor.sh
Initial commit: Server Management Toolkit v2.0
2025-11-03 18:21:40 -05:00
ip-reputation-manager.sh
Fix final 10 HIGH integer comparisons in live-attack-monitor and ip-reputation-manager
2025-12-03 20:12:20 -05:00
live-attack-monitor-v2.sh
Add 5 advanced SYN flood intelligence metrics for better attacker detection
2025-12-24 20:44:48 -05:00
live-attack-monitor.sh
Add 5 advanced SYN flood intelligence metrics for better attacker detection
2025-12-24 20:44:48 -05:00
malware-scanner.sh
Fix ClamAV progress display to only update on file change
2025-12-23 16:59:46 -05:00
optimize-ct-limit.sh
PERFECT QA SCRIPT - Eliminate ALL false positives (HIGH issues: 0!)
2025-12-04 20:39:08 -05:00
ssh-attack-monitor.sh
Initial commit: Server Management Toolkit v2.0
2025-11-03 18:21:40 -05:00
tail-apache-access.sh
CRITICAL FIX: Update InterWorx log file name from access_log to transfer.log
2025-11-20 15:50:45 -05:00
tail-apache-error.sh
REFACTOR: Class B modules - Multi-panel log discovery
2025-11-19 20:06:50 -05:00
tail-mail-log.sh
Initial commit: Server Management Toolkit v2.0
2025-11-03 18:21:40 -05:00
tail-secure-log.sh
Initial commit: Server Management Toolkit v2.0
2025-11-03 18:21:40 -05:00
web-traffic-monitor.sh
CRITICAL FIX: Update InterWorx log file name from access_log to transfer.log
2025-11-20 15:50:45 -05:00