cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
91578bfd516f6aa0141df0613e11df1b792726c9
Linux-Server-Management-Too…/modules
T
History
cschantz 91578bfd51 Add advanced attack intelligence with 9 intelligent detection systems 
Implemented comprehensive attack analysis and adaptive threat scoring:

1. ATTACK VELOCITY TRACKING:
   - Tracks attacks per hour in 1-hour sliding window
   - Rapid attacks (10 in 5min) = +15pts bonus
   - High velocity (10-19/hr) = +20pts
   - Extreme velocity (20+/hr) = +30pts
   - Prevents slow-scan evasion

2. ATTACK DIVERSITY SCORING:
   - Detects multi-vector coordinated attacks
   - 2 vectors (SSH+Web) = +10pts
   - 3 vectors = +25pts "COORDINATED"
   - 4+ vectors = +35pts "MULTI_VECTOR"
   - Identifies sophisticated attackers

3. TIMING PATTERN DETECTION:
   - Calculates attack interval variance
   - Consistent intervals (variance <3s) = BOT_PATTERN +20pts
   - Moderate consistency (variance <10s) = LIKELY_BOT +10pts
   - Detects automated tools vs humans

4. REPUTATION DECAY:
   - Scores decay 20% every 6 hours of inactivity
   - Prevents permanent blacklisting of dynamic IPs
   - Runs every 30 minutes in background
   - Allows false positives to naturally clear

5. ATTACK SUCCESS DETECTION:
   - Detects successful WordPress logins (302 redirect) = +50pts
   - Admin access (POST to wp-admin) = +40pts
   - Shell access (200 on shell files) = +60pts CRITICAL
   - Prioritizes actual breaches over attempts

6. SUBNET ATTACK TRACKING:
   - Identifies coordinated botnet attacks from same /24
   - 3 IPs from subnet = +15pts RELATED_IPS
   - 5 IPs = +25pts SUBNET_ATTACK
   - 10+ IPs = +40pts SUBNET_SWARM
   - Detects distributed campaigns

7. TARGET CRITICALITY ASSESSMENT:
   - Admin paths (/wp-admin, phpmyadmin) = +15pts
   - Auth endpoints (/login, wp-login.php) = +12pts
   - Config files (.env, .git, .sql) = +18pts
   - Shell/exploit attempts = +20pts CRITICAL
   - Upload endpoints (POST) = +15pts

8. DETAILED BLOCK REASONS:
   - CSF blocks now include intelligence details
   - Format: "Score=82 Attacks=BRUTEFORCE Intel:HIGH_VELOCITY:15/hr+BOT_PATTERN"
   - Explains WHY IP was blocked
   - Stored per-IP for manual blocks too

9. BLOCK TRACKING:
   - New TOTAL_BLOCKS counter in dashboard header
   - Tracks both auto-blocks and manual blocks
   - Per-IP ban_count incremented on each block
   - Identifies repeat offenders

Integration:
- All features integrated into SSH monitoring (template for others)
- Block reasons saved to /tmp files for CSF submission
- New data structures: IP_TIMESTAMPS, IP_ATTACK_VECTORS, SUBNET_ATTACKS
- Background decay engine runs every 30min
- Zero performance impact (background processing)

Example Block Reason in CSF:
"Auto-block: Score=95 Attacks=BRUTEFORCE Intel:HIGH_VELOCITY:18/hr+BOT_PATTERN:5s_intervals+SUBNET_ATTACK:7_IPs"
2025-11-14 16:43:40 -05:00
..
backup
Improve Acronis backup trigger plan detection
2025-11-06 22:27:47 -05:00
diagnostics
Initial commit: Server Management Toolkit v2.0
2025-11-03 18:21:40 -05:00
maintenance
Optimize IP reputation database for 500k+ IPs with hash-based indexing
2025-11-05 18:55:16 -05:00
performance
Initial commit: Server Management Toolkit v2.0
2025-11-03 18:21:40 -05:00
security
Add advanced attack intelligence with 9 intelligent detection systems
2025-11-14 16:43:40 -05:00
website
Fix domain lookup in WordPress Cron Manager
2025-11-10 20:41:13 -05:00