Linux-Server-Management-Too…/modules/security
cschantz 91578bfd51 Add advanced attack intelligence with 9 intelligent detection systems
Implemented comprehensive attack analysis and adaptive threat scoring:

1. ATTACK VELOCITY TRACKING:
   - Tracks attacks per hour in 1-hour sliding window
   - Rapid attacks (10 in 5min) = +15pts bonus
   - High velocity (10-19/hr) = +20pts
   - Extreme velocity (20+/hr) = +30pts
   - Prevents slow-scan evasion

2. ATTACK DIVERSITY SCORING:
   - Detects multi-vector coordinated attacks
   - 2 vectors (SSH+Web) = +10pts
   - 3 vectors = +25pts "COORDINATED"
   - 4+ vectors = +35pts "MULTI_VECTOR"
   - Identifies sophisticated attackers

3. TIMING PATTERN DETECTION:
   - Calculates attack interval variance
   - Consistent intervals (variance <3s) = BOT_PATTERN +20pts
   - Moderate consistency (variance <10s) = LIKELY_BOT +10pts
   - Detects automated tools vs humans

4. REPUTATION DECAY:
   - Scores decay 20% every 6 hours of inactivity
   - Prevents permanent blacklisting of dynamic IPs
   - Runs every 30 minutes in background
   - Allows false positives to naturally clear

5. ATTACK SUCCESS DETECTION:
   - Detects successful WordPress logins (302 redirect) = +50pts
   - Admin access (POST to wp-admin) = +40pts
   - Shell access (200 on shell files) = +60pts CRITICAL
   - Prioritizes actual breaches over attempts

6. SUBNET ATTACK TRACKING:
   - Identifies coordinated botnet attacks from same /24
   - 3 IPs from subnet = +15pts RELATED_IPS
   - 5 IPs = +25pts SUBNET_ATTACK
   - 10+ IPs = +40pts SUBNET_SWARM
   - Detects distributed campaigns

7. TARGET CRITICALITY ASSESSMENT:
   - Admin paths (/wp-admin, phpmyadmin) = +15pts
   - Auth endpoints (/login, wp-login.php) = +12pts
   - Config files (.env, .git, .sql) = +18pts
   - Shell/exploit attempts = +20pts CRITICAL
   - Upload endpoints (POST) = +15pts

8. DETAILED BLOCK REASONS:
   - CSF blocks now include intelligence details
   - Format: "Score=82 Attacks=BRUTEFORCE Intel:HIGH_VELOCITY:15/hr+BOT_PATTERN"
   - Explains WHY IP was blocked
   - Stored per-IP for manual blocks too

9. BLOCK TRACKING:
   - New TOTAL_BLOCKS counter in dashboard header
   - Tracks both auto-blocks and manual blocks
   - Per-IP ban_count incremented on each block
   - Identifies repeat offenders

Integration:
- All features integrated into SSH monitoring (template for others)
- Block reasons saved to /tmp files for CSF submission
- New data structures: IP_TIMESTAMPS, IP_ATTACK_VECTORS, SUBNET_ATTACKS
- Background decay engine runs every 30min
- Zero performance impact (background processing)

Example Block Reason in CSF:
"Auto-block: Score=95 Attacks=BRUTEFORCE Intel:HIGH_VELOCITY:18/hr+BOT_PATTERN:5s_intervals+SUBNET_ATTACK:7_IPs"
2025-11-14 16:43:40 -05:00
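
The velocity, diversity, timing and decay rules from the commit message, as an added Python sketch. It is not the project's own code: the function names, the tag names marked "assumed", the minimum of three intervals, and reading "variance" as the standard deviation of the intervals in seconds are all assumptions, and the sample timestamps are constructed.

```python
from statistics import pstdev

HOUR = 3600

def intel_bonus(timestamps, vectors, now):
    """Return (bonus_points, tags) for one IP; timestamps are epoch seconds."""
    hits = []  # (points, tag) pairs for every rule that fired
    recent = sorted(t for t in timestamps if 0 <= now - t <= HOUR)  # 1-hour sliding window
    per_hour = len(recent)
    if per_hour >= 20:
        hits.append((30, f"EXTREME_VELOCITY:{per_hour}/hr"))  # tag name assumed
    elif per_hour >= 10:
        hits.append((20, f"HIGH_VELOCITY:{per_hour}/hr"))
    if sum(1 for t in recent if now - t <= 300) >= 10:  # 10 attacks in 5 minutes
        hits.append((15, "RAPID_BURST"))  # tag name assumed
    gaps = [b - a for a, b in zip(recent, recent[1:])]
    if len(gaps) >= 3:  # assumption: judge regularity only with several intervals
        spread = pstdev(gaps)  # assumption: "variance" read as std deviation, seconds
        if spread < 3:
            hits.append((20, "BOT_PATTERN"))
        elif spread < 10:
            hits.append((10, "LIKELY_BOT"))
    n = len(set(vectors))  # distinct attack vectors seen from this IP
    if n >= 4:
        hits.append((35, "MULTI_VECTOR"))
    elif n == 3:
        hits.append((25, "COORDINATED"))
    elif n == 2:
        hits.append((10, "TWO_VECTORS"))  # tag name assumed
    return sum(p for p, _ in hits), [tag for _, tag in hits]

def decayed(score, idle_seconds):
    """Reputation decay: drop 20% per full 6 hours of inactivity (integer math)."""
    for _ in range(int(idle_seconds // (6 * HOUR))):
        score = score * 80 // 100
    return score

def block_reason(score, attacks, tags):
    """Build the reason string in the 'Score=.. Attacks=.. Intel:..' format."""
    return f"Score={score} Attacks={attacks} Intel:" + "+".join(tags)

# Constructed sample: 15 SSH failures exactly 200 s apart (a slow, steady scanner).
NOW = 1_763_156_620
slow_scan = [NOW - 200 * i for i in range(15)]
bonus, tags = intel_bonus(slow_scan, {"SSH"}, NOW)
print(bonus, block_reason(82, "BRUTEFORCE", tags))
```

The constructed scanner never reaches 10 attempts in 5 minutes, so the burst rule stays silent, yet the hourly window and the interval check still flag it.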