diff --git a/.replit b/.replit
index 5c190e2..4e69802 100644
--- a/.replit
+++ b/.replit
@@ -14,6 +14,10 @@ run = ["npm", "run", "start"] localPort = 5000 externalPort = 80 +[[ports]] +localPort = 40793 +externalPort = 3001 + [[ports]] localPort = 41303 externalPort = 3002
diff --git a/deployment/run_analytics.sh b/deployment/run_analytics.sh
new file mode 100755
index 0000000..0ce568e
--- /dev/null
+++ b/deployment/run_analytics.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# IDS Analytics Aggregator - Manual Execution Wrapper
+# Carica credenziali da .env e esegue aggregazione
+#
+# Usage:
+# ./run_analytics.sh hourly
+# ./run_analytics.sh daily
+#
+
+set -e
+
+# Verifica parametro
+if [ "$#" -ne 1 ]; then
+ echo "Usage: $0 {hourly|daily}"
+ exit 1
+fi
+
+MODE=$1
+
+# Verifica modo valido
+if [ "$MODE" != "hourly" ] && [ "$MODE" != "daily" ]; then
+ echo "Errore: modo deve essere 'hourly' o 'daily'"
+ exit 1
+fi
+
+# Directory IDS
+IDS_DIR="/opt/ids"
+ENV_FILE="$IDS_DIR/.env"
+SCRIPT="$IDS_DIR/python_ml/analytics_aggregator.py"
+VENV="$IDS_DIR/venv/bin/python3"
+
+# Verifica file .env esiste
+if [ ! -f "$ENV_FILE" ]; then
+ echo "Errore: File $ENV_FILE non trovato!"
+ exit 1
+fi
+
+# Verifica permessi .env (deve essere readable solo da owner)
+ENV_PERMS=$(stat -c %a "$ENV_FILE")
+if [ "$ENV_PERMS" != "600" ] && [ "$ENV_PERMS" != "400" ]; then
+ echo "Attenzione: $ENV_FILE dovrebbe avere permessi 600 (rw-------)"
+ echo "Esegui: chmod 600 $ENV_FILE"
+fi
+
+# Carica variabili d'ambiente e esegui aggregatore
+echo "๐Ÿ”„ Esecuzione aggregazione $MODE..."
+
+# Export variabili da .env
+set -a
+source "$ENV_FILE"
+set +a
+
+# Esegui come user ids con venv
+if [ "$(whoami)" = "ids" ]; then
+ # Giร  user ids
+ "$VENV" "$SCRIPT" "$MODE"
+else
+ # Switch a user ids
+ sudo -u ids -E "$VENV" "$SCRIPT" "$MODE"
+fi
+
+echo "โœ… Aggregazione $MODE completata!"
diff --git a/python_ml/analytics_aggregator.py b/python_ml/analytics_aggregator.py
index 31edd70..8bf856c 100644
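Review bot: In `deployment/run_analytics.sh` the permission check on `$ENV_FILE` only prints a warning, and the script then runs `source "$ENV_FILE"`, which executes the file as shell code rather than just reading key=value pairs. If the file is writable by another account, its contents run with the privileges of whoever invoked the wrapper, which would be root if the `sudo -u ids` branch is normally reached from a root shell (inferred, not shown here). I would fail closed by adding `exit 1` after the two `echo` lines in that `if`, and also verify the owner with `stat -c %U "$ENV_FILE"`. Separately, `sudo -u ids -E` forwards the caller's whole environment to the child and depends on sudoers allowing it; forwarding only the `PG*` variables would be narrower.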
--- a/python_ml/analytics_aggregator.py
+++ b/python_ml/analytics_aggregator.py
@@ -18,9 +18,14 @@ class AnalyticsAggregator: """ Aggregatore analytics per traffico normale + attacchi Salva statistiche permanenti in network_analytics + + SECURITY: Richiede variabili d'ambiente per credenziali DB. + - Production: Gestite da systemd EnvironmentFile + - Manual: Usare script wrapper run_analytics.sh """ def __init__(self): + # Leggi credenziali da variabili d'ambiente (iniettate da systemd o wrapper) self.db_params = { 'host': os.getenv('PGHOST', 'localhost'), 'port': int(os.getenv('PGPORT', 5432)),
@@ -28,6 +33,19 @@ class AnalyticsAggregator: 'user': os.getenv('PGUSER', 'ids'), 'password': os.getenv('PGPASSWORD', ''), } + + # Fail-fast: verifica credenziali obbligatorie + missing = [] + for key in ['PGHOST', 'PGDATABASE', 'PGUSER', 'PGPASSWORD']: + if not os.getenv(key): + missing.append(key) + + if missing: + raise ValueError( + f"Credenziali database mancanti: {', '.join(missing)}\n" + f"Esecuzione manuale: usa ./deployment/run_analytics.sh\n" + f"Systemd: verifica EnvironmentFile in ids-analytics-aggregator.service" + ) def get_connection(self): """Crea connessione database"""
diff --git a/replit.md b/replit.md
index 7fa41e1..0493829 100644
--- a/replit.md
+++ b/replit.md
@@ -50,7 +50,7 @@ The IDS employs a React-based frontend for real-time monitoring, detection visua ## Recent Updates (Novembre 2025) -### ๐Ÿ“Š Network Analytics & Dashboard System (22 Nov 2025 - 15:00) +### ๐Ÿ“Š Network Analytics & Dashboard System (24 Nov 2025 - 11:30) - **Feature Completa**: Sistema analytics con traffico normale + attacchi, visualizzazioni grafiche avanzate, dati permanenti - **Componenti**: 1. **Database**: `network_analytics` table con aggregazioni orarie/giornaliere permanenti
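Review bot: In the second hunk of `analytics_aggregator.py` the required-variable check runs after `self.db_params` has already been built with fallbacks (`'localhost'`, `'ids'`, and `''` for the password), so those defaults can no longer take effect for the checked keys yet still read as if an empty password were acceptable. `int(os.getenv('PGPORT', 5432))` also sits before the check, so a malformed port raises its own `ValueError` ahead of the clearer message. I would move the check above the dict, build the list as `missing = [k for k in ('PGHOST', 'PGDATABASE', 'PGUSER', 'PGPASSWORD') if not os.getenv(k)]`, and read the required values with `os.environ[...]` so there is no silent fallback. The error message lists only variable names, never their values, and it should stay that way. `__init__` begins in the first hunk and part of the dict lies between the two hunks, so this is based on the visible lines only.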
@@ -61,6 +61,8 @@ The IDS employs a React-based frontend for real-time monitoring, detection visua - **Grafici**: Area Chart, Pie Chart, Bar Chart, Line Chart, Real-time Stream - **Flag Emoji**: ๐Ÿ‡ฎ๐Ÿ‡น๐Ÿ‡บ๐Ÿ‡ธ๐Ÿ‡ท๐Ÿ‡บ๐Ÿ‡จ๐Ÿ‡ณ per identificazione immediata paese origine - **Deploy**: Migration 005 + `./deployment/setup_analytics_timer.sh` +- **Security Fix**: Rimosso hardcoded path, implementato wrapper script sicuro `run_analytics.sh` per esecuzioni manuali +- **Production-grade**: Credenziali gestite via systemd EnvironmentFile (automatico) o wrapper script (manuale) ### ๐ŸŒ IP Geolocation Integration (22 Nov 2025 - 13:00) - **Feature**: Informazioni geografiche complete (paese, cittร , organizzazione, AS) per ogni IP