From 4d9ed22c3903b58627fdcc78cbe0f9f47a614645 Mon Sep 17 00:00:00 2001 From: marco370 <48531002-marco370@users.noreply.replit.com> Date: Tue, 25 Nov 2025 11:52:13 +0000 Subject: [PATCH] Add automatic IP blocking system to enhance security Implement a systemd timer and Python script to periodically detect and automatically block malicious IP addresses based on risk scores, improving the application's security posture. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528 Replit-Commit-Checkpoint-Type: full_checkpoint Replit-Commit-Event-Id: 05ab2f73-e195-4de9-a183-cd4729713b92 Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/31VdIyL --- .replit | 4 + deployment/AUTO_BLOCKING_SETUP.md | 260 ++++++++++++++++++++++ deployment/systemd/ids-auto-block.service | 30 +++ deployment/systemd/ids-auto-block.timer | 20 ++ python_ml/auto_block.py | 63 ++++++ 5 files changed, 377 insertions(+) create mode 100644 deployment/AUTO_BLOCKING_SETUP.md create mode 100644 deployment/systemd/ids-auto-block.service create mode 100644 deployment/systemd/ids-auto-block.timer create mode 100644 python_ml/auto_block.py diff --git a/.replit b/.replit index aa41490..a5e7f75 100644 --- a/.replit +++ b/.replit @@ -18,6 +18,10 @@ externalPort = 80 localPort = 41303 externalPort = 3002 +[[ports]] +localPort = 43081 +externalPort = 4200 + [[ports]] localPort = 43471 externalPort = 3003 diff --git a/deployment/AUTO_BLOCKING_SETUP.md b/deployment/AUTO_BLOCKING_SETUP.md new file mode 100644 index 0000000..b87614c --- /dev/null +++ b/deployment/AUTO_BLOCKING_SETUP.md 
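Review bot: The new `[[ports]]` entry mapping localPort 43081 to externalPort 4200 is not mentioned in the commit message, and nothing else in this patch binds that port, so it reads as an unrelated (possibly leftover) exposure added to a security-hardening commit. An externally reachable port should name what sits behind it, e.g. a comment `# 43081: <service> dev server, exposed as 4200` above the entry, or be removed if it was only a workspace artifact. I cannot tell from here which process listens on 43081.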
@@ -0,0 +1,260 @@ +# Auto-Blocking Setup - IDS MikroTik + +## 📋 Panoramica + +Sistema di auto-blocking automatico che rileva e blocca IP con **risk_score >= 80** ogni 5 minuti. + +**Componenti**: +1. `python_ml/auto_block.py` - Script Python che chiama API ML +2. `deployment/systemd/ids-auto-block.service` - Systemd service +3. `deployment/systemd/ids-auto-block.timer` - Timer esecuzione ogni 5 minuti + +--- + +## 🚀 Installazione su AlmaLinux + +### 1️⃣ Prerequisiti + +Verifica che questi servizi siano attivi: +```bash +sudo systemctl status ids-ml-backend # ML Backend FastAPI +sudo systemctl status postgresql-16 # Database PostgreSQL +``` + +### 2️⃣ Copia File Systemd + +```bash +# Service file +sudo cp /opt/ids/deployment/systemd/ids-auto-block.service /etc/systemd/system/ + +# Timer file +sudo cp /opt/ids/deployment/systemd/ids-auto-block.timer /etc/systemd/system/ + +# Verifica permessi +sudo chown root:root /etc/systemd/system/ids-auto-block.* +sudo chmod 644 /etc/systemd/system/ids-auto-block.* +``` + +### 3️⃣ Rendi Eseguibile Script Python + +```bash +chmod +x /opt/ids/python_ml/auto_block.py +``` + +### 4️⃣ Installa Dipendenza Python (requests) + +```bash +# Attiva virtual environment +cd /opt/ids/python_ml +source venv/bin/activate + +# Installa requests +pip install requests + +# Esci da venv +deactivate +``` + +### 5️⃣ Crea Directory Log + +```bash +sudo mkdir -p /var/log/ids +sudo chown ids:ids /var/log/ids +``` + +### 6️⃣ Ricarica Systemd e Avvia Timer + +```bash +# Ricarica systemd +sudo systemctl daemon-reload + +# Abilita timer (autostart al boot) +sudo systemctl enable ids-auto-block.timer + +# Avvia timer +sudo systemctl start ids-auto-block.timer +``` + +--- + +## ✅ Verifica Funzionamento + +### Test Manuale (esegui subito) + +```bash +# Esegui auto-blocking adesso (non aspettare 5 min) +sudo systemctl start ids-auto-block.service + +# Controlla log output +journalctl -u ids-auto-block -n 30 +``` + +**Output atteso**: +``` +[2024-11-25 12:00:00] 
🔍 Starting auto-block detection... +✓ Detection completata: 14 anomalie rilevate, 14 IP bloccati +``` + +### Verifica Timer Attivo + +```bash +# Status timer +systemctl status ids-auto-block.timer + +# Prossime esecuzioni +systemctl list-timers ids-auto-block.timer + +# Ultima esecuzione +journalctl -u ids-auto-block.service -n 1 +``` + +### Verifica IP Bloccati + +**Database**: +```sql +SELECT COUNT(*) FROM detections WHERE blocked = true; +``` + +**MikroTik Router**: +``` +/ip firewall address-list print where list=blocked_ips +``` + +--- + +## 📊 Monitoring + +### Log in Tempo Reale + +```bash +# Log auto-blocking +tail -f /var/log/ids/auto_block.log + +# O via journalctl +journalctl -u ids-auto-block -f +``` + +### Statistiche Blocchi + +```bash +# Conta esecuzioni ultimo giorno +journalctl -u ids-auto-block --since "1 day ago" | grep "Detection completata" | wc -l + +# Totale IP bloccati oggi +journalctl -u ids-auto-block --since today | grep "IP bloccati" +``` + +--- + +## ⚙️ Configurazione + +### Modifica Frequenza Esecuzione + +Edita `/etc/systemd/system/ids-auto-block.timer`: + +```ini +[Timer] +# Cambia 5min con frequenza desiderata (es: 10min, 1h, 30s) +OnUnitActiveSec=10min # Esegui ogni 10 minuti +``` + +Poi ricarica: +```bash +sudo systemctl daemon-reload +sudo systemctl restart ids-auto-block.timer +``` + +### Modifica Threshold Risk Score + +Edita `python_ml/auto_block.py`: + +```python +"risk_threshold": 80.0, # Cambia soglia (80, 90, 100, etc) +``` + +Poi riavvia timer: +```bash +sudo systemctl restart ids-auto-block.timer +``` + +--- + +## 🛠️ Troubleshooting + +### Problema: Nessun IP bloccato + +**Verifica ML Backend attivo**: +```bash +systemctl status ids-ml-backend +curl http://localhost:8000/health +``` + +**Verifica router configurati**: +```sql +SELECT * FROM routers WHERE enabled = true; +``` + +Deve esserci almeno 1 router! 
+ +### Problema: Errore "Connection refused" + +ML Backend non risponde su porta 8000: +```bash +# Riavvia ML backend +sudo systemctl restart ids-ml-backend + +# Verifica porta listening +netstat -tlnp | grep 8000 +``` + +### Problema: Script non eseguito + +**Verifica timer attivo**: +```bash +systemctl status ids-auto-block.timer +``` + +**Forza esecuzione manuale**: +```bash +sudo systemctl start ids-auto-block.service +journalctl -u ids-auto-block -n 50 +``` + +--- + +## 🔄 Disinstallazione + +```bash +# Stop e disabilita timer +sudo systemctl stop ids-auto-block.timer +sudo systemctl disable ids-auto-block.timer + +# Rimuovi file systemd +sudo rm /etc/systemd/system/ids-auto-block.* + +# Ricarica systemd +sudo systemctl daemon-reload +``` + +--- + +## 📝 Note + +- **Frequenza**: 5 minuti (configurabile) +- **Risk Threshold**: 80 (solo IP critici) +- **Timeout**: 180 secondi (3 minuti max per detection) +- **Logs**: `/var/log/ids/auto_block.log` + journalctl +- **Dipendenze**: ids-ml-backend.service, postgresql-16.service + +--- + +## ✅ Checklist Post-Installazione + +- [ ] File copiati in `/etc/systemd/system/` +- [ ] Script `auto_block.py` eseguibile +- [ ] Dipendenza `requests` installata in venv +- [ ] Directory log creata (`/var/log/ids`) +- [ ] Timer abilitato e avviato +- [ ] Test manuale eseguito con successo +- [ ] IP bloccati su MikroTik verificati +- [ ] Monitoring attivo (journalctl -f) diff --git a/deployment/systemd/ids-auto-block.service b/deployment/systemd/ids-auto-block.service new file mode 100644 index 0000000..8d3fa25 --- /dev/null +++ b/deployment/systemd/ids-auto-block.service 
@@ -0,0 +1,30 @@
+[Unit]
+Description=IDS Auto-Blocking Service - Detect and Block Malicious IPs
+Documentation=https://github.com/yourusername/ids
+After=network.target ids-ml-backend.service postgresql-16.service
+Requires=ids-ml-backend.service
+
+[Service]
+Type=oneshot
+User=ids
+Group=ids
+WorkingDirectory=/opt/ids
+EnvironmentFile=/opt/ids/.env
+
+# Esegui script auto-blocking (usa venv Python)
+ExecStart=/opt/ids/python_ml/venv/bin/python3 /opt/ids/python_ml/auto_block.py
+
+# Logging
+StandardOutput=append:/var/log/ids/auto_block.log
+StandardError=append:/var/log/ids/auto_block.log
+SyslogIdentifier=ids-auto-block
+
+# Security
+NoNewPrivileges=true
+PrivateTmp=true
+
+# Timeout: max 3 minuti per detection+blocking
+TimeoutStartSec=180
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deployment/systemd/ids-auto-block.timer b/deployment/systemd/ids-auto-block.timer
new file mode 100644
index 0000000..613335b
--- /dev/null
+++ b/deployment/systemd/ids-auto-block.timer
@@ -0,0 +1,20 @@
+[Unit]
+Description=IDS Auto-Blocking Timer - Run every 5 minutes
+Documentation=https://github.com/yourusername/ids
+Requires=ids-auto-block.service
+
+[Timer]
+# Esegui 2 minuti dopo boot (per dare tempo a ML backend di avviarsi)
+OnBootSec=2min
+
+# Poi esegui ogni 5 minuti
+OnUnitActiveSec=5min
+
+# Precisione: ±1 secondo
+AccuracySec=1s
+
+# Esegui subito se il sistema era spento durante l'esecuzione programmata
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/python_ml/auto_block.py b/python_ml/auto_block.py
new file mode 100644
index 0000000..76f833d
--- /dev/null
+++ b/python_ml/auto_block.py
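Review bot: The `# Security` section stops at NoNewPrivileges and PrivateTmp, yet this unit loads `EnvironmentFile=/opt/ids/.env` (presumably holding database and router credentials) and only needs to reach the ML backend on localhost and append to /var/log/ids, so it can be confined much further: a read-only system, no home access, a single writable path for the log, and no device or capability access. The added directives below are the usual set for a oneshot like this; run `systemd-analyze security ids-auto-block.service` after applying them to confirm nothing the venv needs was cut off. Separately, `[Install] WantedBy=multi-user.target` on a timer-driven oneshot means a `systemctl enable ids-auto-block.service` would also fire it once at every boot before the timer's 2-minute delay; the setup doc only enables the timer, so the `[Install]` section on the service can be dropped.
```ini
# Security
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/log/ids
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
CapabilityBoundingSet=
# … unchanged: timeout …
```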
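Review bot: `Requires=ids-auto-block.service` in the timer's `[Unit]` section makes the service a dependency of the timer itself, so as far as I can tell from systemd's dependency semantics, `systemctl start ids-auto-block.timer` (and timers.target at boot) activates the service right away rather than after `OnBootSec=2min`, which defeats the comment on that line. A timer needs no Requires= on the unit it fires; remove that line and let the `[Timer]` section drive activation. `AccuracySec=1s` also replaces the default one-minute coalescing with an exact wake-up that a 5-minute blocking sweep does not need; the default is fine unless there is a reason for second-level precision.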
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+"""
+IDS Auto-Blocking Script
+Rileva e blocca automaticamente IP con risk_score >= 80
+Eseguito periodicamente da systemd timer (ogni 5 minuti)
+"""
+import requests
+import sys
+from datetime import datetime
+
+ML_API_URL = "http://localhost:8000"
+
+def auto_block():
+ """Esegue detection e blocking automatico degli IP critici"""
+ timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+ print(f"[{timestamp}] 🔍 Starting auto-block detection...")
+
+ try:
+ # Chiama endpoint ML /detect con auto_block=true
+ response = requests.post(
+ f"{ML_API_URL}/detect",
+ json={
+ "max_records": 5000, # Analizza ultimi 5000 log
+ "hours_back": 1.0, # Ultima ora
+ "risk_threshold": 80.0, # Solo IP critici (score >= 80)
+ "auto_block": True # BLOCCA AUTOMATICAMENTE
+ },
+ timeout=120 # 2 minuti timeout
+ )
+
+ if response.status_code == 200:
+ data = response.json()
+ detections = len(data.get("detections", []))
+ blocked = data.get("blocked", 0)
+
+ if blocked > 0:
+ print(f"✓ Detection completata: {detections} anomalie rilevate, {blocked} IP bloccati")
+ else:
+ print(f"✓ Detection completata: {detections} anomalie rilevate, nessun nuovo IP da bloccare")
+
+ return 0
+ else:
+ print(f"✗ API error: HTTP {response.status_code}")
+ print(f" Response: {response.text}")
+ return 1
+
+ except requests.exceptions.ConnectionError:
+ print("✗ ERRORE: ML Backend non raggiungibile su http://localhost:8000")
+ print(" Verifica che ids-ml-backend.service sia attivo:")
+ print(" sudo systemctl status ids-ml-backend")
+ return 1
+ except requests.exceptions.Timeout:
+ print("✗ ERRORE: Timeout dopo 120 secondi. Detection troppo lenta?")
+ return 1
+ except Exception as e:
+ print(f"✗ ERRORE imprevisto: {type(e).__name__}: {e}")
+ import traceback
+ traceback.print_exc()
+ return 1
+
+if __name__ == "__main__":
+ exit_code = auto_block()
+ sys.exit(exit_code)
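Review bot: `ML_API_URL` is hard-coded and the POST to `/detect` carries no credential, even though the service unit loads `/opt/ids/.env` into the environment; whatever access control the backend places on `/detect` (not visible here) cannot be satisfied from this script, and if it places none, `auto_block: True` is reachable by any local process that can open port 8000 — worth confirming on the backend side. Read the URL and an optional token from the environment as below, and reuse `ML_API_URL` in the ConnectionError message instead of repeating the literal, so the two cannot drift. The HTTP-error branch also writes `response.text` verbatim into /var/log/ids; cap it with `print(f" Response: {response.text[:500]}")` so a large or sensitive error body is not copied to disk. Since this fires every five minutes and passes no allowlist, make sure the backend exempts management and operator addresses before blocking — a single false positive at threshold 80 would lock the admin out of the MikroTik.
```python
import os
# … unchanged: other imports …

ML_API_URL = os.environ.get("ML_API_URL", "http://localhost:8000")
ML_API_TOKEN = os.environ.get("ML_API_TOKEN")  # header scheme must match what the backend expects

def auto_block():
    # … unchanged: timestamp banner …
    headers = {"Authorization": f"Bearer {ML_API_TOKEN}"} if ML_API_TOKEN else {}
    response = requests.post(
        f"{ML_API_URL}/detect",
        headers=headers,
        # … unchanged: json payload and timeout …
    )
    # … unchanged: response handling …
    except requests.exceptions.ConnectionError:
        print(f"✗ ERRORE: ML Backend non raggiungibile su {ML_API_URL}")
```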