Add automatic IP blocking system to enhance security

Implement a systemd timer and Python script to periodically detect and automatically block malicious IP addresses based on risk scores, improving the application's security posture.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: 05ab2f73-e195-4de9-a183-cd4729713b92
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/31VdIyL

.replit

@@ -18,6 +18,10 @@ externalPort = 80
 localPort = 41303
 externalPort = 3002
 
+[[ports]]
+localPort = 43081
+externalPort = 4200
+
 [[ports]]
 localPort = 43471
 externalPort = 3003

deployment/AUTO_BLOCKING_SETUP.md

@@ -0,0 +1,260 @@
+# Auto-Blocking Setup - IDS MikroTik
+
+## 📋 Panoramica
+
+Sistema di auto-blocking automatico che rileva e blocca IP con **risk_score >= 80** ogni 5 minuti.
+
+**Componenti**:
+1. `python_ml/auto_block.py` - Script Python che chiama API ML
+2. `deployment/systemd/ids-auto-block.service` - Systemd service
+3. `deployment/systemd/ids-auto-block.timer` - Timer esecuzione ogni 5 minuti
+
+---
+
+## 🚀 Installazione su AlmaLinux
+
+### 1️⃣ Prerequisiti
+
+Verifica che questi servizi siano attivi:
+```bash
+sudo systemctl status ids-ml-backend    # ML Backend FastAPI
+sudo systemctl status postgresql-16     # Database PostgreSQL
+```
+
+### 2️⃣ Copia File Systemd
+
+```bash
+# Service file
+sudo cp /opt/ids/deployment/systemd/ids-auto-block.service /etc/systemd/system/
+
+# Timer file
+sudo cp /opt/ids/deployment/systemd/ids-auto-block.timer /etc/systemd/system/
+
+# Verifica permessi
+sudo chown root:root /etc/systemd/system/ids-auto-block.*
+sudo chmod 644 /etc/systemd/system/ids-auto-block.*
+```
+
+### 3️⃣ Rendi Eseguibile Script Python
+
+```bash
+chmod +x /opt/ids/python_ml/auto_block.py
+```
+
+### 4️⃣ Installa Dipendenza Python (requests)
+
+```bash
+# Attiva virtual environment
+cd /opt/ids/python_ml
+source venv/bin/activate
+
+# Installa requests
+pip install requests
+
+# Esci da venv
+deactivate
+```
+
+### 5️⃣ Crea Directory Log
+
+```bash
+sudo mkdir -p /var/log/ids
+sudo chown ids:ids /var/log/ids
+```
+
+### 6️⃣ Ricarica Systemd e Avvia Timer
+
+```bash
+# Ricarica systemd
+sudo systemctl daemon-reload
+
+# Abilita timer (autostart al boot)
+sudo systemctl enable ids-auto-block.timer
+
+# Avvia timer
+sudo systemctl start ids-auto-block.timer
+```
+
+---
+
+## ✅ Verifica Funzionamento
+
+### Test Manuale (esegui subito)
+
+```bash
+# Esegui auto-blocking adesso (non aspettare 5 min)
+sudo systemctl start ids-auto-block.service
+
+# Controlla log output
+journalctl -u ids-auto-block -n 30
+```
+
+**Output atteso**:
+```
+[2024-11-25 12:00:00] 🔍 Starting auto-block detection...
+✓ Detection completata: 14 anomalie rilevate, 14 IP bloccati
+```
+
+### Verifica Timer Attivo
+
+```bash
+# Status timer
+systemctl status ids-auto-block.timer
+
+# Prossime esecuzioni
+systemctl list-timers ids-auto-block.timer
+
+# Ultima esecuzione
+journalctl -u ids-auto-block.service -n 1
+```
+
+### Verifica IP Bloccati
+
+**Database**:
+```sql
+SELECT COUNT(*) FROM detections WHERE blocked = true;
+```
+
+**MikroTik Router**:
+```
+/ip firewall address-list print where list=blocked_ips
+```
+
+---
+
+## 📊 Monitoring
+
+### Log in Tempo Reale
+
+```bash
+# Log auto-blocking
+tail -f /var/log/ids/auto_block.log
+
+# O via journalctl
+journalctl -u ids-auto-block -f
+```
+
+### Statistiche Blocchi
+
+```bash
+# Conta esecuzioni ultimo giorno
+journalctl -u ids-auto-block --since "1 day ago" | grep "Detection completata" | wc -l
+
+# Totale IP bloccati oggi
+journalctl -u ids-auto-block --since today | grep "IP bloccati"
+```
+
+---
+
+## ⚙️ Configurazione
+
+### Modifica Frequenza Esecuzione
+
+Edita `/etc/systemd/system/ids-auto-block.timer`:
+
+```ini
+[Timer]
+# Cambia 5min con frequenza desiderata (es: 10min, 1h, 30s)
+OnUnitActiveSec=10min  # Esegui ogni 10 minuti
+```
+
+Poi ricarica:
+```bash
+sudo systemctl daemon-reload
+sudo systemctl restart ids-auto-block.timer
+```
+
+### Modifica Threshold Risk Score
+
+Edita `python_ml/auto_block.py`:
+
+```python
+"risk_threshold": 80.0,  # Cambia soglia (80, 90, 100, etc)
+```
+
+Poi riavvia timer:
+```bash
+sudo systemctl restart ids-auto-block.timer
+```
+
+---
+
+## 🛠️ Troubleshooting
+
+### Problema: Nessun IP bloccato
+
+**Verifica ML Backend attivo**:
+```bash
+systemctl status ids-ml-backend
+curl http://localhost:8000/health
+```
+
+**Verifica router configurati**:
+```sql
+SELECT * FROM routers WHERE enabled = true;
+```
+
+Deve esserci almeno 1 router!
+
+### Problema: Errore "Connection refused"
+
+ML Backend non risponde su porta 8000:
+```bash
+# Riavvia ML backend
+sudo systemctl restart ids-ml-backend
+
+# Verifica porta listening
+netstat -tlnp | grep 8000
+```
+
+### Problema: Script non eseguito
+
+**Verifica timer attivo**:
+```bash
+systemctl status ids-auto-block.timer
+```
+
+**Forza esecuzione manuale**:
+```bash
+sudo systemctl start ids-auto-block.service
+journalctl -u ids-auto-block -n 50
+```
+
+---
+
+## 🔄 Disinstallazione
+
+```bash
+# Stop e disabilita timer
+sudo systemctl stop ids-auto-block.timer
+sudo systemctl disable ids-auto-block.timer
+
+# Rimuovi file systemd
+sudo rm /etc/systemd/system/ids-auto-block.*
+
+# Ricarica systemd
+sudo systemctl daemon-reload
+```
+
+---
+
+## 📝 Note
+
+- **Frequenza**: 5 minuti (configurabile)
+- **Risk Threshold**: 80 (solo IP critici)
+- **Timeout**: 180 secondi (3 minuti max per detection)
+- **Logs**: `/var/log/ids/auto_block.log` + journalctl
+- **Dipendenze**: ids-ml-backend.service, postgresql-16.service
+
+---
+
+## ✅ Checklist Post-Installazione
+
+- [ ] File copiati in `/etc/systemd/system/`
+- [ ] Script `auto_block.py` eseguibile
+- [ ] Dipendenza `requests` installata in venv
+- [ ] Directory log creata (`/var/log/ids`)
+- [ ] Timer abilitato e avviato
+- [ ] Test manuale eseguito con successo
+- [ ] IP bloccati su MikroTik verificati
+- [ ] Monitoring attivo (journalctl -f)

deployment/systemd/ids-auto-block.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=IDS Auto-Blocking Service - Detect and Block Malicious IPs
+Documentation=https://github.com/yourusername/ids
+After=network.target ids-ml-backend.service postgresql-16.service
+Requires=ids-ml-backend.service
+
+[Service]
+Type=oneshot
+User=ids
+Group=ids
+WorkingDirectory=/opt/ids
+EnvironmentFile=/opt/ids/.env
+
+# Esegui script auto-blocking (usa venv Python)
+ExecStart=/opt/ids/python_ml/venv/bin/python3 /opt/ids/python_ml/auto_block.py
+
+# Logging
+StandardOutput=append:/var/log/ids/auto_block.log
+StandardError=append:/var/log/ids/auto_block.log
+SyslogIdentifier=ids-auto-block
+
+# Security
+NoNewPrivileges=true
+PrivateTmp=true
+
+# Timeout: max 3 minuti per detection+blocking
+TimeoutStartSec=180
+
+[Install]
+WantedBy=multi-user.target

deployment/systemd/ids-auto-block.timer

@@ -0,0 +1,20 @@
+[Unit]
+Description=IDS Auto-Blocking Timer - Run every 5 minutes
+Documentation=https://github.com/yourusername/ids
+Requires=ids-auto-block.service
+
+[Timer]
+# Esegui 2 minuti dopo boot (per dare tempo a ML backend di avviarsi)
+OnBootSec=2min
+
+# Poi esegui ogni 5 minuti
+OnUnitActiveSec=5min
+
+# Precisione: ±1 secondo
+AccuracySec=1s
+
+# Esegui subito se il sistema era spento durante l'esecuzione programmata
+Persistent=true
+
+[Install]
+WantedBy=timers.target

python_ml/auto_block.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+"""
+IDS Auto-Blocking Script
+Rileva e blocca automaticamente IP con risk_score >= 80
+Eseguito periodicamente da systemd timer (ogni 5 minuti)
+"""
+import requests
+import sys
+from datetime import datetime
+
+ML_API_URL = "http://localhost:8000"
+
+def auto_block():
+    """Esegue detection e blocking automatico degli IP critici"""
+    timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+    print(f"[{timestamp}] 🔍 Starting auto-block detection...")
+    
+    try:
+        # Chiama endpoint ML /detect con auto_block=true
+        response = requests.post(
+            f"{ML_API_URL}/detect",
+            json={
+                "max_records": 5000,        # Analizza ultimi 5000 log
+                "hours_back": 1.0,          # Ultima ora
+                "risk_threshold": 80.0,     # Solo IP critici (score >= 80)
+                "auto_block": True          # BLOCCA AUTOMATICAMENTE
+            },
+            timeout=120  # 2 minuti timeout
+        )
+        
+        if response.status_code == 200:
+            data = response.json()
+            detections = len(data.get("detections", []))
+            blocked = data.get("blocked", 0)
+            
+            if blocked > 0:
+                print(f"✓ Detection completata: {detections} anomalie rilevate, {blocked} IP bloccati")
+            else:
+                print(f"✓ Detection completata: {detections} anomalie rilevate, nessun nuovo IP da bloccare")
+            
+            return 0
+        else:
+            print(f"✗ API error: HTTP {response.status_code}")
+            print(f"   Response: {response.text}")
+            return 1
+            
+    except requests.exceptions.ConnectionError:
+        print("✗ ERRORE: ML Backend non raggiungibile su http://localhost:8000")
+        print("   Verifica che ids-ml-backend.service sia attivo:")
+        print("   sudo systemctl status ids-ml-backend")
+        return 1
+    except requests.exceptions.Timeout:
+        print("✗ ERRORE: Timeout dopo 120 secondi. Detection troppo lenta?")
+        return 1
+    except Exception as e:
+        print(f"✗ ERRORE imprevisto: {type(e).__name__}: {e}")
+        import traceback
+        traceback.print_exc()
+        return 1
+
+if __name__ == "__main__":
+    exit_code = auto_block()
+    sys.exit(exit_code)