From a7967260b14efa277716b24a3d3b966eadea3a2b Mon Sep 17 00:00:00 2001
From: marco370 <48531002-marco370@users.noreply.replit.com>
Date: Mon, 16 Feb 2026 15:04:35 +0000
Subject: [PATCH] Improve IP blocking by separating detection and blocking steps
Refactor auto_block.py to call the Node.js backend for blocking critical IPs and adjust the auto-block service configuration.
Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: aef8a3be-adf0-4bdc-942f-3e7b19be7d72
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/4aeldgV
---
...egator-timer-f-Feb-16-12_1771254164972.txt | 77 ++++++++++++++++++
deployment/systemd/ids-auto-block.service | 9 +--
python_ml/auto_block.py | 79 +++++++++++++------
3 files changed, 137 insertions(+), 28 deletions(-)
create mode 100644 attached_assets/Pasted-journalctl-u-ids-analytics-aggregator-timer-f-Feb-16-12_1771254164972.txt
diff --git a/attached_assets/Pasted-journalctl-u-ids-analytics-aggregator-timer-f-Feb-16-12_1771254164972.txt b/attached_assets/Pasted-journalctl-u-ids-analytics-aggregator-timer-f-Feb-16-12_1771254164972.txt
new file mode 100644
index 0000000..5767725
--- /dev/null
+++ b/attached_assets/Pasted-journalctl-u-ids-analytics-aggregator-timer-f-Feb-16-12_1771254164972.txt
@@ -0,0 +1,77 @@
+journalctl -u ids-analytics-aggregator.timer -f
+Feb 16 12:18:50 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
+Feb 16 12:40:08 ids.alfacom.it systemd[1]: ids-analytics-aggregator.timer: Deactivated successfully.
+Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
+Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
+Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
+^C
+[root@ids ids]# systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+ Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+ Active: active (running) since Mon 2026-02-16 15:51:26 CET; 9min ago
+ Main PID: 13099 (python3)
+ Tasks: 26 (limit: 100409)
+ Memory: 402.9M (max: 2.0G available: 1.6G)
+ CPU: 15.905s
+ CGroup: /system.slice/ids-ml-backend.service
+ └─13099 /opt/ids/python_ml/venv/bin/python3 main.py
+
+Feb 16 15:51:26 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
+[root@ids ids]# cat /var/log/ids/backend.log | tail -20
+[Mon Feb 16 15:40:04 CET 2026] Backend riavviato con PID: 12165
+INFO: Started server process [12165]
+INFO: Waiting for application startup.
+INFO: Application startup complete.
+ERROR: [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO: Waiting for application shutdown.
+INFO: Application shutdown complete.
+[WARNING] Extended Isolation Forest not available, using standard IF
+[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
+[HYBRID] Ensemble classifier loaded
+[HYBRID] Models loaded (version: latest)
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+ Starting IDS API on http://0.0.0.0:8000
+ Docs available at http://0.0.0.0:8000/docs
+[Mon Feb 16 15:45:01 CET 2026] Backend Python NON attivo, riavvio via systemctl...
+[Mon Feb 16 15:45:04 CET 2026] ERRORE: Backend non si è avviato. Controlla: journalctl -u ids-ml-backend
+[Mon Feb 16 15:50:01 CET 2026] Backend Python NON attivo, riavvio via systemctl...
+[Mon Feb 16 15:50:04 CET 2026] ERRORE: Backend non si è avviato. Controlla: journalctl -u ids-ml-backend
+[root@ids ids]# systemctl status ids-auto-block
+journalctl -u ids-auto-block --no-pager | tail -20
+× ids-auto-block.service - IDS Auto-Blocking Service - Detect and Block Malicious IPs
+ Loaded: loaded (/etc/systemd/system/ids-auto-block.service; disabled; preset: disabled)
+ Active: failed (Result: signal) since Mon 2026-02-16 12:47:58 CET; 3h 13min ago
+TriggeredBy: ○ ids-auto-block.timer
+ Docs: https://github.com/yourusername/ids
+ Main PID: 2896 (code=killed, signal=TERM)
+ CPU: 155ms
+
+Feb 16 12:46:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
+Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=killed, status=15/TERM
+Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'signal'.
+Feb 16 12:47:58 ids.alfacom.it systemd[1]: Stopped IDS Auto-Blocking Service - Detect and Block Malicious IPs.
+Feb 16 12:38:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
+Feb 16 12:40:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
+Feb 16 12:40:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
+Feb 16 12:40:46 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
+Feb 16 12:40:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
+Feb 16 12:42:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
+Feb 16 12:42:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
+Feb 16 12:42:46 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
+Feb 16 12:42:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
+Feb 16 12:44:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
+Feb 16 12:44:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
+Feb 16 12:44:47 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
+Feb 16 12:44:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
+Feb 16 12:46:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
+Feb 16 12:46:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
+Feb 16 12:46:47 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
+Feb 16 12:46:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
+Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=killed, status=15/TERM
+Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'signal'.
+Feb 16 12:47:58 ids.alfacom.it systemd[1]: Stopped IDS Auto-Blocking Service - Detect and Block Malicious IPs.
+[root@ids ids]# curl -X POST http://localhost:5000/api/ml/block-all-critical \
+ -H "Content-Type: application/json" \
+ -d '{"min_score": 80, "limit": 200}'
diff --git a/deployment/systemd/ids-auto-block.service b/deployment/systemd/ids-auto-block.service
index 8d3fa25..d6bc7e5 100644
--- a/deployment/systemd/ids-auto-block.service
+++ b/deployment/systemd/ids-auto-block.service
@@ -1,8 +1,7 @@
 [Unit]
 Description=IDS Auto-Blocking Service - Detect and Block Malicious IPs
-Documentation=https://github.com/yourusername/ids
-After=network.target ids-ml-backend.service postgresql-16.service
-Requires=ids-ml-backend.service
+After=network.target postgresql-16.service
+Wants=ids-ml-backend.service
 
 [Service]
 Type=oneshot
@@ -23,8 +22,8 @@ SyslogIdentifier=ids-auto-block
 NoNewPrivileges=true
 PrivateTmp=true
 
-# Timeout: max 3 minuti per detection+blocking
-TimeoutStartSec=180
+# Timeout: max 5 minuti per detection+blocking
+TimeoutStartSec=300
 
 [Install]
 WantedBy=multi-user.target
diff --git a/python_ml/auto_block.py b/python_ml/auto_block.py
index 76f833d..f496ea2 100644
--- a/python_ml/auto_block.py
+++ b/python_ml/auto_block.py
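Review bot: The new file is a raw terminal capture — root prompt, the internal hostname `ids.alfacom.it`, unit paths, PIDs and the backend's bind error — not source, and committing it publishes deployment details to everyone with repository access while going stale immediately. Keep such pastes out of version control (drop `attached_assets/` from the commit or add it to `.gitignore`) and summarise the few lines that motivated the change in the commit message instead.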
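Review bot: Removing `ids-ml-backend.service` from `After=` while keeping it under `Wants=` drops the start ordering: `Wants=` only pulls the unit in, it does not wait for it, so on boot or a joint restart step 1 of auto_block.py can reach the ML backend before it listens and fall into its skip-detection branch. If the dependency is meant to be soft, keep the ordering alongside it: `After=network.target ids-ml-backend.service postgresql-16.service` with `Wants=ids-ml-backend.service`. In the second hunk, `TimeoutStartSec=300` leaves 60 s of headroom over the script's two `timeout=120` requests, but requests applies a scalar timeout to the connect and read phases separately, so a slow backend can push a single step past 120 s; either bound the total with `(connect, read)` tuples in the script or state in the comment what the 300 s budget assumes.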
@@ -3,59 +3,92 @@ IDS Auto-Blocking Script Rileva e blocca automaticamente IP con risk_score >= 80 Eseguito periodicamente da systemd timer (ogni 5 minuti) + +Flusso: +1. Chiama Node.js /api/ml/detect per eseguire detection ML +2. Chiama Node.js /api/ml/block-all-critical per bloccare IP critici sui router """ import requests import sys from datetime import datetime +NODE_API_URL = "http://localhost:5000" ML_API_URL = "http://localhost:8000" def auto_block(): """Esegue detection e blocking automatico degli IP critici""" timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S") - print(f"[{timestamp}] 🔍 Starting auto-block detection...") - + print(f"[{timestamp}] Starting auto-block cycle...") + + # Step 1: Esegui detection via ML Backend (se disponibile) try: - # Chiama endpoint ML /detect con auto_block=true + print(f"[{timestamp}] Step 1: Detection ML...") response = requests.post( f"{ML_API_URL}/detect", json={ - "max_records": 5000, # Analizza ultimi 5000 log - "hours_back": 1.0, # Ultima ora - "risk_threshold": 80.0, # Solo IP critici (score >= 80) - "auto_block": True # BLOCCA AUTOMATICAMENTE + "max_records": 50000, + "hours_back": 1.0, + "risk_threshold": 75.0, + "auto_block": False }, - timeout=120 # 2 minuti timeout + timeout=120 ) - + if response.status_code == 200: data = response.json() detections = len(data.get("detections", [])) + print(f"[{timestamp}] Detection completata: {detections} anomalie rilevate") + else: + print(f"[{timestamp}] Detection API error: HTTP {response.status_code}") + + except requests.exceptions.ConnectionError: + print(f"[{timestamp}] ML Backend non raggiungibile, skip detection (blocco IP esistenti continua)") + except requests.exceptions.Timeout: + print(f"[{timestamp}] ML Detection timeout, skip (blocco IP esistenti continua)") + except Exception as e: + print(f"[{timestamp}] Detection error: {e}") + + # Step 2: Blocca IP critici (score >= 80) via Node.js + try: + print(f"[{timestamp}] Step 2: Blocco IP critici sui 
router...") + response = requests.post( + f"{NODE_API_URL}/api/ml/block-all-critical", + json={ + "min_score": 80, + "limit": 200, + "list_name": "ddos_blocked" + }, + timeout=120 + ) + + if response.status_code == 200: + data = response.json() blocked = data.get("blocked", 0) - + failed = data.get("failed", 0) + skipped = data.get("skipped", 0) + remaining = data.get("remaining", 0) + if blocked > 0: - print(f"✓ Detection completata: {detections} anomalie rilevate, {blocked} IP bloccati") + print(f"[{timestamp}] {blocked} IP bloccati sui router, {failed} falliti, {skipped} gia' bloccati") else: - print(f"✓ Detection completata: {detections} anomalie rilevate, nessun nuovo IP da bloccare") - + print(f"[{timestamp}] Nessun nuovo IP da bloccare ({skipped} gia' bloccati)") + + if remaining > 0: + print(f"[{timestamp}] Rimangono {remaining} IP critici da bloccare") + return 0 else: - print(f"✗ API error: HTTP {response.status_code}") - print(f" Response: {response.text}") + print(f"[{timestamp}] Block API error: HTTP {response.status_code} - {response.text[:200]}") return 1 - + except requests.exceptions.ConnectionError: - print("✗ ERRORE: ML Backend non raggiungibile su http://localhost:8000") - print(" Verifica che ids-ml-backend.service sia attivo:") - print(" sudo systemctl status ids-ml-backend") + print(f"[{timestamp}] ERRORE: Node.js backend non raggiungibile su {NODE_API_URL}") return 1 except requests.exceptions.Timeout: - print("✗ ERRORE: Timeout dopo 120 secondi. Detection troppo lenta?") + print(f"[{timestamp}] ERRORE: Timeout blocco IP (120s)") return 1 except Exception as e: - print(f"✗ ERRORE imprevisto: {type(e).__name__}: {e}") - import traceback - traceback.print_exc() + print(f"[{timestamp}] ERRORE imprevisto: {type(e).__name__}: {e}") return 1 if __name__ == "__main__":
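Review bot: Step 1 turns every detection failure into a printed line and the cycle still returns 0, so a run in which the ML backend has been down for hours (the pasted journal shows the backend failing to restart at 15:45 and 15:50) looks to systemd and the timer identical to a healthy one. Keep the soft-fail but record it: set `detection_ok = True` before the first `try`, `detection_ok = False` in each of the three step-1 `except` branches, and print it in the success path before `return 0`, e.g. `print(f"[{timestamp}] Ciclo completato, detection {'ok' if detection_ok else 'SALTATA'}")`, so log-based alerting has a stable string to match. The module docstring still says IPs with `risk_score >= 80` are detected while step 1 now sends `"risk_threshold": 75.0` and only step 2 applies `"min_score": 80`; a short comment beside `risk_threshold` explaining why detection is recorded from 75 but blocking starts at 80 would keep a later reader from aligning one to the other. The block-all-critical POST carries no credentials; if the Node endpoint is reachable without a token (the curl in the pasted log sends none), any local process can trigger bulk router blocking, so a service token read from the unit's environment is worth considering. The `__main__` guard's body lies outside the hunk.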