Improve IP blocking by separating detection and blocking steps

Refactor auto_block.py to call the Node.js backend for blocking critical IPs and adjust the auto-block service configuration. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528 Replit-Commit-Checkpoint-Type: full_checkpoint Replit-Commit-Event-Id: aef8a3be-adf0-4bdc-942f-3e7b19be7d72 Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/4aeldgV
2026-02-16 15:04:35 +00:00 · 2026-02-16 15:04:35 +00:00 · a7967260b1
commit a7967260b1
parent 59416f0fe3
3 changed files with 137 additions and 28 deletions
--- a/attached_assets/Pasted-journalctl-u-ids-analytics-aggregator-timer-f-Feb-16-12_1771254164972.txt
+++ b/attached_assets/Pasted-journalctl-u-ids-analytics-aggregator-timer-f-Feb-16-12_1771254164972.txt
@ -0,0 +1,77 @@
 journalctl -u ids-analytics-aggregator.timer -f
 Feb 16 12:18:50 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
 Feb 16 12:40:08 ids.alfacom.it systemd[1]: ids-analytics-aggregator.timer: Deactivated successfully.
 Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
 Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
 Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
 ^C
 [root@ids ids]# systemctl status ids-ml-backend
 ● ids-ml-backend.service - IDS ML Backend (FastAPI)
     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
     Active: active (running) since Mon 2026-02-16 15:51:26 CET; 9min ago
   Main PID: 13099 (python3)
      Tasks: 26 (limit: 100409)
     Memory: 402.9M (max: 2.0G available: 1.6G)
        CPU: 15.905s
     CGroup: /system.slice/ids-ml-backend.service
             └─13099 /opt/ids/python_ml/venv/bin/python3 main.py
 Feb 16 15:51:26 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
 [root@ids ids]# cat /var/log/ids/backend.log | tail -20
 [Mon Feb 16 15:40:04 CET 2026] Backend riavviato con PID: 12165
 INFO:     Started server process [12165]
 INFO:     Waiting for application startup.
 INFO:     Application startup complete.
 ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
 INFO:     Waiting for application shutdown.
 INFO:     Application shutdown complete.
 [WARNING] Extended Isolation Forest not available, using standard IF
 [ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
 [HYBRID] Ensemble classifier loaded
 [HYBRID] Models loaded (version: latest)
 [HYBRID] Selected features: 18/25
 [HYBRID] Mode: Hybrid (IF + Ensemble)
 [ML] ✓ Hybrid detector models loaded and ready
  Starting IDS API on http://0.0.0.0:8000
  Docs available at http://0.0.0.0:8000/docs
 [Mon Feb 16 15:45:01 CET 2026] Backend Python NON attivo, riavvio via systemctl...
 [Mon Feb 16 15:45:04 CET 2026] ERRORE: Backend non si è avviato. Controlla: journalctl -u ids-ml-backend
 [Mon Feb 16 15:50:01 CET 2026] Backend Python NON attivo, riavvio via systemctl...
 [Mon Feb 16 15:50:04 CET 2026] ERRORE: Backend non si è avviato. Controlla: journalctl -u ids-ml-backend
 [root@ids ids]# systemctl status ids-auto-block
 journalctl -u ids-auto-block --no-pager | tail -20
 × ids-auto-block.service - IDS Auto-Blocking Service - Detect and Block Malicious IPs
     Loaded: loaded (/etc/systemd/system/ids-auto-block.service; disabled; preset: disabled)
     Active: failed (Result: signal) since Mon 2026-02-16 12:47:58 CET; 3h 13min ago
 TriggeredBy: ○ ids-auto-block.timer
       Docs: https://github.com/yourusername/ids
   Main PID: 2896 (code=killed, signal=TERM)
        CPU: 155ms
 Feb 16 12:46:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
 Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=killed, status=15/TERM
 Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'signal'.
 Feb 16 12:47:58 ids.alfacom.it systemd[1]: Stopped IDS Auto-Blocking Service - Detect and Block Malicious IPs.
 Feb 16 12:38:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
 Feb 16 12:40:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
 Feb 16 12:40:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
 Feb 16 12:40:46 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
 Feb 16 12:40:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
 Feb 16 12:42:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
 Feb 16 12:42:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
 Feb 16 12:42:46 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
 Feb 16 12:42:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
 Feb 16 12:44:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
 Feb 16 12:44:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
 Feb 16 12:44:47 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
 Feb 16 12:44:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
 Feb 16 12:46:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
 Feb 16 12:46:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
 Feb 16 12:46:47 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
 Feb 16 12:46:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
 Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=killed, status=15/TERM
 Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'signal'.
 Feb 16 12:47:58 ids.alfacom.it systemd[1]: Stopped IDS Auto-Blocking Service - Detect and Block Malicious IPs.
 [root@ids ids]# curl -X POST http://localhost:5000/api/ml/block-all-critical \
  -H "Content-Type: application/json" \
  -d '{"min_score": 80, "limit": 200}'
--- a/deployment/systemd/ids-auto-block.service
+++ b/deployment/systemd/ids-auto-block.service
@ -1,8 +1,7 @@
 [Unit]
 Description=IDS Auto-Blocking Service - Detect and Block Malicious IPs
-Documentation=https://github.com/yourusername/ids
+After=network.target postgresql-16.service
-After=network.target ids-ml-backend.service postgresql-16.service
+Wants=ids-ml-backend.service
 Requires=ids-ml-backend.service
 [Service]
 Type=oneshot
@ -23,8 +22,8 @@ SyslogIdentifier=ids-auto-block
 NoNewPrivileges=true
 PrivateTmp=true
-# Timeout: max 3 minuti per detection+blocking
+# Timeout: max 5 minuti per detection+blocking
-TimeoutStartSec=180
+TimeoutStartSec=300
 [Install]
 WantedBy=multi-user.target
--- a/python_ml/auto_block.py
+++ b/python_ml/auto_block.py
@ -3,59 +3,92 @@
 IDS Auto-Blocking Script
 Rileva e blocca automaticamente IP con risk_score >= 80
 Eseguito periodicamente da systemd timer (ogni 5 minuti)
 Flusso:
 1. Chiama Node.js /api/ml/detect per eseguire detection ML
 2. Chiama Node.js /api/ml/block-all-critical per bloccare IP critici sui router
 """
 import requests
 import sys
 from datetime import datetime
 NODE_API_URL = "http://localhost:5000"
 ML_API_URL = "http://localhost:8000"
 def auto_block():
    """Esegue detection e blocking automatico degli IP critici"""
    timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
-    print(f"[{timestamp}] 🔍 Starting auto-block detection...")
+    print(f"[{timestamp}] Starting auto-block cycle...")
    # Step 1: Esegui detection via ML Backend (se disponibile)
    try:
-        # Chiama endpoint ML /detect con auto_block=true
+        print(f"[{timestamp}] Step 1: Detection ML...")
        response = requests.post(
            f"{ML_API_URL}/detect",
            json={
-                "max_records": 5000,        # Analizza ultimi 5000 log
+                "max_records": 50000,
-                "hours_back": 1.0,          # Ultima ora
+                "hours_back": 1.0,
-                "risk_threshold": 80.0,     # Solo IP critici (score >= 80)
+                "risk_threshold": 75.0,
-                "auto_block": True          # BLOCCA AUTOMATICAMENTE
+                "auto_block": False
            },
-            timeout=120  # 2 minuti timeout
+            timeout=120
        )
        if response.status_code == 200:
            data = response.json()
            detections = len(data.get("detections", []))
            print(f"[{timestamp}] Detection completata: {detections} anomalie rilevate")
        else:
            print(f"[{timestamp}] Detection API error: HTTP {response.status_code}")
    except requests.exceptions.ConnectionError:
        print(f"[{timestamp}] ML Backend non raggiungibile, skip detection (blocco IP esistenti continua)")
    except requests.exceptions.Timeout:
        print(f"[{timestamp}] ML Detection timeout, skip (blocco IP esistenti continua)")
    except Exception as e:
        print(f"[{timestamp}] Detection error: {e}")
    # Step 2: Blocca IP critici (score >= 80) via Node.js
    try:
        print(f"[{timestamp}] Step 2: Blocco IP critici sui router...")
        response = requests.post(
            f"{NODE_API_URL}/api/ml/block-all-critical",
            json={
                "min_score": 80,
                "limit": 200,
                "list_name": "ddos_blocked"
            },
            timeout=120
        )
        if response.status_code == 200:
            data = response.json()
            blocked = data.get("blocked", 0)
            failed = data.get("failed", 0)
            skipped = data.get("skipped", 0)
            remaining = data.get("remaining", 0)
            if blocked > 0:
-                print(f"✓ Detection completata: {detections} anomalie rilevate, {blocked} IP bloccati")
+                print(f"[{timestamp}] {blocked} IP bloccati sui router, {failed} falliti, {skipped} gia' bloccati")
            else:
-                print(f"✓ Detection completata: {detections} anomalie rilevate, nessun nuovo IP da bloccare")
+                print(f"[{timestamp}] Nessun nuovo IP da bloccare ({skipped} gia' bloccati)")
            if remaining > 0:
                print(f"[{timestamp}] Rimangono {remaining} IP critici da bloccare")
            return 0
        else:
-            print(f"✗ API error: HTTP {response.status_code}")
+            print(f"[{timestamp}] Block API error: HTTP {response.status_code} - {response.text[:200]}")
            print(f"   Response: {response.text}")
            return 1
    except requests.exceptions.ConnectionError:
-        print("✗ ERRORE: ML Backend non raggiungibile su http://localhost:8000")
+        print(f"[{timestamp}] ERRORE: Node.js backend non raggiungibile su {NODE_API_URL}")
        print("   Verifica che ids-ml-backend.service sia attivo:")
        print("   sudo systemctl status ids-ml-backend")
        return 1
    except requests.exceptions.Timeout:
-        print("✗ ERRORE: Timeout dopo 120 secondi. Detection troppo lenta?")
+        print(f"[{timestamp}] ERRORE: Timeout blocco IP (120s)")
        return 1
    except Exception as e:
-        print(f"✗ ERRORE imprevisto: {type(e).__name__}: {e}")
+        print(f"[{timestamp}] ERRORE imprevisto: {type(e).__name__}: {e}")
        import traceback
        traceback.print_exc()
        return 1
 if __name__ == "__main__":