diff --git a/deployment/systemd/ids-cleanup.timer b/deployment/systemd/ids-cleanup.timer
index 7c605a7..5c7b926 100644
--- a/deployment/systemd/ids-cleanup.timer
+++ b/deployment/systemd/ids-cleanup.timer
@@ -4,8 +4,7 @@ Documentation=https://github.com/yourusername/ids
 Requires=ids-cleanup.service
 [Timer]
-# Esegui ogni ora, 10 minuti dopo l'ora (es. 10:10, 11:10, 12:10...)
-OnCalendar=hourly
+# Esegui ogni ora al minuto 10 (es. 00:10, 01:10, 02:10, ..., 23:10)
 OnCalendar=*:10:00
 # Esegui subito se il sistema era spento durante l'esecuzione programmata
diff --git a/python_ml/cleanup_detections.py b/python_ml/cleanup_detections.py
index ba4be48..56105f0 100644
--- a/python_ml/cleanup_detections.py
+++ b/python_ml/cleanup_detections.py
@@ -116,12 +116,15 @@ def unblock_old_ips(conn, hours=2):
 ip = ip_data['source_ip']
 logger.info(f" - {ip} (tipo: {ip_data['anomaly_type']}, score: {ip_data['risk_score']})")
- # Aggiorna DB
+ # Aggiorna DB - SOLO i record bloccati da più di N ore
+ # NON sbloccate record recenti dello stesso IP!
 cursor.execute("""
 UPDATE detections
 SET blocked = false, blocked_at = NULL
 WHERE source_ip = %s
- """, (ip,))
+ AND blocked = true
+ AND blocked_at < %s
+ """, (ip, cutoff_time))
 conn.commit()
 logger.info(f"✅ Sbloccati {len(ips_to_unblock)} IP nel database")
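Review bot: The success log at the end of this hunk still reports `len(ips_to_unblock)`, but with the added `AND blocked = true` / `AND blocked_at < %s` filter an IP in that list can now match zero rows or keep a newer row blocked, so the logged count no longer reflects what was actually changed. Accumulating `cursor.rowcount` after each `execute` (for example `updated += cursor.rowcount`) and logging that value would keep the audit trail accurate. `cutoff_time` and the query that builds `ips_to_unblock` are defined outside the hunk; it is worth confirming that both use the same cutoff and the same timezone convention as `blocked_at`. If the firewall-side removal elsewhere is keyed on this IP list, it should also skip addresses whose recent row stays `blocked = true`, otherwise the database and the enforced block would disagree. The body of `unblock_old_ips` starts and ends outside the hunk.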