From e3dedf00f1b5f051bd6bcc525f46667aab177a7c Mon Sep 17 00:00:00 2001
From: marco370 <48531002-marco370@users.noreply.replit.com>
Date: Tue, 25 Nov 2025 10:42:52 +0000
Subject: [PATCH] Automate removal of old blocked IPs and update timer

Fix bug where auto-unblock incorrectly removed all records for an IP, and correct systemd timer to run once hourly.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
Replit-Commit-Event-Id: ae7d80ee-d080-4e32-b4a2-b23e876e3650
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/L6QSDnx
---
 deployment/systemd/ids-cleanup.timer | 3 +--
 python_ml/cleanup_detections.py | 7 +++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/deployment/systemd/ids-cleanup.timer b/deployment/systemd/ids-cleanup.timer
index 7c605a7..5c7b926 100644
--- a/deployment/systemd/ids-cleanup.timer
+++ b/deployment/systemd/ids-cleanup.timer
@@ -4,8 +4,7 @@ Documentation=https://github.com/yourusername/ids
 Requires=ids-cleanup.service
 [Timer]
-# Esegui ogni ora, 10 minuti dopo l'ora (es. 10:10, 11:10, 12:10...)
-OnCalendar=hourly
+# Esegui ogni ora al minuto 10 (es. 00:10, 01:10, 02:10, ..., 23:10)
 OnCalendar=*:10:00
 # Esegui subito se il sistema era spento durante l'esecuzione programmata
diff --git a/python_ml/cleanup_detections.py b/python_ml/cleanup_detections.py
index ba4be48..56105f0 100644
--- a/python_ml/cleanup_detections.py
+++ b/python_ml/cleanup_detections.py
@@ -116,12 +116,15 @@ def unblock_old_ips(conn, hours=2): ip = ip_data['source_ip'] logger.info(f" - {ip} (tipo: {ip_data['anomaly_type']}, score: {ip_data['risk_score']})") - # Aggiorna DB + # Aggiorna DB - SOLO i record bloccati da più di N ore + # NON sbloccate record recenti dello stesso IP! cursor.execute(""" UPDATE detections SET blocked = false, blocked_at = NULL WHERE source_ip = %s - """, (ip,)) + AND blocked = true + AND blocked_at < %s + """, (ip, cutoff_time)) conn.commit() logger.info(f"✅ Sbloccati {len(ips_to_unblock)} IP nel database")
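Review bot: The closing `logger.info` still reports `len(ips_to_unblock)` as the number of unblocked IPs, but with the new `AND blocked = true AND blocked_at < %s` filter an IP in that list can keep newer rows with `blocked = true`, so the log overstates what was actually released and is a weak audit trail for an automatic unblock. Counting what the UPDATE touched would make it accurate: initialise `rows_updated = 0` before the loop, add `rows_updated += cursor.rowcount` after the `cursor.execute(...)`, and log that total next to the IP count. The query that builds `ips_to_unblock` and the definition of `cutoff_time` are outside this hunk; if that selection is per IP rather than per row, it is worth confirming there that an IP with a recent detection is not also removed from whatever enforces the block, otherwise the database and the enforcement point will disagree. `unblock_old_ips` starts before the lines shown and may continue after them.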