Compare commits


No commits in common. "b18e0a51e1e4e139c68578b2d4c96eeb56c4a63d" and "85db2b1483a17e90c303b9e382ff37faa06c80dc" have entirely different histories.

6 changed files with 38 additions and 204 deletions


@ -1,77 +0,0 @@
journalctl -u ids-analytics-aggregator.timer -f
Feb 16 12:18:50 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
Feb 16 12:40:08 ids.alfacom.it systemd[1]: ids-analytics-aggregator.timer: Deactivated successfully.
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
^C
[root@ids ids]# systemctl status ids-ml-backend
● ids-ml-backend.service - IDS ML Backend (FastAPI)
Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
Active: active (running) since Mon 2026-02-16 15:51:26 CET; 9min ago
Main PID: 13099 (python3)
Tasks: 26 (limit: 100409)
Memory: 402.9M (max: 2.0G available: 1.6G)
CPU: 15.905s
CGroup: /system.slice/ids-ml-backend.service
└─13099 /opt/ids/python_ml/venv/bin/python3 main.py
Feb 16 15:51:26 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
[root@ids ids]# cat /var/log/ids/backend.log | tail -20
[Mon Feb 16 15:40:04 CET 2026] Backend riavviato con PID: 12165
INFO: Started server process [12165]
INFO: Waiting for application startup.
INFO: Application startup complete.
ERROR: [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
INFO: Waiting for application shutdown.
INFO: Application shutdown complete.
[WARNING] Extended Isolation Forest not available, using standard IF
[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
[HYBRID] Ensemble classifier loaded
[HYBRID] Models loaded (version: latest)
[HYBRID] Selected features: 18/25
[HYBRID] Mode: Hybrid (IF + Ensemble)
[ML] ✓ Hybrid detector models loaded and ready
 Starting IDS API on http://0.0.0.0:8000
 Docs available at http://0.0.0.0:8000/docs
[Mon Feb 16 15:45:01 CET 2026] Backend Python NON attivo, riavvio via systemctl...
[Mon Feb 16 15:45:04 CET 2026] ERRORE: Backend non si è avviato. Controlla: journalctl -u ids-ml-backend
[Mon Feb 16 15:50:01 CET 2026] Backend Python NON attivo, riavvio via systemctl...
[Mon Feb 16 15:50:04 CET 2026] ERRORE: Backend non si è avviato. Controlla: journalctl -u ids-ml-backend
[root@ids ids]# systemctl status ids-auto-block
journalctl -u ids-auto-block --no-pager | tail -20
× ids-auto-block.service - IDS Auto-Blocking Service - Detect and Block Malicious IPs
Loaded: loaded (/etc/systemd/system/ids-auto-block.service; disabled; preset: disabled)
Active: failed (Result: signal) since Mon 2026-02-16 12:47:58 CET; 3h 13min ago
TriggeredBy: ○ ids-auto-block.timer
Docs: https://github.com/yourusername/ids
Main PID: 2896 (code=killed, signal=TERM)
CPU: 155ms
Feb 16 12:46:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=killed, status=15/TERM
Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'signal'.
Feb 16 12:47:58 ids.alfacom.it systemd[1]: Stopped IDS Auto-Blocking Service - Detect and Block Malicious IPs.
Feb 16 12:38:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:40:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 12:40:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
Feb 16 12:40:46 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
Feb 16 12:40:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:42:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 12:42:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
Feb 16 12:42:46 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
Feb 16 12:42:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:44:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 12:44:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
Feb 16 12:44:47 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
Feb 16 12:44:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:46:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 12:46:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
Feb 16 12:46:47 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
Feb 16 12:46:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=killed, status=15/TERM
Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'signal'.
Feb 16 12:47:58 ids.alfacom.it systemd[1]: Stopped IDS Auto-Blocking Service - Detect and Block Malicious IPs.
[root@ids ids]# curl -X POST http://localhost:5000/api/ml/block-all-critical \
-H "Content-Type: application/json" \
-d '{"min_score": 80, "limit": 200}'


@ -1,57 +0,0 @@
sudo /opt/ids/deployment/setup_analytics_timer.sh
╔═══════════════════════════════════════════════╗
║ IDS Analytics Timer Setup ║
╚═══════════════════════════════════════════════╝
 Copia file systemd...
 Reload systemd daemon...
⚙ Enable e start timer...
 Stato timer:
● ids-analytics-aggregator.timer - IDS Analytics Aggregation Timer - Runs every hour
Loaded: loaded (/etc/systemd/system/ids-analytics-aggregator.timer; enabled; preset: disabled)
Active: active (waiting) since Mon 2026-02-16 12:40:08 CET; 3h 12min ago
Until: Mon 2026-02-16 12:40:08 CET; 3h 12min ago
Trigger: Mon 2026-02-16 16:05:00 CET; 12min left
Triggers: ● ids-analytics-aggregator.service
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
 Prossime esecuzioni:
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2026-02-16 16:05:00 CET 12min left Mon 2026-02-16 15:05:00 CET 47min ago ids-analytics-aggregator.timer ids-analytics-aggregator.service
1 timers listed.
Pass --all to see loaded but inactive timers, too.
╔═══════════════════════════════════════════════╗
║ ✅ ANALYTICS TIMER CONFIGURATO ║
╚═══════════════════════════════════════════════╝
📝 Comandi utili:
Stato timer: sudo systemctl status ids-analytics-aggregator.timer
Prossime run: sudo systemctl list-timers
Log aggregazione: sudo journalctl -u ids-analytics-aggregator -f
Test manuale: sudo systemctl start ids-analytics-aggregator
[root@ids ids]# systemctl status ids-analytics-aggregator.timer
● ids-analytics-aggregator.timer - IDS Analytics Aggregation Timer - Runs every hour
Loaded: loaded (/etc/systemd/system/ids-analytics-aggregator.timer; enabled; preset: disabled)
Active: active (waiting) since Mon 2026-02-16 12:40:08 CET; 3h 12min ago
Until: Mon 2026-02-16 12:40:08 CET; 3h 12min ago
Trigger: Mon 2026-02-16 16:05:00 CET; 11min left
Triggers: ● ids-analytics-aggregator.service
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh
Usage: ./deployment/run_analytics.sh {hourly|daily}
[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh {1}
Errore: modo deve essere 'hourly' o 'daily'
[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh {hourly}
Errore: modo deve essere 'hourly' o 'daily'
[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh {hourly=1}
Errore: modo deve essere 'hourly' o 'daily'


@ -2,7 +2,7 @@
-- PostgreSQL database dump -- PostgreSQL database dump
-- --
\restrict zKJmTXfD2mDCILkBGmMKFqMblgFsSpKpVUZfa2oGLibXRmd9rKoFVgOjrXmJtIh \restrict WwxshcNPCZDO53sICch8FJx8zLgCWQYAbqqfzalUyoBM5kXuVbXnc0maGAhWbkA
-- Dumped from database version 16.11 (df20cf9) -- Dumped from database version 16.11 (df20cf9)
-- Dumped by pg_dump version 16.10 -- Dumped by pg_dump version 16.10
@ -387,5 +387,5 @@ ALTER TABLE ONLY public.public_blacklist_ips
-- PostgreSQL database dump complete -- PostgreSQL database dump complete
-- --
\unrestrict zKJmTXfD2mDCILkBGmMKFqMblgFsSpKpVUZfa2oGLibXRmd9rKoFVgOjrXmJtIh \unrestrict WwxshcNPCZDO53sICch8FJx8zLgCWQYAbqqfzalUyoBM5kXuVbXnc0maGAhWbkA


@ -1,7 +1,8 @@
[Unit] [Unit]
Description=IDS Auto-Blocking Service - Detect and Block Malicious IPs Description=IDS Auto-Blocking Service - Detect and Block Malicious IPs
After=network.target postgresql-16.service Documentation=https://github.com/yourusername/ids
Wants=ids-ml-backend.service After=network.target ids-ml-backend.service postgresql-16.service
Requires=ids-ml-backend.service
[Service] [Service]
Type=oneshot Type=oneshot
@ -22,8 +23,8 @@ SyslogIdentifier=ids-auto-block
NoNewPrivileges=true NoNewPrivileges=true
PrivateTmp=true PrivateTmp=true
# Timeout: max 5 minuti per detection+blocking # Timeout: max 3 minuti per detection+blocking
TimeoutStartSec=300 TimeoutStartSec=180
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
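Review bot: The added `Documentation=https://github.com/yourusername/ids` is an unfilled template placeholder — the `Docs:` line of the `systemctl status` output elsewhere on this page already prints it verbatim — so either substitute the real repository URL or drop the line. `Requires=ids-ml-backend.service` on a `Type=oneshot` unit means a failed activation of the ML backend fails every timer-triggered auto-block run outright instead of letting the script report the outage itself; if that hard coupling is intended, say so in the unit, e.g. `# Hard dependency: auto-block only acts on ML backend output`, otherwise `Wants=` plus the existing `After=` ordering is the looser form. The shortened `TimeoutStartSec=180` leaves roughly 60 s of headroom over the script's own 120 s HTTP timeout, which looks adequate but is worth a comment tying the two numbers together. The `[Service]` lines between the two hunks (user, sandboxing beyond `NoNewPrivileges`/`PrivateTmp`) are outside this view.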


@ -3,92 +3,59 @@
IDS Auto-Blocking Script IDS Auto-Blocking Script
Rileva e blocca automaticamente IP con risk_score >= 80 Rileva e blocca automaticamente IP con risk_score >= 80
Eseguito periodicamente da systemd timer (ogni 5 minuti) Eseguito periodicamente da systemd timer (ogni 5 minuti)
Flusso:
1. Chiama Node.js /api/ml/detect per eseguire detection ML
2. Chiama Node.js /api/ml/block-all-critical per bloccare IP critici sui router
""" """
import requests import requests
import sys import sys
from datetime import datetime from datetime import datetime
NODE_API_URL = "http://localhost:5000"
ML_API_URL = "http://localhost:8000" ML_API_URL = "http://localhost:8000"
def auto_block(): def auto_block():
"""Esegue detection e blocking automatico degli IP critici""" """Esegue detection e blocking automatico degli IP critici"""
timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S") timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
print(f"[{timestamp}] Starting auto-block cycle...") print(f"[{timestamp}] 🔍 Starting auto-block detection...")
# Step 1: Esegui detection via ML Backend (se disponibile)
try: try:
print(f"[{timestamp}] Step 1: Detection ML...") # Chiama endpoint ML /detect con auto_block=true
response = requests.post( response = requests.post(
f"{ML_API_URL}/detect", f"{ML_API_URL}/detect",
json={ json={
"max_records": 50000, "max_records": 5000, # Analizza ultimi 5000 log
"hours_back": 1.0, "hours_back": 1.0, # Ultima ora
"risk_threshold": 75.0, "risk_threshold": 80.0, # Solo IP critici (score >= 80)
"auto_block": False "auto_block": True # BLOCCA AUTOMATICAMENTE
}, },
timeout=120 timeout=120 # 2 minuti timeout
) )
if response.status_code == 200: if response.status_code == 200:
data = response.json() data = response.json()
detections = len(data.get("detections", [])) detections = len(data.get("detections", []))
print(f"[{timestamp}] Detection completata: {detections} anomalie rilevate")
else:
print(f"[{timestamp}] Detection API error: HTTP {response.status_code}")
except requests.exceptions.ConnectionError:
print(f"[{timestamp}] ML Backend non raggiungibile, skip detection (blocco IP esistenti continua)")
except requests.exceptions.Timeout:
print(f"[{timestamp}] ML Detection timeout, skip (blocco IP esistenti continua)")
except Exception as e:
print(f"[{timestamp}] Detection error: {e}")
# Step 2: Blocca IP critici (score >= 80) via Node.js
try:
print(f"[{timestamp}] Step 2: Blocco IP critici sui router...")
response = requests.post(
f"{NODE_API_URL}/api/ml/block-all-critical",
json={
"min_score": 80,
"limit": 200,
"list_name": "ddos_blocked"
},
timeout=120
)
if response.status_code == 200:
data = response.json()
blocked = data.get("blocked", 0) blocked = data.get("blocked", 0)
failed = data.get("failed", 0)
skipped = data.get("skipped", 0)
remaining = data.get("remaining", 0)
if blocked > 0: if blocked > 0:
print(f"[{timestamp}] {blocked} IP bloccati sui router, {failed} falliti, {skipped} gia' bloccati") print(f"✓ Detection completata: {detections} anomalie rilevate, {blocked} IP bloccati")
else: else:
print(f"[{timestamp}] Nessun nuovo IP da bloccare ({skipped} gia' bloccati)") print(f"✓ Detection completata: {detections} anomalie rilevate, nessun nuovo IP da bloccare")
if remaining > 0:
print(f"[{timestamp}] Rimangono {remaining} IP critici da bloccare")
return 0 return 0
else: else:
print(f"[{timestamp}] Block API error: HTTP {response.status_code} - {response.text[:200]}") print(f"✗ API error: HTTP {response.status_code}")
print(f" Response: {response.text}")
return 1 return 1
except requests.exceptions.ConnectionError: except requests.exceptions.ConnectionError:
print(f"[{timestamp}] ERRORE: Node.js backend non raggiungibile su {NODE_API_URL}") print("✗ ERRORE: ML Backend non raggiungibile su http://localhost:8000")
print(" Verifica che ids-ml-backend.service sia attivo:")
print(" sudo systemctl status ids-ml-backend")
return 1 return 1
except requests.exceptions.Timeout: except requests.exceptions.Timeout:
print(f"[{timestamp}] ERRORE: Timeout blocco IP (120s)") print("✗ ERRORE: Timeout dopo 120 secondi. Detection troppo lenta?")
return 1 return 1
except Exception as e: except Exception as e:
print(f"[{timestamp}] ERRORE imprevisto: {type(e).__name__}: {e}") print(f"✗ ERRORE imprevisto: {type(e).__name__}: {e}")
import traceback
traceback.print_exc()
return 1 return 1
if __name__ == "__main__": if __name__ == "__main__":
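Review bot: In the new single-call path `auto_block` returns 0 on any HTTP 200 and reads only `blocked` from the `/detect` response, so a cycle in which the backend attempted blocks and some failed would still leave the oneshot unit green under the timer; if the `/detect` response carries a failure count (the removed two-step path read `failed` and `remaining` from the Node endpoint), check it, e.g. `failed = data.get("failed", 0)` and `return 1 if failed else 0`. The error branch's `print(f" Response: {response.text}")` logs the whole body unbounded where the removed code capped it at 200 characters; `response.text[:200]` keeps the journal readable if the backend ever returns a large HTML error page. The unreachable-backend message hardcodes `http://localhost:8000` instead of interpolating the `ML_API_URL` constant defined above it; `print(f"✗ ERRORE: ML Backend non raggiungibile su {ML_API_URL}")` prevents the two from drifting apart. `auto_block` ends inside the hunk, but the `__main__` guard continues past it.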


@ -1,13 +1,7 @@
{ {
"version": "1.0.117", "version": "1.0.116",
"lastUpdate": "2026-02-16T15:49:34.102Z", "lastUpdate": "2026-02-16T14:49:08.274Z",
"changelog": [ "changelog": [
{
"version": "1.0.117",
"date": "2026-02-16",
"type": "patch",
"description": "Deployment automatico v1.0.117"
},
{ {
"version": "1.0.116", "version": "1.0.116",
"date": "2026-02-16", "date": "2026-02-16",
@ -301,6 +295,12 @@
"date": "2025-11-24", "date": "2025-11-24",
"type": "patch", "type": "patch",
"description": "Deployment automatico v1.0.68" "description": "Deployment automatico v1.0.68"
},
{
"version": "1.0.67",
"date": "2025-11-24",
"type": "patch",
"description": "Deployment automatico v1.0.67"
} }
] ]
} }