marco/ids.alfacom.it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: marco:b18e0a51e1e4e139c68578b2d4c96eeb56c4a63d
Branches Tags
marco:main
marco:v1.0.122
marco:v1.0.121
marco:v1.0.120
marco:v1.0.119
marco:v1.0.118
marco:v1.0.117
marco:v1.0.116
marco:v1.0.115
marco:v1.0.114
marco:v1.0.113
marco:v1.0.112
marco:v1.0.111
marco:v1.0.110
marco:v1.0.109
marco:v1.0.108
marco:v1.0.107
marco:v1.0.106
marco:v1.0.105
marco:v1.0.104
marco:v1.0.103
marco:v1.0.102
marco:v1.0.101
marco:v1.0.100
marco:v1.0.99
marco:v1.0.98
marco:v1.0.97
marco:v1.0.96
marco:v1.0.95
marco:v1.0.94
marco:v1.0.93
marco:v1.0.92
marco:v1.0.91
marco:v1.0.90
marco:v1.0.89
marco:v1.0.88
marco:v1.0.87
marco:v1.0.86
marco:v1.0.85
marco:v1.0.84
marco:v1.0.83
marco:v1.0.82
marco:v1.0.81
marco:v1.0.80
marco:v1.0.79
marco:v1.0.78
marco:v1.0.77
marco:v1.0.76
marco:v1.0.75
marco:v1.0.74
marco:v1.0.73
marco:v1.0.72
marco:v1.0.71
marco:v1.0.70
marco:v1.0.69
marco:v1.0.68
marco:v1.0.67
marco:v1.0.66
marco:v1.0.65
marco:v1.0.64
marco:v1.0.63
marco:v1.0.62
marco:v1.0.61
marco:v1.0.60
marco:v1.0.59
marco:v1.0.58
marco:v1.0.57
marco:v1.0.56
marco:v1.0.55
marco:v1.0.54
marco:v1.0.53
marco:v1.0.52
marco:v1.0.51
marco:v1.0.50
marco:v1.0.49
marco:v1.0.48
marco:v1.0.47
marco:v1.0.46
marco:v1.0.45
marco:v1.0.44
marco:v1.0.43
marco:v1.0.42
marco:v1.0.41
marco:v1.0.40
marco:v1.0.39
marco:v1.0.38
marco:v1.0.37
marco:v1.0.36
marco:v1.0.35
marco:v1.0.34
marco:v1.0.33
marco:v1.0.32
marco:v1.0.30
marco:v1.0.29
marco:v1.0.28
marco:v1.0.27
marco:v1.0.26
marco:v1.0.25
marco:v1.0.24
marco:v1.0.23
marco:v1.0.22
marco:v1.0.21
marco:v1.0.20
marco:v1.0.19
marco:v1.0.18
marco:v1.0.17
marco:v1.0.15
marco:v1.0.14
marco:v1.0.13
marco:v1.0.12
marco:v1.0.11
marco:v1.0.10
marco:v1.0.9
marco:v1.0.8
marco:v1.0.7
marco:v1.0.6
marco:v1.0.4
marco:v1.0.3
marco:v1.0.2
marco:v1.0.1
..
compare: marco:85db2b1483a17e90c303b9e382ff37faa06c80dc
Branches Tags
marco:main
marco:v1.0.122
marco:v1.0.121
marco:v1.0.120
marco:v1.0.119
marco:v1.0.118
marco:v1.0.117
marco:v1.0.116
marco:v1.0.115
marco:v1.0.114
marco:v1.0.113
marco:v1.0.112
marco:v1.0.111
marco:v1.0.110
marco:v1.0.109
marco:v1.0.108
marco:v1.0.107
marco:v1.0.106
marco:v1.0.105
marco:v1.0.104
marco:v1.0.103
marco:v1.0.102
marco:v1.0.101
marco:v1.0.100
marco:v1.0.99
marco:v1.0.98
marco:v1.0.97
marco:v1.0.96
marco:v1.0.95
marco:v1.0.94
marco:v1.0.93
marco:v1.0.92
marco:v1.0.91
marco:v1.0.90
marco:v1.0.89
marco:v1.0.88
marco:v1.0.87
marco:v1.0.86
marco:v1.0.85
marco:v1.0.84
marco:v1.0.83
marco:v1.0.82
marco:v1.0.81
marco:v1.0.80
marco:v1.0.79
marco:v1.0.78
marco:v1.0.77
marco:v1.0.76
marco:v1.0.75
marco:v1.0.74
marco:v1.0.73
marco:v1.0.72
marco:v1.0.71
marco:v1.0.70
marco:v1.0.69
marco:v1.0.68
marco:v1.0.67
marco:v1.0.66
marco:v1.0.65
marco:v1.0.64
marco:v1.0.63
marco:v1.0.62
marco:v1.0.61
marco:v1.0.60
marco:v1.0.59
marco:v1.0.58
marco:v1.0.57
marco:v1.0.56
marco:v1.0.55
marco:v1.0.54
marco:v1.0.53
marco:v1.0.52
marco:v1.0.51
marco:v1.0.50
marco:v1.0.49
marco:v1.0.48
marco:v1.0.47
marco:v1.0.46
marco:v1.0.45
marco:v1.0.44
marco:v1.0.43
marco:v1.0.42
marco:v1.0.41
marco:v1.0.40
marco:v1.0.39
marco:v1.0.38
marco:v1.0.37
marco:v1.0.36
marco:v1.0.35
marco:v1.0.34
marco:v1.0.33
marco:v1.0.32
marco:v1.0.30
marco:v1.0.29
marco:v1.0.28
marco:v1.0.27
marco:v1.0.26
marco:v1.0.25
marco:v1.0.24
marco:v1.0.23
marco:v1.0.22
marco:v1.0.21
marco:v1.0.20
marco:v1.0.19
marco:v1.0.18
marco:v1.0.17
marco:v1.0.15
marco:v1.0.14
marco:v1.0.13
marco:v1.0.12
marco:v1.0.11
marco:v1.0.10
marco:v1.0.9
marco:v1.0.8
marco:v1.0.7
marco:v1.0.6
marco:v1.0.4
marco:v1.0.3
marco:v1.0.2
marco:v1.0.1

No commits in common. "b18e0a51e1e4e139c68578b2d4c96eeb56c4a63d" and "85db2b1483a17e90c303b9e382ff37faa06c80dc" have entirely different histories.
b18e0a51e1 ... 85db2b1483

6 changed files with 38 additions and 204 deletions
Show Stats Expand all files Collapse all files

77
attached_assets/Pasted-journalctl-u-ids-analytics-aggregator-timer-f-Feb-16-12_1771254164972.txt
View File

@ -1,77 +0,0 @@
journalctl -u ids-analytics-aggregator.timer -f
Feb 16 12:18:50 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
Feb 16 12:40:08 ids.alfacom.it systemd[1]: ids-analytics-aggregator.timer: Deactivated successfully.
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
^C
[root@ids ids]# systemctl status ids-ml-backend
● ids-ml-backend.service - IDS ML Backend (FastAPI)
Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
Active: active (running) since Mon 2026-02-16 15:51:26 CET; 9min ago
Main PID: 13099 (python3)
Tasks: 26 (limit: 100409)
Memory: 402.9M (max: 2.0G available: 1.6G)
CPU: 15.905s
CGroup: /system.slice/ids-ml-backend.service
└─13099 /opt/ids/python_ml/venv/bin/python3 main.py
Feb 16 15:51:26 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
[root@ids ids]# cat /var/log/ids/backend.log | tail -20
[Mon Feb 16 15:40:04 CET 2026] Backend riavviato con PID: 12165
INFO: Started server process [12165]
INFO: Waiting for application startup.
INFO: Application startup complete.
ERROR: [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
INFO: Waiting for application shutdown.
INFO: Application shutdown complete.
[WARNING] Extended Isolation Forest not available, using standard IF
[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
[HYBRID] Ensemble classifier loaded
[HYBRID] Models loaded (version: latest)
[HYBRID] Selected features: 18/25
[HYBRID] Mode: Hybrid (IF + Ensemble)
[ML] ✓ Hybrid detector models loaded and ready
 Starting IDS API on http://0.0.0.0:8000
 Docs available at http://0.0.0.0:8000/docs
[Mon Feb 16 15:45:01 CET 2026] Backend Python NON attivo, riavvio via systemctl...
[Mon Feb 16 15:45:04 CET 2026] ERRORE: Backend non si è avviato. Controlla: journalctl -u ids-ml-backend
[Mon Feb 16 15:50:01 CET 2026] Backend Python NON attivo, riavvio via systemctl...
[Mon Feb 16 15:50:04 CET 2026] ERRORE: Backend non si è avviato. Controlla: journalctl -u ids-ml-backend
[root@ids ids]# systemctl status ids-auto-block
journalctl -u ids-auto-block --no-pager | tail -20
× ids-auto-block.service - IDS Auto-Blocking Service - Detect and Block Malicious IPs
Loaded: loaded (/etc/systemd/system/ids-auto-block.service; disabled; preset: disabled)
Active: failed (Result: signal) since Mon 2026-02-16 12:47:58 CET; 3h 13min ago
TriggeredBy: ○ ids-auto-block.timer
Docs: https://github.com/yourusername/ids
Main PID: 2896 (code=killed, signal=TERM)
CPU: 155ms
Feb 16 12:46:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=killed, status=15/TERM
Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'signal'.
Feb 16 12:47:58 ids.alfacom.it systemd[1]: Stopped IDS Auto-Blocking Service - Detect and Block Malicious IPs.
Feb 16 12:38:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:40:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 12:40:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
Feb 16 12:40:46 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
Feb 16 12:40:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:42:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 12:42:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
Feb 16 12:42:46 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
Feb 16 12:42:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:44:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 12:44:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
Feb 16 12:44:47 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
Feb 16 12:44:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:46:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 12:46:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
Feb 16 12:46:47 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
Feb 16 12:46:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=killed, status=15/TERM
Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'signal'.
Feb 16 12:47:58 ids.alfacom.it systemd[1]: Stopped IDS Auto-Blocking Service - Detect and Block Malicious IPs.
[root@ids ids]# curl -X POST http://localhost:5000/api/ml/block-all-critical \
-H "Content-Type: application/json" \
-d '{"min_score": 80, "limit": 200}'

57
attached_assets/Pasted-sudo-opt-ids-deployment-setup-analytics-timer-sh--17712_1771253681344.txt
View File

@ -1,57 +0,0 @@
sudo /opt/ids/deployment/setup_analytics_timer.sh
╔═══════════════════════════════════════════════╗
║ IDS Analytics Timer Setup ║
╚═══════════════════════════════════════════════╝
 Copia file systemd...
 Reload systemd daemon...
⚙ Enable e start timer...
 Stato timer:
● ids-analytics-aggregator.timer - IDS Analytics Aggregation Timer - Runs every hour
Loaded: loaded (/etc/systemd/system/ids-analytics-aggregator.timer; enabled; preset: disabled)
Active: active (waiting) since Mon 2026-02-16 12:40:08 CET; 3h 12min ago
Until: Mon 2026-02-16 12:40:08 CET; 3h 12min ago
Trigger: Mon 2026-02-16 16:05:00 CET; 12min left
Triggers: ● ids-analytics-aggregator.service
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
 Prossime esecuzioni:
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2026-02-16 16:05:00 CET 12min left Mon 2026-02-16 15:05:00 CET 47min ago ids-analytics-aggregator.timer ids-analytics-aggregator.service
1 timers listed.
Pass --all to see loaded but inactive timers, too.
╔═══════════════════════════════════════════════╗
║ ✅ ANALYTICS TIMER CONFIGURATO ║
╚═══════════════════════════════════════════════╝
📝 Comandi utili:
Stato timer: sudo systemctl status ids-analytics-aggregator.timer
Prossime run: sudo systemctl list-timers
Log aggregazione: sudo journalctl -u ids-analytics-aggregator -f
Test manuale: sudo systemctl start ids-analytics-aggregator
[root@ids ids]# systemctl status ids-analytics-aggregator.timer
● ids-analytics-aggregator.timer - IDS Analytics Aggregation Timer - Runs every hour
Loaded: loaded (/etc/systemd/system/ids-analytics-aggregator.timer; enabled; preset: disabled)
Active: active (waiting) since Mon 2026-02-16 12:40:08 CET; 3h 12min ago
Until: Mon 2026-02-16 12:40:08 CET; 3h 12min ago
Trigger: Mon 2026-02-16 16:05:00 CET; 11min left
Triggers: ● ids-analytics-aggregator.service
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh
Usage: ./deployment/run_analytics.sh {hourly|daily}
[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh {1}
Errore: modo deve essere 'hourly' o 'daily'
[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh {hourly}
Errore: modo deve essere 'hourly' o 'daily'
[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh {hourly=1}
Errore: modo deve essere 'hourly' o 'daily'

4
database-schema/schema.sql
View File

@ -2,7 +2,7 @@
-- PostgreSQL database dump
--
\restrict zKJmTXfD2mDCILkBGmMKFqMblgFsSpKpVUZfa2oGLibXRmd9rKoFVgOjrXmJtIh
\restrict WwxshcNPCZDO53sICch8FJx8zLgCWQYAbqqfzalUyoBM5kXuVbXnc0maGAhWbkA
-- Dumped from database version 16.11 (df20cf9)
-- Dumped by pg_dump version 16.10
@ -387,5 +387,5 @@ ALTER TABLE ONLY public.public_blacklist_ips
-- PostgreSQL database dump complete
--
\unrestrict zKJmTXfD2mDCILkBGmMKFqMblgFsSpKpVUZfa2oGLibXRmd9rKoFVgOjrXmJtIh
\unrestrict WwxshcNPCZDO53sICch8FJx8zLgCWQYAbqqfzalUyoBM5kXuVbXnc0maGAhWbkA

9
deployment/systemd/ids-auto-block.service
View File

@ -1,7 +1,8 @@
[Unit]
Description=IDS Auto-Blocking Service - Detect and Block Malicious IPs
After=network.target postgresql-16.service
Wants=ids-ml-backend.service
Documentation=https://github.com/yourusername/ids
After=network.target ids-ml-backend.service postgresql-16.service
Requires=ids-ml-backend.service
[Service]
Type=oneshot
@ -22,8 +23,8 @@ SyslogIdentifier=ids-auto-block
NoNewPrivileges=true
PrivateTmp=true
# Timeout: max 5 minuti per detection+blocking
TimeoutStartSec=300
# Timeout: max 3 minuti per detection+blocking
TimeoutStartSec=180
[Install]
WantedBy=multi-user.target

69
python_ml/auto_block.py
View File

@ -3,92 +3,59 @@
IDS Auto-Blocking Script
Rileva e blocca automaticamente IP con risk_score >= 80
Eseguito periodicamente da systemd timer (ogni 5 minuti)
Flusso:
1. Chiama Node.js /api/ml/detect per eseguire detection ML
2. Chiama Node.js /api/ml/block-all-critical per bloccare IP critici sui router
"""
import requests
import sys
from datetime import datetime
NODE_API_URL = "http://localhost:5000"
ML_API_URL = "http://localhost:8000"
def auto_block():
"""Esegue detection e blocking automatico degli IP critici"""
timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
print(f"[{timestamp}] Starting auto-block cycle...")
print(f"[{timestamp}] 🔍 Starting auto-block detection...")
# Step 1: Esegui detection via ML Backend (se disponibile)
try:
print(f"[{timestamp}] Step 1: Detection ML...")
# Chiama endpoint ML /detect con auto_block=true
response = requests.post(
f"{ML_API_URL}/detect",
json={
"max_records": 50000,
"hours_back": 1.0,
"risk_threshold": 75.0,
"auto_block": False
"max_records": 5000, # Analizza ultimi 5000 log
"hours_back": 1.0, # Ultima ora
"risk_threshold": 80.0, # Solo IP critici (score >= 80)
"auto_block": True # BLOCCA AUTOMATICAMENTE
},
timeout=120
timeout=120 # 2 minuti timeout
)
if response.status_code == 200:
data = response.json()
detections = len(data.get("detections", []))
print(f"[{timestamp}] Detection completata: {detections} anomalie rilevate")
else:
print(f"[{timestamp}] Detection API error: HTTP {response.status_code}")
except requests.exceptions.ConnectionError:
print(f"[{timestamp}] ML Backend non raggiungibile, skip detection (blocco IP esistenti continua)")
except requests.exceptions.Timeout:
print(f"[{timestamp}] ML Detection timeout, skip (blocco IP esistenti continua)")
except Exception as e:
print(f"[{timestamp}] Detection error: {e}")
# Step 2: Blocca IP critici (score >= 80) via Node.js
try:
print(f"[{timestamp}] Step 2: Blocco IP critici sui router...")
response = requests.post(
f"{NODE_API_URL}/api/ml/block-all-critical",
json={
"min_score": 80,
"limit": 200,
"list_name": "ddos_blocked"
},
timeout=120
)
if response.status_code == 200:
data = response.json()
blocked = data.get("blocked", 0)
failed = data.get("failed", 0)
skipped = data.get("skipped", 0)
remaining = data.get("remaining", 0)
if blocked > 0:
print(f"[{timestamp}] {blocked} IP bloccati sui router, {failed} falliti, {skipped} gia' bloccati")
print(f"✓ Detection completata: {detections} anomalie rilevate, {blocked} IP bloccati")
else:
print(f"[{timestamp}] Nessun nuovo IP da bloccare ({skipped} gia' bloccati)")
if remaining > 0:
print(f"[{timestamp}] Rimangono {remaining} IP critici da bloccare")
print(f"✓ Detection completata: {detections} anomalie rilevate, nessun nuovo IP da bloccare")
return 0
else:
print(f"[{timestamp}] Block API error: HTTP {response.status_code} - {response.text[:200]}")
print(f"✗ API error: HTTP {response.status_code}")
print(f" Response: {response.text}")
return 1
except requests.exceptions.ConnectionError:
print(f"[{timestamp}] ERRORE: Node.js backend non raggiungibile su {NODE_API_URL}")
print("✗ ERRORE: ML Backend non raggiungibile su http://localhost:8000")
print(" Verifica che ids-ml-backend.service sia attivo:")
print(" sudo systemctl status ids-ml-backend")
return 1
except requests.exceptions.Timeout:
print(f"[{timestamp}] ERRORE: Timeout blocco IP (120s)")
print("✗ ERRORE: Timeout dopo 120 secondi. Detection troppo lenta?")
return 1
except Exception as e:
print(f"[{timestamp}] ERRORE imprevisto: {type(e).__name__}: {e}")
print(f"✗ ERRORE imprevisto: {type(e).__name__}: {e}")
import traceback
traceback.print_exc()
return 1
if __name__ == "__main__":

16
version.json
View File

@ -1,13 +1,7 @@
{
"version": "1.0.117",
"lastUpdate": "2026-02-16T15:49:34.102Z",
"version": "1.0.116",
"lastUpdate": "2026-02-16T14:49:08.274Z",
"changelog": [
{
"version": "1.0.117",
"date": "2026-02-16",
"type": "patch",
"description": "Deployment automatico v1.0.117"
},
{
"version": "1.0.116",
"date": "2026-02-16",
@ -301,6 +295,12 @@
"date": "2025-11-24",
"type": "patch",
"description": "Deployment automatico v1.0.68"
},
{
"version": "1.0.67",
"date": "2025-11-24",
"type": "patch",
"description": "Deployment automatico v1.0.67"
}
]
}