6 changed files with 38 additions and 204 deletions
--- a/attached_assets/Pasted-journalctl-u-ids-analytics-aggregator-timer-f-Feb-16-12_1771254164972.txt
+++ b/attached_assets/Pasted-journalctl-u-ids-analytics-aggregator-timer-f-Feb-16-12_1771254164972.txt
@ -1,77 +0,0 @@
-journalctl -u ids-analytics-aggregator.timer -f
-Feb 16 12:18:50 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
-Feb 16 12:40:08 ids.alfacom.it systemd[1]: ids-analytics-aggregator.timer: Deactivated successfully.
-Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
-Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
-Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
-^C
-[root@ids ids]# systemctl status ids-ml-backend
-● ids-ml-backend.service - IDS ML Backend (FastAPI)
-     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
-     Active: active (running) since Mon 2026-02-16 15:51:26 CET; 9min ago
-   Main PID: 13099 (python3)
-      Tasks: 26 (limit: 100409)
-     Memory: 402.9M (max: 2.0G available: 1.6G)
-        CPU: 15.905s
-     CGroup: /system.slice/ids-ml-backend.service
-             └─13099 /opt/ids/python_ml/venv/bin/python3 main.py
-
-Feb 16 15:51:26 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
-[root@ids ids]# cat /var/log/ids/backend.log | tail -20
-[Mon Feb 16 15:40:04 CET 2026] Backend riavviato con PID: 12165
-INFO:     Started server process [12165]
-INFO:     Waiting for application startup.
-INFO:     Application startup complete.
-ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
-INFO:     Waiting for application shutdown.
-INFO:     Application shutdown complete.
-[WARNING] Extended Isolation Forest not available, using standard IF
-[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
-[HYBRID] Ensemble classifier loaded
-[HYBRID] Models loaded (version: latest)
-[HYBRID] Selected features: 18/25
-[HYBRID] Mode: Hybrid (IF + Ensemble)
-[ML] ✓ Hybrid detector models loaded and ready
- Starting IDS API on http://0.0.0.0:8000
- Docs available at http://0.0.0.0:8000/docs
-[Mon Feb 16 15:45:01 CET 2026] Backend Python NON attivo, riavvio via systemctl...
-[Mon Feb 16 15:45:04 CET 2026] ERRORE: Backend non si è avviato. Controlla: journalctl -u ids-ml-backend
-[Mon Feb 16 15:50:01 CET 2026] Backend Python NON attivo, riavvio via systemctl...
-[Mon Feb 16 15:50:04 CET 2026] ERRORE: Backend non si è avviato. Controlla: journalctl -u ids-ml-backend
-[root@ids ids]# systemctl status ids-auto-block
-journalctl -u ids-auto-block --no-pager | tail -20
-× ids-auto-block.service - IDS Auto-Blocking Service - Detect and Block Malicious IPs
-     Loaded: loaded (/etc/systemd/system/ids-auto-block.service; disabled; preset: disabled)
-     Active: failed (Result: signal) since Mon 2026-02-16 12:47:58 CET; 3h 13min ago
-TriggeredBy: ○ ids-auto-block.timer
-       Docs: https://github.com/yourusername/ids
-   Main PID: 2896 (code=killed, signal=TERM)
-        CPU: 155ms
-
-Feb 16 12:46:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
-Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=killed, status=15/TERM
-Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'signal'.
-Feb 16 12:47:58 ids.alfacom.it systemd[1]: Stopped IDS Auto-Blocking Service - Detect and Block Malicious IPs.
-Feb 16 12:38:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
-Feb 16 12:40:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
-Feb 16 12:40:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
-Feb 16 12:40:46 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
-Feb 16 12:40:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
-Feb 16 12:42:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
-Feb 16 12:42:46 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
-Feb 16 12:42:46 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
-Feb 16 12:42:46 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
-Feb 16 12:44:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
-Feb 16 12:44:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
-Feb 16 12:44:47 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
-Feb 16 12:44:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
-Feb 16 12:46:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=exited, status=1/FAILURE
-Feb 16 12:46:47 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'exit-code'.
-Feb 16 12:46:47 ids.alfacom.it systemd[1]: Failed to start IDS Auto-Blocking Service - Detect and Block Malicious IPs.
-Feb 16 12:46:47 ids.alfacom.it systemd[1]: Starting IDS Auto-Blocking Service - Detect and Block Malicious IPs...
-Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Main process exited, code=killed, status=15/TERM
-Feb 16 12:47:58 ids.alfacom.it systemd[1]: ids-auto-block.service: Failed with result 'signal'.
-Feb 16 12:47:58 ids.alfacom.it systemd[1]: Stopped IDS Auto-Blocking Service - Detect and Block Malicious IPs.
-[root@ids ids]# curl -X POST http://localhost:5000/api/ml/block-all-critical \
-  -H "Content-Type: application/json" \
-  -d '{"min_score": 80, "limit": 200}'
--- a/attached_assets/Pasted-sudo-opt-ids-deployment-setup-analytics-timer-sh--17712_1771253681344.txt
+++ b/attached_assets/Pasted-sudo-opt-ids-deployment-setup-analytics-timer-sh--17712_1771253681344.txt
@ -1,57 +0,0 @@
-sudo /opt/ids/deployment/setup_analytics_timer.sh
-╔═══════════════════════════════════════════════╗
-║   IDS Analytics Timer Setup                  ║
-╚═══════════════════════════════════════════════╝
-
- Copia file systemd...
- Reload systemd daemon...
-⚙  Enable e start timer...
-
- Stato timer:
-● ids-analytics-aggregator.timer - IDS Analytics Aggregation Timer - Runs every hour
-     Loaded: loaded (/etc/systemd/system/ids-analytics-aggregator.timer; enabled; preset: disabled)
-     Active: active (waiting) since Mon 2026-02-16 12:40:08 CET; 3h 12min ago
-      Until: Mon 2026-02-16 12:40:08 CET; 3h 12min ago
-    Trigger: Mon 2026-02-16 16:05:00 CET; 12min left
-   Triggers: ● ids-analytics-aggregator.service
-
-Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
-Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
-Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
-
- Prossime esecuzioni:
-NEXT                        LEFT       LAST                        PASSED    UNIT                           ACTIVATES
-Mon 2026-02-16 16:05:00 CET 12min left Mon 2026-02-16 15:05:00 CET 47min ago ids-analytics-aggregator.timer ids-analytics-aggregator.service
-
-1 timers listed.
-Pass --all to see loaded but inactive timers, too.
-
-╔═══════════════════════════════════════════════╗
-║   ✅ ANALYTICS TIMER CONFIGURATO              ║
-╚═══════════════════════════════════════════════╝
-
-📝 Comandi utili:
-   Stato timer:        sudo systemctl status ids-analytics-aggregator.timer
-   Prossime run:       sudo systemctl list-timers
-   Log aggregazione:   sudo journalctl -u ids-analytics-aggregator -f
-   Test manuale:       sudo systemctl start ids-analytics-aggregator
-
-[root@ids ids]# systemctl status ids-analytics-aggregator.timer
-● ids-analytics-aggregator.timer - IDS Analytics Aggregation Timer - Runs every hour
-     Loaded: loaded (/etc/systemd/system/ids-analytics-aggregator.timer; enabled; preset: disabled)
-     Active: active (waiting) since Mon 2026-02-16 12:40:08 CET; 3h 12min ago
-      Until: Mon 2026-02-16 12:40:08 CET; 3h 12min ago
-    Trigger: Mon 2026-02-16 16:05:00 CET; 11min left
-   Triggers: ● ids-analytics-aggregator.service
-
-Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
-Feb 16 12:40:08 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
-Feb 16 12:40:08 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
-[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh
-Usage: ./deployment/run_analytics.sh {hourly|daily}
-[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh {1}
-Errore: modo deve essere 'hourly' o 'daily'
-[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh {hourly}
-Errore: modo deve essere 'hourly' o 'daily'
-[root@ids ids]# cd /opt/ids && ./deployment/run_analytics.sh {hourly=1}
-Errore: modo deve essere 'hourly' o 'daily'
--- a/database-schema/schema.sql
+++ b/database-schema/schema.sql
@ -2,7 +2,7 @@
 -- PostgreSQL database dump
 --

-\restrict zKJmTXfD2mDCILkBGmMKFqMblgFsSpKpVUZfa2oGLibXRmd9rKoFVgOjrXmJtIh
+\restrict WwxshcNPCZDO53sICch8FJx8zLgCWQYAbqqfzalUyoBM5kXuVbXnc0maGAhWbkA

 -- Dumped from database version 16.11 (df20cf9)
 -- Dumped by pg_dump version 16.10
@ -387,5 +387,5 @@ ALTER TABLE ONLY public.public_blacklist_ips
 -- PostgreSQL database dump complete
 --

-\unrestrict zKJmTXfD2mDCILkBGmMKFqMblgFsSpKpVUZfa2oGLibXRmd9rKoFVgOjrXmJtIh
+\unrestrict WwxshcNPCZDO53sICch8FJx8zLgCWQYAbqqfzalUyoBM5kXuVbXnc0maGAhWbkA

--- a/deployment/systemd/ids-auto-block.service
+++ b/deployment/systemd/ids-auto-block.service
@ -1,7 +1,8 @@
 [Unit]
 Description=IDS Auto-Blocking Service - Detect and Block Malicious IPs
-After=network.target postgresql-16.service
-Wants=ids-ml-backend.service
+Documentation=https://github.com/yourusername/ids
+After=network.target ids-ml-backend.service postgresql-16.service
+Requires=ids-ml-backend.service

 [Service]
 Type=oneshot
@ -22,8 +23,8 @@ SyslogIdentifier=ids-auto-block
 NoNewPrivileges=true
 PrivateTmp=true

-# Timeout: max 5 minuti per detection+blocking
-TimeoutStartSec=300
+# Timeout: max 3 minuti per detection+blocking
+TimeoutStartSec=180

 [Install]
 WantedBy=multi-user.target
--- a/python_ml/auto_block.py
+++ b/python_ml/auto_block.py
@ -3,92 +3,59 @@
 IDS Auto-Blocking Script
 Rileva e blocca automaticamente IP con risk_score >= 80
 Eseguito periodicamente da systemd timer (ogni 5 minuti)
-
-Flusso:
-1. Chiama Node.js /api/ml/detect per eseguire detection ML
-2. Chiama Node.js /api/ml/block-all-critical per bloccare IP critici sui router
 """
 import requests
 import sys
 from datetime import datetime

-NODE_API_URL = "http://localhost:5000"
 ML_API_URL = "http://localhost:8000"

 def auto_block():
    """Esegue detection e blocking automatico degli IP critici"""
    timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
-    print(f"[{timestamp}] Starting auto-block cycle...")
-
-    # Step 1: Esegui detection via ML Backend (se disponibile)
+    print(f"[{timestamp}] 🔍 Starting auto-block detection...")
+    
    try:
-        print(f"[{timestamp}] Step 1: Detection ML...")
+        # Chiama endpoint ML /detect con auto_block=true
        response = requests.post(
            f"{ML_API_URL}/detect",
            json={
-                "max_records": 50000,
-                "hours_back": 1.0,
-                "risk_threshold": 75.0,
-                "auto_block": False
+                "max_records": 5000,        # Analizza ultimi 5000 log
+                "hours_back": 1.0,          # Ultima ora
+                "risk_threshold": 80.0,     # Solo IP critici (score >= 80)
+                "auto_block": True          # BLOCCA AUTOMATICAMENTE
            },
-            timeout=120
+            timeout=120  # 2 minuti timeout
        )
-
+        
        if response.status_code == 200:
            data = response.json()
            detections = len(data.get("detections", []))
-            print(f"[{timestamp}] Detection completata: {detections} anomalie rilevate")
-        else:
-            print(f"[{timestamp}] Detection API error: HTTP {response.status_code}")
-
-    except requests.exceptions.ConnectionError:
-        print(f"[{timestamp}] ML Backend non raggiungibile, skip detection (blocco IP esistenti continua)")
-    except requests.exceptions.Timeout:
-        print(f"[{timestamp}] ML Detection timeout, skip (blocco IP esistenti continua)")
-    except Exception as e:
-        print(f"[{timestamp}] Detection error: {e}")
-
-    # Step 2: Blocca IP critici (score >= 80) via Node.js
-    try:
-        print(f"[{timestamp}] Step 2: Blocco IP critici sui router...")
-        response = requests.post(
-            f"{NODE_API_URL}/api/ml/block-all-critical",
-            json={
-                "min_score": 80,
-                "limit": 200,
-                "list_name": "ddos_blocked"
-            },
-            timeout=120
-        )
-
-        if response.status_code == 200:
-            data = response.json()
            blocked = data.get("blocked", 0)
-            failed = data.get("failed", 0)
-            skipped = data.get("skipped", 0)
-            remaining = data.get("remaining", 0)
-
+            
            if blocked > 0:
-                print(f"[{timestamp}] {blocked} IP bloccati sui router, {failed} falliti, {skipped} gia' bloccati")
+                print(f"✓ Detection completata: {detections} anomalie rilevate, {blocked} IP bloccati")
            else:
-                print(f"[{timestamp}] Nessun nuovo IP da bloccare ({skipped} gia' bloccati)")
-
-            if remaining > 0:
-                print(f"[{timestamp}] Rimangono {remaining} IP critici da bloccare")
-
+                print(f"✓ Detection completata: {detections} anomalie rilevate, nessun nuovo IP da bloccare")
+            
            return 0
        else:
-            print(f"[{timestamp}] Block API error: HTTP {response.status_code} - {response.text[:200]}")
+            print(f"✗ API error: HTTP {response.status_code}")
+            print(f"   Response: {response.text}")
            return 1
-
+            
    except requests.exceptions.ConnectionError:
-        print(f"[{timestamp}] ERRORE: Node.js backend non raggiungibile su {NODE_API_URL}")
+        print("✗ ERRORE: ML Backend non raggiungibile su http://localhost:8000")
+        print("   Verifica che ids-ml-backend.service sia attivo:")
+        print("   sudo systemctl status ids-ml-backend")
        return 1
    except requests.exceptions.Timeout:
-        print(f"[{timestamp}] ERRORE: Timeout blocco IP (120s)")
+        print("✗ ERRORE: Timeout dopo 120 secondi. Detection troppo lenta?")
        return 1
    except Exception as e:
-        print(f"[{timestamp}] ERRORE imprevisto: {type(e).__name__}: {e}")
+        print(f"✗ ERRORE imprevisto: {type(e).__name__}: {e}")
+        import traceback
+        traceback.print_exc()
        return 1

 if __name__ == "__main__":
--- a/version.json
+++ b/version.json
@ -1,13 +1,7 @@
 {
-  "version": "1.0.117",
-  "lastUpdate": "2026-02-16T15:49:34.102Z",
+  "version": "1.0.116",
+  "lastUpdate": "2026-02-16T14:49:08.274Z",
  "changelog": [
-    {
-      "version": "1.0.117",
-      "date": "2026-02-16",
-      "type": "patch",
-      "description": "Deployment automatico v1.0.117"
-    },
    {
      "version": "1.0.116",
      "date": "2026-02-16",
@ -301,6 +295,12 @@
      "date": "2025-11-24",
      "type": "patch",
      "description": "Deployment automatico v1.0.68"
+    },
+    {
+      "version": "1.0.67",
+      "date": "2025-11-24",
+      "type": "patch",
+      "description": "Deployment automatico v1.0.67"
    }
  ]
 }