marco/ids.alfacom.it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
42541724cf
ids.alfacom.it/deployment/AUTO_BLOCKING_SETUP.md
marco370 4d9ed22c39 Add automatic IP blocking system to enhance security 
Implement a systemd timer and Python script to periodically detect and automatically block malicious IP addresses based on risk scores, improving the application's security posture.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: 05ab2f73-e195-4de9-a183-cd4729713b92
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/31VdIyL
2025-11-25 11:52:13 +00:00

261 lines
5.0 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Auto-Blocking Setup - IDS MikroTik
## 📋 Panoramica
Sistema di auto-blocking automatico che rileva e blocca IP con **risk_score >= 80** ogni 5 minuti.
**Componenti**:
1. `python_ml/auto_block.py` - Script Python che chiama API ML
2. `deployment/systemd/ids-auto-block.service` - Systemd service
3. `deployment/systemd/ids-auto-block.timer` - Timer esecuzione ogni 5 minuti
---
## 🚀 Installazione su AlmaLinux
### 1⃣ Prerequisiti
Verifica che questi servizi siano attivi:
```bash
sudo systemctl status ids-ml-backend # ML Backend FastAPI
sudo systemctl status postgresql-16 # Database PostgreSQL
```
### 2⃣ Copia File Systemd
```bash
# Service file
sudo cp /opt/ids/deployment/systemd/ids-auto-block.service /etc/systemd/system/
# Timer file
sudo cp /opt/ids/deployment/systemd/ids-auto-block.timer /etc/systemd/system/
# Verifica permessi
sudo chown root:root /etc/systemd/system/ids-auto-block.*
sudo chmod 644 /etc/systemd/system/ids-auto-block.*
```
### 3⃣ Rendi Eseguibile Script Python
```bash
chmod +x /opt/ids/python_ml/auto_block.py
```
### 4⃣ Installa Dipendenza Python (requests)
```bash
# Attiva virtual environment
cd /opt/ids/python_ml
source venv/bin/activate
# Installa requests
pip install requests
# Esci da venv
deactivate
```
### 5⃣ Crea Directory Log
```bash
sudo mkdir -p /var/log/ids
sudo chown ids:ids /var/log/ids
```
### 6⃣ Ricarica Systemd e Avvia Timer
```bash
# Ricarica systemd
sudo systemctl daemon-reload
# Abilita timer (autostart al boot)
sudo systemctl enable ids-auto-block.timer
# Avvia timer
sudo systemctl start ids-auto-block.timer
```
---
## ✅ Verifica Funzionamento
### Test Manuale (esegui subito)
```bash
# Esegui auto-blocking adesso (non aspettare 5 min)
sudo systemctl start ids-auto-block.service
# Controlla log output
journalctl -u ids-auto-block -n 30
```
**Output atteso**:
```
[2024-11-25 12:00:00] 🔍 Starting auto-block detection...
✓ Detection completata: 14 anomalie rilevate, 14 IP bloccati
```
### Verifica Timer Attivo
```bash
# Status timer
systemctl status ids-auto-block.timer
# Prossime esecuzioni
systemctl list-timers ids-auto-block.timer
# Ultima esecuzione
journalctl -u ids-auto-block.service -n 1
```
### Verifica IP Bloccati
**Database**:
```sql
SELECT COUNT(*) FROM detections WHERE blocked = true;
```
**MikroTik Router**:
```
/ip firewall address-list print where list=blocked_ips
```
---
## 📊 Monitoring
### Log in Tempo Reale
```bash
# Log auto-blocking
tail -f /var/log/ids/auto_block.log
# O via journalctl
journalctl -u ids-auto-block -f
```
### Statistiche Blocchi
```bash
# Conta esecuzioni ultimo giorno
journalctl -u ids-auto-block --since "1 day ago" | grep "Detection completata" | wc -l
# Totale IP bloccati oggi
journalctl -u ids-auto-block --since today | grep "IP bloccati"
```
---
## ⚙️ Configurazione
### Modifica Frequenza Esecuzione
Edita `/etc/systemd/system/ids-auto-block.timer`:
```ini
[Timer]
# Cambia 5min con frequenza desiderata (es: 10min, 1h, 30s)
OnUnitActiveSec=10min # Esegui ogni 10 minuti
```
Poi ricarica:
```bash
sudo systemctl daemon-reload
sudo systemctl restart ids-auto-block.timer
```
### Modifica Threshold Risk Score
Edita `python_ml/auto_block.py`:
```python
"risk_threshold": 80.0, # Cambia soglia (80, 90, 100, etc)
```
Poi riavvia timer:
```bash
sudo systemctl restart ids-auto-block.timer
```
---
## 🛠️ Troubleshooting
### Problema: Nessun IP bloccato
**Verifica ML Backend attivo**:
```bash
systemctl status ids-ml-backend
curl http://localhost:8000/health
```
**Verifica router configurati**:
```sql
SELECT * FROM routers WHERE enabled = true;
```
Deve esserci almeno 1 router!
### Problema: Errore "Connection refused"
ML Backend non risponde su porta 8000:
```bash
# Riavvia ML backend
sudo systemctl restart ids-ml-backend
# Verifica porta listening
netstat -tlnp | grep 8000
```
### Problema: Script non eseguito
**Verifica timer attivo**:
```bash
systemctl status ids-auto-block.timer
```
**Forza esecuzione manuale**:
```bash
sudo systemctl start ids-auto-block.service
journalctl -u ids-auto-block -n 50
```
---
## 🔄 Disinstallazione
```bash
# Stop e disabilita timer
sudo systemctl stop ids-auto-block.timer
sudo systemctl disable ids-auto-block.timer
# Rimuovi file systemd
sudo rm /etc/systemd/system/ids-auto-block.*
# Ricarica systemd
sudo systemctl daemon-reload
```
---
## 📝 Note
- **Frequenza**: 5 minuti (configurabile)
- **Risk Threshold**: 80 (solo IP critici)
- **Timeout**: 180 secondi (3 minuti max per detection)
- **Logs**: `/var/log/ids/auto_block.log` + journalctl
- **Dipendenze**: ids-ml-backend.service, postgresql-16.service
---
## ✅ Checklist Post-Installazione
- [ ] File copiati in `/etc/systemd/system/`
- [ ] Script `auto_block.py` eseguibile
- [ ] Dipendenza `requests` installata in venv
- [ ] Directory log creata (`/var/log/ids`)
- [ ] Timer abilitato e avviato
- [ ] Test manuale eseguito con successo
- [ ] IP bloccati su MikroTik verificati
- [ ] Monitoring attivo (journalctl -f)
Reference in New Issue View Git Blame Copy Permalink