src/tasks/top_attacking_ips.py

# tasks/export_malicious_ips.py

import os
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo
from logger import get_app_logger
from database import get_database
from models import AccessLog
from sqlalchemy import distinct

app_logger = get_app_logger()

# ----------------------
# TASK CONFIG
# ----------------------
TASK_CONFIG = {
    "name": "export-malicious-ips",
    "cron": "*/5 * * * *",
    "enabled": True,
    "run_when_loaded": True
}

EXPORTS_DIR = "exports"
OUTPUT_FILE = os.path.join(EXPORTS_DIR, "malicious_ips.txt")

# ----------------------
# TASK LOGIC
# ----------------------
def has_recent_honeypot_access(session, minutes: int = 5) -> bool:
    """Check if honeypot was accessed in the last N minutes."""
    cutoff_time = datetime.now() - timedelta(minutes=minutes)
    count = session.query(AccessLog).filter(
        AccessLog.is_honeypot_trigger == True,
        AccessLog.timestamp >= cutoff_time
    ).count()
    return count > 0

def main():
    """
    Export all IPs flagged as suspicious to a text file.
    TasksMaster will call this function based on the cron schedule.
    """
    task_name = TASK_CONFIG.get("name")
    app_logger.info(f"[Background Task] {task_name} starting...")

    try:
        db = get_database()
        session = db.session

        # Check for recent honeypot activity
        if not has_recent_honeypot_access(session):
            app_logger.info(f"[Background Task] {task_name} skipped - no honeypot access in last 5 minutes")
            return

        # Query distinct suspicious IPs
        results = session.query(distinct(AccessLog.ip)).filter(
            AccessLog.is_suspicious == True
        ).all()

        # Ensure exports directory exists
        os.makedirs(EXPORTS_DIR, exist_ok=True)

        # Write IPs to file (one per line)
        with open(OUTPUT_FILE, 'w') as f:
            for (ip,) in results:
                f.write(f"{ip}\n")

        app_logger.info(f"[Background Task] {task_name} exported {len(results)} IPs to {OUTPUT_FILE}")

    except Exception as e:
        app_logger.error(f"[Background Task] {task_name} failed: {e}")
    finally:
        db.close_session()
Add background task to export suspicious IPs to text file - Implement export-malicious-ips task that queries distinct IPs flagged as is_suspicious from database and writes to exports/malicious_ips.txt - Add exports volume mount to docker-compose.yaml for host persistence - Update entrypoint.sh to fix ownership of exports directory for krawl user - Update Dockerfile to create /app/exports directory during build Other tasks can be added by creating them in the tasks dir using the same setup as this task. All tasks MUST include a TASK_CONFIG dict and a main method in the file to work correctly. 2026-01-05 11:54:02 -06:00			`# tasks/export_malicious_ips.py`

			`import os`
Optimize scheduled tasks to reduce unnecessary processing - Add conditional execution to export-malicious-ips task: only runs when honeypot was accessed in last 5 minutes - Add since_minutes parameter to get_access_logs() for time filtering - Optimize analyze-ips task to only process IPs with activity in the last minute, fetching full history per-IP instead of all logs - Exclude RFC1918 private addresses and non-routable IPs from IP reputation enrichment (10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x) 2026-01-15 13:30:35 -06:00			`from datetime import datetime, timedelta`
			`from zoneinfo import ZoneInfo`
Add background task to export suspicious IPs to text file - Implement export-malicious-ips task that queries distinct IPs flagged as is_suspicious from database and writes to exports/malicious_ips.txt - Add exports volume mount to docker-compose.yaml for host persistence - Update entrypoint.sh to fix ownership of exports directory for krawl user - Update Dockerfile to create /app/exports directory during build Other tasks can be added by creating them in the tasks dir using the same setup as this task. All tasks MUST include a TASK_CONFIG dict and a main method in the file to work correctly. 2026-01-05 11:54:02 -06:00			`from logger import get_app_logger`
			`from database import get_database`
			`from models import AccessLog`
			`from sqlalchemy import distinct`

			`app_logger = get_app_logger()`

			`# ----------------------`
			`# TASK CONFIG`
			`# ----------------------`
			`TASK_CONFIG = {`
			`"name": "export-malicious-ips",`
			`"cron": "/5 * * *",`
			`"enabled": True,`
			`"run_when_loaded": True`
			`}`

			`EXPORTS_DIR = "exports"`
			`OUTPUT_FILE = os.path.join(EXPORTS_DIR, "malicious_ips.txt")`

			`# ----------------------`
			`# TASK LOGIC`
			`# ----------------------`
Optimize scheduled tasks to reduce unnecessary processing - Add conditional execution to export-malicious-ips task: only runs when honeypot was accessed in last 5 minutes - Add since_minutes parameter to get_access_logs() for time filtering - Optimize analyze-ips task to only process IPs with activity in the last minute, fetching full history per-IP instead of all logs - Exclude RFC1918 private addresses and non-routable IPs from IP reputation enrichment (10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x) 2026-01-15 13:30:35 -06:00			`def has_recent_honeypot_access(session, minutes: int = 5) -> bool:`
			`"""Check if honeypot was accessed in the last N minutes."""`
feat:removed manual timezone management, delegate timezone configuration to execution environment removed code that manages timezone setup from config file, krawl now obeys to the environment configuration 2026-01-17 18:06:09 +01:00			`cutoff_time = datetime.now() - timedelta(minutes=minutes)`
Optimize scheduled tasks to reduce unnecessary processing - Add conditional execution to export-malicious-ips task: only runs when honeypot was accessed in last 5 minutes - Add since_minutes parameter to get_access_logs() for time filtering - Optimize analyze-ips task to only process IPs with activity in the last minute, fetching full history per-IP instead of all logs - Exclude RFC1918 private addresses and non-routable IPs from IP reputation enrichment (10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x) 2026-01-15 13:30:35 -06:00			`count = session.query(AccessLog).filter(`
			`AccessLog.is_honeypot_trigger == True,`
			`AccessLog.timestamp >= cutoff_time`
			`).count()`
			`return count > 0`

Add background task to export suspicious IPs to text file - Implement export-malicious-ips task that queries distinct IPs flagged as is_suspicious from database and writes to exports/malicious_ips.txt - Add exports volume mount to docker-compose.yaml for host persistence - Update entrypoint.sh to fix ownership of exports directory for krawl user - Update Dockerfile to create /app/exports directory during build Other tasks can be added by creating them in the tasks dir using the same setup as this task. All tasks MUST include a TASK_CONFIG dict and a main method in the file to work correctly. 2026-01-05 11:54:02 -06:00			`def main():`
			`"""`
			`Export all IPs flagged as suspicious to a text file.`
			`TasksMaster will call this function based on the cron schedule.`
			`"""`
			`task_name = TASK_CONFIG.get("name")`
			`app_logger.info(f"[Background Task] {task_name} starting...")`

			`try:`
			`db = get_database()`
			`session = db.session`

Optimize scheduled tasks to reduce unnecessary processing - Add conditional execution to export-malicious-ips task: only runs when honeypot was accessed in last 5 minutes - Add since_minutes parameter to get_access_logs() for time filtering - Optimize analyze-ips task to only process IPs with activity in the last minute, fetching full history per-IP instead of all logs - Exclude RFC1918 private addresses and non-routable IPs from IP reputation enrichment (10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x) 2026-01-15 13:30:35 -06:00			`# Check for recent honeypot activity`
			`if not has_recent_honeypot_access(session):`
			`app_logger.info(f"[Background Task] {task_name} skipped - no honeypot access in last 5 minutes")`
			`return`

Add background task to export suspicious IPs to text file - Implement export-malicious-ips task that queries distinct IPs flagged as is_suspicious from database and writes to exports/malicious_ips.txt - Add exports volume mount to docker-compose.yaml for host persistence - Update entrypoint.sh to fix ownership of exports directory for krawl user - Update Dockerfile to create /app/exports directory during build Other tasks can be added by creating them in the tasks dir using the same setup as this task. All tasks MUST include a TASK_CONFIG dict and a main method in the file to work correctly. 2026-01-05 11:54:02 -06:00			`# Query distinct suspicious IPs`
			`results = session.query(distinct(AccessLog.ip)).filter(`
			`AccessLog.is_suspicious == True`
			`).all()`

			`# Ensure exports directory exists`
			`os.makedirs(EXPORTS_DIR, exist_ok=True)`

			`# Write IPs to file (one per line)`
			`with open(OUTPUT_FILE, 'w') as f:`
			`for (ip,) in results:`
			`f.write(f"{ip}\n")`

			`app_logger.info(f"[Background Task] {task_name} exported {len(results)} IPs to {OUTPUT_FILE}")`

			`except Exception as e:`
			`app_logger.error(f"[Background Task] {task_name} failed: {e}")`
			`finally:`
			`db.close_session()`