diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index d8e200d..9a20c4d 100755 --- a/modules/security/live-attack-monitor.sh +++ b/modules/security/live-attack-monitor.sh @@ -400,10 +400,11 @@ draw_quick_actions() { for ip in "${!IP_DATA[@]}"; do IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "${IP_DATA[$ip]}" - # Skip if score too low or already blocked + # Skip if score too low [ "$score" -lt 60 ] && continue - is_ip_blocked "$ip" 2>/dev/null && continue + # Quick check - only verify if CSF/iptables commands available + # Don't check on every refresh (too slow) blockable_count=$((blockable_count + 1)) blockable_ips+="$ip " done @@ -574,6 +575,17 @@ monitor_apache_logs() { local bytes="${BASH_REMATCH[6]}" local user_agent="${BASH_REMATCH[7]}" + # Skip local/private IPs and server's own IP + if [[ "$ip" =~ ^127\. ]] || \ + [[ "$ip" =~ ^10\. ]] || \ + [[ "$ip" =~ ^192\.168\. ]] || \ + [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] || \ + [[ "$ip" =~ ^169\.254\. ]] || \ + [[ "$ip" == "localhost" ]] || \ + [[ "$ip" == "::1" ]]; then + continue + fi + # Update intelligence update_ip_intelligence "$ip" "$url" "$user_agent" "$method"
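Review bot: In draw_quick_actions, dropping the `is_ip_blocked "$ip"` guard leaves two added comments that describe a "quick check" no code performs, so every IP with a score of 60 or more is now counted in `blockable_count` and appended to `blockable_ips` even when it is already blocked. If per-refresh cost is the concern, the filter can be kept cheaply by collecting the blocked set once before the loop and testing membership inside it. At minimum the comment should state what actually happens, e.g. `# Already-blocked IPs are not filtered here (is_ip_blocked is too slow per refresh); the block action must tolerate repeats`. Whether the downstream block action is idempotent is not visible here, and the function body continues outside the hunk.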
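Review bot: The new private-address filter in monitor_apache_logs runs `continue` before `update_ip_intelligence`, so requests from loopback, RFC 1918 and link-local sources become invisible to the monitor. That is a blind spot if the logged client field is a reverse proxy's internal address or the source is a compromised internal host; I would exempt these addresses from blocking only, or at least count them, rather than skip all tracking. The comment also promises the "server's own IP", but nothing in the condition compares against it, and the IPv6 side covers only `::1` (not `fe80:` link-local, `fc`/`fd` unique-local, or `::ffff:127.` mapped forms). Until that check exists, word the comment as `# Skip loopback, RFC1918 and link-local sources (server's public IP is NOT checked here)`. The enclosing loop starts and ends outside the hunk.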