diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index f1612c7..176408d 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -984,8 +984,14 @@ batch_block_ips() {
 fi
 # Add directly to CSF's chain_DENY ipset (instant kernel-level blocking)
- if ipset add chain_DENY "$ip" -exist 2>/dev/null; then
- echo "[$(date +"%H:%M:%S")] BATCH_BLOCK: chain_DENY ipset SUCCESS for $ip" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
+ # Include 1-hour timeout if chain_DENY supports it
+ if ipset add chain_DENY "$ip" timeout 3600 -exist 2>/dev/null; then
+ echo "[$(date +"%H:%M:%S")] BATCH_BLOCK: chain_DENY ipset SUCCESS for $ip (timeout 1h)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
+ ((blocked++))
+ echo "$ip" >> "$TEMP_DIR/blocked_ips_cache"
+ elif ipset add chain_DENY "$ip" -exist 2>/dev/null; then
+ # Fallback: chain_DENY doesn't support timeout (CSF will manage via csf -td in background)
+ echo "[$(date +"%H:%M:%S")] BATCH_BLOCK: chain_DENY ipset SUCCESS for $ip (no timeout - CSF managed)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
 ((blocked++))
 echo "$ip" >> "$TEMP_DIR/blocked_ips_cache"
 else
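Review bot: The `elif` fallback in `batch_block_ips` leaves an entry in `chain_DENY` with no expiry, and the only assurance that it will be removed is the comment about `csf -td`, whose call is not visible in this hunk; if that background step fails or is skipped, the block is permanent while `blocked_ips_cache` records it exactly like a 1-hour block. Because both `ipset add` attempts send stderr to `/dev/null`, the fallback also runs on any failure of the first attempt, not only when the set lacks timeout support. Consider detecting timeout support once before the loop, e.g. `ipset list chain_DENY -terse 2>/dev/null | grep -q '^Header:.* timeout '`, and on the no-timeout path writing the IP to a separate list that the expiry step can verify. The function starts and ends outside the hunk, so the `csf -td` handling may already cover part of this.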