Security

SecAst: Failure to ban IP ''

  • June 27, 2014

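Generation D:

This is the setup on which the problem was observed: secast-1.0.1.0-x86_64-ub12 on Ubuntu 12.04.4 Server LTS with Asterisk 11.10.2.

After leaving secast (build secast-1.0.1.0-x86_64-ub12) running, the following events were captured and observed in /var/log/secast: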

Sun Jun 22 14:22:45 2014, 00001403, D, Asterisk, IP '' added to watch list
Sun Jun 22 14:22:45 2014, 00000510, I, Asterisk, Detected potential intrustion attempt by username '%40102' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'
Sun Jun 22 14:23:05 2014, 00001402, D, Asterisk, IP '' on IP watch list with 2 potential intrusion attempts
Sun Jun 22 14:23:05 2014, 00000510, I, Asterisk, Detected potential intrustion attempt by username '%40102' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'
Sun Jun 22 14:23:07 2014, 00001402, D, Asterisk, IP '' on IP watch list with 3 potential intrusion attempts
Sun Jun 22 14:23:07 2014, 00000510, I, Asterisk, Detected potential intrustion attempt by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'
Sun Jun 22 14:23:27 2014, 00001402, D, Asterisk, IP '' on IP watch list with 4 potential intrusion attempts
Sun Jun 22 14:23:27 2014, 00000510, S, Asterisk, Detected excessive intrustion attempts by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'.  Requesting ban.
Sun Jun 22 14:23:27 2014, 00000902, D, ThreatInfo, Adding IP address  to banned IP list
Sun Jun 22 14:23:27 2014, 00000608, S, EventQueue, Banning detected IP  as managed
Sun Jun 22 14:23:27 2014, 00000710, E, SystemCommand, Failed to add rule to iptables chain.  Run result 0; exitcode 2
:
:
Sun Jun 22 14:24:08 2014, 00001402, D, Asterisk, IP '' on IP watch list with 5 potential intrusion attempts
Sun Jun 22 14:24:08 2014, 00000510, S, Asterisk, Detected excessive intrustion attempts by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'.  Requesting ban.
Sun Jun 22 14:24:08 2014, 00000900, D, ThreatInfo, Ignoring attempt to add duplicate IP  to banned IP list
Sun Jun 22 14:25:28 2014, 00001402, D, Asterisk, IP '' on IP watch list with 6 potential intrusion attempts
Sun Jun 22 14:25:28 2014, 00000510, S, Asterisk, Detected excessive intrustion attempts by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'.  Requesting ban.
Sun Jun 22 14:25:28 2014, 00000900, D, ThreatInfo, Ignoring attempt to add duplicate IP  to banned IP list
Sun Jun 22 14:35:36 2014, 00001405, D, Asterisk, IP '' removed from IP watch list due to expiration

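Note the references to IP '', where no actual IP address is shown. This empty IP reference appears to cause the failure when trying to add the rule to the iptables chain. In addition, the attempt to add it to the database appears to have failed (lines omitted above).

Perhaps this indicates that the case of IP '' should be detected, to avoid invalid attempts against iptables and the database.

Here are the lines from /var/log/asterisk/messages corresponding to the events above (with our IP address replaced by IP_REMOVED):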

[Jun 22 14:22:45] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:22:48] NOTICE[7420][C-0000005a] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=17280b03
[Jun 22 14:22:55] NOTICE[7420][C-0000005b] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=394a4856
[Jun 22 14:23:01] NOTICE[7420][C-0000005c] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=022a0438
[Jun 22 14:23:05] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:23:07] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:23:09] NOTICE[7420][C-0000005d] chan_sip.c: Failed to authenticate device <sip:%40@IP_REMOVED>;tag=93209c36
[Jun 22 14:23:12] NOTICE[7420][C-0000005e] chan_sip.c: Failed to authenticate device <sip:%40@IP_REMOVED>;tag=cf5b9246
[Jun 22 14:23:13] NOTICE[7420][C-0000005f] chan_sip.c: Failed to authenticate device <sip:%40@IP_REMOVED>;tag=ae0ff835
[Jun 22 14:23:27] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:24:08] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:24:21] NOTICE[7420][C-00000060] chan_sip.c: Failed to authenticate device 201<sip:201@IP_REMOVED>;tag=ba38c3c8
[Jun 22 14:25:28] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password

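Given what I read from this, I expected IP 176.58.69.112 to have been banned.

Why does the IP '' case occur, and what measures can be taken to resolve it?

**** UPDATE ****

Today the following messages were observed in /var/log/secast: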

2014-06-27T09:43:23, 00001403, D, Asterisk, IP '5.11.41.130' added to watch list
2014-06-27T09:43:23, 00000510, I, Asterisk, Detected potential intrustion attempt by username '1000' at IP '5.11.41.130' using protocol 'SIP' through security log '/var/log/asterisk/messages'
2014-06-27T09:43:43, 00001402, D, Asterisk, IP '5.11.41.130' on IP watch list with 2 potential intrusion attempts
2014-06-27T09:43:43, 00000510, I, Asterisk, Detected potential intrustion attempt by username '1000' at IP '5.11.41.130' using protocol 'SIP' through security log '/var/log/asterisk/messages'
2014-06-27T09:53:52, 00001405, D, Asterisk, IP '5.11.41.130' removed from IP watch list due to expiration

These result from the following lines in /var/log/asterisk/messages:

[Jun 27 09:43:23] NOTICE[1309] chan_sip.c: Registration from '<sip:1000@69.165.131.4>' failed for '5.11.41.130:12736' - Wrong password
[Jun 27 09:43:43] NOTICE[1309] chan_sip.c: Registration from '<sip:1000@69.165.131.4>' failed for '5.11.41.130:12736' - Wrong password

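Although there were not enough attempts to cause a ban to occur, the IP address 5.11.41.130 appears to have been picked up as expected. Had there been more attempts, I guess the ban attempt would have succeeded this time.

Note that this time the username was simply "1000", whereas previously the usernames were "%40102" and "%40".

Could the % character be causing secast's parsing of the Asterisk message lines to go wrong, so that extraction of the IP address fails?

I will continue monitoring the logs for an actual ban event and report back.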

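The attacker at 176.58.69.112 is spacing out his connection attempts to avoid detection. Make sure maxintrusioninterval is set high enough to see multiple attempts, and maxintrusion is set low enough to trigger detection within that interval. Can you post your settings from the credentials section of secast.conf? (Or email the entire configuration file to support@generationd.com.) We are seeing more and more VoIP hackers spacing out their attacks to avoid detection; some even wait a day or more between attempts. (We have increased the maximum value of the detection interval setting from 1 hour to 1 week to address this.)

The IP '' related messages are a warning that SecAst found something it could not interpret in the Asterisk messages file. (We will release a smarter message someday.) We have received your log file and will run it through our parser and add appropriate detection for the problematic lines. (Digium periodically makes minor changes to the log format, and we always test the latest Asterisk builds against our test scripts to catch these.)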

** Update: As of SecAst version 1.0.6, these messages have now been added to the signature database.
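
The two points raised in this thread, rejecting an empty or malformed address before anything reaches iptables and counting failures per IP inside an interval, are shown together in the following added example; it is not SecAst's code and not part of either post. The function names, the `max_intrusion`/`interval` values and their exact semantics are assumptions; the sample lines are taken from the excerpts above, plus one constructed line with an empty peer.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Asterisk lines from this page, plus a final constructed line with an empty peer.
SAMPLE = """\
[Jun 22 14:22:45] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:22:48] NOTICE[7420][C-0000005a] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=17280b03
[Jun 22 14:23:05] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:23:07] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:23:27] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 27 09:43:23] NOTICE[1309] chan_sip.c: Registration from '<sip:1000@69.165.131.4>' failed for '5.11.41.130:12736' - Wrong password
[Jun 27 09:43:43] NOTICE[1309] chan_sip.c: Registration from '<sip:1000@69.165.131.4>' failed for '5.11.41.130:12736' - Wrong password
[Jun 27 09:50:00] NOTICE[1309] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '' - Wrong password
"""

REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ [\d:]{8})\] NOTICE\[\d+\](?:\[C-\w+\])? chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<peer>[^']*)' - Wrong password")

def parse_failure(line, year=2014):
    """Return (time, username, ip) for a failed registration, else None."""
    m = REG.match(line)
    if not m:
        return None  # e.g. "Failed to authenticate device" lines carry no peer
    host = m["peer"].rsplit(":", 1)[0].strip("[]")  # drop the port
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # empty or malformed address: never hand it to a ban
    user = re.search(r"sip:([^@>]*)@", m["from"])
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, user.group(1) if user else "", str(ip)

def ban_candidates(lines, max_intrusion=4, interval=timedelta(minutes=10)):
    """IPs with at least max_intrusion failures inside a sliding interval."""
    seen, banned = {}, []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        when, _user, ip = hit
        recent = [t for t in seen.get(ip, []) if when - t <= interval] + [when]
        seen[ip] = recent
        if len(recent) >= max_intrusion and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print(ban_candidates(SAMPLE.splitlines()))
```

Widening `interval` and lowering `max_intrusion` is what catches attempts that are spaced out, which is the tuning the answer describes.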

Quoted from: https://serverfault.com/questions/607940