Here is the setup on which this issue was observed: secast-1.0.1.0-x86_64-ub12 and Asterisk 11.10.2 on Ubuntu 12.04.4 Server LTS.
After secast (build secast-1.0.1.0-x86_64-ub12) had been running, the following events were captured and observed in /var/log/secast:
Sun Jun 22 14:22:45 2014, 00001403, D, Asterisk, IP '' added to watch list
Sun Jun 22 14:22:45 2014, 00000510, I, Asterisk, Detected potential intrustion attempt by username '%40102' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'
Sun Jun 22 14:23:05 2014, 00001402, D, Asterisk, IP '' on IP watch list with 2 potential intrusion attempts
Sun Jun 22 14:23:05 2014, 00000510, I, Asterisk, Detected potential intrustion attempt by username '%40102' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'
Sun Jun 22 14:23:07 2014, 00001402, D, Asterisk, IP '' on IP watch list with 3 potential intrusion attempts
Sun Jun 22 14:23:07 2014, 00000510, I, Asterisk, Detected potential intrustion attempt by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'
Sun Jun 22 14:23:27 2014, 00001402, D, Asterisk, IP '' on IP watch list with 4 potential intrusion attempts
Sun Jun 22 14:23:27 2014, 00000510, S, Asterisk, Detected excessive intrustion attempts by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'. Requesting ban.
Sun Jun 22 14:23:27 2014, 00000902, D, ThreatInfo, Adding IP address to banned IP list
Sun Jun 22 14:23:27 2014, 00000608, S, EventQueue, Banning detected IP as managed
Sun Jun 22 14:23:27 2014, 00000710, E, SystemCommand, Failed to add rule to iptables chain. Run result 0; exitcode 2
:
:
Sun Jun 22 14:24:08 2014, 00001402, D, Asterisk, IP '' on IP watch list with 5 potential intrusion attempts
Sun Jun 22 14:24:08 2014, 00000510, S, Asterisk, Detected excessive intrustion attempts by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'. Requesting ban.
Sun Jun 22 14:24:08 2014, 00000900, D, ThreatInfo, Ignoring attempt to add duplicate IP to banned IP list
Sun Jun 22 14:25:28 2014, 00001402, D, Asterisk, IP '' on IP watch list with 6 potential intrusion attempts
Sun Jun 22 14:25:28 2014, 00000510, S, Asterisk, Detected excessive intrustion attempts by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'. Requesting ban.
Sun Jun 22 14:25:28 2014, 00000900, D, ThreatInfo, Ignoring attempt to add duplicate IP to banned IP list
Sun Jun 22 14:35:36 2014, 00001405, D, Asterisk, IP '' removed from IP watch list due to expiration
Note that no actual IP address appears in the references to IP ''. It appears that this empty IP reference is what causes the failure when the rule is added to the iptables chain. The attempt to add it to the database also appears to have failed (lines omitted above).
This may indicate that the IP '' case should be detected, so that invalid calls to iptables and the database are avoided.
Here are the lines from /var/log/asterisk/messages corresponding to the events above (with our own IP address replaced by IP_REMOVED):
[Jun 22 14:22:45] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:22:48] NOTICE[7420][C-0000005a] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=17280b03
[Jun 22 14:22:55] NOTICE[7420][C-0000005b] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=394a4856
[Jun 22 14:23:01] NOTICE[7420][C-0000005c] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=022a0438
[Jun 22 14:23:05] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:23:07] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:23:09] NOTICE[7420][C-0000005d] chan_sip.c: Failed to authenticate device <sip:%40@IP_REMOVED>;tag=93209c36
[Jun 22 14:23:12] NOTICE[7420][C-0000005e] chan_sip.c: Failed to authenticate device <sip:%40@IP_REMOVED>;tag=cf5b9246
[Jun 22 14:23:13] NOTICE[7420][C-0000005f] chan_sip.c: Failed to authenticate device <sip:%40@IP_REMOVED>;tag=ae0ff835
[Jun 22 14:23:27] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:24:08] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:24:21] NOTICE[7420][C-00000060] chan_sip.c: Failed to authenticate device 201<sip:201@IP_REMOVED>;tag=ba38c3c8
[Jun 22 14:25:28] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
From what I read in this, I would have expected IP 176.58.69.112 to be banned.
Why does the IP '' case occur, and what can be done to remedy it?
**** UPDATE ****
The following messages were observed today in /var/log/secast:
2014-06-27T09:43:23, 00001403, D, Asterisk, IP '5.11.41.130' added to watch list
2014-06-27T09:43:23, 00000510, I, Asterisk, Detected potential intrustion attempt by username '1000' at IP '5.11.41.130' using protocol 'SIP' through security log '/var/log/asterisk/messages'
2014-06-27T09:43:43, 00001402, D, Asterisk, IP '5.11.41.130' on IP watch list with 2 potential intrusion attempts
2014-06-27T09:43:43, 00000510, I, Asterisk, Detected potential intrustion attempt by username '1000' at IP '5.11.41.130' using protocol 'SIP' through security log '/var/log/asterisk/messages'
2014-06-27T09:53:52, 00001405, D, Asterisk, IP '5.11.41.130' removed from IP watch list due to expiration
These result from the following lines in /var/log/asterisk/messages:
[Jun 27 09:43:23] NOTICE[1309] chan_sip.c: Registration from '<sip:[email protected]>' failed for '5.11.41.130:12736' - Wrong password
[Jun 27 09:43:43] NOTICE[1309] chan_sip.c: Registration from '<sip:[email protected]>' failed for '5.11.41.130:12736' - Wrong password
Although the number of attempts was not enough to cause a ban, it looks like the IP address 5.11.41.130 was indeed picked up as expected. With more attempts I would guess the ban attempt would have succeeded.
Note that this time the username was simply '1000', whereas previously the usernames were '%40102' and '%40'.
Could the % character be interfering with secast's parsing of the Asterisk message lines, causing the IP address extraction to fail?
I will continue to monitor the logs for an actual ban event and report the results.
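The question hypothesises that the percent-encoded '@' in usernames such as '%40102' breaks the parsing of the chan_sip lines and leaves the IP empty, and suggests that an empty IP should be caught before iptables is called. The following added example (not the poster's code and not SecAst's; SecAst's actual parser is not on this page) shows both points in Python: a deliberately naive split that percent-decodes before looking for '@' does misparse such URIs, a hardened extractor takes the source address only from the "failed for 'ip:port'" field and validates it, and a ban-command builder refuses to produce anything for an empty or invalid address. The sample lines are constructed copies of the lines quoted above; the iptables argv is an assumed DROP rule, built but not executed.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines modelled on the chan_sip NOTICE lines quoted in the post.
SAMPLE_LINES = [
    "[Jun 22 14:22:45] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password",
    "[Jun 22 14:22:48] NOTICE[7420][C-0000005a] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=17280b03",
    "[Jun 22 14:23:07] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password",
    "[Jun 27 09:43:23] NOTICE[1309] chan_sip.c: Registration from '<sip:1000@IP_REMOVED>' failed for '5.11.41.130:12736' - Wrong password",
]


class Event(NamedTuple):
    user_raw: str              # username exactly as it appears in the SIP URI
    user_decoded: str          # percent-decoded form ('%40102' -> '@102')
    source_ip: Optional[str]   # validated peer address, or None if the line carries none


REGISTRATION_RE = re.compile(
    r"Registration from '<sip:(?P<uri>[^>]*)>' failed for '(?P<addr>[^']*)'"
)
AUTH_RE = re.compile(r"Failed to authenticate device [^<]*<sip:(?P<uri>[^>]*)>")


def split_user_host_naive(uri: str) -> Tuple[str, str]:
    """Hypothetical misparse: percent-decode first, then split on the first '@'.
    '%40102@IP_REMOVED' decodes to '@102@IP_REMOVED', so the user comes back empty
    and the host is wrong."""
    decoded = unquote(uri)
    user, _, host = decoded.partition("@")
    return user, host


def split_user_host(uri: str) -> Tuple[str, str]:
    """Split on the last '@' before decoding; a '%40' inside the user part
    cannot move the user/host boundary."""
    user, _, host = uri.rpartition("@")
    return user, host


def valid_ip(text: str) -> Optional[str]:
    """Canonical address string, or None for '' and anything that is not an IP."""
    try:
        return str(ipaddress.ip_address(text.strip().strip("[]")))
    except ValueError:
        return None


def parse_line(line: str) -> Optional[Event]:
    """Extract username and peer address from the two chan_sip line shapes above."""
    m = REGISTRATION_RE.search(line)
    if m:
        user, _ = split_user_host(m.group("uri"))
        addr = m.group("addr")
        # The peer address comes only from the 'failed for' field, never from the URI host.
        ip_text = addr.rsplit(":", 1)[0] if ":" in addr else addr
        return Event(user, unquote(user), valid_ip(ip_text))
    m = AUTH_RE.search(line)
    if m:
        user, _ = split_user_host(m.group("uri"))
        return Event(user, unquote(user), None)  # this line form has no peer address at all
    return None


def ban_command(ip: Optional[str]) -> Optional[List[str]]:
    """Build (not run) an assumed iptables DROP argv; refuse for an empty/invalid IP
    so the 'IP '' case' never reaches iptables."""
    if not ip or valid_ip(ip) is None:
        return None
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def process(lines: List[str]) -> Tuple[List[Event], List[List[str]]]:
    """Parse a batch of lines; events without a valid IP produce no ban command."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    commands = [c for c in (ban_command(e.source_ip) for e in events) if c is not None]
    return events, commands


if __name__ == "__main__":
    for ev in process(SAMPLE_LINES)[0]:
        print(ev)
```

The "Failed to authenticate device" lines never carry a peer address, so a detector that counts them must either join them to the preceding "Registration from ... failed for" line or ignore them for banning purposes; either way, nothing with an empty address should be handed to iptables or the database.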
Answer 1
The attacker at 176.58.69.112 is spacing out the connection attempts to avoid detection. Make sure maxinruptioninterval is set high enough to see multiple attempts, and maxinruptions low enough to trigger detection within that interval. Can you post your settings from the [credentials] section of secast.conf? (Or email the whole config file to [email protected])
We are finding that more and more VoIP hackers spread their attacks out over time to avoid detection - some even wait a day or more between attacks. (To address this we have increased the maximum value of the detection interval setting from 1 hour to 1 week.)
The IP-related message is a warning that SecAst found something in the Asterisk messages file that it could not interpret. (We will add a smarter message at some point in the future.) We have received your log file and will run it through our parser and add appropriate detection for the lines in question. (Digium makes minor changes to the log format periodically, and we always test the latest Asterisk release against our test scripts to catch these changes.)
** UPDATE: As of SecAst version 1.0.6, these messages have now been added to the signature database.
Answer 2
You will find that hackers/scanners are also slowing down their brute-force attempts, even to one attempt per day (again to avoid detection). If you want to tighten security, you can reduce the maximum intrusions to 1 and extend the interval to 2 days or more. (This is why the attack shown in your log probably stopped after 2 attempts.)
Based on the systems we monitor under support contracts, we see hackers in Palestine and Africa doing this frequently. They are trying to stay under the radar of intrusion detection systems.
Another option (and a more proactive way of blocking) is to use SecAst's built-in geo-IP protection and block the entire country/continent these attacks come from. See this serverfault question for more information.
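Both answers turn on the same two knobs: how many failed attempts are required, and how wide the window is in which they must fall. The added example below (written for this page; it is not SecAst's implementation, and the two parameter names are assumptions, not secast.conf keys) models a per-IP sliding window and runs two constructed cadences through it: the 20-to-80-second cadence seen in the question's log, and the once-a-day cadence the answers describe. It shows why a 1-hour window never catches the slow attacker, and why "maximum 2 within 2 days" or "maximum 1" does. The empty-IP guard from the question is included so that such entries never count towards a ban.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Sequence, Tuple


class WatchList:
    """Simplified per-IP sliding-window detector (assumed model, not SecAst's code):
    an IP is banned once `max_intrusions` failures fall within `interval`.
    Attempts older than the window are dropped, mirroring 'removed from IP watch
    list due to expiration' in the question's log."""

    def __init__(self, max_intrusions: int, interval: timedelta):
        self.max_intrusions = max_intrusions
        self.interval = interval
        self._hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned: List[str] = []

    def observe(self, ip: str, when: datetime) -> bool:
        """Record one failed attempt; return True if `ip` is (now) banned."""
        if not ip:
            return False  # the IP '' case from the question never counts towards a ban
        if ip in self.banned:
            return True
        hits = self._hits[ip]
        hits.append(when)
        # Expire attempts that have fallen outside the window.
        while hits and when - hits[0] > self.interval:
            hits.popleft()
        if len(hits) >= self.max_intrusions:
            self.banned.append(ip)
            return True
        return False


def simulate(attempts: Sequence[Tuple[str, datetime]],
             max_intrusions: int, interval: timedelta) -> Tuple[bool, int]:
    """Replay attempts; return (banned?, index of the attempt that triggered the ban, or -1)."""
    wl = WatchList(max_intrusions, interval)
    for i, (ip, when) in enumerate(attempts):
        if wl.observe(ip, when):
            return True, i
    return False, -1


# Constructed cadences. FAST uses the offsets of the 14:22:45 .. 14:25:28 lines in the
# question; SLOW is the once-a-day pattern described in the answers.
FAST_START = datetime(2014, 6, 22, 14, 22, 45)
FAST = [("176.58.69.112", FAST_START + timedelta(seconds=s)) for s in (0, 20, 22, 42, 83, 163)]
SLOW_START = datetime(2014, 6, 22)
SLOW = [("5.11.41.130", SLOW_START + timedelta(days=d)) for d in range(5)]
EMPTY = [("", FAST_START + timedelta(seconds=s)) for s in (0, 20, 22, 42)]


if __name__ == "__main__":
    print("fast, max 4 in 1h  :", simulate(FAST, 4, timedelta(hours=1)))
    print("slow, max 4 in 1h  :", simulate(SLOW, 4, timedelta(hours=1)))
    print("slow, max 2 in 2d  :", simulate(SLOW, 2, timedelta(days=2)))
    print("slow, max 1        :", simulate(SLOW, 1, timedelta(days=2)))
    print("empty ip, max 1    :", simulate(EMPTY, 1, timedelta(hours=1)))
```

Lowering the threshold to 1 means a single mistyped password from a legitimate phone also bans it, so in practice the long window is usually paired with a whitelist of known good addresses; the geo-IP blocking the second answer mentions sidesteps the trade-off for source regions that should never register at all.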