Generation D:
This is the setup on which the problem was observed: secast-1.0.1.0-x86_64-ub12 on Ubuntu 12.04.4 Server LTS, with Asterisk 11.10.2.
After leaving secast (build secast-1.0.1.0-x86_64-ub12) running, the following events were captured and observed in /var/log/secast:
Sun Jun 22 14:22:45 2014, 00001403, D, Asterisk, IP '' added to watch list
Sun Jun 22 14:22:45 2014, 00000510, I, Asterisk, Detected potential intrustion attempt by username '%40102' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'
Sun Jun 22 14:23:05 2014, 00001402, D, Asterisk, IP '' on IP watch list with 2 potential intrusion attempts
Sun Jun 22 14:23:05 2014, 00000510, I, Asterisk, Detected potential intrustion attempt by username '%40102' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'
Sun Jun 22 14:23:07 2014, 00001402, D, Asterisk, IP '' on IP watch list with 3 potential intrusion attempts
Sun Jun 22 14:23:07 2014, 00000510, I, Asterisk, Detected potential intrustion attempt by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'
Sun Jun 22 14:23:27 2014, 00001402, D, Asterisk, IP '' on IP watch list with 4 potential intrusion attempts
Sun Jun 22 14:23:27 2014, 00000510, S, Asterisk, Detected excessive intrustion attempts by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'. Requesting ban.
Sun Jun 22 14:23:27 2014, 00000902, D, ThreatInfo, Adding IP address to banned IP list
Sun Jun 22 14:23:27 2014, 00000608, S, EventQueue, Banning detected IP as managed
Sun Jun 22 14:23:27 2014, 00000710, E, SystemCommand, Failed to add rule to iptables chain. Run result 0; exitcode 2 : :
Sun Jun 22 14:24:08 2014, 00001402, D, Asterisk, IP '' on IP watch list with 5 potential intrusion attempts
Sun Jun 22 14:24:08 2014, 00000510, S, Asterisk, Detected excessive intrustion attempts by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'. Requesting ban.
Sun Jun 22 14:24:08 2014, 00000900, D, ThreatInfo, Ignoring attempt to add duplicate IP to banned IP list
Sun Jun 22 14:25:28 2014, 00001402, D, Asterisk, IP '' on IP watch list with 6 potential intrusion attempts
Sun Jun 22 14:25:28 2014, 00000510, S, Asterisk, Detected excessive intrustion attempts by username '%40' at IP '' using protocol 'SIP' through security log '/var/log/asterisk/messages'. Requesting ban.
Sun Jun 22 14:25:28 2014, 00000900, D, ThreatInfo, Ignoring attempt to add duplicate IP to banned IP list
Sun Jun 22 14:35:36 2014, 00001405, D, Asterisk, IP '' removed from IP watch list due to expiration
Note the references to the IP address, where no actual IP address is shown. It appears that this empty IP reference causes the failure when attempting to add the rule to the iptables chain. In addition, the attempt to add it to the database also seems to fail (lines omitted above).
Perhaps this indicates that the IP '' case should be detected, to avoid invalid attempts to call iptables and the database.
Here are the lines from /var/log/asterisk/messages (our IP address replaced with IP_REMOVED) corresponding to the events above:
[Jun 22 14:22:45] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:22:48] NOTICE[7420][C-0000005a] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=17280b03
[Jun 22 14:22:55] NOTICE[7420][C-0000005b] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=394a4856
[Jun 22 14:23:01] NOTICE[7420][C-0000005c] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=022a0438
[Jun 22 14:23:05] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:23:07] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:23:09] NOTICE[7420][C-0000005d] chan_sip.c: Failed to authenticate device <sip:%40@IP_REMOVED>;tag=93209c36
[Jun 22 14:23:12] NOTICE[7420][C-0000005e] chan_sip.c: Failed to authenticate device <sip:%40@IP_REMOVED>;tag=cf5b9246
[Jun 22 14:23:13] NOTICE[7420][C-0000005f] chan_sip.c: Failed to authenticate device <sip:%40@IP_REMOVED>;tag=ae0ff835
[Jun 22 14:23:27] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:24:08] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
[Jun 22 14:24:21] NOTICE[7420][C-00000060] chan_sip.c: Failed to authenticate device 201<sip:201@IP_REMOVED>;tag=ba38c3c8
[Jun 22 14:25:28] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password
From what I have read, I expected IP 176.58.69.112 to have been banned.
Why is the IP '' case happening, and what can be done to correct this?
**** UPDATE ****
The following messages were observed today in /var/log/secast:
2014-06-27T09:43:23, 00001403, D, Asterisk, IP '5.11.41.130' added to watch list
2014-06-27T09:43:23, 00000510, I, Asterisk, Detected potential intrustion attempt by username '1000' at IP '5.11.41.130' using protocol 'SIP' through security log '/var/log/asterisk/messages'
2014-06-27T09:43:43, 00001402, D, Asterisk, IP '5.11.41.130' on IP watch list with 2 potential intrusion attempts
2014-06-27T09:43:43, 00000510, I, Asterisk, Detected potential intrustion attempt by username '1000' at IP '5.11.41.130' using protocol 'SIP' through security log '/var/log/asterisk/messages'
2014-06-27T09:53:52, 00001405, D, Asterisk, IP '5.11.41.130' removed from IP watch list due to expiration
These came from the following lines in /var/log/asterisk/messages:
[Jun 27 09:43:23] NOTICE[1309] chan_sip.c: Registration from '<sip:[email protected]>' failed for '5.11.41.130:12736' - Wrong password
[Jun 27 09:43:43] NOTICE[1309] chan_sip.c: Registration from '<sip:[email protected]>' failed for '5.11.41.130:12736' - Wrong password
Although there were not enough attempts to trigger a ban, it appears that the IP address 5.11.41.130 was collected as expected. Had there been more attempts, I guess the ban attempt would have succeeded.
Note that this time the username was just '1000', whereas before the usernames were '%40102' and '%40'.
Could it be that the % character is tripping up secast's parsing of the Asterisk message line, causing the IP address extraction to fail?
I will continue to monitor the logs for an actual ban event and report back.
The attacker at 176.58.69.112 is spacing out his connection attempts to avoid detection. Please make sure maxintrusioninterval is set high enough to see multiple attempts, and maxintrusions is set low enough to trigger detection within that interval. Can you post your settings from the [credentials] section of secast.conf? (Or e-mail the whole configuration file to [email protected])
We are seeing more VoIP hackers spacing out their attacks to avoid detection; some even wait a day or more between attempts. (To address this, we have increased the maximum value of the detection interval setting from 1 hour to 1 week.)
The IP '' related message is a warning that SecAst found something in the Asterisk messages file that it could not interpret. (We will put a more intelligent message in place one day.) We received your log file, ran it through the parser, and added appropriate detection for that problem line. (Digium periodically makes minor changes to the log format, and we always test the latest Asterisk release against our test scripts to catch these.)
**Update: as of SecAst version 1.0.6, these messages have been added to the signature database.
You will find that hackers/scanners are also reducing their brute-force attempts, even to as little as one attempt per day (again to avoid detection). If you want to tighten security, you can lower maxintrusions to 1 and widen the interval to 2 days or more. (This is why the attack shown in your log may have stopped at 2 attempts.)
Based on the systems we monitor under support contracts, we are seeing hackers from Palestine and Africa doing this. They are trying to stay under the radar of intrusion detection systems.
Another approach (and a more proactive one) is to use the Geo IP protection built into SecAst and block the entire country/continent these attacks come from. See this serverfault question for more information.
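The two points raised in this thread, whether a '%' in the SIP username can break IP extraction from the chan_sip line, and the maxintrusions / maxintrusioninterval windowing the answer describes, as an added Python example that is not SecAst's own code: the source address is read only from the "failed for 'IP:port'" field, so a URL-encoded username such as '%40102' cannot blank the IP, and a sliding-window counter then decides when a ban would fire. The thresholds, the year, and the log lines are constructed assumptions modelled on those quoted above, not SecAst defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Asterisk 11 chan_sip registration failure as written to /var/log/asterisk/messages.
# The IP is taken only from "failed for 'IP:port'", so '%40102' (encoded '@102') is harmless.
REG_FAIL = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '<sip:(?P<user>[^@>]*)@[^>]*>' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$"
)

def parse_reg_failure(line, year=2014):
    """Return (timestamp, username, ip, reason) or None; Asterisk omits the year (assumed)."""
    m = REG_FAIL.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"], m["reason"]

def find_bans(lines, maxintrusions=4, maxintrusioninterval=3600, year=2014):
    """Ban an IP once maxintrusions failures fall within maxintrusioninterval seconds
    (sliding window; thresholds are assumptions). Returns {ip: time of ban decision}."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        rec = parse_reg_failure(line, year)
        if rec is None:
            continue  # other NOTICE lines (e.g. "Failed to authenticate device") are ignored
        ts, _user, ip, _reason = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > maxintrusioninterval:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= maxintrusions and ip not in bans:
            bans[ip] = ts
    return bans

# Constructed sample modelled on the lines quoted in the question.
SAMPLE_LOG = [
    "[Jun 22 14:22:45] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password",
    "[Jun 22 14:22:48] NOTICE[7420][C-0000005a] chan_sip.c: Failed to authenticate device <sip:%40102@IP_REMOVED>;tag=17280b03",
    "[Jun 22 14:23:05] NOTICE[7420] chan_sip.c: Registration from '<sip:%40102@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password",
    "[Jun 22 14:23:07] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password",
    "[Jun 22 14:23:27] NOTICE[7420] chan_sip.c: Registration from '<sip:%40@IP_REMOVED>' failed for '176.58.69.112:14398' - Wrong password",
    "[Jun 27 09:43:23] NOTICE[1309] chan_sip.c: Registration from '<sip:1000@IP_REMOVED>' failed for '5.11.41.130:12736' - Wrong password",
    "[Jun 27 09:43:43] NOTICE[1309] chan_sip.c: Registration from '<sip:1000@IP_REMOVED>' failed for '5.11.41.130:12736' - Wrong password",
]
```

With the default window, only 176.58.69.112 reaches four registration failures inside an hour; with maxintrusions=1 and a two-day interval (the answer's stricter setting) 5.11.41.130 is banned on its first attempt as well.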