Track rogue client behavior only under Basic128Rsa15 security policy

OPCFoundation · Nov 20, 2024 · 9d1b738 · 9d1b738
1 parent ae96ded
commit 9d1b738
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 11 deletions.
diff --git a/Stack/Opc.Ua.Core/Stack/Tcp/TcpListenerChannel.cs b/Stack/Opc.Ua.Core/Stack/Tcp/TcpListenerChannel.cs
@@ -268,8 +268,9 @@ protected void ForceChannelFault(ServiceResult reason)
 
                 if (close)
                 {
-                    // mark the RemoteAddress as potential rogue
-                    if (reason.StatusCode == StatusCodes.BadSecurityChecksFailed || reason.StatusCode == StatusCodes.BadTcpMessageTypeInvalid)
+                    // mark the RemoteAddress as potential rogue if Basic128Rsa15
+                    if ((SecurityPolicyUri == SecurityPolicies.Basic128Rsa15) &&
+                        (reason.StatusCode == StatusCodes.BadSecurityChecksFailed || reason.StatusCode == StatusCodes.BadTcpMessageTypeInvalid))
                     {
                         var tcpTransportListener = m_listener as TcpTransportListener;
                         if (tcpTransportListener != null)

diff --git a/Stack/Opc.Ua.Core/Stack/Tcp/TcpTransportListener.cs b/Stack/Opc.Ua.Core/Stack/Tcp/TcpTransportListener.cs
@@ -551,7 +551,11 @@ public void Start()
         {
             lock (m_lock)
             {
-                m_rogueClientTracker = new RogueClientTracker();
+                // Track rogue client behavior only if Basic128Rsa15 security policy is offered
+                if (m_descriptions.Any(d => d.SecurityPolicyUri == SecurityPolicies.Basic128Rsa15))
+                {
+                    m_rogueClientTracker = new RogueClientTracker();
+                }
 
                 // ensure a valid port.
                 int port = m_uri.Port;
@@ -734,8 +738,8 @@ public void CertificateUpdate(
         /// <param name="remoteEndpoint"></param>
         internal void MarkAsPotentialRogue(IPAddress remoteEndpoint)
         {
-            Utils.LogError("MarkClientAsPotentialRogue address: {0} ", remoteEndpoint.ToString());
-            m_rogueClientTracker.AddRogueClientAction(remoteEndpoint);
+            Utils.LogInfo("MarkClientAsPotentialRogue address: {0} ", remoteEndpoint.ToString());
+            m_rogueClientTracker?.AddRogueClientAction(remoteEndpoint);
         }
         #endregion
 
@@ -752,13 +756,17 @@ private void OnAccept(object sender, SocketAsyncEventArgs e)
             {
                 bool isRogue = false;
 
-                // Filter out the Remote IP addresses which are detected with rogue behavior
-                IPAddress ipAddress = ((IPEndPoint)e?.AcceptSocket?.RemoteEndPoint)?.Address;
-                if (ipAddress != null && m_rogueClientTracker.IsBlocked(ipAddress))
+                // Track rogue client behavior only if Basic128Rsa15 security policy is offered
+                if (m_rogueClientTracker != null)
                 {
-                    Utils.LogError("OnAccept: RemoteEndpoint address: {0} refused access for behaving as potential rogue ",
-                        ((IPEndPoint)e.AcceptSocket.RemoteEndPoint).Address.ToString());
-                    isRogue = true;
+                    // Filter out the Remote IP addresses which are detected with rogue behavior
+                    IPAddress ipAddress = ((IPEndPoint)e?.AcceptSocket?.RemoteEndPoint)?.Address;
+                    if (ipAddress != null && m_rogueClientTracker.IsBlocked(ipAddress))
+                    {
+                        Utils.LogError("OnAccept: RemoteEndpoint address: {0} refused access for behaving as potential rogue ",
+                            ((IPEndPoint)e.AcceptSocket.RemoteEndPoint).Address.ToString());
+                        isRogue = true;
+                    }
                 }
 
                 repeatAccept = false;