Proper way to block connections and watch requests

jdosh
DD-WRT Novice


Joined: 28 Jun 2020
Posts: 4

Posted: Sun Jun 28, 2020 22:42    Post subject: Proper way to block connections and watch requests
I have a computer with an SSH server that has been exposed to the wild with root login enabled for over a year. I don't have evidence of a break-in, but I'd like to assess this machine before using it again.

My home network consists of the ISP modem in bridge mode connected to the main router. I'm considering setting up a secondary router with dd-wrt between the main router and the suspected computer. Then, I'd block all connections to/from the computer and use Wireshark to monitor the requests to check for any suspicious IP coming up.

Is this setup possible with dd-wrt? Or is there a more clever way to monitor this computer?
Zyxx
DD-WRT User


Joined: 28 Dec 2018
Posts: 185

Posted: Mon Jun 29, 2020 16:27
One possible solution:
Activate SSH on your router (use a strong password!), change the standard port 22 to something else, connect to your router via SSH and from this device connect to your server: ssh user@address -p 12345.
It is possible to enable firewall logging in DD-WRT; entries will appear in syslog, and you can forward your syslog via the syslog server setting in DD-WRT towards your server.
On your server, grep for interesting entries in the log file.
jdosh
DD-WRT Novice


Joined: 28 Jun 2020
Posts: 4

Posted: Tue Jun 30, 2020 13:48
I'm sorry for being too concise.

The SSH exposure happened in a network other than my home network; this is why I brought it home. So, the compromise has nothing to do with my home setup.

Regarding my home setup, I'm planning to have the secondary router with dd-wrt monitor the activity coming from the potentially compromised computer, to check for any unknown IP requests as a way to assess the activity of a rootkit or malware. My goal is to assess the sanity of the system somehow.

So, I'm trying to investigate it using the tools that dd-wrt offers.
Zyxx
DD-WRT User


Joined: 28 Dec 2018
Posts: 185

Posted: Tue Jun 30, 2020 16:52
Hmmm, some devices have tcpdump included in their toolkit.
If yours also has this tool... tcpdump into a file, maybe on a network drive, and later review it with Wireshark.
But I have no experience with this kind of audit; hopefully eibgrad will chime in again :)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3642
Location: UK, London, just across the river..

Posted: Tue Jun 30, 2020 18:54
jdosh wrote:
I'm sorry for being too concise.

The SSH exposure happened in a network other than my home network; this is why I brought it home. So, the compromise has nothing to do with my home setup.

Regarding my home setup, I'm planning to have the secondary router with dd-wrt monitor the activity coming from the potentially compromised computer, to check for any unknown IP requests as a way to assess the activity of a rootkit or malware. My goal is to assess the sanity of the system somehow.

So, I'm trying to investigate it using the tools that dd-wrt offers.


Option 1:
just install Wireshark on that computer and monitor as much as you want, whatever comes in/out...

Option 2:
use tap mode + Wireshark... (you'd need a switch)...

Option 3:
via tcpdump at router level on an isolated bridge or VLAN...

tcpdump is present on high-grade routers only...
but you can install it via Entware on any router that has DD-WRT / USB and supports Entware, preferably 16MB+ flash size, RAM and a dual-core CPU...

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 43334 BS AP,NAT
TP-Link WR740Nv4 ------DD-WRT 43028 BS WAP/Switch
TP-Link WR1043NDv2 ----DD-WRT 43516 BS AP,NAT,AD Block,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 43334 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -------DD-WRT 43334 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -------DD-WRT 43334 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
jdosh
DD-WRT Novice


Joined: 28 Jun 2020
Posts: 4

Posted: Wed Jul 01, 2020 15:50
Thank you all for the advice.

I have a spare WRT54Gv8 that I can use for that, but it's limited in view of your recommendations for tcpdump, unless dd-wrt on this router supports Entware.

@eibgrad: have you used Entware with WRT54Gs? It might be an option for me.

Besides, is it possible to configure the WRT54G as a bridge using dd-wrt? I see that the original firmware doesn't include such an option.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3642
Location: UK, London, just across the river..

Posted: Wed Jul 01, 2020 18:54
Best bet for a bridge:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point

Other ways to link routers:
https://wiki.dd-wrt.com/wiki/index.php/Linking_Routers

https://wiki.dd-wrt.com/wiki/index.php/Category:Linking_Routers

jdosh
DD-WRT Novice


Joined: 28 Jun 2020
Posts: 4

Posted: Thu Jul 02, 2020 22:07
Thanks @alozaros.

Just to clarify one question that remains: can I block all connections from the compromised computer and still see the requests coming from it?

It may be possible that the router with dd-wrt just ignores everything since the connections are blocked to the outside.
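An added example, not code from the thread or from DD-WRT, covering both Zyxx's firewall-logging suggestion and the last question above (block the host, yet still see what it asks for). It assumes a suspect host at 192.168.1.50 on the router's LAN, a log prefix of "SUSPECT: ", and that the router's syslog is forwarded to the server where the summary runs; the sample log lines are constructed, using documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: the suspect host is
# 192.168.1.50 on the router's LAN, and LOG lines carry the prefix "SUSPECT: ".
SUSPECT_IP="192.168.1.50"

# Emit the iptables rules to run on the DD-WRT router (e.g. pasted into
# Administration -> Commands and saved as Firewall). DROP is inserted first
# and LOG second, so after both "-I" calls the LOG rule sits above the DROP:
# every packet the host sends through the router is recorded, then discarded.
# The limit keeps a chatty host from flooding syslog.
suspect_rules() {
    cat <<EOF
iptables -I FORWARD -s $SUSPECT_IP -j DROP
iptables -I FORWARD -s $SUSPECT_IP -m limit --limit 20/min -j LOG --log-prefix "SUSPECT: "
EOF
}

# Constructed sample of the forwarded syslog as seen on the server
# (203.0.113.x / 198.51.100.x are documentation ranges, not real indicators).
sample_log() {
    cat <<'EOF'
Jul  2 22:07:01 DD-WRT kernel: SUSPECT: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=443 SYN
Jul  2 22:07:03 DD-WRT kernel: SUSPECT: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=198.51.100.9 PROTO=UDP SPT=40001 DPT=53 LEN=41
Jul  2 22:07:05 DD-WRT kernel: SUSPECT: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP SPT=51235 DPT=443 SYN
Jul  2 22:07:09 DD-WRT kernel: SUSPECT: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.7 PROTO=ICMP TYPE=8 CODE=0
Jul  2 22:07:12 DD-WRT kernel: SUSPECT: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP SPT=51236 DPT=443 SYN
Jul  2 22:07:15 DD-WRT dnsmasq[123]: started, version 2.80 cachesize 150
EOF
}

# The server-side "grep for interesting entries" step: summarise the blocked
# attempts as "count destination protocol port", most frequent first.
# ICMP lines have no DPT, so the port column shows "-" for them.
summarise_log() {
    awk '/SUSPECT:/ {
        dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        print dst, proto, dpt
    }' "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}
```

A LOG rule records headers only, so pair it with a tcpdump capture on the bridge (as Alozaros describes) when you also need the payload. Blocking everything may also change what the malware does, so compare against a short capture taken before the DROP rule is in place.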