Security =>incoming Log (Log_incoming.asp) what caused th

DD-WRT Forum Index -> Advanced Networking
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

PostPosted: Thu Feb 02, 2023 19:30    Post subject: Security =>incoming Log (Log_incoming.asp) what caused th
Looking at list of dropped connections in Log_incoming.asp

Are these entries due to port scanning?
Is there any reason you shouldn't block entries found in this list permanently?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Thu Feb 02, 2023 20:00    Post subject:
What... Rolling Eyes where... Rolling Eyes The more we know, the better it gets... so far, tons of details are missing... Rolling Eyes

In general the SPI firewall works OK, unless you've compromised it from inside...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

PostPosted: Thu Feb 02, 2023 20:58    Post subject:
The contents change constantly... here is a snapshot.

Questions:
- what causes these to appear
- Is there any reason I shouldn't parse this list and block them permanently?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

PostPosted: Thu Feb 02, 2023 20:59    Post subject:
If your WAN IP is public, you'll want to sanitize that information. This info is written to /var/log/messages as well. You should be able to 'cat /var/log/messages | grep DROP', sanitize any sensitive information, and post.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

PostPosted: Thu Feb 02, 2023 21:20    Post subject:
Doing this: grep -i drop /var/log/messages

results in lots of info about "authpriv.info dropbear".
There is nothing there about dropped connections.

Is there a reason to look here, since I've already parsed them out of the other page?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Thu Feb 02, 2023 23:21    Post subject:
Question: do you by any chance have remote administration enabled... and which exactly...?

If SSH is exposed to the WAN and you have lots of drops related to dropbear... then it's under pressure...
The correct way to use SSH via WAN is to secure it with a key file only and disable password authorisation... change its port to something different from 22, like above 40000 or even around 50000.

In general, as the SPI firewall is working, if you activate the firewall log you will see lots of DROPs...
and those are normal, as those are not related/established to your network... so all inbound is DROP by default, unless it's related/established/initiated from inside...

You could be on a very noisy WAN, so lots of DROPs... if something is very bad, it will be in the standard syslog even if the firewall log is not set in the Security/Firewall page... so you don't need it, unless for a very specific use...
You don't need the firewall log set to high, as it will spam your syslog badly....

Last... in the Security page enable those boxes related to limiting SSH, telnet, etc.
so those tries will be limited to a few and then blocked for a period of time... in general I disable telnet as it's not secure at all... and for local (LAN) use it comes enabled by default... and shares the router password... one more good reason to have a strong password...

If your remote administration is not enabled and you have those drops about dropbear, then someone on your local LAN is trying your SSH... or a compromised IoT/smart device or malware...

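As an added example (not code from any poster in this thread or from DD-WRT itself), here is a POSIX shell script that does what kernel-panic69 suggested and what the post above describes: it pulls the netfilter DROP lines out of a syslog, separates them from the unrelated dropbear lines that a plain `grep -i drop` also matches (the reason the earlier grep showed only "authpriv.info dropbear"), and summarises each source by how many drops it produced and how many distinct destination ports it touched, which is the usual first cut at telling a port scan (many ports, few packets each) from a brute-force attempt (one port, repeated). The log lines are constructed, abridged samples in the format the iptables LOG target writes, using RFC 5737 documentation addresses; the thresholds in `classify` are this example's own choice, not anything DD-WRT defines.

```shell
#!/bin/sh
# Added example: summarise netfilter DROP entries from a router syslog.
# SAMPLE_LOG is a constructed, abridged sample in the format the iptables
# LOG target writes (DD-WRT's firewall log uses that target). Addresses
# are RFC 5737 documentation ranges; the last line is an unrelated
# dropbear message that a plain 'grep -i drop' would also match.
SAMPLE_LOG='Feb  2 19:30:01 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.10 DST=198.51.100.20 LEN=44 TTL=48 PROTO=TCP SPT=41022 DPT=22 SYN
Feb  2 19:30:02 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.10 DST=198.51.100.20 LEN=44 TTL=48 PROTO=TCP SPT=41022 DPT=23 SYN
Feb  2 19:30:03 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.10 DST=198.51.100.20 LEN=44 TTL=48 PROTO=TCP SPT=41022 DPT=80 SYN
Feb  2 19:30:04 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.10 DST=198.51.100.20 LEN=44 TTL=48 PROTO=TCP SPT=41022 DPT=443 SYN
Feb  2 19:30:05 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.10 DST=198.51.100.20 LEN=44 TTL=48 PROTO=TCP SPT=41022 DPT=8080 SYN
Feb  2 19:30:10 router kernel: DROP IN=vlan2 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=60 TTL=52 PROTO=TCP SPT=55001 DPT=22 SYN
Feb  2 19:30:11 router kernel: DROP IN=vlan2 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=60 TTL=52 PROTO=TCP SPT=55002 DPT=22 SYN
Feb  2 19:30:12 router kernel: DROP IN=vlan2 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=60 TTL=52 PROTO=TCP SPT=55003 DPT=22 SYN
Feb  2 19:30:20 router kernel: DROP IN=vlan2 OUT= SRC=198.51.100.9 DST=198.51.100.20 LEN=70 TTL=60 PROTO=UDP SPT=5353 DPT=53
Feb  2 19:30:21 router authpriv.info dropbear[1234]: Child connection from 192.168.1.50:51000'

# The log is a constructed variable here; on the router this would be
# 'cat /var/log/messages' instead.
log_source() {
    printf '%s\n' "$SAMPLE_LOG"
}

# Case-insensitive 'drop' matches dropbear too: this is the count the
# thread's 'grep -i drop /var/log/messages' would report.
naive_drop_count() {
    log_source | grep -ic drop
}

# Only lines the kernel's netfilter LOG target wrote with the DROP prefix.
drop_lines() {
    log_source | grep 'kernel: DROP'
}

# field NAME: print the value of NAME=value from each line on stdin.
field() {
    sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# Number of dropped packets from one source. The trailing space forces an
# exact match, so 203.0.113.1 does not also match 203.0.113.10.
count_drops_for() {
    drop_lines | grep -c "SRC=$1 "
}

# Number of distinct destination ports one source was dropped on.
distinct_ports_for() {
    drop_lines | grep "SRC=$1 " | field DPT | sort -u | wc -l | tr -d ' '
}

# Rough triage. Thresholds are this example's own choice, not DD-WRT's:
# many distinct ports looks like a scan, repeated hits on one port looks
# like a brute-force or repeated connection attempt, anything else is noise.
classify() {
    n=$(count_drops_for "$1")
    p=$(distinct_ports_for "$1")
    if [ "$p" -ge 3 ]; then
        echo scan-like
    elif [ "$n" -ge 3 ] && [ "$p" -eq 1 ]; then
        echo repeat-single-port
    else
        echo sporadic
    fi
}

# Per-source summary, busiest source first.
report() {
    drop_lines | field SRC | sort | uniq -c | sort -rn |
    while read -r n src; do
        printf '%-16s %3d drops %3d ports  %s\n' \
            "$src" "$n" "$(distinct_ports_for "$src")" "$(classify "$src")"
    done
}

echo "lines matching 'grep -i drop': $(naive_drop_count)"
echo "netfilter DROP lines:          $(drop_lines | wc -l | tr -d ' ')"
report
```

On a real router the interesting check is the gap between the two counts printed first: if `drop_lines` is empty while `naive_drop_count` is not, the firewall log is simply not enabled (or is being written elsewhere), which is the situation inetquestion describes, and the dropbear lines are authentication events on the SSH daemon, not firewall drops.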
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Thu Feb 02, 2023 23:38    Post subject:
If you select anything to limit connections, it exposes those ports on the WAN, you don't have to enable remote anything. Also, there is a long-standing complaint about firewall log settings being reversed (high is low, low is high).
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

PostPosted: Thu Feb 02, 2023 23:59    Post subject:
Tried log level on low & high, there is nothing there about dropped connections.

However, not concerned with figuring out why messages aren't logged in /var/log/messages as I've already parsed info produced by Log_incoming.asp with an auxiliary script.

If you have information as to what causes an entry to be shown there and what causes it to go away, that would be helpful. The list of IPs seems to change rapidly; curious what controls/causes it.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Fri Feb 03, 2023 0:48    Post subject:
dale_gribble39 wrote:
If you select anything to limit connections, it exposes those ports on the WAN....
Please elaborate this bit... even if those are not active/enabled... Question
So, if I disable limit SSH over WAN, my remote SSH will stay not exposed?? Laughing Laughing this sounds kinky Laughing Laughing

although it does say:

Impede WAN DoS / Bruteforce - I don't think enabling those, if there is no remote administration enabled, should expose those ports to the WAN; at least it doesn't sound correct...
I also checked cat /tmp/.ipt and can't even see those rules being created if I check those boxes... I don't have any remote admin enabled... so I believe those are not exposed until you enable any related remote admin in general...

dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Fri Feb 03, 2023 1:25    Post subject:
Alozaros wrote:
dale_gribble39 wrote:
If you select anything to limit connections, it exposes those ports on the WAN....
Please elaborate this bit... even if those are not active/enabled... Question
So, if I disable limit SSH over WAN, my remote SSH will stay not exposed?? Laughing Laughing this sounds kinky Laughing Laughing

although it does say:

Impede WAN DoS / Bruteforce - I don't think enabling those, if there is no remote administration enabled, should expose those ports to the WAN; at least it doesn't sound correct...
I also checked cat /tmp/.ipt and can't even see those rules being created if I check those boxes... I don't have any remote admin enabled... so I believe those are not exposed until you enable any related remote admin in general...

How do you think it impedes it? It has to conntrack and listen to connection attempts on the ports via the firewall, which exposes the ports. You should probably search the tickets and forum <eyeroll>

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Fri Feb 03, 2023 8:18    Post subject:
I already checked your idea...
So, if I have all limit boxes checked/enabled... and don't have any remote administration services enabled... via the remote administration section in the GUI... those rules that you claim were created are not present in the cat /tmp/.ipt output, so myth busted... no rules, no exposure to the WAN, with or without limits...

If you have any of the remote administration services enabled and then the corresponding service limit enabled, then the rules appear in the cat /tmp/.ipt output... and this is the expected behaviour...


dale_gribble39 wrote:
If you select anything to limit connections, it exposes those ports on the WAN, you don't have to enable remote anything.


I'm sorry for the inconvenience if I misunderstood your post from above, but it seemed like you told us that if you enable any of the limits then your WAN gets exposed even without enabling any of the remote administration services... yep, eye-roll Rolling Eyes

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

PostPosted: Fri Feb 03, 2023 17:10    Post subject:
Unless something has changed in the code....

Someone tried to hack into my Network

New Build - 08/30/2021 - r47282

Limit ssh/telnet access

Impede WAN DoS/Bruteforce settings (not necessarily applicable to the discussion, but)

Rolling Eyes
