available log levels changes in security logging

DD-WRT Forum Index -> Advanced Networking
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

Posted: Fri Mar 24, 2023 16:55    Post subject: available log levels changes in security logging
Noticing differences in what is being logged in /Log_incoming.asp

hardware: WRT3200ACM

DD-WRT v3.0-r51440 (Behavior changed shortly after this version)
DD-WRT v3.0-r52095 (current version)


On the security tab (/Firewall.asp), the bottom section for log management changed recently. Before the options for log level were Low/Med/High. These corresponded to nvram values for log_level as such: 0:low, 1:med, 2:high.

At some point the log level settings changed such that values in the GUI now correspond to the following log_levels: 0:disabled, 1:med, 2:high.

Before, the setting used was log_level=0, corresponding to a setting of "low" in the GUI. In this configuration brute force attempts were caught, logged, and dropped accordingly. Now, running the latest version, a setting of log_level=0 does in fact appear to do nothing. The problem is with log_level=1, corresponding to Medium logging. When this setting is in use, it appears to be logging some traffic as being dropped much more than DoS attacks are actually occurring, or other traffic is erroneously being written to /Log_incoming.asp as if it were an attack. The traffic now being reported here looks like out of sequence packets or those which timed out, versus actual DoS attacks.

Can you clarify exactly what is being logged in the current versions with regard to disable/med/high log levels? Also what happened to what was formerly "low" logging?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Sat Mar 25, 2023 7:58    Post subject:
Your analysis is correct, log_level 0 has been deprecated.
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

Posted: Sat Mar 25, 2023 21:06    Post subject:
What was formerly log_level=0 (low) showed traffic which was actually dropped due to malicious activity. What is now log_level=1 (medium), shows a bunch of traffic which isn't malicious, and appears to be timed-out, out of sequence (possibly due to retries) packets, or removed from state table (guessing).

The reason why this matters is I was using information for malicious traffic to create permanent bans for those IPs. With the way 'medium' logging now works, there is tons of traffic there which isn't actually bad traffic per se.

Attached is a graph showing the rate of 'bad traffic' when the filter was set to 'low', then switched to 'med', and back to 'low'. Why was 'low' removed? It showed valuable information which is no longer available.


Last edited by inetquestion on Mon Mar 27, 2023 22:08; edited 1 time in total
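The workflow described in the post above turns logged drops into permanent bans, and the complaint is that the medium level now mixes stale or out-of-window packets into the same log. The kernel's iptables LOG target writes a dropped TCP packet's flags as separate tokens (SYN, ACK, FIN, RST, ...). A bare SYN with no conntrack entry is a NEW connection, so a packet dropped for INVALID state is almost never a bare SYN, whereas a scan or brute-force attempt is exactly repeated bare SYNs from one source. The following is an added example, not code from the thread or from DD-WRT, that uses this as a triage heuristic: it counts SYN-only drops per source address and prints ban candidates above a threshold, ignoring ACK/FIN/RST packets. The log lines are constructed, the `DROP` log prefix is an assumption rather than DD-WRT's actual prefix, and the heuristic will not catch traffic that does not start with a SYN.

```shell
#!/bin/sh
# Added example (not DD-WRT code): triage firewall drop logs written by the
# kernel LOG target, keeping only bare-SYN drops (connection attempts) and
# discarding ACK/FIN/RST packets that are more likely stale or out-of-window.

# Constructed log excerpt. The "DROP" prefix is assumed, not DD-WRT's own;
# the field layout after it is the kernel's standard LOG format.
SAMPLE_LOG='kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=41236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=52 TTL=57 ID=4 DF PROTO=TCP SPT=443 DPT=51002 WINDOW=501 RES=0x00 ACK URGP=0
kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=52 TTL=57 ID=5 DF PROTO=TCP SPT=443 DPT=51002 WINDOW=501 RES=0x00 ACK FIN URGP=0
kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=40 TTL=57 ID=6 DF PROTO=TCP SPT=443 DPT=51002 WINDOW=0 RES=0x00 ACK RST URGP=0
kernel: DROP IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.5 LEN=60 TTL=48 ID=7 DF PROTO=TCP SPT=5050 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=32 TTL=60 ID=8 PROTO=UDP SPT=5353 DPT=5353 LEN=12'

# syn_hits LOG
#   Print "SRC count" for every source whose dropped TCP packets carry SYN
#   without ACK/FIN/RST, sorted by address. Non-TCP lines and packets with
#   ACK, FIN or RST set are ignored as likely stale/out-of-state traffic.
syn_hits() {
  printf '%s\n' "$1" | awk '
    / PROTO=TCP / {
      src = ""; syn = 0; other = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)                                   src = substr($i, 5)
        else if ($i == "SYN")                               syn = 1
        else if ($i == "ACK" || $i == "FIN" || $i == "RST") other = 1
      }
      if (src != "" && syn && !other) hits[src]++
    }
    END { for (s in hits) print s, hits[s] }' | sort
}

# ban_candidates LOG MIN_HITS
#   Sources with at least MIN_HITS bare-SYN drops, one "SRC count" per line.
ban_candidates() {
  syn_hits "$1" | awk -v min="$2" '$2 >= min'
}

# ban_rules LOG MIN_HITS
#   Turn the candidates into iptables commands (inserted at the head of
#   INPUT). Printed, not executed, so the list can be reviewed first.
ban_rules() {
  ban_candidates "$1" "$2" | awk '{ print "iptables -I INPUT -s " $1 " -j DROP" }'
}

# Demonstration on the constructed log; on the router feed it the real
# kernel log instead, e.g.  ban_rules "$(dmesg | grep DROP)" 5
ban_rules "$SAMPLE_LOG" 3
```

With the sample above only 198.51.100.7 (three bare SYNs to port 22) is reported at a threshold of 3; the ACK/FIN/RST packets from 192.0.2.9, which look like the tail of an expired connection, never count, and the single SYN from 198.51.100.8 stays below the threshold. Review the printed rules before running them; a threshold is still a judgment call and a spoofed-source SYN flood would put innocent addresses on the list.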
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Sun Mar 26, 2023 6:15    Post subject:
Yes, I know, there was a bug in the code logic and two options were discussed, an elaborate one and a simple one; having Ockham's razor in mind, the simpler solution was chosen.

The traffic you see could be from the newly instated INVALID rules.

You can manually delete these rules with:
# Each -D must match the rule exactly as it was added; if the rule is not present,
# iptables reports an error and nothing is deleted.
iptables -D FORWARD -o "$(get_wanface)" -p tcp ! -s "$(nvram get wan_ipaddr)" -m state --state INVALID -j DROP
iptables -D INPUT -m state --state INVALID -j DROP
ip6tables -D INPUT -m conntrack --ctstate INVALID -j DROP

Maybe that mitigates your problem?

Last edited by egc on Tue Mar 28, 2023 13:43; edited 2 times in total
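The three delete commands in the post above fail with an error when the rule is not present (after a rebuild that changed the rule, or when the script runs twice), so a practitioner would rather derive the deletes from the live ruleset. The following is an added example, not part of egc's post or of DD-WRT: it reads `iptables -S` / `ip6tables -S` style output, finds every rule that drops INVALID state (both the legacy `-m state --state` and the `-m conntrack --ctstate` syntax), and prints the matching `-D` command, so running it when no such rule exists is a no-op. The rulesets embedded here are constructed for the example (203.0.113.5 stands in for wan_ipaddr); on the router you feed it the real output.

```shell
#!/bin/sh
# Added example (not DD-WRT code): generate `-D` commands for every INVALID-state
# DROP rule present in an iptables-save style listing, so cleanup is idempotent.

# Constructed sample of `iptables -S` output; 203.0.113.5 stands in for wan_ipaddr.
SAMPLE_V4='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j logaccept
-A FORWARD ! -s 203.0.113.5/32 -o eth0 -p tcp -m state --state INVALID -j DROP
-A FORWARD -i br0 -j ACCEPT'

# Constructed sample of `ip6tables -S` output.
SAMPLE_V6='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i br0 -j ACCEPT'

# invalid_delete_cmds BINARY RULES
#   Print one "<BINARY> -D ..." line per rule in RULES that matches INVALID
#   state (either `--state INVALID` or `--ctstate INVALID`) and jumps to DROP.
#   Prints nothing when no such rule exists.
invalid_delete_cmds() {
  bin=$1
  rules=$2
  printf '%s\n' "$rules" \
    | grep -E '^-A .*(--state|--ctstate) INVALID -j DROP$' \
    | sed "s/^-A /$bin -D /"
}

# count_invalid_rules BINARY RULES
#   Number of INVALID DROP rules present (0 when there are none).
count_invalid_rules() {
  invalid_delete_cmds "$1" "$2" | grep -c . || true
}

# On the router, replace the samples with the live tables and pipe to sh:
#   invalid_delete_cmds iptables  "$(iptables -S)"  | sh
#   invalid_delete_cmds ip6tables "$(ip6tables -S)" | sh
# Here the commands are only printed, using the constructed samples.
invalid_delete_cmds iptables  "$SAMPLE_V4"
invalid_delete_cmds ip6tables "$SAMPLE_V6"
```

Because the `-D` line is built from the rule text `-S` prints, it always matches the rule exactly, including the `/32` mask and option order that the hand-written version has to reproduce. Keep in mind that DD-WRT rebuilds the firewall at boot and on WAN changes, so a one-off deletion does not survive a restart; whatever you run has to be re-applied from the firewall script.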
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

Posted: Mon Mar 27, 2023 22:07    Post subject:
Thank you! Will give it a test as time permits.

Is the former and/or current condition documented as to what it's supposed to be doing? Reason for asking: if this is currently built on shifting sand, it's unlikely I'll stick with the platform, or I will be stuck on an old version until things settle in this area. Seems like an important change to make with little public discussion as to what the changes were intended to do, coupled with the ability for others to test/verify.

I'm not an iptables expert, so leveraging this platform seemed like a good idea at the time. Shocked with this recent change, as I'm struggling to understand how users would benefit from the change. Sure it's more complicated than I'm aware...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Thu Mar 30, 2023 9:05    Post subject:
One step back, do you use this because you have remote administration/telnet/SSH enabled and you want to mitigate the risk of attack?
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

Posted: Fri Mar 31, 2023 11:27    Post subject:
Remote admin not enabled.

Mitigate attacks, yes... It was an easy indicator to pull data from. Probably other/better ways to go about it.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Fri Mar 31, 2023 11:47    Post subject:
Remote telnet and remote administration are a no-go.

SSH with strong key only is OK but then there is no chance that it can be broken.

Do what most users do to get access to their home and that is using WireGuard or OpenVPN.

I have made a patch to bring back log level low again but I do not know if it will be accepted.

inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

Posted: Fri Mar 31, 2023 17:37    Post subject:
Cool, thanks for the effort!

Hard to imagine this would face any opposition. Such is life when more than one has to agree... :)
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

Posted: Fri Mar 31, 2023 19:41    Post subject: Re: available log levels changes in security logging
inetquestion wrote:
Noticing differences in what is being logged in /Log_incoming.asp

hardware: WRT3200ACM

DD-WRT v3.0-r51440 (Behavior changed shortly after this version)
DD-WRT v3.0-r52095 (current version)


On the security tab (/Firewall.asp), the bottom section for log management changed recently. Before the options for log level were Low/Med/High. These corresponded to nvram values for log_level as such: 0:low, 1:med, 2:high.

At some point the log level settings changed such that values in the GUI now correspond to the following log_levels: 0:disabled, 1:med, 2:high.

Before, the setting used was log_level=0, corresponding to a setting of "low" in the GUI. In this configuration brute force attempts were caught, logged, and dropped accordingly. Now, running the latest version, a setting of log_level=0 does in fact appear to do nothing. The problem is with log_level=1, corresponding to Medium logging. When this setting is in use, it appears to be logging some traffic as being dropped much more than DoS attacks are actually occurring, or other traffic is erroneously being written to /Log_incoming.asp as if it were an attack. The traffic now being reported here looks like out of sequence packets or those which timed out, versus actual DoS attacks.

Can you clarify exactly what is being logged in the current versions with regard to disable/med/high log levels? Also what happened to what was formerly "low" logging?


low / 0 means off. this was always the case. we just corrected the behaviour to not confuse people anymore

_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

Posted: Sun Apr 02, 2023 13:48    Post subject: Re: available log levels changes in security logging
BrainSlayer wrote:

low / 0 means off. this was always the case. we just corrected the behaviour to not confuse people anymore


In removing what was level 0, where data was being logged, the data which used to show up here was valuable by itself. That data is either not available at all or has been munged together with other data which taints the result. If you want a level which actually does nothing, I get that. The current incarnation lost something useful. Would it be possible to have 4 levels?