I just recently started using the log capabilities of my Linksys router and I noticed things that were unbelievable.
Is there software for Linux that I can use so that I won't have to log into my router to see the results? Furthermore, how dangerous is leaving this feature on? I've read that leaving this on can attract more hackers.
What kind of router is this that can actually store logs? It can't have that much memory, or am I wrong?
It's the BEFSR41 Cable/DSL router/switch.
Can that thing store logs? That's quite impressive. How long does it store log entries?
In any case, I cannot imagine that there would be any standard protocols to fetch the logs, so I guess that you will have to log into it. Of course, it's not like I have a similar router, so I can't tell for sure, but I'd be surprised.
Correct me if I'm wrong, but enabling logging doesn't alter the router's interaction with outside computers, right? Therefore, it shouldn't be dangerous to leave it on.
I'm just projecting my thoughts, though. Like I said, I don't have a router like this, so don't consider me authoritative.
Well, I think the reason behind these assumptions was that SNMP is utilized when the logging activity begins. As I don't have much knowledge in networking, I don't know how or if it could even be detected by others outside my network, but reading from another forum, this is what he stated.
As for the router itself, yes, it has an option to save all logs. The logviewer program that I'm using for Windows is very simple. It just tells us the dates, time, src socket, dest socket for both incoming and outgoing. What amazes me is all these activities that are trying to probe my ports. Thank god I have all my ports blocked.
I did find software for a logviewer in Linux but it was still in its beta version. A full release never came out so I'm skeptical about using it, but since this is the only one that I have found so far, I don't think I have much choice.
Ah, it uses SNMP. If the router's SNMP system is listening at the internet side as well, then it could very well be a bit insecure, since SNMP is inherently insecure. It would be rather stupid if it actually did listen at that side, though.
I don't think that many know how many are trying to crack their computer. I haven't checked recently, but I used to get up to fifty cracking attempts over HTTP per day, and I imagine that now with the MSBlaster worm going around, the SMB ports should be flooding. I also have all these spamscanners on me all the time, scanning me for insecure SMTP or SOCKS setups.
Sometimes, I take the time to report some of these to the attacker's ISPs, so that they can be made aware that they have worms on their computers.
After checking all my incoming messages, it looks like the favorite port they attack is 80 and another which dealt with Kazaa (I forget the port number). It seems to me that some people are more persistent than others, but for the most part, I think they just leave up a bot that tries to see which computers are vulnerable. I too should report suspicious activities, but for now, I'm just glad that the router is doing its job.
I also noticed that a trojan made it to my computer when 3 of my ports were open for mIRC service. I've closed them ever since and I don't think I'll be opening them again until I have a better understanding of how to protect it. By the way, how DO you protect open ports?
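The poster describes the log viewer as listing date, time, source socket and destination socket for incoming and outgoing entries, and then eyeballs which ports get hit most and which sources keep coming back. As an added example (not code from this thread, the Windows log viewer, or Linksys), the script below does that tally offline over a few constructed log lines. The line layout (`date time IN|OUT src_ip:src_port dst_ip:dst_port`) is an assumption for the sake of the example; a real export from the router would need its own regular expression, and the IP addresses are documentation ranges, not captured traffic.

```python
import re
from collections import Counter

# Constructed sample log in the ASSUMED layout described in the lead-in.
# Addresses come from the documentation ranges (RFC 5737); nothing here is real traffic.
SAMPLE_LOG = """\
2003-08-15 14:02:11 IN 203.0.113.5:4321 198.51.100.20:80
2003-08-15 14:02:13 IN 203.0.113.5:4322 198.51.100.20:80
2003-08-15 14:05:40 IN 192.0.2.77:1027 198.51.100.20:135
2003-08-15 14:06:02 IN 192.0.2.78:1028 198.51.100.20:135
2003-08-15 14:07:19 IN 203.0.113.5:4323 198.51.100.20:80
2003-08-15 14:08:00 OUT 198.51.100.20:33001 192.0.2.10:80
2003-08-15 14:09:45 IN 198.51.100.99:6000 198.51.100.20:445
2003-08-15 14:11:03 IN 192.0.2.77:1029 198.51.100.20:25
this line is not a log entry and must be skipped, not crash the parser
"""

# One regex for the assumed layout; anything that does not match is ignored.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<direction>IN|OUT) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def parse_log(text):
    """Parse a whole log export, silently dropping lines that do not parse."""
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def top_probed_ports(records, n=3):
    """Inbound hits per destination port, most-probed first (the 'favorite port' question)."""
    counts = Counter(r["dst_port"] for r in records if r["direction"] == "IN")
    return counts.most_common(n)


def persistent_sources(records, min_hits=2):
    """Source addresses seen in at least min_hits inbound entries.

    A source that returns repeatedly looks like a scanner or worm-infected host
    rather than one-off background noise; these are the ones worth reporting
    to the owning ISP, as the thread discusses.
    """
    hits = Counter(r["src_ip"] for r in records if r["direction"] == "IN")
    return sorted(ip for ip, count in hits.items() if count >= min_hits)


def main():
    recs = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} entries")
    for port, count in top_probed_ports(recs):
        print(f"dst port {port}: {count} inbound hits")
    print("repeat sources:", ", ".join(persistent_sources(recs)))


if __name__ == "__main__":
    main()
```

Only `IN` entries feed the counters, so the machine's own outbound connections (the `OUT` line) never show up as "attacks"; the one malformed line is dropped rather than aborting the run, which matters when a router's log export contains banner or status text between entries.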
Most people attacking you are probably just worm victims, so just don't blame them too hard. Reporting them to their ISPs and getting their Internet shut down is enough. ;-)
The only two generic ways to protect open ports that I can think of are: only run software without (known) vulnerabilities, and keep the configuration of the program running there secure.
If the program you're running has a known vulnerability and is just a slight bit common, then it's almost always a bad idea having it connected to the internet. For example, I ran my HTTP server on a RH7.1 system before that had a known vulnerability in OpenSSL, therefore making the HTTPS part vulnerable to attack. Before I realized that it was hopeless to hope that it would stop, it was cracked surely twenty times. Then I turned the HTTPS service off (I later moved it to a RH9 server that isn't vulnerable). Lucky me that Apache isn't running as root is all I can say...