Review of my home broadband router logs (suspicious activity?)

Page 3 of 6  
On Wed, 23 Dec 2015 11:24:52 -0500, Micky wrote:

If you can get an IP address like I did on my router logs, you can run a "whois" command which will reverse IP check.
https://duckduckgo.com/?q=reverse+ip+address+lookup
If it's coming from Apple, whois will tell you that.
Of course, most of the time "I" run it, the IP address is coming from China, but even that can be spoofed with VPN or some other means.
On 12/23/2015 7:58 AM, Paul M. Cook wrote:

Sometimes there are two different places to look:
- the DHCP page will tell you CURRENT lease holders
- the log will often include "informational" messages telling you when leases were assigned
The buffer available for a log may not be deep enough to "go back far enough" to see some old events (depends on how much "traffic" got injected into the log in the time since the lease was "logged").
Also, some devices allow you to specify which *types* of messages you want to see in your log.
The actual lease holder is only of minor importance; it tells you *what* device was targeted or involved in the exchange. The actual nature of the transaction is still indeterminate; it can be a legitimate application *or* an exploit running on *anything*!
(E.g., Philips has some high end color-adjustable LED light bulbs that can be attacked, remotely. Would you think of them as a likely "target" on your network? :> )
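An added worked example, not from any poster in this thread, tying together the two points above: pull the outside addresses out of the router log, map any inside address they reached back to the DHCP lease table, and produce the whois lookups to run by hand. The log lines and lease table below are constructed (the bracketed style loosely follows the Netgear log format; the outside addresses are from the RFC 5737 documentation ranges and do not belong to real hosts). The script does no network lookups itself, so the whois step, and the caveat that the registrant of an address block says nothing about who was behind a VPN or proxy using it, stay with the person reading the output.

```python
"""Triage of home-router log lines: which outside addresses showed up, and which inside devices they touched."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log (bracketed style loosely modelled on Netgear's); the outside
# addresses are from the RFC 5737 documentation ranges and do not belong to real hosts.
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.45, port 443, Wednesday, December 23, 2015 11:24:52
[DoS Attack: ACK Scan] from source: 203.0.113.45, port 80, Wednesday, December 23, 2015 11:26:10
[DoS Attack: RST Scan] from source: 198.51.100.7, port 22, Wednesday, December 23, 2015 11:30:01
[LAN access from remote] from 203.0.113.45:54321 to 192.168.1.23:3389, Wednesday, December 23, 2015 11:31:44
[DHCP IP: 192.168.1.23] to MAC address 00:11:22:33:44:55, Wednesday, December 23, 2015 08:02:13
[Admin login] from source 192.168.1.10, Wednesday, December 23, 2015 09:15:00
"""

# Constructed lease table, as the router's DHCP page would show it: ip -> (hostname, MAC).
DHCP_LEASES = {
    "192.168.1.10": ("laptop", "aa:bb:cc:dd:ee:01"),
    "192.168.1.23": ("playstation", "00:11:22:33:44:55"),
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
EVENT = re.compile(r"^\[([^\]]+)\]")


def is_lan(ip_text):
    """True for RFC 1918 addresses: inside devices, not something to whois."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Split one log line into (event tag, inside IPs, outside IPs); None if there is no [tag]."""
    m = EVENT.match(line)
    if not m:
        return None
    ips = IPV4.findall(line)
    return m.group(1), [ip for ip in ips if is_lan(ip)], [ip for ip in ips if not is_lan(ip)]


def triage(log_text, leases):
    """Count entries per outside address, remember which event types it produced, and
    resolve any inside address it reached to the lease holder (device name and MAC)."""
    hits = Counter()
    events = defaultdict(set)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, inside, outside = parsed
        for src in outside:
            hits[src] += 1
            events[src].add(event)
            for dst in inside:
                name, mac = leases.get(dst, ("no current lease", "?"))
                targets[src].add(f"{dst} ({name}, {mac})")
    return hits, events, targets


def whois_commands(hits):
    """The lookups to run by hand, busiest address first. whois names the registrant of
    the address block, not whoever was sitting behind a VPN or proxy using it."""
    return [f"whois {ip}" for ip, _ in hits.most_common()]


if __name__ == "__main__":
    hits, events, targets = triage(SAMPLE_LOG, DHCP_LEASES)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} entries, events={sorted(events[ip])}, reached={sorted(targets[ip])}")
    print("\n".join(whois_commands(hits)))
```

The lease lookup is only as good as the lease table at the moment you read it: a lease that expired, or a log buffer that wrapped since the lease was logged, leaves the target as "no current lease", which is the point made above about buffer depth.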
On Wed, 23 Dec 2015 12:35:09 -0700, Don Y

I've always hated colored light bulbs, ever since my pet rabbit Snooky was attacked by a gang of them.
That's interesting. I didn't know routers kept logs. Did you find that by logging in to the "control panel"?
I used to get a lot of attempts to get into my computer when I had dialup. That mostly stopped with cable, though I have caught my cable company, RCN, trying to get in. I have no idea why. Apparently they just go around snooping on customers, perhaps tracking how many machines are at each address, or some such.
First, do you have a good, long password for your router? You should. Maybe 20 characters.
You didn't mention what computers you have. Assuming Windows...
It's important to understand that most Windows computers are full of holes. The default configuration has numerous unsafe services running. Many people now also enable remote Desktop functionality for tech support. You should have a firewall that blocks all incoming and asks permission for all outgoing processes. (In many cases it's also possible to block svchost from going out, which takes care of most or all Microsoft spyware.)
Some may remember there was a problem with XP in the early days. A service called Messenger (not Windows Messenger) was running by default. It was intended for sys admin people in corporations to be able to pop up notices to employees on the network. (Like "Don't forget: Company picnic on Saturday.") It was being used to show people ads. The problem is that Windows NT (2000/XP/Vista/7/8/10) is designed to be a corporate workstation. It's a sieve, set up with the assumption that the network is safe while the users can't be trusted. If you want to set up reasonable security see here:
http://www.blackviper.com/
You can use that site to adjust services. And get a firewall.
I don't know much about Playstation, but that's a good example of increasing intrusion online. Online services and spyware operating systems are changing the norm. Most software is now designed to call home without asking. A few years ago that was known as spyware. Windows 10 is a new level of spyware. It now has a privacy policy and TOS that claim Microsoft has a legal right to spy on virtually everything you do. (I suspect Playstation is probably worse in that regard.)
At the same time, more people want more of those services. Without selling out to Apple you can't get all those nifty apps. Without selling out to Adobe you can no longer use Photoshop without it spying on you. The latest version is still installed on your computer, but it's officially marketed as an online service. The difference is not so much in the software but in the fact that you have to accept it as spyware. MS Office and many other programs are going the same way. They want to steal your car and rent you a taxi.
So there may be different, conflicting concerns for you. One concern is preventing malware/spyware intrusion by strengthening your security. But then there's also the issue of whether you're actually willing and able to do that in the context of how you want to use your connected devices. If you want to accept and use online services then you must accept that you're now in a shopping mall. The mall cameras, marketing data collectors and security guards will be watching. You're on their property, not your own.
On Wed, 23 Dec 2015 10:17:10 -0500, Mayayana wrote:

I don't know of *any* router that does *not* keep logs. Usually they start at reboot time, and go on forever from there. For my Netgear router, I log in and then go to: Advanced > Administration > Logs

Cable should be the worst, as I understand it, since anyone in your neighborhood on the same cable is essentially connected to you as I understand it.
So, I'd be sure to have a router, but, as we all know, anyone who knows what they're doing can get past our cheap routers.

The thing is that most routers don't allow a password greater than 8 characters (from my experience). Sure, they'll *let* you type a long password - but they'll take anything (or nothing) after the first 8 characters.
Try it. That's how "my" router works.

Oh, I have everything. Windows. Linux. OS/X. iOS, Android. Printers. And other devices (like the playstation).
| > First, do you have a good, long password for
| > your router? You should. Maybe 20 characters.
|
| The thing is that most routers don't allow a password greater
| than 8 characters (from my experience). Sure, they'll *let*
| you type a long password - but they'll take anything (or nothing)
| after the first 8 characters.
|
| Try it. That's how "my" router works.
I tried it. I entered the first 13 characters. It didn't let me in. I've never heard of an 8-char limit.
| > You didn't mention what computers you have.
| > Assuming Windows...
|
| Oh, I have everything. Windows. Linux. OS/X. iOS, Android.
| Printers. And other devices (like the playstation).
I don't see any scanning or contact in my logs, but I also only use computers, with no networking, and get informed by my firewall about unrequested incoming. You may not have much option with Playstation. I assume it's not under your control. But you should have firewalls on your computers that will drop incoming requests. (Though that's one of the many shortcomings of Linux in my book. Last I checked, Linux firewalls could stop incoming but didn't monitor outgoing.)
On Wed, 23 Dec 2015 12:03:34 -0500, Mayayana wrote:

Are we talking about the ROUTER "admin" password? Or are we talking about the ESSID encryption passcode?
They're different things. "I" was talking about the router admin password.
| Are we talking about the ROUTER "admin" password?
| Or are we talking about the ESSID encryption passcode?
|
| They're different things.
| "I" was talking about the router admin password.
Yes. I don't know why people are making this so complicated. There have been cases of routers being hacked, sometimes because they're set with default passwords that don't get changed. Not a big issue. Just one thing to make sure you have covered.
On Wed, 23 Dec 2015 10:17:10 -0500, Mayayana wrote:

Which router password are you talking about?
1. The Admin password?
2. The SSID WPA2/PSK passphrase?
M. Stradbury wrote:

PSK? How about AES?
On Wed, 23 Dec 2015 09:20:13 -0700, Tony Hwang wrote:

I think you're talking about different things that have nothing to do with each other.
AFAIK, WPA2 is the strongest "we" can generally get (being normal homeowners and not corporations) on our routers.
For us, the PSK (pre-shared key) is the way "we" homeowners do WPA2. It just is.
However, if we were a corporation, we could do more with WPA2 than pre-shared keys, which, I don't remember what it's called, but it's some kind of rotating or assigned key that the IT department of the company can manage (instead of the router).
What you seem to be talking about is the difference between various security options, such as:
* WPA-PSK [TKIP]
* WPA-PSK [AES]
* WPA-PSK [TKIP] + WPA-PSK [AES]
All of those above are WPA2/PSK.
On 12/23/2015 9:15 AM, M. Stradbury wrote:

There are several issues.
First, the SSID is effectively public. Even if you turn off SSID broadcasts, it's trivial to detect your SSID. So, any sort of access control you expect to gain from *hiding* it is laughable! Likewise, making it "obscure" -- "sdsf0gl9k2345s0d" -- won't buy you anything.
The administrator's password is used to access the configuration parameters (usually via a web interface) in the router/appliance. So, if it is guessable (e.g., left at the default setting), then anyone determined to do so can access that page and reconfigure the router to their goals. (details omitted, here).
Some routers also have provisions for *remote* administration. I.e., they expose the web interface to the outside world so some remote agency can manage the router on your behalf (think "cable modem"). Leaving this access "enabled" exposes more attack surface to "the outside"; folks you probably trust a lot less than the ones sitting in your bedrooms, office, etc.!
The "shared secret" passkey is, in theory, confidential -- assuming the router's configuration pages can't be accessed! However, a determined adversary can get past this, as well. There are (paid) services that will deliver you the secret passphrase for some given "sniffed" traffic in 24 hours (48 if you want to save a few dollars). As most folks don't change their passphrases often (every day?), this is a viable attack vector (is your stuff "worth" $X of someone else's money??)
If you have *physical* access to a device (router/appliance/PC/etc.) then the bar is much lower. E.g., it's usually pretty trivial to go poking around someone's "locked" PC.
Moral: don't put anything valuable anyplace folks can get to it!
Don Y wrote, on Wed, 23 Dec 2015 12:57:02 -0700:

Jeff Liebermann knows this stuff much better than I do, but here is what he taught me.
WORSE THAN YOU SAID:
1. If you hide your SSID, then your laptop has to look for it on purpose, which it dutifully does (that's how it finds it). However, that also means that when you boot your laptop at Starbucks, it *still* looks *first* for your hidden IP (because your laptop has no idea you're at Starbucks yet). Only after your laptop can no longer find the SSID it wanted first, does the laptop look for *other* broadcast SSIDs.
Hence, you have *worse* privacy at a hotspot when you decide to not broadcast your SSID at home.
MOSTLY TRUE WHAT YOU SAID: 2. Making your SSID obscure is critical if you want to stay out of rainbow hash tables. Anyone who knows YOUR SSID already can download a hash table that allows them to log into your router using the SSID as a "salt".
So you really really really want to have a UNIQUE ESSID! https://security.stackexchange.com/questions/92903/rainbow-tables-hash-tables-versus-wpa-wpa2
MORE CONSIDERATIONS: 3. In addition, you don't want your unique ESSID to pinpoint you, so don't name it after your last name or your address.
4. One more thing, the BSSID (i.e., the MAC address) of your router is what Google puts into its database when that spycar drives down your road. Short of putting up a sign saying "private road", you can't stop them from driving past your home and gathering your BSSID and those of your neighbors.
One thing you can do is change your ESSID to have "_nomap" on the end of it, which Google says they won't keep. Yes, I know, they expect the entire world to opt out manually that way, which is silly, but that's what they do.
Otherwise, you'll need to change *both* your ESSID and your BSSID (MAC address) periodically, so that Google databases no longer have accurate records. (You can't do anything about your stupid neighbors though, so, you're already doomed.)
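An added worked example, not from any poster in this thread, for the "SSID as salt" point above and for the paid cracking service mentioned in the earlier post: WPA/WPA2-Personal derives the Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so the SSID is the only salt in the scheme. A table precomputed for one network name covers every network with that name at once and is useless against a unique one. The candidate list and SSIDs below are constructed ("NETGEAR" and "linksys" stand in for common default names; "k3q-attic-7" is made up), and the attacker's cheap per-handshake check (deriving a PTK from each stored PMK and comparing it against the MIC in a sniffed four-way handshake) is simplified to a direct PMK comparison, as the comments say. The one real value in the code is the IEEE 802.11i Annex H test vector for passphrase "password" and SSID "IEEE".

```python
"""WPA2-Personal key derivation, and why a precomputed passphrase table is bound to one SSID."""
import hashlib


def wpa2_pmk(passphrase, ssid):
    """Pairwise Master Key for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1 over the passphrase with the
    SSID as salt, 4096 iterations, 256-bit output. The SSID is the only salt there is."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_table(ssid, candidates):
    """What a hash-table seller precomputes per SSID: PMK -> passphrase for every candidate.
    The 4096 PBKDF2 rounds per candidate are paid once here, not once per victim."""
    return {wpa2_pmk(p, ssid): p for p in candidates}


def recover(table, pmk):
    """Look a PMK up in the table. Simplification: a real attacker never sees the PMK directly;
    he derives a PTK from each stored PMK and checks it against the MIC in a sniffed 4-way
    handshake. That per-candidate check is cheap, which is the whole point of the table."""
    return table.get(pmk)


def cost_of_table(n_ssids, n_candidates, iterations=4096):
    """PBKDF2 iterations an attacker must spend to cover n_ssids names with n_candidates each.
    Every additional distinct SSID multiplies the work; a unique SSID forces a table of one."""
    return n_ssids * n_candidates * iterations


# Constructed candidate list standing in for a real wordlist.
WORDLIST = ["password", "letmein", "12345678", "Wireless1", "snooky2015"]

# Constructed SSIDs: two stand-ins for common default names and one made-up unique name.
COMMON_SSIDS = ["NETGEAR", "linksys"]
UNIQUE_SSID = "k3q-attic-7"


def demo():
    """Same weak passphrase on two networks: default name is a hit, unique name is a miss."""
    tables = {ssid: build_table(ssid, WORDLIST) for ssid in COMMON_SSIDS}
    hit = recover(tables["NETGEAR"], wpa2_pmk("letmein", "NETGEAR"))
    miss = recover(tables["NETGEAR"], wpa2_pmk("letmein", UNIQUE_SSID))
    return hit, miss


if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex())  # IEEE 802.11i Annex H test vector
    print(demo())
    print(cost_of_table(len(COMMON_SSIDS), len(WORDLIST)))
```

Two practical consequences follow from the derivation: renaming the network (including adding the "_nomap" suffix mentioned above) changes the PMK and so invalidates any table built for the old name, and a passphrase that is not in anyone's wordlist is safe regardless of SSID, because each guess against a unique SSID still costs the attacker the full 4096 rounds.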
On 12/23/2015 1:06 PM, Danny D. wrote:
[big snip]

There are no free lunches. Said another way, there's no such thing as "win/win".
Wireless makes life easier for users -- no cords, etc. As such, it comes with a cost (privacy, vulnerability to DoS, eavesdropping, etc.).
I have three wireless access points scattered around the house (typically affixed to the ceilings in closets so they are unobtrusive yet give me good coverage, if needed). The radios in each are always "OFF". Every machine, here, uses a hardwired network drop (I have 72 of them; 24 are "available" for devices/48 are dedicated to specific devices -- and that doesn't count the network switches *in* individual rooms that act as port multipliers). They exist primarily for "guests" who are willing to expose their traffic for the convenience of not being tethered to a particular network drop (though you can "plug in" virtually anywhere in the house with a 10 ft patch cord!).
I have my own OUI so that gives me a bit of obscurity but, by the same token, uniquely identifies *my* stuff! (in the privacy world, you want to be COMMONPLACE, *not* unique! :> )
I've given serious consideration to painting the interior walls with aluminized paint to block "RF leakage" but fear that may eventually result in a problem -- someone trying to dial 911 from a cell phone and getting "no signal", etc.
So, the wireless appliances that I've been developing use proprietary protocols -- google can sniff away and not be able to identify anything (other than "something wacky happening in this vicinity"). Fortunately, this isn't done to confound google but, rather, to offer capabilities that existing protocols *don't* offer! (As such, it's not a "wasted effort" but, rather, an "essential effort")
On 12/23/2015 02:32 PM, Don Y wrote:
[snip]

And Don't forget complexity (two transceivers, RF link, etc..) means Wireless is a lot more complex than a few copper wires. More to go wrong.
That's why I know there's something wrong when people just say they want WiFi for something like a desktop PC, printer, or DVR where wired is nearly always a better choice.
[snip]
--
1 day until the winter celebration (Friday December 25, 2015 12:00:00 AM
for 1 day).
On 12/24/2015 1:45 PM, Mark Lloyd wrote:

Neighbor's alarm system is wireless. This, of course, makes sense from the standpoint of the folks who want to sell the *service* ("Only $29.95/month -- in perpetuity!") and want to keep the "cost of admission" (installation) low -- so as not to discourage potential suckers ^H^H^H customers; stringing wire to every door and window would quickly eat any profit they might glean in the following *decade*!
OK, so I'm sure (?) the system designers put some effort into dealing with "loss of connectivity" -- i.e., if they don't get a periodic "report" from each node, they probably err on the side that there *might* be a break-in.
[The approach of sitting passively and waiting for a sensor to signal an *exception* is too easily hacked; you want positive confirmation that "all is well" in addition to "exception" reporting]
And, I'm sure they figure any "outages" in the normal course of events are few and far between. "Noise" that they can ignore or absorb as part of the cost of doing business...
So, what happens if someone sits out front in their vehicle and jams the band these devices communicate over? (wouldn't be hard to determine) Doesn't enter the property. Just sits nearby and mucks with the operation of the system. Does it report an intrusion attempt? Does it just set a flag for the homeowner ("Check sensors")?
What happens if you do this every day? When does the nuisance factor (assume the police are NOT notified of each of these "alarms", just the homeowner) cause the homeowner to abandon the system? I.e., an adversary has compromised their "investment" without putting himself at risk...
I have a PLC modem that I use, in a pinch, to avoid running a cable from <someplace> to <someplace else>. Plug the transceivers into the wall socket "here" and "there"; plug the two devices into the two transceivers and, magic! Exploit the power line to connect A to B.
But, I'd never rely on it -- anymore than I'd rely on wireless. (there are lots of limitations) It's not a "closed" system.
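An added example, not the alarm vendor's code or anyone's from this thread, making the design point above concrete: a panel that only waits for sensors to raise an exception stays quiet while the band is jammed, whereas a panel that demands a periodic "all is well" from every sensor notices the silence, and can tell one sensor with a dead battery from the whole radio link going quiet. The reporting interval, thresholds, sensor names and the traffic itself are assumptions built into a constructed simulation; the final function counts distinct jamming episodes so that the "every day" nuisance pattern shows up as a number rather than a flag that gets cleared.

```python
"""Alarm-sensor supervision: exception-only monitoring versus positive heartbeat confirmation."""

HEARTBEAT_S = 60      # assumed: each wireless sensor reports at least this often
MISSED_LIMIT = 3      # assumed: consecutive heartbeats missed before a sensor counts as silent
JAM_FRACTION = 0.75   # assumed: share of sensors silent at once that points at the link, not one sensor


def passive_state(exceptions_seen):
    """Exception-only design: the panel is quiet unless a sensor manages to send an alarm.
    A jammed sensor sends nothing, so this design reports OK throughout a jamming attack."""
    return ("ALARM", sorted(exceptions_seen)) if exceptions_seen else ("OK", [])


def supervised_state(last_seen, now, exceptions_seen):
    """Heartbeat design: every sensor must say 'all is well' regularly; silence is itself a finding.
    Many sensors falling silent together is reported differently from one sensor dropping out."""
    if exceptions_seen:
        return ("ALARM", sorted(exceptions_seen))
    silent = sorted(n for n, t in last_seen.items() if now - t >= MISSED_LIMIT * HEARTBEAT_S)
    if not silent:
        return ("OK", [])
    if len(silent) >= JAM_FRACTION * len(last_seen):
        return ("SUSPECT_JAMMING", silent)
    return ("SENSOR_SILENT", silent)


def run(events, sensors, until, step=HEARTBEAT_S):
    """Replay a constructed event list; return {tick: (passive_state, supervised_state)}.
    events: (time, sensor, kind) with kind 'hb' (heartbeat) or 'open' (door/window exception)."""
    last_seen = {s: 0 for s in sensors}
    exceptions = set()
    timeline = {}
    idx = 0
    events = sorted(events)
    for now in range(step, until + 1, step):
        while idx < len(events) and events[idx][0] <= now:
            t, sensor, kind = events[idx]
            if kind == "hb":
                last_seen[sensor] = t
            else:
                exceptions.add(sensor)
            idx += 1
        timeline[now] = (passive_state(exceptions), supervised_state(last_seen, now, exceptions))
    return timeline


def heartbeats(sensors, start, stop, skip=()):
    """Constructed traffic: every sensor not in skip beats once per HEARTBEAT_S in [start, stop)."""
    return [(t, s, "hb") for t in range(start, stop, HEARTBEAT_S) for s in sensors if s not in skip]


SENSORS = ["front_door", "back_door", "kitchen_window", "bedroom_window"]   # assumed names


def jamming_scenario():
    """All radios healthy for 10 minutes, then nothing gets through for 10 minutes (jammer in the street)."""
    return run(heartbeats(SENSORS, 0, 600), SENSORS, 1200)


def dead_battery_scenario():
    """One sensor stops after 5 minutes; the other three keep reporting for the full 20."""
    events = heartbeats(SENSORS, 0, 1200, skip=("kitchen_window",)) + heartbeats(["kitchen_window"], 0, 300)
    return run(events, SENSORS, 1200)


def jamming_episodes(timeline):
    """Count distinct runs of SUSPECT_JAMMING, so a daily pattern becomes a count worth acting on."""
    count, in_episode = 0, False
    for now in sorted(timeline):
        jam = timeline[now][1][0] == "SUSPECT_JAMMING"
        if jam and not in_episode:
            count += 1
        in_episode = jam
    return count


if __name__ == "__main__":
    for now, (passive, supervised) in jamming_scenario().items():
        print(f"t={now:4d}s  passive={passive}  supervised={supervised}")
    print("jamming episodes:", jamming_episodes(jamming_scenario()))
```

The heartbeat design has its own cost, which the post above also notes: a sensor with a flat battery looks like a silent sensor, and a noisy band produces false "silent" findings, so the thresholds are a tuning problem between nuisance alerts and the window an attacker gets by jamming for just under MISSED_LIMIT intervals.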
On Thu, 24 Dec 2015 14:02:17 -0700, Don Y

But with a wired alarm, what happens if someone forces a door or window every day?

When does the homeowner abandon the system?

On 12/23/2015 01:57 PM, Don Y wrote:
[snip]

SSID blocking will still deter the 99% (or more) of people who don't know how to detect it, or don't even know there's a network there. Still, I don't consider it worthwhile (security / usability tradeoff), and would not use it if better security is available.
[snip]
--
2 days until the winter celebration (Friday December 25, 2015 12:00:00
AM for 1 day).
On 12/23/2015 1:58 PM, Mark Lloyd wrote:

Yes. But so will a passphrase.

I find looking at SSID's that folks have chosen to be entertaining (using my little WiFi sniffer mentioned elsewhere).
"Penny's_Room" "Cornali_WiFi" "SSID-123" "MrStudley" etc.
People don't think about the sorts of information they "leak" with these voluntary choices!
My best friend in school had a license plate: FML mdd (First, Middle, Last initial; birth MONTH and DAY).
Really? So, you want everyone to know who you are and your birthdate? Give me a couple of tries and I can probably guess the year -- from your appearance and other things you leak about yourself! :<
On 12/23/2015 03:38 PM, Don Y wrote:
[snip]

Yes, it will. The point of what I posted is that SSID blocking is NOT useless. I didn't say anything about it being better than anything else.

Here, I have (current SSID list):
notstupid1
AlsoNotTheWifiYou'reLookingFor
Cisco80710
FBI Surveillance
Karma WiFi
I know I'm missing some since this isn't a dual-band WiFi card.
[snip]
--
1 day until the winter celebration (Friday December 25, 2015 12:00:00 AM
for 1 day).
