- Worldstart's Tech Tips And Computer Help - http://www.worldstart.com -

Router Logs & Firewall Hits

Posted By On March 22, 2005 @ 10:38 AM In Hardware & Peripherals,Security Help,Using The Internet | Comments Disabled

So you got broadband—congratulations. Now there are three PCs all online in your house, and guess who the Network Administrator is? Everyone’s enjoying the connection, but now you have three people online at once and you want to make sure that you network remains securely sound. I’m going to discuss how to view your router log which, in case you’re not familiar, is a list of what’s going on out at your router.

Some things that you will see in your router logs are where people on the network have been and also what, if anything, has been trying to get in to your network. Looking at the router log is important, so don’t feel like a sneak. If it’s your network you have every right to know what’s going on, not to mention I recommend looking at the logs every now and then for security reasons. Besides, if you tell the kiddies or whoever that you can and will be monitoring their Internet activity and there is nothing they can do on their PC to avoid it. I guarantee your users will think twice about going to questionable sites—this alone may keep your network a little “cleaner” and might even prove to be your first good defense against foreign threats

Most home routers have some sort of log (all that I’ve run across in my travels) and they can be accessed from your router’s management interface which is usually accessed via a web browser and the address of 192.168.1.X. or something similar. From here look for the Status section of the router’s interface, you may see the DHCP log here as well; this shows you all the network addresses of your network users. The Security log should be under the section of the interface labeled “Security” (you may want to check with your product documentation for the specific location for your router). Both of these logs present information that may at best seem”cryptic” to an end user with little experience with networking, but don’t worry it’s easy once you get the hang of it.

The logs will have rows and columns of IP addresses and MAC addresses. Your IP address, if you’re not familiar, is the address of your PC. The MAC address is the hardware address of the Network Interface Card, or NIC for short. Any device on the network has a MAC address, but not all have IP addresses (don’t let this confuse you—you really don’t need to know it for this). Other things like time and duration port number and so on may be available, this is a little different between manufacturers but they are all very similar.

image

What will you see, and why do you care? Well, the security log is going to let you know every little hit that your firewall took from an outside IP address. This is kinda neat and will convince any disbelievers of the importance of a firewall. You can actually use this information to find out where the “Hits” are coming from and with other factors, such as the port number, you can tell if this is really a threat or just some annoying maintenance. (I’ll show you how to do this next week).

You can also take a look at what IP addresses from inside the network went online, and where they went. With the help of your IP addresses list you can locate which IP is for what PC on your network and then follow their activity. Of course you can use this log to determine where your network users have been but you can also take this information to filter out addresses that you definitely don’t want accessed from you network.

image

Now let’s see where this information really comes in handy.

What to do about firewall hits

What should you do if you notice some strange activity on your firewall?

If you view your Firewall and notice some odd addresses coming in from outside the local network, the first thing you want to figure out is who this is and where this is coming from. Hackers can and often do cover their tracks by routing their information through other PCs (usually some infected system). This makes exposing the true attacker hard if not impossible. I think a good way to at least narrow down the candidates is to use a well known hacker technique: reverse engineering.

You can take any suspect IP address and attempt to resolve it to the actual host name. To do this there are a couple tricks we can use to try to uncover the reason behind these firewall hits . We are going to utilize the “Ping” and “NSLookup” commands for starters which are both Network Administrator tools to help locate the source of connection issues.

In order to use these command line tools you must have IP addresses as shown in the router log article linked above . Once you see any IP addresses coming into you network jot them down and let’s begin our procedure.

The Ping and Nslookup command must be run from a command line, so to start things off go to Start/Run and type “cmd” (without the quotes) for XP/2K users and “command” for the 95/98/ME users. This will bring up a DOS window and from here you can type the Ping command along with the switch such as “-a” and then the IP address of the suspicious service. It should look like this:

C:\Documents and Settings\Owner> ping –a 66.94.234.13

image

Note: With XP you can also try using the Nslookup command for this and may even be able to put the the IP address in the address field in your Internet browser which will work if they have a website.

This isn’t going to work for every situation, and this is why I mentioned the reverse engineering method. As I said earlier, hackers are trying to remain hidden and they do this by routing their transmissions through other’s infected machines, and some ISP’s may stop the commands at their servers. So by reverse engineering I mean that you can go through the list of IP addresses that you jotted down earlier and start pinging them all. Make marks in your notes as to which addresses could be resolved or pinged and which could not.

Next you might want to go through the list and try the other two techniques (nslookup and using you browser) if these two methods produce no useful results then consider blocking them. You can block sites and domains through your firewall quite easily and you shouldn’t notice any adverse affects like not being able to connect to a site or miss an update for you antivirus. You will not be blocking anything important out because if your firewall stopped it it never got into you network,

Another command line utility that can possibly help you narrow down and even locate the source of intrusion using the ‘tracert” command. This is short for traceroute , and what it does is show you everywhere youR packets are going online in order to get to the desired destination. For instance, if you type in “tracert google.com” from the command line you will come up with a strange looking list similar to the Ping list.

image

What this will show is the route your information (packets) uses to get to Google.com, including your local ISP and any other servers along the way. This can be useful because it can possibly track down where the IP address is being sent from and possibly display the ISP’s name, such as Netzero.com for example. You can use this along with the IP address that you can’t resolve and shed some light on where all this is coming from, and who to tell.

If you do get an ISP’s name you can look them up online for some sort of contact information and possibly send them an email describing what’s going on with one of their users. This may be news to the person caught in the middle as well, for they may have been infected with some sort of worm or Trojan and are not aware of the fact that they are a hacker relay.

With any of these methods it’s a crap shoot at best—clever hackers conceal who they are and where they come from. These tools will help you see who is not a threat and you can use that to your advantage.

Just a few other things you may want to keep in mind if your firewall hits are out of control. Call you ISP and tell them that you are getting constant hits on your firewall. They may do something for you as far as try to track them down (especially if they are a small ISP) and you may also request a new IP address. This should stop the intrusions—for a while at least.

Just as a last thought it may be a good idea to run your anti-virus/spyware after everything is cleaned up, to make sure you’re not a hacker relay.

Check out our website if you want to learn about nslookup…
http://www.worldstart.com/tips/tips.php/393

Stay safe out there,

~ Chad

Chad Stelnicki


Article printed from Worldstart's Tech Tips And Computer Help: http://www.worldstart.com

URL to article: http://www.worldstart.com/router-logs-firewall-hits/