
Re: Logging for all products

CharlotteEL
Tutor

Logging for all products

I am really surprised and disappointed that, with routers today being quad core, Netgear has not beefed up their security options, in particular logging. With such a heavy emphasis on cyber security, this is one area you all have really fallen behind. The fact that you have basically horrible logging to begin with is really bad, but the fact that you have routers and gateways that can only email logs is ridiculous. I have seen routers with current firmware updates that still do not allow any port other than port 25 and no encryption options...

 

Area of opportunity!!! I'm disgusted I would even have to mention it. Please address it quickly.

Message 1 of 18
ekhalil
Master

Re: Logging for all products

Can you please give more details about the events that you are missing in the Orbi logs.

I know that logging in Orbi currently has some bugs and does not work as it's meant to. Basically, in Orbi you can get logging for:

[screenshot: Namnlöst.png]

And since the log space is limited, you can ask Orbi to email you the log before it's cleared. You can also get the log emailed to you periodically on a schedule that you can set.

As I said, this functionality currently has issues and I hope that it will soon be fixed.

I did not understand, though, the following statement:


@CharlotteEL wrote:

........... I have seen routers with current firmware updates that still do not allow any port other than port 25 and no encryption options... 

............


🙂

 

Message 2 of 18
CrimpOn
Guru

Re: Logging for all products

So, the request is for something like OpenPGP to encrypt the contents of the log file before sending it, or .....?

As far as I know, Orbis do not receive email, so there is no security vulnerability to the Orbi.  The fear is (1) that the log file will be intercepted along the way and an evil person will learn... (what?), or (2) a spurious log file will be sent that provides misleading information and causes someone to ... (what?)

 

Or, is the request to use a message service that hides even the recipient of the log file?

 

By the way, MY observation is that the Orbi log file does NOT function as described.  At one point, my Orbi log contained DoS attacks and port scans, but it has not after the last couple of software updates.  Also, my Orbi used to record DHCP assignments, and no longer does.  ALL my Orbi log file contains is restarts, admin logins, and NTP syncs.  (I do not use VPN, port forwarding, or restrict internet sites, so I have no idea if those functions work.)  I understand why Netgear might remove evidence of DoS and port scans.  They were recognized and blocked, so "who cares".  I found the DHCP business interesting, because it would show some devices getting DHCP every two minutes, while all the others behaved as expected.

 

Rather than have logs encrypted, I would like them to WORK.

Message 3 of 18
ekhalil
Master

Re: Logging for all products


@CrimpOn wrote:

................  Also, my Orbi used to record DHCP assignments, and no longer does.  ALL my Orbi log file contains is restarts, admin logins, and NTP syncs.  .............

 

Rather than have logs encrypted, I would like them to WORK.


I still see the DHCP events and DDNS updates besides what you mentioned (restarts, admin logins, and NTP syncs). Try the following to get the logging to -somehow- "reset":

Under the Logs tab:

- Click "Apply"

- Click "Clear Log"

- Click "Apply" again

I use this method to get the logs to work every time it stops emailing logs when full. 🙂

Message 4 of 18
CharlotteEL
Tutor

Re: Logging for all products

No, leave email altogether. Format the logs into a parsable format and have options to export CSV on a schedule to share, or, best, allow them to be piped directly into a SIEM 🙂
Message 5 of 18
CharlotteEL
Tutor

Re: Logging for all products

Also, by encryption I meant the connections. Most providers require TLS or SSL. But they should move away from emailing logs altogether. My provider happens to allow local IP addresses only to send unencrypted only over 25 to local addresses only. But for the life of me I can't even get that to work. I'm also not using Orbi. I'm still on an older (updated firmware) C7000 gateway/router. DOCSIS 3.0 24/8 channels. Does the job for the most part, although my needs have changed.
Message 6 of 18
ekhalil
Master

Re: Logging for all products


@CharlotteEL wrote:
also encryption i meant the connections. most providers require TLS or SSL...............

You need to specify the SMTP server to use to send your emails from and the encryption protocol used (TLS or SSL) and the destination email address.


@CharlotteEL wrote:
........ My provider happens to allow local IP addresses only to send unencrypted only over 25 to local addresses only. But for the life of me I can't even get that to work. I'm also not using Orbi. I'm still on an older (updated firmware) C7000 gateway/router. DOCSIS 3.0 24/8 channels. Does the job for the most part, although my needs have changed.

This is a common issue with most SMTP servers. The only SMTP server I found accepting local addresses is Hotmail's, and it is working fine for me. If you don't already have a Hotmail/Live account, you can create a free account and use it just to be able to make use of Hotmail's SMTP server to send emails from your NG router to your preferred destination email address. This is how I configured Orbi to email logs:

[screenshot: Namnlöst.png]

 

Message 7 of 18
CrimpOn
Guru

Re: Logging for all products

Wow, threads in this forum produce amazing discussions!  Had not heard of a SIEM, and I wonder what the cost would be.  My guess is 99% of Netgear residential customers never look at a log file.  I am sending logs through smtp.gmail.com, port 465, which seems to be SSL.  Maybe Netgear gives users a choice to send SMTP as plain text or encrypted based on the SMTP server they specify?

 

I guess a .csv file could offer benefits over a text file.  What sort of mechanism would people want Netgear to develop?  Dump into a cloud service? (Dropbox, Google Drive, Apple/Microsoft (whatever?), etc.)  Send to an FTP server?

Message 8 of 18
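An added example (my own code, not from this thread or from NETGEAR) of how a log-mailing client should treat the ports discussed above: 465 as implicit TLS (what the thread calls "SSL"), 587 as STARTTLS, and 25 as plaintext only on an explicit opt-in, with the account password never sent outside a certificate-verified TLS session. The function names and the opt-in flag are my choice; nothing connects anywhere unless send_log is called with a real server.

```python
import smtplib
import ssl
from email.message import EmailMessage


def smtp_mode(port, allow_plaintext=False):
    """Map the SMTP port to the transport the session must use.
    465 = implicit TLS (the thread's "SSL"), 587 = STARTTLS,
    25 = unencrypted relay (only if the caller opts in). None = refused."""
    if port == 465:
        return "implicit_tls"
    if port == 587:
        return "starttls"
    if port == 25 and allow_plaintext:
        return "plaintext"
    return None


def build_message(log_text, sender, recipient, subject="Router log"):
    """Wrap the router log as a plain-text attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Router log attached.")
    msg.add_attachment(log_text.encode("utf-8"), maintype="text",
                       subtype="plain", filename="router.log")
    return msg


def send_log(host, port, user, password, log_text, sender, recipient,
             allow_plaintext=False):
    """Deliver the log. Credentials go only over a verified TLS session;
    on a plaintext (port 25) relay the client does not authenticate at all."""
    mode = smtp_mode(port, allow_plaintext)
    if mode is None:
        raise ValueError(f"refusing to send on port {port} without TLS")
    msg = build_message(log_text, sender, recipient)
    ctx = ssl.create_default_context()  # verifies the server certificate
    if mode == "implicit_tls":
        conn = smtplib.SMTP_SSL(host, port, context=ctx)
    else:
        conn = smtplib.SMTP(host, port)
        if mode == "starttls":
            conn.starttls(context=ctx)  # upgrade before any AUTH
    with conn:
        if mode != "plaintext":
            conn.login(user, password)
        conn.send_message(msg)
    return mode
```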
CrimpOn
Guru

Re: Logging for all products

Still not logging.  I did the "Apply, Clear, Apply" yesterday and just checked my log today:

 

[admin login] from source 192.168.1.2, Monday, December 24, 2018 08:19:38
[admin login] from source 192.168.1.2, Sunday, December 23, 2018 23:48:01
[admin login] from source 192.168.1.2, Sunday, December 23, 2018 14:33:48
[Log Cleared] Sunday, December 23, 2018 11:38:00

 

i.e. in 21 hours, no NTP, no DHCP, no intrusion.  Nada.  Every box is checked.  Orbi has been up for 27 days.  (When I thought that Netgear Level II was going to call me about "testing the log files", I went into debug_htm, turned on "Start Debug Log Capture", restarted Orbi, collected a log file for 10 minutes, saved the debug log, unchecked the box, and restarted.)

 

Willing to try almost anything.

Message 9 of 18
ekhalil
Master

Re: Logging for all products


@CrimpOn wrote:

Still not logging.  I did the "Apply, Clear, Apply" yesterday and just checked my log today:

 

[admin login] from source 192.168.1.2, Monday, December 24, 2018 08:19:38
[admin login] from source 192.168.1.2, Sunday, December 23, 2018 23:48:01
[admin login] from source 192.168.1.2, Sunday, December 23, 2018 14:33:48
[Log Cleared] Sunday, December 23, 2018 11:38:00

 

i.e. in 21 hours, no NTP, no DHCP, no intrusion.  Nada.  Every box is checked.  Orbi has been up for 27 days.  (When I thought that Netgear Level II was going to call me about "testing the log files", I went into debug_htm, turned on "Start Debug Log Capture", restarted Orbi, collected a log file for 10 minutes, saved the debug log, unchecked the box, and restarted.)

 

Willing to try almost anything.


I tried the following steps once and it worked for me. Please try them and see if this gets the DHCP events logged:

- From a browser, go to the router's debug page (http://192.168.1.1/debug.htm), using your own router's IP address

- Tick the "Enable Telnet" option

- Use telnet to connect to your router (telnet 192.168.1.1) and enter admin and the password

- Enter the command 

root@RBR50:/# config get log_mobile_conn

You will probably get 0. This means not activated.

- Enter the commands:

root@RBR50:/# config set log_mobile_conn=1

root@RBR50:/# config commit

- Now reboot Orbi from the GUI

 

See if this helps 🙂

Message 10 of 18
CharlotteEL
Tutor

Re: Logging for all products

Is anyone from Netgear following this thread? I really wish they would and address this; it would add value to their consumer line. I think the solutions would be to provide options for:

1. Email Logs yes/no - Scheduled or Live events

  • Server Address
  • Port Number
  • Authentication Yes/No
  • Encryption Yes/No
    • a. TLS (and offer the latest version of TLS)
    • b. SSL
  • From
  • To

2. Export Logs (CSV) Yes/No - Scheduled

  • Share Yes/No
    • Share Path
    • ID/PW
  • Upload to Cloud (provide netgear space and web front end to display, sort, filter, etc) - Live Events
    • Login information for Netgear

3. Send to syslog/splunk - Live events

  • connection information
  • IP/host name
  • Port Number
  • ID/Password
Message 11 of 18
ekhalil
Master

Re: Logging for all products


@CharlotteEL wrote:

Is anyone from Netgear following this thread? I really wish they would and address this; it would add value to their consumer line. I think the solutions would be to provide options for:

1. Email Logs yes/no - Scheduled or Live events

  • Server Address
  • Port Number
  • Authentication Yes/No
  • Encryption Yes/No
    • a. TLS (and offer the latest version of TLS)
    • b. SSL
  • From
  • To

2. Export Logs (CSV) Yes/No - Scheduled

  • Share Yes/No
    • Share Path
    • ID/PW
  • Upload to Cloud (provide netgear space and web front end to display, sort, filter, etc) - Live Events
    • Login information for Netgear

3. Send to syslog/splunk - Live events

  • connection information
  • IP/host name
  • Port Number
  • ID/Password

@CharlotteEL Good suggestion. Please add this as a new idea in: https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home

Message 12 of 18
CrimpOn
Guru

Re: Logging for all products

It has been five hours since my telnet to the Orbi, config set log_mobile_conn=1, and reboot.  (Have confirmed that it remains "=1" rather than "=0")

 

[admin login] from source 192.168.1.2, Monday, December 24, 2018 16:03:59
[admin login] from source 192.168.1.2, Monday, December 24, 2018 12:20:15
[admin login] from source 192.168.1.2, Monday, December 24, 2018 11:32:16
[Time synchronized with NTP server] Monday, December 24, 2018 11:14:47
[admin login] from source 192.168.1.2, Monday, December 24, 2018 11:13:12
[Initialized, firmware version: V2.2.1.210] Monday, December 24, 2018 11:12:52

 

Still no evidence of DHCP activity, DoS, port scans, etc.  I went through the files in /etc/config and did not find any mention of "log_mobil_conn", nor did Google turn up a reference to it.  Are there any settings besides "0" and "1"?  Or any other ideas?

Message 13 of 18
ekhalil
Master

Re: Logging for all products


@CrimpOn wrote:

It has been five hours since my telnet to the Orbi, config set log_mobile_conn=1, and reboot.  (Have confirmed that it remains "=1" rather than "=0")

 

[admin login] from source 192.168.1.2, Monday, December 24, 2018 16:03:59
[admin login] from source 192.168.1.2, Monday, December 24, 2018 12:20:15
[admin login] from source 192.168.1.2, Monday, December 24, 2018 11:32:16
[Time synchronized with NTP server] Monday, December 24, 2018 11:14:47
[admin login] from source 192.168.1.2, Monday, December 24, 2018 11:13:12
[Initialized, firmware version: V2.2.1.210] Monday, December 24, 2018 11:12:52

 

Still no evidence of DHCP activity, DoS, port scans, etc.  I went through the files in /etc/config and did not find any mention of "log_mobil_conn", nor did Google turn up a reference to it.  Are there any settings besides "0" and "1"?  Or any other ideas?


Sorry for this! 😞 I then think that your only option would be a factory reset.

I'm also missing the DoS in the log, but I see everything else.

This is how my log looks today:

[admin login] from source 192.168.1.20, Tuesday, December 25, 2018 13:36:20
[admin login] from source 192.168.1.20, Tuesday, December 25, 2018 13:25:36
[DHCP IP: 192.168.1.30] to MAC address 98:01:a7:c7:b0:f9, Tuesday, December 25, 2018 13:20:46
[admin login] from source 192.168.1.20, Tuesday, December 25, 2018 13:10:29
[DHCP IP: 192.168.1.20] to MAC address a0:99:9b:0b:3f:5b, Tuesday, December 25, 2018 13:04:35
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Tuesday, December 25, 2018 12:53:00
[DHCP IP: 192.168.1.23] to MAC address 48:4b:aa:2d:52:5d, Tuesday, December 25, 2018 12:16:44
[DHCP IP: 192.168.1.83] to MAC address b4:07:f9:3f:87:62, Tuesday, December 25, 2018 11:28:51
[DHCP IP: 192.168.1.76] to MAC address c8:69:cd:58:26:f4, Tuesday, December 25, 2018 11:12:03
[DHCP IP: 192.168.1.22] to MAC address 60:d9:c7:a3:e3:36, Tuesday, December 25, 2018 10:38:58
[Dynamic DNS] host name xx.xx.xx.xx registeration successful, Tuesday, December 25, 2018 10:29:35
[Dynamic DNS] host name xx.xx.xx.xx registeration failure, Tuesday, December 25, 2018 10:29:25
[DHCP IP: 192.168.1.4] to MAC address dc:a4:ca:b9:85:8d, Tuesday, December 25, 2018 09:47:25
[DHCP IP: 192.168.1.26] to MAC address f4:31:c3:4f:71:1c, Tuesday, December 25, 2018 09:34:52
[DHCP IP: 192.168.1.195] to MAC address c8:02:10:62:c7:01, Tuesday, December 25, 2018 08:28:09
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Tuesday, December 25, 2018 08:22:33
[DHCP IP: 192.168.1.155] to MAC address 00:09:34:42:64:ba, Tuesday, December 25, 2018 07:58:11
[DHCP IP: 192.168.1.166] to MAC address 00:09:34:2c:d1:ec, Tuesday, December 25, 2018 06:46:14
[DHCP IP: 192.168.1.70] to MAC address 7c:e9:d3:99:a3:03, Tuesday, December 25, 2018 06:06:07
[DHCP IP: 192.168.1.28] to MAC address 28:a0:2b:3b:8d:a0, Tuesday, December 25, 2018 06:02:50
[DHCP IP: 192.168.1.2] to MAC address 78:d2:94:b5:06:17, Tuesday, December 25, 2018 06:00:35
[DHCP IP: 192.168.1.73] to MAC address 00:04:20:eb:c0:54, Tuesday, December 25, 2018 06:00:15
[DHCP IP: 192.168.1.72] to MAC address 00:04:20:f3:af:6e, Tuesday, December 25, 2018 06:00:05
[DHCP IP: 192.168.1.194] to MAC address 30:a9:de:3c:e1:4d, Tuesday, December 25, 2018 05:59:58
[DHCP IP: 192.168.1.189] to MAC address 30:a9:de:bf:8e:53, Tuesday, December 25, 2018 05:59:49
[DHCP IP: 192.168.1.75] to MAC address 5c:f9:38:dc:11:cc, Tuesday, December 25, 2018 05:59:39
[DHCP IP: 192.168.1.188] to MAC address 30:a9:de:bf:86:89, Tuesday, December 25, 2018 05:59:31
[DHCP IP: 192.168.1.199] to MAC address c8:02:10:0e:7c:7c, Tuesday, December 25, 2018 05:59:27
[DHCP IP: 192.168.1.198] to MAC address c8:02:10:0e:7b:b0, Tuesday, December 25, 2018 05:59:27
[DHCP IP: 192.168.1.76] to MAC address c8:69:cd:58:26:f4, Tuesday, December 25, 2018 05:59:26
[DHCP IP: 192.168.1.187] to MAC address c4:36:6c:d9:3d:ed, Tuesday, December 25, 2018 05:59:23
[DHCP IP: 192.168.1.196] to MAC address e8:f2:e2:ad:b6:8a, Tuesday, December 25, 2018 05:59:23
[DHCP IP: 192.168.1.193] to MAC address c8:02:10:62:c7:55, Tuesday, December 25, 2018 05:59:23
[DHCP IP: 192.168.1.77] to MAC address ac:ca:54:01:da:25, Tuesday, December 25, 2018 05:58:48
[DHCP IP: 192.168.1.71] to MAC address 70:ee:50:2d:8f:94, Tuesday, December 25, 2018 05:31:27
[DHCP IP: 192.168.1.197] to MAC address 30:a9:de:b7:35:07, Tuesday, December 25, 2018 05:06:32
[DHCP IP: 192.168.1.31] to MAC address 8c:2d:aa:45:f4:f9, Tuesday, December 25, 2018 05:00:18
[DHCP IP: 192.168.1.85] to MAC address 80:d2:1d:15:83:b7, Tuesday, December 25, 2018 03:37:11
[DHCP IP: 192.168.1.22] to MAC address 60:d9:c7:a3:e3:36, Tuesday, December 25, 2018 02:16:41
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Tuesday, December 25, 2018 02:03:13
[DHCP IP: 192.168.1.83] to MAC address b4:07:f9:3f:87:62, Tuesday, December 25, 2018 01:53:22
[DHCP IP: 192.168.1.22] to MAC address 60:d9:c7:a3:e3:36, Tuesday, December 25, 2018 01:51:18
[DHCP IP: 192.168.1.31] to MAC address 8c:2d:aa:45:f4:f9, Tuesday, December 25, 2018 01:49:11
[DHCP IP: 192.168.1.22] to MAC address 60:d9:c7:a3:e3:36, Tuesday, December 25, 2018 01:36:42
[DHCP IP: 192.168.1.23] to MAC address 48:4b:aa:2d:52:5d, Tuesday, December 25, 2018 01:31:29
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Tuesday, December 25, 2018 00:58:43
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Tuesday, December 25, 2018 00:41:30
[DHCP IP: 192.168.1.31] to MAC address 8c:2d:aa:45:f4:f9, Tuesday, December 25, 2018 00:31:27
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Tuesday, December 25, 2018 00:27:37
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Tuesday, December 25, 2018 00:24:36
[DHCP IP: 192.168.1.20] to MAC address a0:99:9b:0b:3f:5b, Monday, December 24, 2018 23:55:00
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Monday, December 24, 2018 23:54:53
[DHCP IP: 192.168.1.4] to MAC address dc:a4:ca:b9:85:8d, Monday, December 24, 2018 23:44:23
[admin login] from source 192.168.1.20, Monday, December 24, 2018 23:38:12
[admin login] from source 192.168.1.20, Monday, December 24, 2018 23:38:11
[admin login] from source 192.168.1.20, Monday, December 24, 2018 23:31:23
[admin login failure] from source 192.168.1.20, Monday, December 24, 2018 23:31:15
[DHCP IP: 192.168.1.23] to MAC address 48:4b:aa:2d:52:5d, Monday, December 24, 2018 23:26:22
[admin login failure] from source 192.168.1.20, Monday, December 24, 2018 23:16:41
[admin login] from source 192.168.1.20, Monday, December 24, 2018 23:16:04
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Monday, December 24, 2018 22:57:48
[DHCP IP: 192.168.1.20] to MAC address a0:99:9b:0b:3f:5b, Monday, December 24, 2018 22:51:13
[admin login] from source 192.168.1.20, Monday, December 24, 2018 22:18:19
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Monday, December 24, 2018 22:15:48
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Monday, December 24, 2018 22:09:51
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Monday, December 24, 2018 21:55:40
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Monday, December 24, 2018 21:45:21
[DHCP IP: 192.168.1.26] to MAC address f4:31:c3:4f:71:1c, Monday, December 24, 2018 21:32:10
[DHCP IP: 192.168.1.23] to MAC address 48:4b:aa:2d:52:5d, Monday, December 24, 2018 21:26:41
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Monday, December 24, 2018 21:18:31
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Monday, December 24, 2018 21:01:14
[DHCP IP: 192.168.1.85] to MAC address 80:d2:1d:15:83:b7, Monday, December 24, 2018 20:42:32
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Monday, December 24, 2018 20:41:15
[DHCP IP: 192.168.1.28] to MAC address 28:a0:2b:3b:8d:a0, Monday, December 24, 2018 20:28:17
[DHCP IP: 192.168.1.195] to MAC address c8:02:10:62:c7:01, Monday, December 24, 2018 20:07:57
[DHCP IP: 192.168.1.155] to MAC address 00:09:34:42:64:ba, Monday, December 24, 2018 19:58:10
[DHCP IP: 192.168.1.195] to MAC address c8:02:10:62:c7:01, Monday, December 24, 2018 19:54:06
[DHCP IP: 192.168.1.28] to MAC address 28:a0:2b:3b:8d:a0, Monday, December 24, 2018 19:37:10
[DHCP IP: 192.168.1.84] to MAC address 10:08:c1:dd:94:74, Monday, December 24, 2018 19:36:20
[DHCP IP: 192.168.1.28] to MAC address 28:a0:2b:3b:8d:a0, Monday, December 24, 2018 19:10:49
[Dynamic DNS] host name xx.xx.xx.xx registeration successful, Monday, December 24, 2018 19:02:56
[Dynamic DNS] host name xx.xx.xx.xx registeration failure, Monday, December 24, 2018 19:02:55
[DHCP IP: 192.168.1.23] to MAC address 48:4b:aa:2d:52:5d, Monday, December 24, 2018 19:01:16
[admin login] from source 192.168.1.20, Monday, December 24, 2018 19:00:25
[admin login failure] from source 192.168.1.20, Monday, December 24, 2018 18:54:42
[admin login] from source 192.168.1.20, Monday, December 24, 2018 18:54:36
[admin login failure] from source 192.168.1.20, Monday, December 24, 2018 18:54:32
[DHCP IP: 192.168.1.30] to MAC address 98:01:a7:c7:b0:f9, Monday, December 24, 2018 18:47:56
[DHCP IP: 192.168.1.166] to MAC address 00:09:34:2c:d1:ec, Monday, December 24, 2018 18:46:11
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Monday, December 24, 2018 18:26:24
[DHCP IP: 192.168.1.84] to MAC address 10:08:c1:dd:94:74, Monday, December 24, 2018 18:20:15
[DHCP IP: 192.168.1.23] to MAC address 48:4b:aa:2d:52:5d, Monday, December 24, 2018 18:05:46
[DHCP IP: 192.168.1.70] to MAC address 7c:e9:d3:99:a3:03, Monday, December 24, 2018 18:03:57
[Log Cleared] Monday, December 24, 2018 18:03:20

Message 14 of 18
ekhalil
Master

Re: Logging for all products


@ekhalil wrote:


.........

I'm also missing the DoS in the log, but I see everything else.

..........

 

The other day I was testing a SIP telephony switch and I set up port forwarding in Orbi to direct RTP packets to the SIP switch; directly after that I got DoS events in the logs. I really don't know what the relation between the two events is:

 

[DoS Attack: SYN/ACK Scan] from source: 31.13.72.53, port 443, Friday, January 04, 2019 22:49:38

[DoS Attack: SYN/ACK Scan] from source: 31.13.72.8, port 80, Friday, January 04, 2019 22:49:36

[DoS Attack: ACK Scan] from source: 157.240.194.63, port 443, Friday, January 04, 2019 22:49:34

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Friday, January 04, 2019 22:49:29

[LAN access from remote] from xxxxxxxxxxxxxxxx: 44075 to 192.168.1.100:xxxx, Friday, January 04, 2019 22:46:48

 

When I search for information about those DoS source IP addresses (31.13.72.8, 31.13.72.53 and 157.240.194.63) I see that they are somehow related to Facebook!!!

Those events disappeared directly from the log when I removed the port forwarding!

Message 15 of 18
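An added example (my own code, not from this thread or from NETGEAR) that parses the log line format pasted in the posts above (admin login, DHCP, DoS, DDNS, NTP, boot and "Log Cleared" entries) into structured records, exports them as the CSV CharlotteEL asked for, and runs two checks a SIEM would run on them: bursts of "admin login failure" from one source, and the DHCP churn CrimpOn mentioned. The sample log is constructed from lines that appear in the thread; the record field names and thresholds are my choice.

```python
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the line format pasted in this thread (newest first, as
# the Orbi GUI shows it); addresses and firmware string are the ones in the thread.
SAMPLE_LOG = """\
[admin login] from source 192.168.1.20, Monday, December 24, 2018 23:38:12
[admin login failure] from source 192.168.1.20, Monday, December 24, 2018 23:31:15
[admin login failure] from source 192.168.1.20, Monday, December 24, 2018 23:30:50
[admin login failure] from source 192.168.1.20, Monday, December 24, 2018 23:30:02
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Monday, December 24, 2018 23:27:00
[DHCP IP: 192.168.1.23] to MAC address 48:4b:aa:2d:52:5d, Monday, December 24, 2018 23:26:22
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Monday, December 24, 2018 23:25:00
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Monday, December 24, 2018 23:23:00
[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Monday, December 24, 2018 23:21:00
[DoS Attack: SYN/ACK Scan] from source: 31.13.72.53, port 443, Monday, December 24, 2018 22:49:38
[DoS Attack: ACK Scan] from source: 157.240.194.63, port 443, Monday, December 24, 2018 22:49:34
[Dynamic DNS] host name xx.xx.xx.xx registeration successful, Monday, December 24, 2018 19:02:56
[Initialized, firmware version: V2.2.1.210] Monday, December 24, 2018 11:12:52
[Log Cleared] Monday, December 24, 2018 11:10:00
"""

WEEKDAYS = "Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday"
# "[event] detail, Weekday, Month DD, YYYY HH:MM:SS"; detail may be empty.
LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\]\s*(?P<detail>.*?)\s*,?\s*(?:" + WEEKDAYS + r"), "
    r"(?P<stamp>[A-Z][a-z]+ \d{2}, \d{4} \d{2}:\d{2}:\d{2})$"
)
SRC_RE = re.compile(r"from source:? (\S+?)(?:, port (\d+))?$")  # admin + DoS lines
MAC_RE = re.compile(r"to MAC address ([0-9a-f:]{17})")
FW_RE = re.compile(r"firmware version: (\S+)")


def parse_line(line):
    """One Orbi log line -> record dict, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event, detail = m.group("event"), m.group("detail")
    rec = {"ts": datetime.strptime(m.group("stamp"), "%B %d, %Y %H:%M:%S"),
           "type": event, "src": "", "mac": "", "port": "", "extra": detail}
    if event.startswith("DHCP IP: "):
        rec["type"], rec["src"] = "dhcp", event[len("DHCP IP: "):]
        d = MAC_RE.search(detail)
        rec["mac"] = d.group(1) if d else ""
    elif event.startswith("DoS Attack: ") or event.startswith("admin login"):
        rec["type"] = ("dos" if event.startswith("DoS") else
                       "admin_login_fail" if "failure" in event else "admin_login_ok")
        rec["extra"] = event[len("DoS Attack: "):] if rec["type"] == "dos" else ""
        d = SRC_RE.search(detail)
        if d:
            rec["src"], rec["port"] = d.group(1), d.group(2) or ""
    elif event.startswith("Initialized"):
        rec["type"] = "boot"
        d = FW_RE.search(event)
        rec["extra"] = d.group(1) if d else ""
    return rec


def parse_log(text):
    """Parse every line and return the records oldest first."""
    recs = [r for r in (parse_line(ln) for ln in text.splitlines()) if r]
    return sorted(recs, key=lambda r: r["ts"])


def to_csv(records):
    """The parseable export the thread asks for: one CSV row per event, ISO timestamps."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["timestamp", "type", "src", "mac", "port", "extra"])
    for r in records:
        w.writerow([r["ts"].isoformat(), r["type"], r["src"], r["mac"], r["port"], r["extra"]])
    return out.getvalue()


def _windowed(times, threshold, window):
    """True if any `threshold` consecutive (sorted) timestamps fall within `window`."""
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Sources with >= threshold 'admin login failure' events inside `window`."""
    by_src = defaultdict(list)
    for r in records:
        if r["type"] == "admin_login_fail":
            by_src[r["src"]].append(r["ts"])
    return {s: len(t) for s, t in by_src.items() if _windowed(t, threshold, window)}


def dhcp_churn(records, threshold=4, window=timedelta(hours=1)):
    """MACs taking >= threshold leases inside `window`: the 'DHCP every two
    minutes' pattern from the thread, usually a client that never keeps its lease."""
    by_mac = defaultdict(list)
    for r in records:
        if r["type"] == "dhcp":
            by_mac[r["mac"]].append(r["ts"])
    return {m: len(t) for m, t in by_mac.items() if _windowed(t, threshold, window)}


def summarize(records):
    """Event counts per normalized type, plus one counter per DoS scan kind."""
    c = Counter(r["type"] for r in records)
    c.update("dos:" + r["extra"] for r in records if r["type"] == "dos")
    return c
```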
ekhalil
Master

Re: Logging for all products


@ekhalil wrote:

@ekhalil wrote:


.........

I'm also missing the DoS in the log, but I see everything else.

..........

 

The other day I was testing a SIP telephony switch and I set up port forwarding in Orbi to direct RTP packets to the SIP switch; directly after that I got DoS events in the logs. I really don't know what the relation between the two events is:

 

[DoS Attack: SYN/ACK Scan] from source: 31.13.72.53, port 443, Friday, January 04, 2019 22:49:38

[DoS Attack: SYN/ACK Scan] from source: 31.13.72.8, port 80, Friday, January 04, 2019 22:49:36

[DoS Attack: ACK Scan] from source: 157.240.194.63, port 443, Friday, January 04, 2019 22:49:34

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Friday, January 04, 2019 22:49:29

[LAN access from remote] from xxxxxxxxxxxxxxxx: 44075 to 192.168.1.100:xxxx, Friday, January 04, 2019 22:46:48

 

When I search for information about those DoS source IP addresses (31.13.72.8, 31.13.72.53 and 157.240.194.63) I see that they are somehow related to Facebook!!!

Those events disappeared directly from the log when I removed the port forwarding!


Just checked now and it seems that setting up the port forwarding -somehow- just "activated" the DoS logging! Today my log is full of DoS attacks!

 

[DHCP IP: 192.168.1.70] to MAC address 7c:e9:d3:99:a3:03, Sunday, January 06, 2019 13:14:05

[DHCP IP: 192.168.1.83] to MAC address b4:07:f9:3f:87:62, Sunday, January 06, 2019 13:06:58

[DHCP IP: 192.168.1.199] to MAC address c8:02:10:0e:7c:7c, Sunday, January 06, 2019 12:53:58

[DoS Attack: SYN/ACK Scan] from source: 34.225.98.72, port 443, Sunday, January 06, 2019 12:33:38

[DHCP IP: 192.168.1.20] to MAC address a0:99:9b:0b:3f:5b, Sunday, January 06, 2019 12:30:59

[DHCP IP: 192.168.1.23] to MAC address 48:4b:aa:2d:52:5d, Sunday, January 06, 2019 12:15:28

[DHCP IP: 192.168.1.20] to MAC address a0:99:9b:0b:3f:5b, Sunday, January 06, 2019 11:48:21

[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.125, port 31720, Sunday, January 06, 2019 08:13:29

[DHCP IP: 192.168.1.155] to MAC address 00:09:34:42:64:ba, Sunday, January 06, 2019 06:42:20

[DoS Attack: ACK Scan] from source: 17.252.105.117, port 5223, Sunday, January 06, 2019 05:04:41

[DHCP IP: 192.168.1.87] to MAC address 44:07:0b:b0:df:a6, Sunday, January 06, 2019 04:53:23

[DHCP IP: 192.168.1.83] to MAC address b4:07:f9:3f:87:62, Sunday, January 06, 2019 04:40:30

[DoS Attack: TCP/UDP Chargen] from source: 212.64.111.52, port 407, Sunday, January 06, 2019 04:24:49

[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Sunday, January 06, 2019 04:20:00

[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Sunday, January 06, 2019 03:44:16

[DHCP IP: 192.168.1.88] to MAC address 20:df:b9:8e:0c:17, Sunday, January 06, 2019 02:39:38

[DoS Attack: ACK Scan] from source: 17.252.108.212, port 5223, Sunday, January 06, 2019 02:32:23

[DHCP IP: 192.168.1.73] to MAC address 00:04:20:eb:c0:54, Sunday, January 06, 2019 01:20:46

[DoS Attack: ACK Scan] from source: 157.240.194.63, port 443, Sunday, January 06, 2019 01:12:24

[DHCP IP: 192.168.1.70] to MAC address 7c:e9:d3:99:a3:03, Sunday, January 06, 2019 01:08:13

[DHCP IP: 192.168.1.199] to MAC address c8:02:10:0e:7c:7c, Sunday, January 06, 2019 00:53:53

[DoS Attack: ACK Scan] from source: 205.251.219.116, port 443, Sunday, January 06, 2019 00:52:31

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Sunday, January 06, 2019 00:52:09

[DoS Attack: ACK Scan] from source: 205.251.219.116, port 443, Sunday, January 06, 2019 00:51:32

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Sunday, January 06, 2019 00:51:21

[DoS Attack: SYN/ACK Scan] from source: 205.251.219.116, port 443, Sunday, January 06, 2019 00:51:09

[DoS Attack: SYN/ACK Scan] from source: 31.13.72.8, port 80, Sunday, January 06, 2019 00:51:06

[DoS Attack: ACK Scan] from source: 205.251.219.116, port 443, Sunday, January 06, 2019 00:51:04

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Sunday, January 06, 2019 00:50:57

[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Sunday, January 06, 2019 00:50:31

[DoS Attack: SYN/ACK Scan] from source: 35.247.252.134, port 30120, Sunday, January 06, 2019 00:45:43

[DHCP IP: 192.168.1.83] to MAC address b4:07:f9:3f:87:62, Sunday, January 06, 2019 00:44:50

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Sunday, January 06, 2019 00:30:30

[DoS Attack: ACK Scan] from source: 31.13.72.8, port 80, Sunday, January 06, 2019 00:25:55

[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Sunday, January 06, 2019 00:08:28

[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Sunday, January 06, 2019 00:07:57

[DoS Attack: ACK Scan] from source: 157.240.194.18, port 80, Sunday, January 06, 2019 00:02:08

[DoS Attack: SYN/ACK Scan] from source: 31.13.72.12, port 443, Sunday, January 06, 2019 00:01:50

[DoS Attack: SYN/ACK Scan] from source: 157.240.194.18, port 80, Sunday, January 06, 2019 00:01:48

[DoS Attack: ACK Scan] from source: 157.240.194.18, port 80, Sunday, January 06, 2019 00:01:40

[DHCP IP: 192.168.1.23] to MAC address 48:4b:aa:2d:52:5d, Saturday, January 05, 2019 23:54:30

[DoS Attack: ACK Scan] from source: 31.13.72.8, port 80, Saturday, January 05, 2019 23:49:32

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Saturday, January 05, 2019 23:49:25

[DoS Attack: ACK Scan] from source: 31.13.72.8, port 80, Saturday, January 05, 2019 23:49:03

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Saturday, January 05, 2019 23:48:58

[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Saturday, January 05, 2019 23:48:32

[DoS Attack: ACK Scan] from source: 31.13.72.8, port 80, Saturday, January 05, 2019 23:46:16

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Saturday, January 05, 2019 23:45:54

[DoS Attack: ACK Scan] from source: 31.13.72.8, port 80, Saturday, January 05, 2019 23:45:02

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Saturday, January 05, 2019 23:44:51

[DoS Attack: ACK Scan] from source: 31.13.72.8, port 80, Saturday, January 05, 2019 23:44:25

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Saturday, January 05, 2019 23:44:21

[DoS Attack: SYN/ACK Scan] from source: 31.13.72.8, port 80, Saturday, January 05, 2019 23:44:19

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Saturday, January 05, 2019 23:44:19

[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Saturday, January 05, 2019 23:43:27

[DoS Attack: ACK Scan] from source: 157.240.194.18, port 80, Saturday, January 05, 2019 23:38:24

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Saturday, January 05, 2019 23:37:33

[DoS Attack: ACK Scan] from source: 157.240.194.18, port 80, Saturday, January 05, 2019 23:37:27

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Saturday, January 05, 2019 23:37:00

[DoS Attack: ACK Scan] from source: 157.240.194.18, port 80, Saturday, January 05, 2019 23:36:58

[DoS Attack: SYN/ACK Scan] from source: 194.132.191.49, port 443, Saturday, January 05, 2019 23:35:54

[DHCP IP: 192.168.1.29] to MAC address 8c:8e:f2:13:bd:87, Saturday, January 05, 2019 23:35:31

[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Saturday, January 05, 2019 23:34:32

[DoS Attack: ACK Scan] from source: 157.240.20.63, port 443, Saturday, January 05, 2019 23:34:12

 

@CrimpOn, please try this trick! Add a temporary port forwarding rule, and then remove it after a while (not sure if you need to get some traffic through this port forwarding rule) and see if you will start seeing the DoS attempts in the logs! 🙂

Message 16 of 18
CrimpOn
Guru

Re: Logging for all products

No joy so far.  I set up port forwarding for FTP and HTTP (to a printer, but what the heck).  After five hours, no DoS and no DHCP.  I deleted those ports and set up one for IP_Phone (also to the printer).  Hmmm.  I wonder what happens if I open a port to a non-existent IP address?

 

Anyway, nothing yet.

 

Just as an aside, I would be a LOT happier if Netgear had chosen to "save configuration" as a text file (XML), rather than binary.  When I was writing software, it was so damn convenient to save a configuration by doing a binary write of a C structure.  One write and it's done!  I got in the habit of leaving blank spots in the structure for future use, but that didn't always work out.  If we could save the configuration in a way that could be read back in and "parsed", I would be happy to "reset to factory."  The thought of typing in all those MAC addresses makes me less eager to reset the Orbi and see what happens.

Message 17 of 18
ekhalil
Master

Re: Logging for all products


@CrimpOn wrote:

No joy so far.  I set up port forwarding for FTP and HTTP (to a printer, but what the heck).  After five hours, no DoS and no DHCP.  I deleted those ports and set up one for IP_Phone (also to the printer).  Hmmm.  I wonder what happens if I open a port to a non-existent IP address?

 

Anyway, nothing yet.

 

Just as an aside, I would be a LOT happier if Netgear had chosen to "save configuration" as a text file (XML), rather than binary.  When I was writing software, it was so damn convenient to save a configuration by doing a binary write of a C structure.  One write and it's done!  I got in the habit of leaving blank spots in the structure for future use, but that didn't always work out.  If we could save the configuration in a way that could be read back in and "parsed", I would be happy to "reset to factory."  The thought of typing in all those MAC addresses makes me less eager to reset the Orbi and see what happens.


Very weird, I really don't know what makes the logging behavior suddenly change. I think that I now have all types of logging in; I don't dare to reboot the router so as not to lose this logging again!  This is how my log looks right now:

[admin login] from source 192.168.1.20, Monday, January 07, 2019 18:52:22
[DHCP IP: 192.168.1.11] to MAC address b0:2a:43:13:c2:73, Monday, January 07, 2019 18:38:27
[DoS Attack: SYN/ACK Scan] from source: 114.80.184.10, port 80, Monday, January 07, 2019 18:04:35
[DHCP IP: 192.168.1.26] to MAC address f4:31:c3:4f:71:1c, Monday, January 07, 2019 17:56:43
[DHCP IP: 192.168.1.22] to MAC address 60:d9:c7:a3:e3:36, Monday, January 07, 2019 14:20:12
[DoS Attack: TCP/UDP Echo] from source: 185.165.169.146, port 41369, Monday, January 07, 2019 14:02:21
[DHCP IP: 192.168.1.75] to MAC address 5c:f9:38:dc:11:cc, Monday, January 07, 2019 13:57:04
[DHCP IP: 192.168.1.27] to MAC address 14:10:9f:e8:12:1c, Monday, January 07, 2019 13:20:10
[DHCP IP: 192.168.1.70] to MAC address 7c:e9:d3:99:a3:03, Monday, January 07, 2019 13:18:22
[DoS Attack: SYN/ACK Scan] from source: 94.130.6.24, port 53, Monday, January 07, 2019 13:08:56
[DoS Attack: TCP/UDP Chargen] from source: 52.73.169.169, port 49011, Monday, January 07, 2019 13:07:48
[DHCP IP: 192.168.1.20] to MAC address a0:99:9b:0b:3f:5b, Monday, January 07, 2019 12:43:37
[DoS Attack: SYN/ACK Scan] from source: 94.130.6.24, port 53, Monday, January 07, 2019 12:40:14
[DHCP IP: 192.168.1.12] to MAC address 14:c2:13:04:8b:3a, Monday, January 07, 2019 12:31:15
[DHCP IP: 192.168.1.75] to MAC address 5c:f9:38:dc:11:cc, Monday, January 07, 2019 11:53:18
[DHCP IP: 192.168.1.73] to MAC address 00:04:20:eb:c0:54, Monday, January 07, 2019 09:16:23
[DHCP IP: 192.168.1.22] to MAC address 60:d9:c7:a3:e3:36, Monday, January 07, 2019 09:05:18
[DHCP IP: 192.168.1.21] to MAC address 10:02:b5:9f:b6:c7, Monday, January 07, 2019 08:46:53
[DoS Attack: TCP/UDP Chargen] from source: 54.249.206.188, port 44444, Monday, January 07, 2019 08:46:16
[DHCP IP: 192.168.1.21] to MAC address 10:02:b5:9f:b6:c7, Monday, January 07, 2019 08:45:08
[DHCP IP: 192.168.1.77] to MAC address ac:ca:54:01:da:25, Monday, January 07, 2019 08:43:09
[DHCP IP: 192.168.1.71] to MAC address 70:ee:50:2d:8f:94, Monday, January 07, 2019 08:33:02
[DoS Attack: SYN/ACK Scan] from source: 144.0.3.32, port 80, Monday, January 07, 2019 08:32:11
[DoS Attack: TCP/UDP Chargen] from source: 103.60.13.2, port 39245, Monday, January 07, 2019 07:52:29
[DHCP IP: 192.168.1.4] to MAC address dc:a4:ca:b9:85:8d, Monday, January 07, 2019 06:45:17
[DoS Attack: TCP/UDP Chargen] from source: 212.64.111.52, port 44926, Monday, January 07, 2019 04:25:09
[DHCP IP: 192.168.1.89] to MAC address 44:07:0b:cd:38:ed, Monday, January 07, 2019 04:14:41
[DHCP IP: 192.168.1.31] to MAC address 8c:2d:aa:45:f4:f9, Monday, January 07, 2019 03:02:04
[DHCP IP: 192.168.1.23] to MAC address 48:4b:aa:2d:52:5d, Monday, January 07, 2019 02:55:21
[DoS Attack: TCP/UDP Chargen] from source: 191.96.249.112, port 34717, Monday, January 07, 2019 02:48:10

Message 18 of 18