Is there a guide to router event logs?

larkim
Dabbler
Posts: 22
Registered: 17-05-2012

Is there a guide to router event logs?

With having had some issues recently, I've spent more time glancing at the event logs in the Technicolor router.
Is there a wiki / guide to what the messages actually mean in practice?  I'm not completely dumb, so with most of them I can make an educated guess, but it would be good to read if anyone has put together a guide to the messages that the firewall / IDS / router displays in case there are additional security steps etc I can take.
Thanks!
Matt
5 REPLIES
Townman
Superuser
Posts: 22,923
Thanks: 9,542
Fixes: 159
Registered: 22-08-2007

Re: Is there a guide to router event logs?

Hi Matt,
Not that I know of - these questions have been asked before.  Generally these messages are an indication that the firewall is doing its job properly.
IDS = Intrusion Detection System - so anything having this marker is an indication of attempted intrusions being blocked.
It can be beneficial to set the PlusNet firewall - see here https://portal.plus.net/my.html?action=firewall - to at least LOW.  This will put the boundary for some attacks at the other end of your "phone" line and slightly reduce your bandwidth utilisation.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: 10-06-2010

Re: Is there a guide to router event logs?

Most of the stuff that the Plusnet Broadband Firewall "Low" (or higher) member centre setting would block doesn't get logged by the 582n anyway. By default the main Internet security related things it logs are messages from the IDS and of course those ICMP check messages.
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: 31-08-2007

Re: Is there a guide to router event logs?

Quote from: ejs
Most of the stuff that the Plusnet Broadband Firewall "Low" (or higher) member centre setting would block doesn't get logged by the 582n anyway.

Could you give some examples of those please, just so we can see what sort of things they are, thanks.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: 10-06-2010

Re: Is there a guide to router event logs?

On Friday 6th February, my Netgear had logged 102 connection attempts to port 23. To be fair, my Netgear doesn't log them by default either, but I can configure it to. It then gives the standard Linux kernel log message for one of those packets, which looks like this:
IN=ppp0 OUT= MAC= SRC=112.241.190.113 DST=87.112.my.ip LEN=60 TOS=0x00 PREC=0x80 TTL=45 ID=30223 DF PROTO=TCP SPT=49993 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 

There were typically 100 to 200 connection attempts to port 23 over the course of a day.
Over the 24 hours of yesterday, I have 2 log entries mentioning port 23 from my 582n, and I've only got those log messages because I've enabled tcpchecks=exact. The default is tcpchecks=none so wouldn't even log those.
<81> Feb 20 04:18:01 FIREWALL exact tcp state check (1 of 1): Protocol: TCP  Src ip: 23.120.237.114 Src port: 53561 Dst ip: 87.112.my.ip Dst port: 23 
<81> Feb 20 20:55:40 FIREWALL exact tcp state check (1 of 1): Protocol: TCP  Src ip: 162.201.120.153 Src port: 50934 Dst ip: 87.113.my.ip Dst port: 23

Changing that setting also logs the stuff you get from the forum servers if you use https to access these forums:
<81> Feb 21 09:13:14 FIREWALL exact tcp state check (1 of 8): Protocol: TCP  Src ip: 84.93.230.178 Src port: 44340 Dst ip: 87.113.my.ip Dst port: 10878
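
As an added example (not part of the thread and not any poster's code): a small Python parser for the two log layouts quoted in the post above, the Linux kernel packet log line and the 582n FIREWALL line, that normalises both and counts events per destination port. It assumes the leading <81> is a standard syslog priority value (facility * 8 + severity); the function and field names are illustrative.

```python
import re
from collections import Counter

# Log lines copied from the post above (destination address as redacted there).
SAMPLE = """\
IN=ppp0 OUT= MAC= SRC=112.241.190.113 DST=87.112.my.ip LEN=60 TOS=0x00 PREC=0x80 TTL=45 ID=30223 DF PROTO=TCP SPT=49993 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
<81> Feb 20 04:18:01 FIREWALL exact tcp state check (1 of 1): Protocol: TCP  Src ip: 23.120.237.114 Src port: 53561 Dst ip: 87.112.my.ip Dst port: 23
<81> Feb 20 20:55:40 FIREWALL exact tcp state check (1 of 1): Protocol: TCP  Src ip: 162.201.120.153 Src port: 50934 Dst ip: 87.113.my.ip Dst port: 23
<81> Feb 21 09:13:14 FIREWALL exact tcp state check (1 of 8): Protocol: TCP  Src ip: 84.93.230.178 Src port: 44340 Dst ip: 87.113.my.ip Dst port: 10878
"""

# Kernel packet log line: KEY=value pairs plus bare flag words (DF, SYN, ...).
KV = re.compile(r"\b([A-Z]+)=(\S*)")
# 582n FIREWALL line, in the layout shown in the post.
FW = re.compile(
    r"^<(?P<pri>\d+)>\s+\w{3}\s+\d+\s+[\d:]{8}\s+FIREWALL\s+(?P<reason>.+?)\s+"
    r"\(\d+ of \d+\):\s+Protocol:\s+(?P<proto>\S+)\s+Src ip:\s+(?P<src>\S+)\s+"
    r"Src port:\s+(?P<spt>\d+)\s+Dst ip:\s+(?P<dst>\S+)\s+Dst port:\s+(?P<dpt>\d+)")

def parse_line(line):
    """Normalise one line from either format; return None if unrecognised."""
    line = line.strip()
    m = FW.match(line)
    if m:
        pri = int(m["pri"])  # assumption: syslog PRI = facility * 8 + severity
        return {"fmt": "582n", "facility": pri >> 3, "severity": pri & 7,
                "reason": m["reason"], "proto": m["proto"], "src": m["src"],
                "spt": int(m["spt"]), "dst": m["dst"], "dpt": int(m["dpt"])}
    kv = dict(KV.findall(line))
    if not {"SRC", "DST", "PROTO", "SPT", "DPT"} <= kv.keys():
        return None  # lines without ports (e.g. ICMP) are not handled here
    tokens = set(line.split())  # bare TCP flag words appear as whole tokens
    return {"fmt": "kernel", "iface": kv.get("IN", ""), "proto": kv["PROTO"],
            "src": kv["SRC"], "spt": int(kv["SPT"]), "dst": kv["DST"],
            "dpt": int(kv["DPT"]), "new_conn": "SYN" in tokens and "ACK" not in tokens}

def summarise(text):
    """Count parsed events per destination port and list distinct sources."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    by_port = Counter(e["dpt"] for e in events)
    sources = {p: sorted({e["src"] for e in events if e["dpt"] == p}) for p in by_port}
    return events, by_port, sources

if __name__ == "__main__":
    _, by_port, sources = summarise(SAMPLE)
    for port, n in by_port.most_common():
        print(f"dst port {port}: {n} event(s) from {', '.join(sources[port])}")
```

The destination address is kept as a plain string, so lines with a redacted address such as 87.112.my.ip still parse.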

Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: 31-08-2007

Re: Is there a guide to router event logs?

Thanks very much for that extremely useful information.