Review of my home broadband router logs (suspicious activity

Paul M. Cook wrote:
On Thu, 24 Dec 2015 17:06:18 +0000, Adrian Caspersz wrote:

I suspect he'll tell you first ...

If you are that worried about it, why not put the Playstation in your
DMZ and firewall everything else reaching your LAN? Your kid would get
better gameplay that way.

I've heard the word "DMZ" for years, but I really don't know what it is.
So, AFAIK, I don't even *have* a DMZ.

My router is set up like most home routers, which is to say the only
thing that is not default is the SSID login/password and admin login/password.

DMZ = "De-Militarized Zone". It is the name given to a port on your
router that can be configured to be completely OPEN to the internet, no
firewall, no port blocking, nothing. This may be advantageous for
someone running a particular type of server on their home network - an
FTP server or Web Server or something that they want to expose to the
internet so that it can be accessed from the outside. In such
configurations that device usually will have a software type firewall
installed to prevent hackers from gaining access.

Most routers I have seen include this feature and it has its uses, but it
must be used with extreme caution!

S Sinzig.
 
On 12/24/2015 11:03 PM, Paul M. Cook wrote:
On Thu, 24 Dec 2015 21:49:08 -0700, Don Y wrote:

An SSID that's not being broadcast will not disclose your AP when
you're not using it. But, it doesn't buy you much of anything.

I think we're sort of saying the same thing, but, I don't know if
we agree on the broadcast details.

We both agree that telling your ROUTER not to broadcast the SSID
is a false security measure.

But, fact is, you *must* broadcast your SSID somehow.

a. So, either the router broadcasts your SSID.
b. Or your mobile device broadcasts your SSID.

Here's how I understand it to work:

1. Let's assume your SSID is "DonY".
2. Let's assume you told your router *not* to broadcast your SSID.
3. Guess what happens when you boot your laptop?
a. Your laptop shouts out "Hey DonY, are you there?"
b. Your router answers "Yes. I am here. I was being quiet".
c. Your laptop connects to your router by that so-called hidden SSID.

Now, guess what your cellphone does?
HINT: Same thing.

So, guess what happens when you boot your laptop at a starbucks?
HINT: Your laptop shouts out "Hey DonY, are you here?"

So, in effect, an SSID that is not being broadcast *by your router*
at home, is broadcast *by your laptop* both at home, and at Starbucks.

Okay, I understand that explanation. Now please tell me how my iPad or
laptop broadcasting my home SSID willy nilly at the Starbucks or the
passenger terminal at SFO or PHX is going to compromise my home network?

Not saying it couldn't be done but... Talk about freakin' remote...<g>

I don't bother to hide my SSID at home. Anyone who cares to clone a MAC
address to by-pass the MAC filter and decrypt a 26 alpha-numeric pass
phrase can have it. Good luck with that
 
Paul M. Cook wrote:
On Thu, 24 Dec 2015 18:34:58 -0700, Tony Hwang wrote:

Someone is connecting to one of your connected devices (
what is this in your family?) using port 9000. You can trace route the
other ip address to see what or who this belongs to. Trace route is a
DOS command.

The 192.168.1.5 IP address belonged to the Sony Playstation.
So, for some reason, the port 9000 was being used.

What does this mean though?
Is this correct?

Assuming my static public IP address was 1.2.3.4, does this mean that someone,
on the Internet, was going to 1.2.3.4:9000, which, somehow (via magic of upnp?)
hit my router and then the router "port forwarded" it to the Sony Playstation at
192.168.1.5 at port 9000?

In short, yes. Your game console or computer or whatever needs to
"talk" to another computer on the internet, in this case is uses Port
9000. The router opens Port 9000 and the packets get through to that
other computer out there on the internet. To reply, that other computer
only knows your static public IP, i.e. "1.2.3.4" and sends its packets
back to you at that IP on the same port, 9000. Your router receives
these packets, and does NAT (Network address translation) translating
the packets from 1.2.3.4:9000 (Your public IP) to 192.168.1.5:9000 your
private home network IP and sending them there.
This happens all the time when you are accessing the web, whether through
HTTP, FTP, SSL, whatever. They all use their own specific ports (i.e.
HTTP is usually port 80, FTP 20 or 21, etc.)

S Sinzig.
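To make the NAT explanation above and the earlier DMZ description concrete, here is an added toy model (my example, not anything from the router or from S Sinzig): a router that remembers the console's outbound port-9000 traffic and translates the reply back to 192.168.1.5:9000, drops an unsolicited packet on another port, and, once a DMZ host is configured, hands that same unsolicited packet to the DMZ host. The public address 1.2.3.4 and the private address 192.168.1.5 are the ones from the thread; the peer and outsider addresses are constructed from the RFC 5737 documentation ranges, and the model keeps the port number unchanged, which real NAT need not do.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "1.2.3.4"                     # the example public address used in the thread
Endpoint = Tuple[str, int]                # (ip, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class HomeRouter:
    """Simplified model: mappings are keyed on the public port only and the
    port is left unchanged, as in the explanation above. Real NAT keys on
    the full 5-tuple and may rewrite the port."""
    public_ip: str = PUBLIC_IP
    # Explicit forwards, as created by a manual port-forward entry or a UPnP
    # request from a console: public port -> private endpoint.
    forwards: Dict[int, Endpoint] = field(default_factory=dict)
    # Mappings learned from outbound traffic: public port -> private endpoint.
    nat_table: Dict[int, Endpoint] = field(default_factory=dict)
    # Hypothetical DMZ host: receives every unsolicited packet, on any port.
    dmz_host: Optional[str] = None

    def outbound(self, pkt: Packet) -> Packet:
        """A private host sends to the internet: remember the mapping and
        rewrite the source to the public address."""
        priv_ip, priv_port = pkt.src
        self.nat_table[priv_port] = (priv_ip, priv_port)
        return Packet(src=(self.public_ip, priv_port), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """A packet arrives for the public IP. Returns (decision, packet)."""
        _, port = pkt.dst
        if port in self.forwards:
            return "forward", Packet(src=pkt.src, dst=self.forwards[port])
        if port in self.nat_table:
            return "nat", Packet(src=pkt.src, dst=self.nat_table[port])
        if self.dmz_host is not None:
            # No firewall, no port blocking: the DMZ host gets everything.
            return "dmz", Packet(src=pkt.src, dst=(self.dmz_host, port))
        return "drop", None


def scenario() -> Dict[str, Tuple[str, Optional[Packet]]]:
    """Three cases: a reply to the console's own port-9000 traffic, an
    unsolicited packet on port 22 with no DMZ, and the same packet with the
    console set as DMZ host."""
    console: Endpoint = ("192.168.1.5", 9000)
    peer: Endpoint = ("203.0.113.7", 9000)        # constructed, RFC 5737 range
    outsider: Endpoint = ("198.51.100.9", 40000)  # constructed, RFC 5737 range

    router = HomeRouter()
    router.outbound(Packet(src=console, dst=peer))
    reply = router.inbound(Packet(src=peer, dst=(PUBLIC_IP, 9000)))
    probe = router.inbound(Packet(src=outsider, dst=(PUBLIC_IP, 22)))

    dmz_router = HomeRouter(dmz_host="192.168.1.5")
    probe_dmz = dmz_router.inbound(Packet(src=outsider, dst=(PUBLIC_IP, 22)))
    return {"reply": reply, "probe": probe, "probe_dmz": probe_dmz}


if __name__ == "__main__":
    for name, (decision, pkt) in scenario().items():
        print(f"{name:10s} -> {decision:8s} {pkt.dst if pkt else ''}")
```

The third case is the whole point of the "extreme caution" warning: with a DMZ host set, the only thing between the internet and that device is whatever software firewall the device itself runs.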
 
On 12/22/2015 7:55 PM, Paul M. Cook wrote:
Does this activity found accidentally in my home broadband
wireless router log seem suspicious to you?

Who the fuck knows or really cares?
It's all just fucking numbers, you arsehole.
 
On Fri, 25 Dec 2015 13:31:01 -0500, ssinzig <ssinzig@outlook.com>
wrote:

DMZ = "De-Militarized Zone". It is the name given to a port on your
router that can be configured to be completely OPEN to the internet, no
firewall, no port blocking, nothing. This may be advantageous for
someone running a particular type of server on their home network - an
FTP server or Web Server or something that they want to expose to the
internet so that it can be accessed from the outside. In such
configurations that device usually will have a software type firewall
installed to prevent hackers from gaining access.

Most routers I have seen include this feature and it has its uses, but it
must be used with extreme caution!

True; however, some ISPs will block some ports. Mine blocks FTP
20/21, Web server 80 and another I can't think of at the moment.
 
[snip]

> Hiding SSID increases security? Wrong. Not much really.

Not much, but not none either. Consider that most people won't know
there's a network there.

> Modem/router combo is always worse than separate router.

I've never had a combination, but agree that it would be less secure.

Put the supplied modem in bridge mode and use your own router.
If you can't, or the ISP won't put it into bridge mode for you, there is
another way using DMZ in your modem. I have only a DOCSIS III cable modem;
my router at present is a Linksys EA8500 which has never gone down since
I first booted it in the summer. Very stable router.

I had DOCSIS II until June, when my ISP increased the speed to 50Mbps
which is too fast for a single channel so I had to get a new modem. I
needed a new router too, but that (thankfully) was a completely separate
thing.

--
Currently: happy holidays (Friday December 25, 2015 12:00:00 AM for 1
day).

Mark Lloyd
http://notstupid.us/

"The dogma of the divinity of Jesus should have died on the cross, when
the man of Nazareth gave up the ghost." [Lemuel K. Washburn, _Is The
Bible Worth Reading And Other Essays_]
 
On 12/24/2015 11:03 PM, Paul M. Cook wrote:

[snip]

a. Either the router broadcasts the SSID,
b. Or the device does.

If your router is broadcasting the SSID, EVERY wireless device in range
will receive it and most will show it to the user.

Compare this to what happens when your device is broadcasting it. Will
others even see that?

--
Mark Lloyd
http://notstupid.us/
 
Paul M. Cook wrote:
> Security is a thousand little things, all put together.

Instead of hiding the SSID I use an intermediate solution: increase the beacon transmission interval time. This setting is usually found in the Advanced tab of many home routers and sets the time elapsed between SSID broadcasts.

By default it is 100ms, using longer times stops some devices from seeing the network and reduces the chance a pass-by car or walker sees it. It requires some testing to find the longest time that will work with the intended devices.
It also reduces electrosmog and interference with other wifi or analog video senders (a transmission every 100 ms is very annoying but every 5000 ms goes unnoticed).

Up to 20000ms (20 seconds) has worked successfully with some laptops - at turn on it requires some wait up to one minute until they see the network, then they work fine as usual and no dropped connections. Some devices will not see the network no matter how long you wait even if you had it set up before. Some devices see the network but drop the connection frequently.

5000ms (5 seconds) works fine with most devices and reduces dropped connections, still a few devices (one laptop and a D-link wifi repeater) do not see the network.

1000ms (1 second) seems the best compromise between compatibility and electrosmog/interference. No problems found with any device.
 
On Fri, 25 Dec 2015 12:34:13 -0600, Unquestionably Confused wrote:

Okay, I understand that explanation. Now please tell me how my iPad or
laptop broadcasting my home SSID willy nilly at the Starbucks or the
passenger terminal at SFO or PHX is going to compromise my home network?

Not saying it couldn't be done but... Talk about freakin' remote...<g>

Security is a thousand good practices, just like grammar is, or
cleanliness or politeness or class. They're all a thousand little things.

SSID good practices are what we're talking about here.

There are a few problems with the scenario you proposed, but I have to
manually *insert* an attacker who cares, in order for it to matter.

For example, let's say you're cheating on your wife, and, let's say,
you connected to your girlfriend's SSID, called "GIRLFRIEND" and,
let's say, for now, she's *not* hiding her SSID. Guess what?

Your laptop (or phone) *still* has a record of that connection, which,
if your wife cared to snoop, can see by looking at your laptop or phone.

Now, let's say, for argument's sake, that your wife doesn't have physical
access to your laptop or phone, but, your girlfriend told her router
to not broadcast her SSID, but that you connected to her SSID.

Guess what?

When you're at home, your laptop or phone first shouts out "Hey GIRLFRIEND,
are you there?" and only when the router doesn't respond to that request,
does your laptop or phone bother to go down the list of other stored or
located SSIDs.

I don't bother to hide my SSID at home. Anyone who cares to clone a MAC
address to by-pass the MAC filter and decrypt a 26 alpha-numeric pass
phrase can have it. Good luck with that.

It's actually easier than that *if* you use an existing SSID and password
since the rainbow tables will already have the hash value stored.

I'm not saying "I" care to do that, but someone might.
As always, security is a thousand little things done right.
 
On Fri, 25 Dec 2015 13:51:02 -0600, Mark Lloyd wrote:

If your router is broadcasting the SSID, EVERY wireless device in range
will receive it and most will show it to the user.

Compare this to what happens when your device is broadcasting it. Will
others even see that?

Fair enough point.

Security is a thousand little things, all put together.
 
On Thu, 24 Dec 2015 22:18:59 -0700, Don Y wrote:

If you have a good passphrase *and* good encryption, this doesn't
buy him anything. It's like knowing you have an email address
at gmail.com (because he saw one of your messages in someone's
inbox -- assuming you don't correspond with him!) but not knowing
what your password is!

The real risk is that you can leave security off (weak passphrase)
and his knowledge of the SSID now lets him get past that (ineffective)
hiding of the network name!

Depends on what you mean by "good" passphrase because you don't need
*any* passphrase to break into WPA2/PSK encryption because the "salt"
is known (it's the SSID!) and if you use an *existing* passphrase,
you're already doomed.

https://security.stackexchange.com/questions/92903/rainbow-tables-hash-tables-versus-wpa-wpa2

So, you have to substitute *unique* for "good", and only then the
rainbow table hack won't work to break into your router.
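The "salt is the SSID" point above is easy to see in code. The following is an added example (mine, not Paul's or anything from the linked Stack Exchange answer) that derives the WPA/WPA2-Personal pre-shared key exactly as 802.11i specifies, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 32 bytes, and then applies a small defender's checklist. The list of "common" SSIDs is a constructed placeholder; a real one would be much longer.

```python
import hashlib
from typing import List

# Constructed short list of factory-default SSIDs; a real checklist would be longer.
COMMON_SSIDS = {"linksys", "NETGEAR", "default", "dlink", "xfinitywifi"}


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (the 256-bit pairwise master key) for WPA/WPA2-Personal:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def same_psk_on_both_networks(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Two networks share a PSK only when both SSID and passphrase match;
    a different SSID gives a different key even for the same passphrase,
    which is why a table built for one SSID is useless against another."""
    return wpa2_psk(passphrase, ssid_a) == wpa2_psk(passphrase, ssid_b)


def assess(ssid: str, passphrase: str) -> List[str]:
    """Defender's checklist for the 'good AND unique' point made above."""
    findings = []
    if ssid in COMMON_SSIDS:
        findings.append("SSID is a common factory default; a precomputed table for it may exist")
    if len(passphrase) < 20:
        findings.append("passphrase is short; prefer 20+ random characters")
    if passphrase.lower() in {"password", "12345678", ssid.lower()}:
        findings.append("passphrase is a well-known value")
    return findings


if __name__ == "__main__":
    # Same passphrase, two SSIDs: two different keys.
    print(wpa2_psk("correct horse battery staple", "linksys").hex())
    print(wpa2_psk("correct horse battery staple", "DonY-7f3a").hex())
    print(assess("linksys", "password"))
```

Because the SSID is the salt, renaming the network from a factory default to something unique changes the PSK for every passphrase, with no change to the passphrase itself. Combined with a long random passphrase, that is the "unique" the post asks for.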
 
On Fri, 25 Dec 2015 13:39:04 -0600, Mark Lloyd wrote:

Hiding SSID increases security? Wrong. Not much really.

Not much, but not none either. Consider that most people won't know
there's a network there.

Just remember that there are negative security ramifications at Starbucks
when you decide not to broadcast your SSID at home.

If you're OK with that tradeoff, then you're fine.

If you're unaware of that tradeoff - then - you need to understand it.
 
On Fri, 25 Dec 2015 08:45:23 +0000, Adrian Caspersz wrote:

But you must worry about other things. Are you sure letting a child play
some of these (mostly violent) video games is a sensible introduction to
becoming an adult?

Every boy (practically) in the USA plays those violent games.
 
On 25/12/15 21:29, Paul M. Cook wrote:
On Fri, 25 Dec 2015 08:45:23 +0000, Adrian Caspersz wrote:

But you must worry about other things. Are you sure letting a child play
some of these (mostly violent) video games is a sensible introduction to
becoming an adult?

Every boy (practically) in the USA plays those violent games.

If you don't have much control what he does on the internet, then
perhaps you might feel more secure getting yourself a different ISP.

That can't cost that much.

--
Adrian C
 
On Wed, 23 Dec 2015 18:19:36 -0500, Micky <NONONOmisc07@bigfoot.com>
wrote:

On Wed, 23 Dec 2015 11:24:16 -0500, Micky <NONONOmisc07@bigfoot.com
wrote:

On Wed, 23 Dec 2015 11:02:44 -0500, "Paul M. Cook" <pmcook@gte.net
wrote:

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

So who is Dennis? 5 in the morning?
That's my time, right? or GMT?

I just logged into my Netgear WNDR3400v2 router, and went to the
advanced tab of Administration > Logs

It says on top of the window what time it "thinks" it is:
Current Time: Wednesday, Dec 23,2015 08:03:08

Mine doesn't show the time anywhere, but if yours shows the current
time, that's good enough for me.

I figured out a way to verify the time zone, and that's to watch the
log for a new event, or to create a new event, like by trying to send
an email (since I have all 5 kinds of events checked now).

So I did that a couple hours ago and the time that showed in the log
was 7 minutes later than the current time!

I went out for a couple hours and when I tried it just now, the time
the log showed was 11 minutes later than the current time.

Put that in your pipe and smoke it.

I found the answer to this, where the computer boys play.

The router has its own clock, which can be wrong, like anything else.

To keep it correct, it has two possibilities.
Automatic (Automatic time update with pre-defined NTP servers or
enter customized NTP)
Manual is the alternative, but I have Automatic checked.

I don't have anything in the customized NTP field and I have the
interval for Automatic as 24 hours, the default, so that lets it get
wronger and wronger for 24 hours until it gets corrected.

If the log were important, I could set the interval at as little as
one hour. (it goes up to 72.) But I'll let it stay at 24. I'm glad
to know how it can be wrong, when other times are a lot closer.

It's a shame I can't use this to peer into the future.

>>>Looking at the clock, that's the local time in my time zone.
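The question that started the thread, "does this log activity seem suspicious?", is really an inventory question: which MACs do I recognise, and when (in correct local time) did they show up? Here is an added example (mine, not anything from the Netgear firmware or from Micky) that parses lease lines in the format quoted above, subtracts the clock error Micky measured so the timestamps line up with wall-clock time, flags MACs that are not in a known-device list, and collapses back-to-back renewals of the same lease. The two Dennis-Iphone-2 lines are the ones from the post with the wrapped MAC rejoined; the third log line, the inventory entry and the 11-minute offset used in the check are constructed from the thread's numbers.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Matches the line format quoted above; the MAC that was wrapped onto the
# next line in the post is rejoined with a space here.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) DHCP lease IP "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<host>\S+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})$"
)

# Constructed sample: the two lines from the post plus one made-up device.
SAMPLE_LOG = """\
Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
Dec/20/2015 05:41:12 DHCP lease IP 192.168.0.107 to android-4c1e 00-11-22-33-44-55
"""

# Constructed inventory of the household's own devices (MAC -> label).
KNOWN_DEVICES: Dict[str, str] = {"70-3E-AC-DE-14-94": "phone labelled Dennis-Iphone-2"}


def parse_line(line: str) -> Optional[dict]:
    """One lease line -> dict, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b/%d/%Y %H:%M:%S"),
        "ip": m["ip"], "host": m["host"], "mac": m["mac"].upper(),
    }


def review(log_text: str, inventory: Dict[str, str],
           clock_offset: timedelta = timedelta(0)) -> Tuple[List[dict], List[str]]:
    """Parse every lease line, shift timestamps by the measured router clock
    error (positive offset = router clock runs fast), and list MACs that
    are not in the inventory."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    for e in events:
        e["ts_corrected"] = e["ts"] - clock_offset
        e["label"] = inventory.get(e["mac"], "UNKNOWN")
    unknown = sorted({e["mac"] for e in events if e["mac"] not in inventory})
    return events, unknown


def collapse_renewals(events: List[dict],
                      window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Two leases for the same MAC/IP within `window` (like the 05:20:06 and
    05:20:07 pair) are one renewal, not two devices; keep the first of each run."""
    kept: List[dict] = []
    last_seen: Dict[Tuple[str, str], datetime] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["mac"], e["ip"])
        if key in last_seen and e["ts"] - last_seen[key] <= window:
            continue
        last_seen[key] = e["ts"]
        kept.append(e)
    return kept


if __name__ == "__main__":
    evs, unknown = review(SAMPLE_LOG, KNOWN_DEVICES, clock_offset=timedelta(minutes=11))
    for e in collapse_renewals(evs):
        print(e["ts_corrected"], e["ip"], e["mac"], e["label"])
    print("unknown MACs:", unknown)
```

The offset is only as good as the measurement; with the NTP interval at 24 hours, as described above, the error grows through the day, so re-measure it (send yourself an email and compare the log line to the clock) right before reading a log you care about.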
 
On Fri, 25 Dec 2015 23:12:49 +0000, Adrian Caspersz wrote:

If you don't have much control what he does on the internet, then
perhaps you might feel more secure getting yourself a different ISP.

That can't cost that much.

I have no idea what that advice is trying to tell me.
 
On 26/12/15 06:07, Paul M. Cook wrote:
On Fri, 25 Dec 2015 23:12:49 +0000, Adrian Caspersz wrote:

If you don't have much control what he does on the internet, then
perhaps you might feel more secure getting yourself a different ISP.

That can't cost that much.

I have no idea what that advice is trying to tell me.

Oh well. Bye.

--
Adrian C
 
On Sat, 26 Dec 2015 09:19:18 -0500, Micky wrote:

If there is already one AP on channel 1, 6, or 11, then you already have
What's an AP?

Heh heh ... An access point (AP) is just, for your purposes, an SSID.
So, if your neighbor's SSID is "NEIGHBOR1" and on channel 1, then that's
his "AP".

If another neighbor's SSID is "NEIGHBOR6", and on channel 6 then that's
his "AP".

If there's nothing on channel 11, then you should put your router on
channel 6.

However, if you have 5GHz available, then almost any 5GHz channel will
be better because there will be no interference.

a problem because your router is wasting time throwing away packets that
are meant for someone else.

An AP means there are dropped packets?

Each device you have is listening for an access point based on the
channel first (because that's how radios work).

If your neighbor is on the same channel, your device first receives
both his and your packets, but soon figures out which are from him and
which are from you, and then drops those packets from him.

But that takes time. So, it slows you down.

In any apartment complex, you'll find *tons* of APs on 1, 3, and 11.
Most homeowners too.

I don't live in an apartment, but it still sounds like 6 is good
because it's not 1, 3, or 11. ??

oops. I meant 1, 6, or 11. That "3" was a typo.

I said Thanks to be polite, but I really don't want to bother with
cell phone apps. I might be short of memory already.

Without knowing what channels are used around you, you're flying blind.

You "can" get the signal strength from the basic operating system,
no matter which platform you have, but it takes knowing which
buttons to press.

I just didn't understand why it used to be 11, but after upgrading the
firmware, it's 6. The modem didn't survey for congestion, did it?

You mean router, not modem.
Some "do" run a survey to see which channel is least congested.
Many don't.

Here's my advice:

1. Run a survey on your computer or cellphone
2. Use an empty 5GHz channel (which will be easy to find).
3. If you don't have 5GHz, then use the least congested 2.4GHz channel.
If possible, use 1, 6, or 11 if they're not already being used.
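The three-step advice above can be written down as a function. This is an added example (mine, not Paul's) that takes a site-survey list of (SSID, channel) pairs, picks any unused 5 GHz channel first, and otherwise the least-loaded of 2.4 GHz channels 1, 6 and 11, counting a neighbour on an overlapping channel (within four channel numbers) as load on each of them, which is exactly the "throwing away packets meant for someone else" cost described. The survey list and the 5 GHz channel list (common US non-DFS channels) are constructed assumptions; a real survey comes from the OS or a scanner app.

```python
from typing import Dict, List, Tuple

Survey = List[Tuple[str, int]]   # (ssid, channel) as reported by a scan

# Constructed survey result for a mixed 2.4 GHz / 5 GHz neighbourhood.
SURVEY: Survey = [("NEIGHBOR1", 1), ("Guest-3", 3), ("NEIGHBOR6", 6), ("CoffeeShop", 36)]

# Commonly available non-DFS 5 GHz channels (US); adjust for your region.
FIVE_GHZ = (36, 40, 44, 48, 149, 153, 157, 161)
NON_OVERLAPPING_24 = (1, 6, 11)


def overlaps_24(a: int, b: int) -> bool:
    """2.4 GHz channels are 5 MHz apart and 20 MHz wide, so channels within
    four numbers of each other share spectrum."""
    return abs(a - b) <= 4


def channel_loads(survey: Survey) -> Dict[int, int]:
    """How many neighbouring APs would be heard on each of 1/6/11, counting
    APs on overlapping channels as well as those exactly on the channel."""
    return {c: sum(1 for _, ch in survey if ch <= 14 and overlaps_24(ch, c))
            for c in NON_OVERLAPPING_24}


def pick_channel(survey: Survey, has_5ghz: bool = True) -> Tuple[str, int]:
    """Step 2: any empty 5 GHz channel; step 3: least-loaded of 1/6/11,
    lowest channel number on a tie."""
    used = {ch for _, ch in survey}
    if has_5ghz:
        for ch in FIVE_GHZ:
            if ch not in used:
                return ("5GHz", ch)
    loads = channel_loads(survey)
    best = min(NON_OVERLAPPING_24, key=lambda c: (loads[c], c))
    return ("2.4GHz", best)


if __name__ == "__main__":
    print(channel_loads(SURVEY))
    print(pick_channel(SURVEY))
    print(pick_channel(SURVEY, has_5ghz=False))
```

With the constructed survey, the neighbour on channel 3 counts against both 1 and 6, which leaves 11 as the clean choice on 2.4 GHz; a router that does not run its own survey will not work this out for you.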
 
On Sat, 26 Dec 2015 12:39:07 -0500, Paul M. Cook wrote:

If there's nothing on channel 11, then you should put your router on
channel 6.

Typos again.

If there's nothing on channel 11, then you should put your router on
channel *11*.
 
Thanks again.


On Sat, 26 Dec 2015 12:39:07 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

[snip]
 
