RationalRabb
join:2009-07-04
Coeur D Alene, ID
| [Other] Linksys Incoming Log Table - What does it MEAN
I have looked everywhere for this information, I cannot find a clear definition, and it is very critical to me.
My BEFSR41 Router has an Incoming Log Table that gains a new entry every few seconds, from somewhere in the world.
I do not know whether this log is indicating IP addresses of actual intruders or wannabe intruders.
Can someone with some knowledge in this area explain to me just what this list indicates? |
|
Serbtastic
You Know How Many People I Have Buried?
Premium
join:2002-02-24
Stoney Creek | Can you post a snippet of the log? Edit out your own IP address but leave in those that do not belong to you. Also include ports that were accessed. |
|
tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
 ·Hollis Hosting
 ·Verizon Online DSL
·Fairpoint Communic..
| reply to RationalRabb
Unless you have enabled port forwarding, to run a server, router will drop all incoming requests. If you have enabled port forwarding the server needs to deal with the packet.
I'm curious what you mean by "actual intruder or wannabe intruders."
Once you start looking a logs you will find out there is a lot of junk floating around. Most of it is port scans, misaddressed/malformed packets and broken session.
Very old post about this type of issue:
»You pinged me you dog
/tom |
|
RationalRabb
join:2009-07-04
Coeur D Alene, ID
| Nope - no port forwarding.
The BEFSR41 has a very simple, temporary log list. It shows an IP address and the "destination" port. I label most of the addresses as "intruders" or "potential intruders" as the IPs, which usually resolve to a standard cable ISP block, are not from areas or sites I have any interrelation with.
The reason this is critical to me is that there are entities with good reason to want to hack into my computer. Three of these addresses appear to fit other criteria to make them suspect, and these are the three that appear most frequently. So it is imperative that I understand if these denote successful access or not.
I have blocked the port they most frequently seem to try to access, and the port number still appears on the list, so I assume that, as you say, they are being dropped. But I can't afford to assume.
Thanks |
|
tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
·Hollis Hosting
·Verizon Online DSL
·Fairpoint Communic..
| said by RationalRabb  : I have blocked the port they most frequently seem to try to access, and the port number still appears on the list,
When you say you have blocked ports I assume you mean using PC firewall. That really doesn't matter because router will not forward packet so it never gets to the PC.
/tom |
|
RationalRabb
join:2009-07-04
Coeur D Alene, ID
| The router software allows for "Port filtering" ranges, but, as I look again, it states "Filters enable you to prevent certain PCs on your network from accessing your Internet connection", so it rather sounds like it's non-effective for what I was trying to achieve.
"That really doesn't matter because router will not forward packet so it never gets to the PC."
If you'll bear with me  , I am still not fully understanding. Let's see if this makes sense:
There are legitimate incoming IPs as well - such as my server when I access my e-mail or, I would assume, when a site sets a cookie. So I am assuming what you are telling me is that an IP address on that list is meaningless as far as someone hacking into my computer - that I should look to my firewall or other means to determine if that is actually happening.
thanks for you help, Tom |
|
tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
·Hollis Hosting
·Verizon Online DSL
·Fairpoint Communic..
| said by RationalRabb :There are legitimate incoming IPs as well - such as my server when I access my e-mail or, I would assume, when a site sets a cookie. Not sure what you mean by "incoming IP."
When you connect to your email server (assuming you are not running one on your own network) your PC connects to port 25 (send mail) or 110 (retrieve mail) Ports 25 and 110 are called the well known ports. If server accepts connection request different ports are selected to actually exchange data, one on your PC and one on the server. Think of the well known port as a door bell, letting server know someone wants to connect.
If local PC is attempting to connect to a remote server that is an outgoing connection. If remote PC is attempting to connect to local server that is an incoming connection.
In both cases data travels in both directions. What is important is who initiates the request.
/tom |
|
More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
·Bay Area Internet ..
| reply to RationalRabb
said by RationalRabb :The router software allows for "Port filtering" ranges Port filtering prevents undesired outbound connections. That should only concern you if you think you might have a trojan that is opening an outbound connection (such as a spam bot).
said by RationalRabb :There are legitimate incoming IPs as well - such as my server when I access my e-mail or, I would assume, when a site sets a cookie.
Unless you are running a server (mail, web, ftp, etc), or file sharing software (torrents), you would not normally have any inbound ports open. When you connect to a mail server, or a web server, all requests are outbound. Most routers do Stateful Packet Inspection (SPI) meaning they only allow an inbound response to an outbound request. Cookies are stored by script code in the HTTP page retrieved by your browser. They are not the result of an inbound connection.
You router is logging unsuccessful inbound connection attempts. Since your WAN IP address is public, it can be found by any script kidde in the world that runs an IP address scan and find your IP address.
Be sure you have ICMP responses disabled in your router. This won't prevent port scans, but will make your router less visible by not responding to pings or trace route requests. |
|
RationalRabb
join:2009-07-04
Coeur D Alene, ID | Thanks to both of you. You've pretty well answered my questions and quelled my fears.  |
|
