george on 31 Mar 2018 08:03:07 -0700



Re: [PLUG] Verizon router's security log fills up too frequently


Keith Perry wrote:

224.0.0.22 is a multicast address (IGMP) so it's weird for the typical
network to pass that traffic automatically but if you're not using it
maybe VZ is (173.49.200.99 is your FIOS address).

Beats me ... but I've blocked it with no untoward consequences so far.

It's probably something upstream from your local FIOS network since it's
inbound to you. I would just drop that traffic so your logs don't fill up.

Getting the log not to tell me about 'em turns out to be a nonissue 'cuz
the log now is in "airplane voice recorder" mode, but at least has become
quite a bit longer ... Why? you might ask ... more about that in a bit.

The second block... sounds like it is working for Missus computer though
so maybe the first packet is triggering a rule that finds the packet
invalid before it gets translated?  Seems benign.

The third block... probably more of the same.  The way this router logs
things appears to be on the noisier side of things.

Ultra-noisy ... I'm avoiding adding any rules to the Missus IPv4 LAN addr.
One instance - that CloudFlare connection - is to get our groceries, so
I'd better not obstruct that pair of IPv4 addresses!

I know you are saying you can't just run out and get another router but
I would strongly suggest eventually putting in your own router even if
it's an old computer that you add another NIC to (I know... now I'm
saying get another NIC). One should never trust the edge of their
network to their upstream provider.  The additional advantage of doing
this is that you can put in the type of router you want with the
resources you need. You can remove or dumb down the VZ router filter
rules and move the bulk of your work to your device.

I once had a Smoothwall installation just like you describe, but they came
out with an improved version ... so much improved that I could not get it
to work. I have two old desktop PCs that I rescued from the dead and put
Trisquel inside ... with just such a use in mind ... so it should not be
beyond my grasp to hook up an ethernet cable from the VZ router to the NIC
inside the sacrificial PC and thence to a second wireless router to talk
to my laptop. Maybe I can learn to boot up that sacrificial PC through the
second router so I won't have to make it run all the time.

There was a major glitch while I was delving into the mysteries of the
Advanced Filter Rules ... the router utterly froze while implementing one
change, so much so that I had to do a hard reset. Afterwards it actually
remembered its WPA2 settings, so it wasn't entirely traumatic - just had
to spend the entire day trying to get useful information from VZ and/or
Actiontec - who passed the ball back and forth until I gave up on them.

Now what I am seeing in the voluminous logs is really alarming - dozens
of "Accepted Remote Administration" forays, so many that I'm putting most
of my energy just into blocking the associated CN, RU & KR IPv4 ranges,
not to mention the rest of the world. BR is active, along with DE & FR.

I'm presuming that the router is accepting some Remote Administration
attempts, only to be still requiring the use of a proper password
... the router isn't so stupid as to let these folks in gratis, is it?
My router is _not_ set to allow remote administration, except through the
Actiontec "back door" that the VZ techs can use to help their clients.

I'm waiting to see if the logs reveal that the router is blocking its
own IPv4 address from doing its own remote administration ... I haven't
recently succeeded in logging in with its newly "unguessable" password,
so that may actually be true. I can still log in from the LAN, of course.

It's bad enough that there are hundreds of ordinary blocked port scans and
the like ... within just a few hours.

Thanks for thinking about this with me.

George Langford
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
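Added example, not part of the thread and not Verizon's or Actiontec's code: a small Python triage script that runs over constructed security-log lines (in a made-up layout, not the real router's format) and answers the questions George raises above: which sources account for the "Accepted Remote Administration" entries, which entries are only multicast/IGMP chatter like 224.0.0.22, whether the router's own WAN address shows up hitting remote administration, and which sources have enough hits to justify a block rule. The function names (parse_log, summarize, block_candidates), the log layout, and the WAN address 192.0.2.10 are all assumptions; the addresses come from the RFC 5737 documentation ranges. Note that "Accepted" in these constructed lines means the firewall let the connection through; the line says nothing about whether a login then succeeded.

```python
"""Triage a consumer-router security log: who is hammering the
remote-administration port, what is just multicast noise, and which
sources are worth a block rule.

Added example; log format below is constructed, not any vendor's real layout.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (made-up layout, RFC 5737 documentation
# addresses). The last line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2018-03-31 07:58:01 Blocked - Port scan | src=203.0.113.7 dst=192.0.2.10 dport=23
2018-03-31 07:58:03 Accepted Remote Administration | src=203.0.113.7 dst=192.0.2.10 dport=4567
2018-03-31 07:58:09 Accepted Remote Administration | src=198.51.100.22 dst=192.0.2.10 dport=4567
2018-03-31 07:58:10 Blocked - Invalid packet | src=224.0.0.22 dst=192.0.2.10 proto=igmp
2018-03-31 07:59:15 Accepted Remote Administration | src=203.0.113.7 dst=192.0.2.10 dport=4567
2018-03-31 07:59:40 Blocked - Port scan | src=198.51.100.22 dst=192.0.2.10 dport=22
2018-03-31 08:00:02 Accepted Remote Administration | src=192.0.2.10 dst=192.0.2.10 dport=4567
this line is garbage and should be skipped
"""

# One regex for the constructed layout: timestamp, event text, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[^|]+?) \| "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: (?P<rest>.*))?$"
)

REMOTE_ADMIN = "Accepted Remote Administration"
PORT_SCAN = "Blocked - Port scan"


def parse_log(text):
    """Return one dict per well-formed line; malformed lines and bad IPs are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        try:
            rec["src_ip"] = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        records.append(rec)
    return records


def summarize(records, wan_addr):
    """Aggregate parsed records into the questions a defender asks first."""
    wan = ipaddress.ip_address(wan_addr)
    return {
        "by_event": Counter(r["event"] for r in records),
        "remote_admin_sources": Counter(
            r["src"] for r in records if r["event"] == REMOTE_ADMIN
        ),
        # Multicast (224.0.0.0/4) entries such as IGMP are log noise, not a remote party.
        "multicast_sources": sorted(
            {r["src"] for r in records if r["src_ip"].is_multicast}
        ),
        # Does the router see its own WAN address hitting remote administration?
        "self_admin_hits": sum(
            1 for r in records if r["event"] == REMOTE_ADMIN and r["src_ip"] == wan
        ),
        "port_scans": sum(1 for r in records if r["event"] == PORT_SCAN),
    }


def block_candidates(summary, wan_addr, threshold=2):
    """Sources with at least `threshold` accepted remote-admin hits, excluding
    the router's own WAN address (blocking that would lock out your own access)."""
    return sorted(
        src for src, n in summary["remote_admin_sources"].items()
        if n >= threshold and src != wan_addr
    )


if __name__ == "__main__":
    wan = "192.0.2.10"  # assumed WAN address for the sample, a documentation placeholder
    s = summarize(parse_log(SAMPLE_LOG), wan)
    for event, n in s["by_event"].most_common():
        print(f"{n:4d}  {event}")
    print("remote-admin sources:", dict(s["remote_admin_sources"]))
    print("multicast noise from:", s["multicast_sources"])
    print("self-admin hits:", s["self_admin_hits"])
    print("block candidates:", block_candidates(s, wan))
```

Run against a real log, the same three-step shape (parse, aggregate by event and source, threshold the accepted remote-admin hits) separates the multicast noise Keith mentions from the remote-administration entries George is worried about, and the WAN-address exclusion keeps a block list from cutting off the owner's own access.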