Good monitoring software for Linksys NAT router/Firewall

Vince Maskeeper

Senior HTF Member
Joined
Jan 18, 1999
Messages
6,500
I have a Linksys router that generates a log, and I'd like to pipe it to an application where I can monitor traffic a little better... however, so far it seems that there aren't really any tools but LinkLogger.

I know some folks run ZONE ALARM or BLACK ICE for their personal machines connected directly to the cable/dsl-- but if I'm behind a firewall- would these apps do anything for me? I really am not looking for a norton style program, rather just something to monitor the logs coming in and maybe offer me some info on what the ports they're hitting are for?

-Vince
 

SethH

Senior HTF Member
Joined
Dec 17, 2003
Messages
2,867
I don't have an answer for you about the log files and such, but in regard to



The only thing they would do (since you're behind a firewall) is prevent information from leaving your computer. For instance, if you were to get a worm like Sasser or Blaster that scans the internet looking for other computers to attack, something like ZoneAlarm would know that application should not be accessing the internet and stop it. Your Linksys won't do that. BUT, the odds are fairly low of you getting something like that being behind a firewall already.
 

Vince Maskeeper

Senior HTF Member
Joined
Jan 18, 1999
Messages
6,500


I would assume the outgoing logs would have record of this, and a logging application would be able to flag it as a potential issue. This is what I'm looking for, something that will make the log files graphical and offer flagging on stuff that seems out of the ordinary.

-V
 

Vince Maskeeper

Senior HTF Member
Joined
Jan 18, 1999
Messages
6,500
I'm surprised at how many people use these things, yet no one seems to know much about security or monitoring. I would figure for as popular as these tools are there would be a dozen monitoring applications.

The reason I'm concerned is:

1) A friend with a wireless laptop and the expensive version of Norton Internet Security was at my place the other night and NIS showed that one of my machines (my main junk desktop for internetting and email) was attempting to connect to the laptop on a port traditionally associated with the Deepthroat backdoor trojan (ok, so there are 3 words that usually don't pop up together anywhere outside the back of a porno box). My virus scans (both on the machine and using active scanners on the web like Panda and Trend's Housecall antivirus.com tool) show nothing on that machine.

2) I recently opened up my main audio desktop for remote desktop. After running it for a day or two, I was working on the machine doing some mixing, and the machine locked itself twice. This is the usual reaction when someone makes a remote connection using the same account. I checked my Linksys logs, and sure enough, someone had been hitting the Remote Desktop port a couple times. This normally wouldn't bother me, but the fact that the machine LOCKED shows they made a successful log in! This means that my VERY STRONG admin password was compromised, and I imagine it probably wasn't guessed at (more than 8 characters, non-English, mix of numbers and letters and other characters). Given that they probably didn't guess, I'm wondering if there is something running on one of my machines which is sending out my passwords.


So I'd like to monitor the incoming/outgoing activity on the router. Just wondering why it seems such a common device doesn't have more people out there paying attention to what's coming/going on their networks.

I finally found Linksys's utility for this, although it leaves a bit to be desired. I'm going to check SourceForge and VersionTracker to see if there are any open source projects currently in working form.
 

Rob Gillespie

Senior HTF Member
Joined
Aug 17, 1998
Messages
3,632
Vince, could you not just import the router's log file into Excel? The auto-filter feature would make light work of seeing attacks on specific ports, dates, times, etc etc.

I have a third-party app named ZoneLog which examines ZoneAlarm's log files and analyses it. It's quite nice for a freebie.
 

Mike_J_Potter

Second Unit
Joined
Dec 26, 2003
Messages
262
/quote
2) I recently opened up my main audio desktop for remote desktop. After running it for a day or two, I was working on the machine doing some mixing, and the machine locked itself twice. This is the usual reaction when someone makes a remote connection using the same account. I checked my Linksys logs, and sure enough, someone had been hitting the Remote Desktop port a couple times. This normally wouldn't bother me, but the fact that the machine LOCKED shows they made a successful log in! This means that my VERY STRONG admin password was compromised, and I imagine it probably wasn't guessed at (more than 8 characters, non-English, mix of numbers and letters and other characters). Given that they probably didn't guess, I'm wondering if there is something running on one of my machines which is sending out my passwords.
/end Quote

An easy way to figure out if an application is connecting to someone else on the internet and sending out passwords is to go to the command line and type netstat -a or use an application called active ports utility located at ntutility.com or on most shareware sites. These will show you every process and what ports they are using and whether or not they are connecting to an outside address. Keep in mind some trojans will use port 80 to connect to bypass firewalls, so if applications other than IE, or another web browser, are connecting to someone using port 80 be suspicious, or even if the svchost is connecting to 80 be cautious.
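The check described in the post above, as an added example that is not part of the original post: it reads connection rows in the column layout of Windows `netstat -ano`, keeps only connections to addresses outside the LAN, and lists non-browser processes talking to port 80. The sample output, the PID-to-process map (as `tasklist` would supply it), the addresses and the name `updater32.exe` are all constructed for illustration.

```python
import ipaddress

# Constructed sample in the column layout of Windows `netstat -ano`.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.100:1041     192.168.1.1:80         ESTABLISHED     2040
  TCP    192.168.1.100:1042     203.0.113.10:80        ESTABLISHED     2040
  TCP    192.168.1.100:1043     198.51.100.7:80        ESTABLISHED     1116
  TCP    192.168.1.100:1044     198.51.100.9:6667      ESTABLISHED     3312
  TCP    192.168.1.100:1045     203.0.113.25:80        SYN_SENT        3312
"""
# Constructed PID-to-image map; updater32.exe is a hypothetical name.
SAMPLE_PROCESSES = {884: "svchost.exe", 1116: "svchost.exe",
                    2040: "iexplore.exe", 3312: "updater32.exe"}

BROWSERS = {"iexplore.exe", "firefox.exe"}
# Private, loopback and link-local ranges count as "inside".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

def is_outside(addr):
    ip = ipaddress.ip_address(addr.strip("[]"))
    return not ip.is_unspecified and not any(ip in n for n in LOCAL_NETS)

def outside_connections(netstat_text, processes):
    """Yield (process, remote_ip, remote_port, state) for TCP rows
    whose foreign address is outside the LAN."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] == "LISTENING":
            continue  # header, UDP, listeners, malformed rows
        host, _, port = f[2].rpartition(":")
        if is_outside(host):
            yield processes.get(int(f[4]), "unknown"), host, int(port), f[3]

def suspicious_port80(netstat_text, processes, browsers=BROWSERS):
    """Non-browser processes talking to an outside host on port 80."""
    return [(proc, host) for proc, host, port, _ in
            outside_connections(netstat_text, processes)
            if port == 80 and proc.lower() not in browsers]

if __name__ == "__main__":
    for row in outside_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(row)
    print("review:", suspicious_port80(SAMPLE_NETSTAT, SAMPLE_PROCESSES))
```

A hit is a reason to look at the process, not a verdict: legitimate updaters and system services also use port 80.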
 

BrianML

Auditioning
Joined
May 1, 2003
Messages
7
You should definitely run a firewall app on each of your PCs connected to the internet. I have a Linksys and run Zone Alarm Pro. When I installed Zone Alarm I was really surprised to see people attempting to connect to me from the internet thru the Linksys. The Linksys is not really a firewall, it employs NAT (Network Address Translation) which in itself is like a natural firewall, but it is easily defeatable.
 

Vince Maskeeper

Senior HTF Member
Joined
Jan 18, 1999
Messages
6,500


Problem is that the Linksys doesn't generate "files" - it can broadcast the log info on the network, but I need something to read it. I'm not sure how to write the incoming data to a text file (although I guess it might not be too hard)-- but at that point I'd like to deal with a utility that gives me quicker access to info on port numbers (what the hell a scan on port Blah-Blah-Blah means) and easy WHOIS lookups. So far, LINKLOGGER is the only guy.


I've gone to PCflank.com and run the majority of their port scans, and they all test out fine on all the machines in my network (everything shows stealth, except the ports I have specifically forwarded). There was one weird port reply on this machine (the one I think might be infected with something)-- but it just showed it as "closed" and not stealthed... while all the other machines showed it as stealth. The trojan associated with it was called "theef" and I think it was port 7000 (?).

-Vince
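The kind of flagging asked for in this thread, as an added example that is not part of any post: once router log entries have been saved as text, this annotates destination ports and flags repeated inbound hits on a forwarded port and outbound connections to ports outside an expected set. The line format, addresses, port lists and threshold are assumptions made for the example, not the Linksys log format.

```python
from collections import Counter

# Constructed log lines in a hypothetical format:
# date time direction source destination destination-port
SAMPLE_LOG = """\
2004-06-01 21:14:03 IN 198.51.100.23 192.168.1.101 3389
2004-06-01 21:14:09 IN 198.51.100.23 192.168.1.101 3389
2004-06-01 21:15:40 IN 198.51.100.23 192.168.1.101 3389
2004-06-01 21:16:02 OUT 192.168.1.100 203.0.113.5 80
2004-06-01 21:16:30 OUT 192.168.1.100 203.0.113.77 7000
2004-06-01 21:17:11 IN 203.0.113.200 192.168.1.101 3389
2004-06-01 21:18:45 OUT 192.168.1.102 203.0.113.5 443
"""
PORT_NOTES = {25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3",
              443: "HTTPS", 3389: "Remote Desktop"}
EXPECTED_OUT = {25, 53, 80, 110, 443}  # assumed normal outbound ports
FORWARDED = {3389}                     # ports forwarded to LAN hosts
REPEAT_THRESHOLD = 3                   # assumed; tune to your traffic

def parse(log_text):
    """Yield one dict per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) == 6 and f[2] in ("IN", "OUT") and f[5].isdigit():
            yield {"when": f"{f[0]} {f[1]}", "dir": f[2],
                   "src": f[3], "dst": f[4], "port": int(f[5])}

def flag(log_text):
    """Return human-readable findings for the two patterns above."""
    entries = list(parse(log_text))
    findings = []
    hits = Counter((e["src"], e["port"]) for e in entries
                   if e["dir"] == "IN" and e["port"] in FORWARDED)
    for (src, port), n in sorted(hits.items()):
        if n >= REPEAT_THRESHOLD:
            note = PORT_NOTES.get(port, "no note")
            findings.append(f"{src} hit forwarded port {port} ({note}) {n} times")
    for e in entries:
        if e["dir"] == "OUT" and e["port"] not in EXPECTED_OUT:
            note = PORT_NOTES.get(e["port"], "no note")
            findings.append(f"{e['src']} connected out to {e['dst']} "
                            f"on unexpected port {e['port']} ({note})")
    return findings

if __name__ == "__main__":
    for finding in flag(SAMPLE_LOG):
        print(finding)
```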
 
