[Linux] what could be killing my linux router?

Larry Kagan linux@flux.org
Sun, 17 Jun 2007 20:54:11 -0400



If you believe your machine is being scanned, you may want to block 
ICMP packets so that your machine will 'disappear' from the Internet.  
There are two schools of thought on this practice, however.  One is that 
ICMP is used for network maintenance and disabling an ACK response is 
breaking network protocol standards.  The other is that standards should 
act as a guide and not a hard and fast rule. 

But what seem to be the two most common (in my experience) problems 
associated with sporadic wifi outages are overheating and wireless 
phones.  Try ensuring your wireless phone and/or base is away from the 
router and ensure there is plenty of airflow around the unit.  Ensure it 
still has its rubber/plastic feet so air can flow underneath.

Good luck.

Larry

Michael Beal wrote:
> Seems your router isn't the only one that gets knocked down.  I've got
> a Belkin Wireless thing that gets knocked down routinely about every 3
> weeks.  A simple reset brings it back.  Must be the hackers
> sweepin'-n-probin' to find a weakling...
>
> --- Terry Richards <sn00per1@bellsouth.net> wrote:
>
>> Phil Smith wrote:
>>
>>> Terry Richards wrote:
>>>
>>>> how do i find out when<exact time> the connection
>>>> goes off and what triggers the disconnection?
>>>
>>> Terry,
>>>
>>> I was making an assumption that your older machine
>>> might be running outdated software leading to
>>> eventual, successful attacks.  Debian based systems
>>> have a /var/log/auth.log where failed SSH logins from
>>> China, Italy, etc. are stored, listing the attempted
>>> userid.  Perhaps Gentoo stores this in another file or
>>> logging  has to be activated.  
>>>
>>> I'd look for whatever files you do have in /var/log:
>>> syslog, kern.log, messages, etc., especially looking
>>> for a TCP window shrinkage issue that shows up logged
>>> as "Treason uncloaked" that is a kernel vulnerability
>>> for which no real fix exists yet, mainly because some
>>> are still arguing whether the existing kernel code
>>> works "well enough" or not, even when confronted with
>>> system crash reports.
>>>
>> i think i found it.
>>
>> faillog -u root
>> faillog -a
>> both turn up only 8 failed login attempts.
>>
>> grep "authentication failure" /var/log/messages | awk '{ print $13 }' | cut -b7- | sort | uniq -c
>>       6 192.168.0.102
>> sysipus terry # faillog -u root
>> Login       Failures Maximum Latest                   On
>> root            8        0   05/16/07 11:03:12 -0400
>> sysipus terry # faillog -a
>> Login       Failures Maximum Latest                   On
>> root            8        0   05/16/07 11:03:12 -0400
>> sysipus terry # grep "Treason uncloaked" /var/log/messages | awk '{ print $13 }' | cut -b7- | sort | uniq -c
>>
>>> You didn't state your ISP.  I recently had problems
>>> with a Bellsouth DSL 6 upgrade, they shipped a very
>>> low quality "Westell WindRiver" DSL modem that lost
>>> connectivity at the slightest rumble of thunder (18
>>> times in one hour!), and the Cat 5 patch cable they
>>> provided failed a continuity test.  I've reverted to
>>> the older Westell DSL 3 modem for now and in the
>>> future, the new AT&T will not be providing me any more
>>> "hardware", apparently you can buy your own DSL modem.
>>>
>>> Most DSL modems seem to require a complete power-down
>>> reset at least every few months for reliable
>>> operation.
>>>
>>>
>> i'm leaning towards the thunderbolts now. the other day my tv went out
>> for a few seconds and i am on an antenna! it was pretty cool. the power
>> grid i am on is famous for brown outs and i have a power ups on the
>> 'puters. BUT if they went down for 20 minutes while i am outside, they
>> wouldn't have the uptimes they do. . . hmmm. might still be something to
>> do with static<thunder> bringing down the link, i guess i should run the
>> tele-line through the ups too. - 'bout time i did that.
>>
>>> You could also be having an issue with DHCP leases
>>> expiring from your ISP and the Linux DHCP not agreeing
>>> with a Windows-based ISP's idea on DHCP license
>>> renewal.  This would be expected to happen
>>> consistently after a certain number of hours of
>>> operation after acquiring a license.
>>>
>> it has been pretty consistent for over a year now, i have a static ip so
>> that one is prolly off the table.
>>
>>> You can probably find or write a tool to monitor the
>>> connection, for example, ping google.com once every 5
>>> minutes and log if ping was successful.  In some
>>> cases, this keeps connections alive that drop perhaps
>>> because of some ISP inactivity policy.
>>>
>> i was thinking that was _the way_ to find out when or nearabouts when it
>> comes off-line
>>
>>> To diagnose a connection, you determine:
>>> 1) can you ping the default gateway at the ISP by ip
>>> address?
>>> 2) can you ping anything more distant by ip address?
>>> 3) can you ping anything by name, to determine if
>>> DNS/remote DNS servers are reachable.working.  
>>>
>>> Many times I can ping by IP address but not name,
>>> there is a tool called 'dig' to figure out where the
>>> DNS failure is:
>>>
>>> dig @192.168.1.254 google.com # DSL modem
>>> dig @4.2.2.1 google.com    # verizon DNS
>>>
>>> Phil
>>>
>> thanx for the tips on how to find if i am connected or not. i'll just
>> have to wait for some action or in this case non-action
>> in the mean time i found gentoo has denyhosts and swatch as well which
>> may help with avoiding a brute force attack
>>
>> :-)^2
>   
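
An added example, not part of the original thread, of tallying the "authentication failure" lines discussed above by source: it finds the `rhost=` key wherever it sits instead of assuming field 13, and marks each source as private, public, name or local console. The log lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally PAM "authentication failure" lines per source host.
# The log lines below are constructed for illustration, not from a real host.
sample_log() {
cat <<'EOF'
May 16 11:01:02 sysipus sshd(pam_unix)[4101]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.102  user=root
May 16 11:01:09 sysipus sshd(pam_unix)[4101]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.102  user=root
May 16 11:02:40 sysipus sshd[4120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.102  user=root
May 16 11:03:12 sysipus sshd(pam_unix)[4133]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
May 16 11:03:15 sysipus sshd(pam_unix)[4133]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
May 16 11:05:00 sysipus su(pam_unix)[4200]: authentication failure; logname=terry uid=1000 euid=0 tty=pts/1 ruser=terry rhost=  user=root
May 16 11:06:00 sysipus sshd(pam_unix)[4210]: session opened for user terry by (uid=0)
EOF
}

# count_rhosts: reads syslog lines on stdin, prints "count source scope",
# highest count first. Scope: private (RFC 1918 or loopback), public,
# name (rhost is a hostname), console (no remote host recorded).
count_rhosts() {
    awk '/authentication failure/ {
        host = "(local)"                      # empty rhost: local su/login
        for (i = 1; i <= NF; i++)             # find the key, whatever its column
            if ($i ~ /^rhost=./) host = substr($i, 7)
        n[host]++
    }
    END {
        for (h in n) {
            scope = "public"
            if (h == "(local)") scope = "console"
            else if (h !~ /^[0-9.]+$/) scope = "name"
            else if (h ~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) scope = "private"
            printf "%d %s %s\n", n[h], h, scope
        }
    }' | sort -rn
}

# With a file argument, analyse that log; otherwise run on the constructed sample.
if [ $# -gt 0 ]; then count_rhosts < "$1"; else sample_log | count_rhosts; fi
```

A source marked private is a machine on the local network rather than an Internet host, which changes where to look next.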

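The ping-and-log monitor and the three-step check Phil describes, as an added example that is not part of the original thread: it names the layer that failed and writes a timestamped line only when the state changes, so the log shows when the link dropped. The target defaults reuse addresses quoted in the thread; the log path, function names and the Linux iputils `ping -W` timeout flag are assumptions.

```shell
#!/bin/sh
# Added example: one probe round of the gateway / distant IP / name check.
# Assumed defaults; override through the environment.
GATEWAY="${GATEWAY:-192.168.1.254}"   # DSL modem address quoted in the thread
FAR_IP="${FAR_IP:-4.2.2.1}"           # distant host by IP, quoted in the thread
NAME="${NAME:-google.com}"            # anything that needs DNS to resolve
LOG="${LOG:-./linkwatch.log}"         # hypothetical log location

# probe HOST: prints ok or fail. One echo request, 3 second wait (iputils ping).
probe() {
    if ping -c 1 -W 3 "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# classify GW FAR DNS: each argument is ok or fail. Works from the most distant
# test inward, so a gateway that silently drops ICMP is not reported as an
# outage while traffic beyond it still gets through.
classify() {
    if   [ "$3" = ok ]; then echo UP
    elif [ "$2" = ok ]; then echo DNS_DOWN        # IP works, names do not: try dig
    elif [ "$1" = ok ]; then echo UPSTREAM_DOWN   # modem answers, ISP side does not
    else                     echo LOCAL_DOWN      # nothing answers: modem, cable, power
    fi
}

# record STATE LOGFILE: append "timestamp STATE" only when STATE differs from
# the last logged state, so each line marks the moment of a change.
record() {
    last=$(tail -n 1 "$2" 2>/dev/null | awk '{ print $2 }')
    [ "$last" = "$1" ] && return 0
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$1" >> "$2"
}

# Every 5 minutes from cron:  */5 * * * * /path/to/linkwatch.sh --run
if [ "${1:-}" = "--run" ]; then
    state=$(classify "$(probe "$GATEWAY")" "$(probe "$FAR_IP")" "$(probe "$NAME")")
    record "$state" "$LOG"
fi
```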