[Linux] what could be killing my linux router?
Michael Beal
linux@flux.org
Mon, 18 Jun 2007 17:37:15 -0700 (PDT)
I have already blocked ICMP packets and configured a lot of other
filters to keep things on the outside but every once in a while, just
about every three weeks, it gets knocked down. Not sure what protocol
they're using to attack it but it really is irrelevant to me since they
aren't getting inside. I try to keep a pretty tight ship where my home
network is concerned, mainly because I'm a Data Pack Rat. Go figure...
But, hey, thanks for the tips Larry. I do appreciate when someone
shows equal, if not more, concern for network security.
Michael
--- Larry Kagan <me@larrykagan.com> wrote:
> If you believe your machine is being scanned, you may want to block
> ICMP packets so that your machine will 'disappear' from the Internet.
>
> There are two schools of thought on this practice, however. One is that
> ICMP is used for network maintenance and disabling an ACK response is
> breaking network protocol standards. The other is that standards should
> act as a guide and not a hard and fast rule.
>
> But what seem to be the two most common (in my experience) problems
> associated with sporadic wifi outages are overheating and wireless
> phones. Try ensuring your wireless phone and/or base is away from the
> router and ensure there is plenty of airflow around the unit. Ensure it
> still has its rubber/plastic feet so air can flow underneath.
>
> Good luck.
>
> Larry
>
> Michael Beal wrote:
> > Seems your router isn't the only one that gets knocked down. I've got
> > a Belkin Wireless thing that gets knocked down routinely about every 3
> > weeks. A simple reset brings it back. Must be the hackers
> > sweepin'-n-probin' to find a weakling...
> >
> > --- Terry Richards <sn00per1@bellsouth.net> wrote:
> >
> >> Phil Smith wrote:
> >>
> >>> Terry Richards wrote:
> >>>
> >>>> how do i find out when <exact time> the connection goes off and what
> >>>> triggers the disconnection?
> >>>
> >>> Terry,
> >>>
> >>> I was making an assumption that your older machine
> >>> might be running outdated software leading to
> >>> eventual, successful attacks. Debian based systems
> >>> have a /var/log/auth.log where failed SSH logins from
> >>> China, Italy, etc. are stored, listing the attempted
> >>> userid. Perhaps Gentoo stores this in another file or
> >>> logging has to be activated.
> >>>
> >>> I'd look for whatever files you do have in /var/log:
> >>> syslog, kern.log, messages, etc., especially looking
> >>> for a TCP window shrinkage issue that shows up logged
> >>> as "Treason uncloaked" that is a kernel vulnerability
> >>> for which no real fix exists yet, mainly because some
> >>> are still arguing whether the existing kernel code
> >>> works "well enough" or not, even when confronted with
> >>> system crash reports.
> >>>
> >> i think i found it.
> >>
> >> faillog -u root
> >> faillog -a
> >> both turn up only 8 failed login attempts.
> >>
> >> grep "authentication failure" /var/log/messages | awk '{ print $13 }' | cut -b7- | sort | uniq -c
> >> 6 192.168.0.102
> >> sysipus terry # faillog -u root
> >> Login    Failures  Maximum  Latest                On
> >> root     8         0        05/16/07 11:03:12 -0400
> >> sysipus terry # faillog -a
> >> Login    Failures  Maximum  Latest                On
> >> root     8         0        05/16/07 11:03:12 -0400
> >> sysipus terry # grep "Treason uncloaked" /var/log/messages | awk '{ print $13 }' | cut -b7- | sort | uniq -c
> >>
> >>> You didn't state your ISP. I recently had problems
> >>> with a Bellsouth DSL 6 upgrade, they shipped a very
> >>> low quality "Westell WindRiver" DSL modem that lost
> >>> connectivity at the slightest rumble of thunder (18
> >>> times in one hour!), and the Cat 5 patch cable they
> >>> provided failed a continuity test. I've reverted to
> >>> the older Westell DSL 3 modem for now and in the
> >>> future, the new AT&T will not be providing me any more
> >>> "hardware", apparently you can buy your own DSL modem.
> >>>
> >>> Most DSL modems seem to require a complete power-down
> >>> reset at least every few months for reliable
> >>> operation.
> >>>
> >> i'm leaning towards the thunderbolts now. the other day my tv went out
> >> for a few seconds and i am on an antenna! it was pretty cool. the power
> >> grid i am on is famous for brown outs and i have a power ups on the
> >> 'puters. BUT if they went down for 20 minutes while i am outside, they
> >> wouldn't have the uptimes they do. . . hmmm. might still be something
> >> to do with static <thunder> bringing down the link, i guess i should run
> >> the tele-line through the ups too. - 'bout time i did that.
> >>
> >>> You could also be having an issue with DHCP leases
> >>> expiring from your ISP and the Linux DHCP not agreeing
> >>> with a Windows-based ISP's idea on DHCP license
> >>> renewal. This would be expected to happen
> >>> consistently after a certain number of hours of
> >>> operation after acquiring a license.
> >>>
> >> it has been pretty consistent for over a year now, i have a static ip
> >> so that one is prolly off the table.
> >>
> >>> You can probably find or write a tool to monitor the
> >>> connection, for example, ping google.com once every 5
> >>> minutes and log if ping was successful. In some
> >>> cases, this keeps connections alive that drop perhaps
> >>> because of some ISP inactivity policy.
> >>>
> >> i was thinking that was _the way_ to find out when or nearabouts when
> >> it comes off-line
> >>
> >>> To diagnose a connection, you determine:
> >>> 1) can you ping the default gateway at the ISP by ip
> >>> address?
> >>> 2) can you ping anything more distant by ip address?
> >>> 3) can you ping anything by name, to determine if
> >>> DNS/remote DNS servers are reachable/working.
> >>>
> >>> Many times I can ping by IP address but not name,
> >>> there is a tool called 'dig' to figure out where the
> >>> DNS failure is:
> >>>
> >>> dig @192.168.1.254 google.com # DSL modem
> >>> dig @4.2.2.1 google.com # verizon DNS
> >>>
> >>> Phil
> >>>
> >> thanx for the tips on how to find if i am connected or not. i'll just
> >> have to wait for some action or in this case non-action
> >> in the mean time i found gentoo has denyhosts and swatch as well which
> >> may help with avoiding a brute force attack
> >>
> >> :-)^2
> >>
> >> _______________________________________________
> >> Linux mailing list
> >> Linux@flux.org
> >> http://www.flux.org/mailman/listinfo/linux
> >>
> >
>
=== message truncated ===
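Phil's three-step diagnosis (gateway by IP, a distant host by IP, then a host by name) and his suggestion of a 5-minute ping job can be combined into one logging script, which answers Terry's question about when exactly the link goes off. This is an added example, not code from anyone in the thread; the gateway, remote IP and host name defaults are assumptions taken from Phil's dig lines and should be set for your own network.

```shell
#!/bin/sh
# Link monitor following the three-step diagnosis: gateway by IP,
# a distant host by IP, then a host by name. Defaults are assumptions
# (the addresses Phil used); override with GATEWAY/REMOTE_IP/REMOTE_NAME.
GATEWAY="${GATEWAY:-192.168.1.254}"
REMOTE_IP="${REMOTE_IP:-4.2.2.1}"
REMOTE_NAME="${REMOTE_NAME:-google.com}"
LOG="${LOG:-/var/log/linkmon.log}"

# probe <target>: exit 0 if one echo reply arrives within 2 s, else 1
probe() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# diagnose <gw> <ip> <name>: each argument is 0 (reachable) or non-zero.
# Prints the first layer that failed, in the order of the three steps,
# so a DNS-only problem is not mistaken for a dead link.
diagnose() {
    if [ "$1" -ne 0 ]; then
        echo "LOCAL: gateway $GATEWAY unreachable (modem, cable or link down)"
    elif [ "$2" -ne 0 ]; then
        echo "UPSTREAM: gateway ok, $REMOTE_IP unreachable (ISP routing)"
    elif [ "$3" -ne 0 ]; then
        echo "DNS: IP reachable, $REMOTE_NAME fails (check resolver with dig)"
    else
        echo "OK"
    fi
}

# One monitoring pass: run the three probes and append a timestamped
# line, so the log shows when the link went off and at which layer.
check_once() {
    probe "$GATEWAY";     gw=$?
    probe "$REMOTE_IP";   ip=$?
    probe "$REMOTE_NAME"; nm=$?
    status=$(diagnose "$gw" "$ip" "$nm")
    echo "$(date '+%Y-%m-%d %H:%M:%S') $status" >>"$LOG"
    echo "$status"
}

# Run every 5 minutes from cron, as Phil suggests:
#   */5 * * * * /usr/local/bin/linkmon.sh   (path is an assumption)
# then grep -v ' OK$' the log to see the outage times and their layer.
```

Because the script runs the probes in order, a long run of "OK" followed by "DNS:" lines points at the resolver rather than the modem, which is the distinction Phil's dig commands are meant to make.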
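Terry's grep | awk '{ print $13 }' | cut -b7- pipeline counts failed-login sources, but it depends on rhost= landing in exactly the 13th column, which shifts with the hostname and daemon tag. The version below keys on the rhost= field itself and adds the per-source threshold check that denyhosts performs. It is an added example, not from the thread; the log lines are constructed, and only the PAM "authentication failure" format shown in Terry's output is assumed.

```shell
#!/bin/sh
# Count failed-login sources from PAM "authentication failure" syslog
# lines by locating the rhost= field, so the column position does not
# matter. SAMPLE_LOG is constructed for this example.
SAMPLE_LOG='May 16 11:03:12 sysipus sshd(pam_unix)[2210]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.102  user=root
May 16 11:03:20 sysipus sshd(pam_unix)[2211]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.102  user=root
May 16 11:03:41 sysipus sshd(pam_unix)[2212]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.102  user=admin
May 16 11:05:01 sysipus sshd(pam_unix)[2215]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=admin
May 16 11:05:03 sysipus sshd(pam_unix)[2216]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
May 16 11:06:00 sysipus sshd[2220]: Accepted publickey for terry from 192.168.0.5 port 41022 ssh2'

# count_failures: reads log lines on stdin, prints "count ip" per source,
# busiest first. Lines without a non-empty rhost= value are ignored.
count_failures() {
    grep 'authentication failure' |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^rhost=./) print substr($i, 7) }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_source: the single busiest source address, or nothing if none
top_source() { count_failures | head -n 1 | awk '{ print $2 }'; }

# exceeds_threshold <max>: exit 0 if any source has more than <max>
# failures (the condition under which denyhosts would block it)
exceeds_threshold() {
    count_failures | awk -v max="$1" '$1 > max { found = 1 } END { exit !found }'
}

# Typical use: printf '%s\n' "$SAMPLE_LOG" | count_failures
# or, on a real box:  count_failures < /var/log/messages
```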