Author Topic: Syslog and log problems  (Read 3843 times)

jamesreeves

Syslog and log problems
« on: May 21, 2017, 03:23:52 PM »

I agree. The syslog feature in the D-Link 880-L is complete rubbish as well.
Code:
May 21 14:43:22 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.186][LAN-1]
May 21 14:43:23 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.186][LAN-1]
May 21 14:43:23 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.131][LAN-1]
May 21 14:43:24 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.186][LAN-1]
May 21 14:43:29 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.186][LAN-1]
May 21 14:43:34 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.186][LAN-1]
May 21 14:43:39 192.168.0.1 ATT: 001[SYN-ACK][216.58.195.70][WAN-1]
May 21 14:43:50 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.186][LAN-1]
May 21 14:43:55 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.186][LAN-1]
May 21 14:44:01 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.186][LAN-1]
May 21 14:44:25 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:44:25 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:44:25 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:44:25 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:44:29 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:44:33 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:44:41 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:44:57 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:45:08 192.168.0.1 ATT: 001[SYN-ACK][69.192.240.49][WAN-1]
May 21 14:45:29 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:45:40 192.168.0.1 ATT: 001[SYN-ACK][69.192.240.49][WAN-1]

It apparently logs every time a TCP stream is opened but doesn't log anything else, making it very low quality overall. Also, there is no documentation for this. What is ATT:001??? Is [98.138.199.240][WAN-1] simply there to reaffirm my belief that 98.138.199.240 originates on the WAN side?

Also, why does it leave port 7777 open on the public side? What is it for? Why did the D-Link internal firewall ignore every rule to block this port? Why did I end up having to use a hardware firewall before the router to filter this port?

Probably leave it open for the NSA or something.
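A sketch for triaging the syslog output pasted above, added here as an example and not part of the original post or any D-Link tool: it parses the lines, counts events per address and interface, and checks whether the interface label agrees with the address being private or public. The field layout is inferred from the pasted lines only (the format is undocumented), and the names `parse` and `summarize` and the LAN/WAN consistency check are assumptions.

```python
import ipaddress
import re

# Layout inferred from the pasted lines only; the meaning of "ATT: 001" is not
# documented, so the tag, code and label are carried through as opaque fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>\w+): (?P<code>\d+)\[(?P<label>[^\]]+)\]"
    r"\[(?P<addr>[^\]]+)\]\[(?P<iface>[^\]]+)\]$"
)

# Sample lines copied from the log in the post above, plus one constructed bad line.
SAMPLE = """\
May 21 14:43:22 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.186][LAN-1]
May 21 14:43:23 192.168.0.1 ATT: 001[SYN-ACK][192.168.0.131][LAN-1]
May 21 14:43:39 192.168.0.1 ATT: 001[SYN-ACK][216.58.195.70][WAN-1]
May 21 14:44:25 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:44:25 192.168.0.1 ATT: 001[SYN-ACK][98.138.199.240][WAN-1]
May 21 14:45:08 192.168.0.1 ATT: 001[SYN-ACK][69.192.240.49][WAN-1]
this line does not match the layout
"""

def parse(text):
    """Return (records, rejects); rejects keeps lines that do not fit the layout."""
    records, rejects = [], []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            rejects.append(line)
    return records, rejects

def summarize(records):
    """Per (address, interface): event count, first/last timestamp, and whether
    the label agrees with the address being private (LAN) or public (WAN)."""
    out = {}
    for r in records:
        s = out.setdefault((r["addr"], r["iface"]),
                           {"count": 0, "first": r["ts"], "consistent": None})
        s["count"] += 1
        s["last"] = r["ts"]
        try:
            private = ipaddress.ip_address(r["addr"]).is_private
            s["consistent"] = private == r["iface"].upper().startswith("LAN")
        except ValueError:
            pass  # not an IP literal; leave the consistency check undecided
    return out

if __name__ == "__main__":
    recs, bad = parse(SAMPLE)
    for key, stats in sorted(summarize(recs).items()):
        print(key, stats)
    print("unparsed:", bad)
```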

FurryNutz

  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Syslog and log problems
« Reply #1 on: May 21, 2017, 04:17:23 PM »

Welcome!

  • What Hardware version is your router? Look at the sticker under the router case.
  • What Firmware version is currently loaded? Found on the router's web page under status.
  • What region are you located in?

Info on Port 7777:
https://www.speedguide.net/port.php?port=7777

What happens if you run GRC's Shields Up scan? Any issues seen there?
http://forums.dlink.com/index.php?topic=66781.0

98.138.199.240 is this:
IP Location   United States Omaha Yahoo! Inc.
ASN   United States AS36646 YAHOO-NE1 - Yahoo, US (registered Mar 02, 2006)
Resolve Host   ne1onepush.vip.ne1.yahoo.com
Whois Server   whois.arin.net
IP Address   98.138.199.240
NetRange:       98.136.0.0 - 98.139.255.255
CIDR:           98.136.0.0/14
NetName:        A-YAHOO-US9
NetHandle:      NET-98-136-0-0-1
Parent:         NET98 (NET-98-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Yahoo! Inc. (YHOO)
RegDate:        2007-12-07
Updated:        2012-03-02
Ref:            https://whois.arin.net/rest/net/NET-98-136-0-0-1

OrgName:        Yahoo! Inc.
OrgId:          YHOO
Address:        701 First Ave
City:           Sunnyvale
StateProv:      CA
PostalCode:     94089
Country:        US
RegDate:        2000-10-22
Updated:        2017-01-28
Ref:            https://whois.arin.net/rest/org/YHOO

OrgTechHandle: NA258-ARIN
OrgTechName:   Netblock Admin
OrgTechPhone:  +1-408-349-3300
OrgTechEmail: 
OrgTechRef:    https://whois.arin.net/rest/poc/NA258-ARIN

OrgAbuseHandle: NETWO5978-ARIN
OrgAbuseName:   Network Abuse
OrgAbusePhone:  +1-408-349-3300
OrgAbuseEmail: 
OrgAbuseRef:    https://whois.arin.net/rest/poc/NETWO5978-ARIN

RAbuseHandle: NETWO857-ARIN
RAbuseName:   Network Abuse
RAbusePhone:  +1-408-349-3300
RAbuseEmail: 
RAbuseRef:    https://whois.arin.net/rest/poc/NETWO857-ARIN

RTechHandle: NA258-ARIN
RTechName:   Netblock Admin
RTechPhone:  +1-408-349-3300
RTechEmail: 
RTechRef:    https://whois.arin.net/rest/poc/NA258-ARIN

What is your ISP Mfr modem and model#?
Is this for a home or business?
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

Hard Harry

  • Guest
Re: Syslog and log problems
« Reply #2 on: May 21, 2017, 05:41:07 PM »

I agree the logging is bad. Not only does it not allow you to set what it logs, but it doesn't allow you to view logs from the web UI or even give you an option to delete logs.

As for what the logs caught, I wouldn't be too concerned. As long as you're seeing warnings about blocked traffic, it's just the firewall doing its job. However, if you are SEEING open traffic on port 7777, especially to 98.138.199.240, you might have malware on your system. Port 7777 is commonly used as a backdoor by malware and that IP is in the range of those used by the malware. The IP is also used by legitimate traffic, and the port can also be used by some online games, but it's something you should look into. If you see no traffic, then rest assured the router's firewall is protecting you.

https://community.rsa.com/community/products/netwitness/blog/2016/12/31/update-grizzly-steppe

FurryNutz

Re: Syslog and log problems
« Reply #3 on: May 21, 2017, 06:36:02 PM »

Logging can be configured via 3rd party logging capture apps. Though not sure what the router is actually outputting. All or some or not enough. Syslog differs from what the old UI logging displayed while syslog was also available on older routers. I believe that logging is either limited on newer generation routers while syslog is still available however needs 3rd party software to collect it.