Our first question comes from Tom, who is security minded but not a full-on security geek:
“In my Dlink 4300 there is functionality to log firewall rules to an outside logging server (I’ve seen this functionality in my old WRT54G’s as well). At the same time Linux has logging functionality that you can set up to receive outside log messages. How do I get my dlink/linksys/brand X router to talk to my Linux server and log all of the messages?”
Looking at firewall logs is a great way to get your feet wet with security. For the home user I’m not convinced it adds a lot of security, but it will be extremely educational. It won’t take long before you drop Wireshark onto your network and really start digging into traffic.
The D-Link outputs its logs using syslog, so it can send them to any compatible syslog server; a number of home routers and wireless access points support the same thing. The exact configuration will vary depending on your internal network structure and which version of Linux you are using, but here’s a general overview to get it running.
- Set up your Linux server.
- Start syslogd and make sure it is configured to run on startup (on Red Hat based systems, “chkconfig --list syslog” shows whether it is enabled).
- Adjust the syslogd configuration so it accepts messages from the network; out of the box it only listens locally. The details depend on which syslog daemon your distribution ships: for the classic sysklogd syslogd you add “-r” to the daemon’s startup options (SYSLOGD_OPTIONS in /etc/sysconfig/syslog on Red Hat based systems) and restart it; for rsyslog you load the imudp module and set “$UDPServerRun 514” in rsyslog.conf. A quick search for your distribution, or the Wikipedia syslog article, should fill in the rest.
- If you have a firewall on your Linux box, open UDP port 514 to your home network only (/etc/sysconfig/iptables on Red Hat based systems). Syslog over UDP has no authentication, so anything that can reach the port can write into your logs; do not expose it beyond the LAN.
- On your D-Link router, go into the DHCP settings and assign a permanent address to your Linux server. Otherwise its IP address will probably change when it reboots and the router will keep logging to the old one. You will need the MAC address of your Linux server, which you can get by running ifconfig from a shell. Some D-Links make this easy and let you pick the address right from the screen where you assign permanent addresses. If that is not feasible, configure your Linux server with a static address instead; if you do, make sure it is outside the DHCP scope handed out by your router.
- Now, on your router, enable remote logging and enter the IP address of your Linux box.
- Give it a little while, then check whether entries are arriving. Where they land depends on how you configured syslog.conf (typically /var/log/messages on Red Hat based systems).
And that should be it! I know this isn’t totally detailed, but it really can vary a lot depending on what you’re running, and I don’t have everything on my end to test it. The most common mistakes are leaving the syslog server on a dynamic IP address, filtering the traffic, and bad syslog configurations.
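When the entries don’t show up, the quickest way to tell whether the problem is the router, the network path, or the syslog configuration is to swap syslogd for something that prints exactly what arrives. The receiver below is an added example, not code from the original post or from D-Link or any Linux distribution. It assumes the home LAN is 192.168.0.0/24, that the router sends RFC 3164 syslog (“<PRI>timestamp host text”) over UDP 514, and that you run it as root with syslogd stopped so it can take the port; the sample datagrams are constructed, not captured from a real router. It also shows the check syslogd itself will not do for you: dropping anything that did not come from your own LAN.

```python
"""Minimal UDP syslog receiver: a stand-in for syslogd while you debug the
router-to-server path.  Added example, not code from the Securosis post.

Assumptions (not in the original post): the home LAN is 192.168.0.0/24,
the router sends RFC 3164 messages ("<PRI>Mmm dd hh:mm:ss host text"), and
the server can bind UDP 514 (needs root, and syslogd must not hold the port).
"""
import ipaddress
import re
import socket

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed home network
PORT = 514

# RFC 3164 facility and severity names, indexed by the numeric code.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(raw):
    """Split a raw datagram into facility, severity and message.

    Returns None for anything that is not syslog-shaped, so garbage
    (or a misconfigured sender) is dropped rather than written to the log.
    """
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _PRI_RE.match(text)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1
        return None
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "message": m.group(2),
    }


def accept_source(addr):
    """Only the home LAN may log here; syslog over UDP has no authentication."""
    return ipaddress.ip_address(addr) in LAN


def format_record(src, rec):
    """One line per message, in the style of syslogd's own output."""
    return "%s %s.%s %s" % (src, rec["facility"], rec["severity"], rec["message"])


def serve(bind="0.0.0.0", port=PORT, logfile="router.log"):
    """Receive datagrams forever, appending accepted ones to logfile."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    with open(logfile, "a") as out:
        while True:
            data, (src, _) = sock.recvfrom(2048)
            if not accept_source(src):
                continue  # silently drop off-LAN senders
            rec = parse_syslog(data)
            if rec is None:
                continue  # not syslog-shaped; ignore
            out.write(format_record(src, rec) + "\n")
            out.flush()


# Constructed sample datagrams (not captured from a real D-Link) so the
# parser can be exercised without a router.
SAMPLE = [
    b"<134>Jan  1 00:00:01 DLINK firewall: DROP src=203.0.113.9 dst=192.168.0.1 proto=TCP dport=23\n",
    b"<13>Jan  1 00:00:02 DLINK dhcpd: lease 192.168.0.50 to 00:11:22:33:44:55",
    b"not a syslog message",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_syslog(raw))
    serve()
```

If router.log stays empty while the router claims to be logging, the packets are not reaching the box (firewall or wrong IP); if lines arrive here but not in /var/log/messages under syslogd, the syslog configuration is the problem.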
Pepper adds: You can do all this with a Mac too – I send Linksys WRT54G & AirPort Extreme logs to mine.
One Reply to “Ask Securosis: Logging Home Router Firewall Activity”
Cool! You answered my question and I have a nifty little project!!
Thanks Rich!