Doing my duty - Malicious activity detection

For several years I have been using a Linksys WRT54G V1.1 wireless router with the official firmware attached to my cable modem. It has a built-in firewall but lacks any proper network intrusion detection system. It did have a rudimentary log, accessible via the web interface, but that was pretty much useless when looking for malicious activity such as denial-of-service attacks, port scans and attempts to break into the network via vulnerabilities.
It always worried me what attempts were being made to get past the firewall onto my network. Some of my network PCs have software firewalls as a backup, and alerts have been almost non-existent, but it still nagged away. Last year I toyed with taking an old PC and building a Smoothwall firewall, because of the logging and the ability to install Snort, but I really couldn't justify the space and expense of having another PC on 24/7.
As I posted yesterday, I finally got up the nerve to install one of the numerous third-party replacement firmwares for the router, plumping for the Tomato variety!
One of the first things I noticed was the improved logging, which can be sent to an external PC running a monitoring/analysis program. The Wikibooks page mentioned the WallWatcher software for Windows, so I downloaded and installed it, configured the router and, lo and behold, I was getting information about all those Chinese TCP/IP packets bombarding my router!
I have now signed up and installed the necessary client software to upload the logs to the SANS Institute Internet Storm Center's DShield system and to myNetWatchman. These organisations use volunteers who submit their data to help detect problems and analyse threats, producing technical information and alerts for the general public.
The system works by having a network of hundreds or thousands of people from all over the world submit information from their firewalls and intrusion detection systems about unwanted traffic arriving from the Internet. This data feeds the appropriate database, where analysis looks for abnormal trends and behaviour. In the case of DShield the resulting analysis is posted on the ISC's main web page, where it can be retrieved automatically by simple scripts or viewed in near real time by any Internet user.
I really feel like I am doing something good, and of course it is fairly geeky! These are the 'attacked' ports from today!
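As an added example (not part of the original post, and not WallWatcher's, DShield's or myNetWatchman's own code), here is a small Python script that does the first step behind a table of "attacked ports": it parses netfilter-style firewall log lines of the kind a Tomato router sends to syslog, keeps only packets that were dropped on the WAN interface, and tallies the most-targeted ports, the noisiest sources and any source that probed several distinct ports (a crude port-scan indicator). The log lines are constructed, the addresses are RFC 5737 documentation ranges, and "vlan1" as the WAN interface name and the "DROP"/"ACCEPT" log prefixes are assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample syslog lines in the shape the Linux netfilter LOG target
# produces (Tomato's firewall logging uses that kernel facility). Addresses are
# RFC 5737 documentation ranges, not real hosts; the MAC= field is omitted for
# brevity. "vlan1" as the WAN interface is an assumption.
SAMPLE_LOG = """\
Mar 12 09:01:11 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=48 TTL=112 ID=1234 DF PROTO=TCP SPT=2345 DPT=445 WINDOW=65535 SYN URGP=0
Mar 12 09:01:15 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=48 TTL=112 ID=1235 DF PROTO=TCP SPT=2346 DPT=139 WINDOW=65535 SYN URGP=0
Mar 12 09:02:03 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.55 DST=198.51.100.7 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 SYN URGP=0
Mar 12 09:02:40 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.55 DST=198.51.100.7 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=6000 DPT=445 WINDOW=16384 SYN URGP=0
Mar 12 09:03:12 router kernel: DROP IN=vlan1 OUT= SRC=192.0.2.200 DST=198.51.100.7 LEN=64 TTL=55 ID=999 PROTO=UDP SPT=53 DPT=1026 LEN=44
Mar 12 09:03:13 router kernel: DROP IN=vlan1 OUT= SRC=192.0.2.200 DST=198.51.100.7 LEN=64 TTL=55 ID=999 PROTO=UDP SPT=53 DPT=1027 LEN=44
Mar 12 09:04:00 router kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=203.0.113.99 LEN=52 TTL=63 ID=4321 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=8192 SYN URGP=0
Mar 12 09:04:30 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=48 TTL=112 ID=1236 DF PROTO=TCP SPT=2347 DPT=135 WINDOW=65535 SYN URGP=0
Mar 12 09:04:45 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=28 TTL=240 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 12 09:05:00 router crond[123]: USER root pid 456 cmd /bin/true
"""

# Standard netfilter LOG fields; SPT/DPT are optional because ICMP has no ports.
NETFILTER_RE = re.compile(
    r"kernel:\s+(?P<action>[A-Z]+)\s+IN=(?P<iface>\S*)\s+OUT=\S*"
    r".*?\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?\bPROTO=(?P<proto>\w+)"
    r"(?:.*?\bSPT=\d+\s+DPT=(?P<dpt>\d+))?"
)


@dataclass(frozen=True)
class Packet:
    action: str
    iface: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]  # None for protocols without ports (ICMP)


def parse_line(line: str) -> Optional[Packet]:
    """Parse one syslog line; return None for anything that is not a firewall log."""
    m = NETFILTER_RE.search(line)
    if not m:
        return None
    dpt = m.group("dpt")
    return Packet(
        action=m.group("action"),
        iface=m.group("iface"),
        src=m.group("src"),
        dst=m.group("dst"),
        proto=m.group("proto"),
        dport=int(dpt) if dpt is not None else None,
    )


def blocked_inbound(lines: Iterable[str], wan_iface: str = "vlan1") -> List[Packet]:
    """Keep only packets the firewall dropped on the WAN side.

    This is the privacy boundary the comments below discuss: accepted traffic
    and anything leaving the LAN is discarded here and never reported.
    """
    kept = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and pkt.action == "DROP" and pkt.iface == wan_iface:
            kept.append(pkt)
    return kept


def top_ports(pkts: List[Packet], n: int = 5) -> List[Tuple[str, int]]:
    """Most-targeted proto/port pairs, e.g. ('tcp/445', 2)."""
    return Counter(f"{p.proto.lower()}/{p.dport}" for p in pkts if p.dport is not None).most_common(n)


def top_sources(pkts: List[Packet], n: int = 5) -> List[Tuple[str, int]]:
    return Counter(p.src for p in pkts).most_common(n)


def scanning_sources(pkts: List[Packet], min_ports: int = 3) -> Dict[str, int]:
    """Sources that hit at least min_ports distinct ports: a crude port-scan flag."""
    ports_by_src: Dict[str, set] = defaultdict(set)
    for p in pkts:
        if p.dport is not None:
            ports_by_src[p.src].add((p.proto, p.dport))
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def summarize(log_text: str, wan_iface: str = "vlan1", top_n: int = 5) -> Dict[str, object]:
    pkts = blocked_inbound(log_text.splitlines(), wan_iface)
    return {
        "blocked": len(pkts),
        "top_ports": top_ports(pkts, top_n),
        "top_sources": top_sources(pkts, top_n),
        "scanners": scanning_sources(pkts),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the tally comes out as tcp/445 hit twice, 203.0.113.10 as the noisiest source, and that same source flagged for probing three distinct ports; the ACCEPT line and the cron line never reach the counters. The real DShield and myNetWatchman clients format their submissions to each service's own specification, which this script does not attempt to reproduce.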

Labels: dshield, ISC, myNetWatchman, NIDS, port scan, sans institute, security, social networking, WallWatcher, WRT54G


3 Comments:
Sounds good, been meaning to have a look at tomato when I got the time - I've been using DDWRT for the last 18 months.
Nice idea, aren't you worried about your privacy though, submitting logs of everywhere you go on the internet? Not that I go anywhere embarrassing or anything myself of course.
The logs being submitted only indicate when the router has taken action to block a suspicious incoming packet. Outgoing and normal activity is not logged.