
HyperWRT 1.3 vs WallWatcher HOWTO

Discussion in 'HyperWRT Firmware' started by sune, Aug 12, 2004.

  1. sune

    sune Network Guru Member

    The following should make your HyperWRT 1.3 log nicely to WallWatcher like the satori firmware.

    Enable the new "autorun" command window (under administration->diagnostics) and enter/paste the following startup commands

    Code:
    /sbin/klogd
    /sbin/syslogd -R 192.168.1.50
    sleep 10
    /usr/sbin/iptables -R INPUT 7 -j logdrop
    /usr/sbin/iptables -R INPUT 1 -j logdrop -m state --state INVALID
    
    * Change 192.168.1.50 to whatever IP you run WallWatcher or Kiwi on
    * klogd is needed since iptables logs through the kernel
    * sleep XX is needed, otherwise the subsequent iptables commands are not applied properly

    Now it also seems that you have to disable the "Filter Internet NAT Redirection" in the security/firewall router setup, otherwise syslogd refuses to start. You can test this running /sbin/syslogd -R 192.168.1.50 in the command shell and see if it errors.

    Well, the above setup works for me at least.

    EDIT: You obviously have to reboot your router for the above changes to take effect...
    EDIT2: Also remember to SAVE the command window before rebooting
    EDIT3: If you want to enable ICMP (ping etc.) logging, add the following also
    /usr/sbin/iptables -R INPUT 5 -j logdrop -p icmp
    EDIT4: Messing around in the routers web config may overwrite the active input chain so you need to reboot to reapply the changes
    EDIT5: If iptables suddenly stops logging after some hours, kill klogd by its process-id and restart it again. Looking for a fix :(
    /Sune
     
  2. puffer

    puffer Network Guru Member

    Didn't work for me. I think maybe because I didn't reset to factory defaults after upgrading the firmware. I am connected remotely to my computer and if I reset the router then I will lose my remote desktop connection. Is there a way I can have the Linksys reset and restore a config file on reboot? What command should I type into the router? Any help would be greatly appreciated. :idea:
     
  3. sune

    sune Network Guru Member

    I don't think a reset should be necessary here - did you remember to SAVE the command window before rebooting?

    EDIT:

    You should also check the following:

    1) Run "ps" from the command shell. The following two processes MUST appear somewhere in the output (the numbers 1128 etc may not match)
    Code:
    1128 0 S /sbin/syslogd -R 192.168.1.50
    1129 0 S /sbin/klogd 
    
    2) Run "/usr/sbin/iptables -L INPUT" from the command shell
    The output should look like this
    Code:
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    logdrop all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere state NEW
    ACCEPT all -- anywhere anywhere state NEW
    DROP icmp -- anywhere anywhere
    ACCEPT igmp -- anywhere anywhere
    logdrop all -- anywhere anywhere 
    
    The important thing here is that the first and last rules are "logdrop" and not "DROP". If you DROP icmp you might consider replacing this with a logdrop rule also, so incoming pings etc. are logged too.

    /Sune
     
  4. Avenger20

    Avenger20 Network Guru Member

    Thx sune, very useful information :) Will make a sticky from it :wink:
     
  5. puffer

    puffer Network Guru Member

    Yes I SAVED and yes it's plugged into the wall :roll: . It is working though, not sure why. I might have been too quick to judge it as not working. The issue I am having now is trying to get ICMP stats to show up. Does this not show up by default? FTP and telnet are recorded as incoming but not a ping (ICMP).
     
  6. sune

    sune Network Guru Member

    You're welcome :) And thank you for the best WRT54G firmware release so far!
     
  7. puffer

    puffer Network Guru Member

    Sune you rule! I think you posted just as I was, so I didn't catch your last post till about a second ago. I will check this as this might explain the ICMP issue. I really have got to take a Linux class!
     
  8. sune

    sune Network Guru Member

    No, ICMP is not logged in this setup. You have to add an extra entry to the command window:

    /usr/sbin/iptables -R INPUT 5 -j logdrop -p icmp

    /Sune
     
  9. puffer

    puffer Network Guru Member

    I have the following

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    logdrop all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere state NEW
    ACCEPT all -- anywhere anywhere state NEW
    ACCEPT tcp -- anywhere 192.168.4.1 tcp dpt:www
    DROP icmp -- anywhere anywhere (problem)
    logdrop all -- anywhere anywhere
    DROP all -- anywhere anywhere

    Does the last line mean that after logging it drops everything?
    And also, how do I edit this file? I don't have telnet access and can't run vi or something like this.
     
  10. puffer

    puffer Network Guru Member

    DAMN IT, you keep posting at the same time as me. Stop it! 8O
     
  11. sune

    sune Network Guru Member

    I don't see the purpose of your rule 5 - where does that come from? Anyway, you have 8 rules in this setup, so "7" must be replaced with "8" in my iptables commands for your case.

    ie

    /usr/sbin/iptables -R INPUT 8 -j logdrop

    Also, ICMP is rule 6 here, not 5 as I stated.

    /Sune
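The rule number that has to be replaced depends on whatever else is in the INPUT chain (7 on the stock chain in the first post, 8 in puffer's case above, and 5 or 6 for the ICMP rule), so hand-counting it is the step that keeps going wrong in this thread. The following is an added example, not code from the thread or from HyperWRT, that reads the chain listing and derives the numbers itself. It assumes the router's iptables accepts `-L INPUT -n --line-numbers` and that its busybox sh and awk handle what is used here; the sample listing is constructed to match the stock chain quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from HyperWRT: derive the rule
# numbers for the "iptables -R INPUT <n> -j logdrop" replacements from the
# chain listing itself, so the numbers do not have to be hand-counted (7 on a
# stock chain, 8 when an extra rule is present, 5 or 6 for ICMP).
# Assumptions: the router's iptables accepts "-L INPUT -n --line-numbers" and
# its busybox sh/awk handle what is used below.
#
# On the router:  /usr/sbin/iptables -L INPUT -n --line-numbers | gen_replacements | sh

# Constructed sample listing, shaped like the stock HyperWRT 1.3 INPUT chain
# quoted in the thread, as "iptables -L INPUT -n --line-numbers" prints it.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    DROP    all  --  0.0.0.0/0  0.0.0.0/0  state INVALID
2    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state NEW
4    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state NEW
5    DROP    icmp --  0.0.0.0/0  0.0.0.0/0
6    ACCEPT  igmp --  0.0.0.0/0  0.0.0.0/0
7    DROP    all  --  0.0.0.0/0  0.0.0.0/0'

# rule_num TARGET PROTO [REGEX]: print the number of the first rule on stdin
# whose target and protocol columns match and whose line matches REGEX.
rule_num() {
    awk -v t="$1" -v p="$2" -v x="${3:-}" \
        '$1 ~ /^[0-9]+$/ && $2 == t && $3 == p && (x == "" || $0 ~ x) { print $1; exit }'
}

# last_rule: print "<num> <target>" for the final rule of the listing on stdin.
last_rule() {
    awk '$1 ~ /^[0-9]+$/ { n = $1; t = $2 } END { if (n != "") print n, t }'
}

# gen_replacements: read a listing on stdin and print the iptables commands
# that turn the silent DROP rules into logdrop ones. Nothing is executed here;
# rules that are already logdrop produce no command, so it is safe to re-run
# after the web UI has rewritten the chain.
gen_replacements() {
    listing=$(cat)
    inval=$(printf '%s\n' "$listing" | rule_num DROP all 'state INVALID')
    icmp=$(printf '%s\n' "$listing" | rule_num DROP icmp)
    set -- $(printf '%s\n' "$listing" | last_rule)
    [ -n "$inval" ] && echo "/usr/sbin/iptables -R INPUT $inval -j logdrop -m state --state INVALID"
    [ -n "$icmp" ] && echo "/usr/sbin/iptables -R INPUT $icmp -j logdrop -p icmp"
    # The catch-all at the end of the chain is replaced only while it is still DROP.
    if [ "${2:-}" = "DROP" ]; then
        echo "/usr/sbin/iptables -R INPUT $1 -j logdrop"
    fi
    return 0
}
```

Because it only emits a replacement for rules whose target is still DROP, piping its output into `sh` a second time, for instance after saving in the firewall page has put the stock rules back, changes nothing, which is the behaviour you want from something that may be re-run from a watchdog.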
     
  12. puffer

    puffer Network Guru Member

    Hey sune I rebooted and changed what I think you wanted me to change take a look --

    Auto Run:

    /sbin/syslogd -R 192.168.4.3
    /sbin/klogd
    sleep 10
    /usr/sbin/iptables -R INPUT 8 -j logdrop
    /usr/sbin/iptables -R INPUT 1 -j logdrop -m state --state INVALID
    /usr/sbin/iptables -R INPUT 6 -j logdrop -p icmp

    Here is the rules after the above is run:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    logdrop all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere state NEW //isn't this a duplicate?
    ACCEPT all -- anywhere anywhere state NEW
    ACCEPT tcp -- anywhere 192.168.4.1 tcp dpt:www
    logdrop icmp -- anywhere anywhere
    DROP igmp -- anywhere anywhere //do you think this should be logged?
    logdrop all -- anywhere anywhere
     
  13. sune

    sune Network Guru Member

    Yes I think you got it right this time :)

    No, rule 3 and 4 are not identical (if you try verbose mode: iptables -L INPUT -v you'll see the interfaces are different)

    Yes, you could log dropped IGMP also, but you'll hardly encounter multicast traffic under normal circumstances so I wouldn't bother.

    /Sune
     
  14. puffer

    puffer Network Guru Member

    :) sweet! :D Thanks again. I tested this and ICMP is getting recorded. Are there any good books you can recommend on Linux and getting started with it? ..

    On another note, if you save under the firewall section of the Linksys router you will have to reboot the router again! :(
     
  15. Avenger20

    Avenger20 Network Guru Member

    Just use google ;), print out some faq's and how-to's and try it all out :)

    Wouldn't just clicking the 'save' button in startup enable the rules again?
    I'll see if I can find a fix for this in a next version.
     
  16. puffer

    puffer Network Guru Member

    You're correct on the save button under Diagnostics. :D I didn't even think of trying that because according to the comment "The commands and scripts typed here will execute at bootup." I didn't think they execute right away too 8O
     
  17. puffer

    puffer Network Guru Member

    How about outgoing? those don't seem to show up? :?:
     
  18. sune

    sune Network Guru Member

    No, this setup only logs dropped packets. If you enable Linksys's own logging from http://192.168.1.1/Log.asp you'll get accepted connections as well.

    /Sune
     
  19. hassiman

    hassiman Network Guru Member

    Questions on IPtable logging with WRT and WW HELP!

    Dear Sune,

    I apologize... but I am quite new at all of this so my questions may seem a bit stupid....

    I was wondering what activity it is possible to have WallWatcher log (using a WRT54GS and HyperWRT) using iptables, specifically events that alert one to security problems (hack or DoS attempts and attacks, and unauthorized outgoing traffic).

    What command syntax would one use to best enable WW to log these types of events?

    Also, should one use the "Command shell" or "autorun" to set up the logging commands?
     
  20. dellsweig

    dellsweig Network Guru Member

    Has anyone noticed this..

    After a few hours of logging, firewall syslog messages just stop - syslogd is still functioning as I get the check messages. If I restart klogd, all is normal for a few hours...

    Is there something else I need to do??
     
  21. tidal

    tidal Network Guru Member

    1) Not getting /sbin/syslogd -R 192.168.1.50 but getting /sbin/klogd
    2) Getting exactly that

    Installed WW and it's tracking nothing. Tried this with and without the Linky's own logging turned on.

    Any help?
     
  22. tidal

    tidal Network Guru Member

    got it.... in WW under Options -> Special; I needed to select WRT54G for router type
     
  23. sune

    sune Network Guru Member

    Yes it seems klogd hangs after some time so you have to kill it by its process-id and restart it again. Will look into this, this is rather annoying :-(

    /Sune
     
  24. dellsweig

    dellsweig Network Guru Member

    Sune

    I was looking at the klogd man page. There is an option to force it into the foreground (-n). Also there is an option to force a currently running klogd to reload symbols.

    Do you think either of these options would have an effect??
     
  25. sune

    sune Network Guru Member

    Yes I noticed that as well :) I'm testing klogd -n now (it has been running for 3-4 hrs now), will report results back later!

    Cheers

    Update: Nope, didn't work. Stopped logging 30 mins ago. Back to the drawing table :( Unfortunately the busybox version of klogd does not support much more than the -n parameter.
     
  26. dadaniel

    dadaniel Network Guru Member

    What commands do you recommend to use now - only for enable logging to wallwatcher?

    MUST I use this? Or does it work with the first two lines also?
    Code:
    /usr/sbin/iptables -R INPUT 7 -j logdrop 
    /usr/sbin/iptables -R INPUT 1 -j logdrop -m state --state INVALID 
    
     
  27. sune

    sune Network Guru Member

    You should still follow the original post, however klogd seems to hang after some hours of logging. Currently I don't know any fix for this except for restarting klogd when it happens.

    /Sune
     
  28. dadaniel

    dadaniel Network Guru Member

    but.......this seems to be on the way to making the firmware unstable, like Sveasoft does.

    Why does it not work correctly?
     
  29. dellsweig

    dellsweig Network Guru Member

    klogd is a Linux kernel logger. It has nothing to do with the 'firmware' or the 'stability' of the firmware.
     
  30. dadaniel

    dadaniel Network Guru Member

    But klogd is a part of the firmware, isn't it?

    And for me it seems to be unstable, if I have to restart this "part of the firmware" or the router every hour. :?
     
  31. sune

    sune Network Guru Member

    klogd runs as a separate process and is only used for logging, so your router does not become "unstable" just because klogd does not work properly (winxp does not become "unstable" just because notepad.exe decided "not to respond" for some reason).

    yes klogd is in the firmware, but as a free gift you could say (so we really cannot complain if it doesn't work) - klogd is *not* used or started by the router in any way, you have to do it yourself from the command shell.

    /Sune
     
  32. firebowl

    firebowl Network Guru Member

    Going mad :(

    Hi there,

    just tried to enable logging via WallWatcher, but no chance.
    The main thing I wanted to be logged are the normal incoming and outgoing logs like the ones you can see in the router's web interface.
    I have two main problems. The first one is: what should I write into the Autorun field? At the moment it contains:

    /sbin/syslogd -R 192.168.1.128
    /usr/sbin/iptables -R INPUT 1 -j logdrop -m state --state INVALID
    /usr/sbin/iptables -R INPUT 6 -j logdrop

    My second problem is how to configure WallWatcher. Which router model should I select? I have the WRT54G.
    Thanks
    Fire
     
  33. sune

    sune Network Guru Member

    Re: Going mad :(

    You also need /sbin/klogd in your autorun. (There is an issue with klogd, as it seems; nevertheless we still need it for logging.)

    Furthermore, in WallWatcher you should choose the WRT54G Sveasoft setup.

    /Sune
     
  34. firebowl

    firebowl Network Guru Member

    This one seems to work half the way ;)

    /sbin/syslogd -R 192.168.1.128
    /sbin/klogd
    /usr/sbin/iptables -R INPUT 1 -j logdrop -m state --state INVALID
    /usr/sbin/iptables -R INPUT 6 -j logdrop

    WallWatcher now logs outgoing traffic. What is wrong that it does not log incoming traffic?

    PS: Thanks for the fast answer
     
  35. sune

    sune Network Guru Member

    If you follow the original post, then you actually need

    /usr/sbin/iptables -R INPUT 7 -j logdrop

    and not

    /usr/sbin/iptables -R INPUT 6 -j logdrop

    However it should still work since the wrong rule you replace (6) is probably the IGMP multicast rule.

    Otherwise try posting the output of "/usr/sbin/iptables -L INPUT" here or send me a PM with the results of this.

    /Sune
     
  36. firebowl

    firebowl Network Guru Member

    Changed 6 to 7 but nothing changed.
    Here is the output:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DROP all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere state NEW
    ACCEPT all -- anywhere anywhere state NEW
    DROP icmp -- anywhere anywhere
    ACCEPT igmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Now after a few minutes to hours the router drops the Internet connection and you have to unplug and plug in the power adapter.
    I think I should do a hard reset. I didn't reset my router for months and about a dozen firmwares ;)
     
  37. sune

    sune Network Guru Member

    Well something is wrong here. If you apply the two iptables replacements, the first (1) and last rule (7) should be changed to "logdrop" and not "DROP".

    /Sune
     
  38. firebowl

    firebowl Network Guru Member

    As you can see in my posting above, I've written the following into the autostart field (and saved it):

    /sbin/syslogd -R 192.168.1.128
    /sbin/klogd
    /usr/sbin/iptables -R INPUT 1 -j logdrop -m state --state INVALID
    /usr/sbin/iptables -R INPUT 7 -j logdrop


    I don't understand why there is 'DROP' instead of 'logdrop' in the output.
     
  39. sune

    sune Network Guru Member

    You could try executing the iptables replacements in the command shell instead, so you can see if they trigger some error, and if not, try "iptables -L INPUT" again to check if the changes were done.
     
  40. dellsweig

    dellsweig Network Guru Member

    Has anyone figured out how to keep klogd up and running more than 24 hours??
     
  41. Avenger20

    Avenger20 Network Guru Member

    Could it be a problem with firewall rules getting reloaded? Then it will probably get fixed in HyperWRT v1.4 because I'm making a separate box for firewall rules.
     
  42. Netzer

    Netzer Network Guru Member

    Logging with Wall Watcher

    New to running a modified firmware, so please forgive my first post here.
    Running HyperWRT v1.3.
    I like it a lot; it installed easily and ran like a top.

    Having a problem getting the router to log incoming and outgoing traffic.

    OK, I have the lines posted earlier in the forum for logging provided by sune in the autorun field on the router (thank you Sune for all the good information).
    I made sure to save, then I rebooted the router.
    I have WallWatcher configured on the PC.
    I can see kernel activity in WallWatcher but no user activity.

    When I try the commands manually in the router,
    I get an error on any of the lines that end with logdrop.
    The error says "cannot load target logdrop, file not found".

    Do I need to do something else first?

    I am running HyperWRT v1.3 on a Linksys WRT54G.

    I use my router basically as an access point; I have one cable plugged into one switch port and then into my network.
    I use a separate Linksys router as the default router.

    Does the logging on the Linksys not work unless it is traffic to and from the WAN port?


    Thank You

    Bill
     
  43. Avenger20

    Avenger20 Network Guru Member

    We probably will have to update busybox to fix klogd.
    I'll see if I can update it from 0.60.0 to 0.60.5.
     
  44. DaDD

    DaDD Network Guru Member

    Has this been fixed in 1.4? BTW, great job on the firmware!
     
  45. Netzer

    Netzer Network Guru Member

    Wall Watcher

    I have added the lines to the startup,
    and when I check the rules I get this for the result:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    It looks like the router did not accept the other commands, other than

    /sbin/klogd
    /sbin/syslogd -R 10.209.10.253

    I can see router activity in WallWatcher but nothing else.
    Should the logging rules be in the firewall side??

    Sorry for the question, new to this.

    Thank You
     
  46. hassiman

    hassiman Network Guru Member

    I hate to look stupid but what commands should I use?

    Hi,

    After reading through this thread I am actually a bit more confused...

    To activate logging using my WRT54GS and HyperWRT v1.4 and WallWatcher so that the router will log incoming/outgoing traffic and ICMP (pings), what command strings should I use, where do I enter them and how do I activate the logging?

    When reading this thread I saw this string :

    /sbin/klogd
    /sbin/syslogd -R 192.168.1.50
    sleep 10
    /usr/sbin/iptables -R INPUT 7 -j logdrop
    /usr/sbin/iptables -R INPUT 1 -j logdrop -m state --state INVALID

    But after reading the replies I was not 100% sure if this was correct.
    I also saw this string:

    /usr/sbin/iptables -R INPUT 5 -j logdrop -p icmp

    for ICMP but I am not sure in what order it belongs in relation to the other command lines.

    Is there anyone out there that is running the similar setup that would post the entire string and how to initiate it in V 1.4?

    Also, what in the logfiles is a telltale that one is being attacked or that a trojan is remotely connecting? Is there anything one can toggle on a router that will alert you in some way in case of attack?

    Thanks,

    Rich
     
  47. Judex

    Judex Network Guru Member

    Has somebody found a workaround with HyperWRT 1.4 for dying of klogd yet?

    Regards, Judex
     
  48. DaDD

    DaDD Network Guru Member

  49. Judex

    Judex Network Guru Member

    I found a dirty but yet working workaround for klogd dying. Could not test stability for a long time but it is running for now:

    Put "cat /proc/kmsg | /var/bin/logger &" at the end of the firewall rules, with another "sleep 10" before it, and do not start klogd. This works for me.

    Regards, Judex
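Several posts above (sune's ps check in post 3, the klogd-dies-after-a-few-hours reports, and the kmsg-reader workaround just above) come down to the same question: is anything still forwarding the kernel log, and if not, what do I restart? The following is an added example, not code from the thread or from HyperWRT, that answers it from `ps` output. It assumes busybox ps prints the command line at the end of each row, as in sune's ps excerpt, and that the restart commands are the ones from the first post; the ps samples are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from HyperWRT: a check for the
# "klogd stops logging after a few hours" problem discussed above. It reads
# "ps" output, reports whether anything is still forwarding the kernel log
# (klogd, or a "cat /proc/kmsg | logger" pipe as in the workaround above) and
# prints the commands needed to bring logging back. Assumptions: busybox ps
# lists the command line at the end of each row, as in sune's ps excerpt, and
# the restart commands are the ones from the first post.
#
# On the router:  ps | restart_cmds 192.168.1.50 | sh

# Constructed sample "ps" output: syslogd is up but klogd has died.
SAMPLE_PS_DEAD='  PID  Uid     VmSize Stat Command
    1 root        328 S   init
 1128 root        300 S   /sbin/syslogd -R 192.168.1.50
 1201 root        292 S   /sbin/httpd'

# Constructed sample "ps" output: both loggers running.
SAMPLE_PS_OK='  PID  Uid     VmSize Stat Command
 1128 root        300 S   /sbin/syslogd -R 192.168.1.50
 1129 root        296 S   /sbin/klogd'

# has_cmd PATH: succeed if a process row on stdin runs PATH as a whole word.
# The pattern is anchored on whitespace so that the awk doing the check (whose
# own argv contains PATH when run against live ps output) does not match itself.
has_cmd() {
    awk -v x='(^|[ \t])'"$1"'([ \t]|$)' \
        '$1 ~ /^[0-9]+$/ && $0 ~ x { f = 1 } END { exit f ? 0 : 1 }'
}

# kernel_log_status: print klogd, kmsg-reader or none for the ps output on stdin.
kernel_log_status() {
    ps_out=$(cat)
    if printf '%s\n' "$ps_out" | has_cmd /sbin/klogd; then
        echo klogd
    elif printf '%s\n' "$ps_out" | has_cmd /proc/kmsg; then
        echo kmsg-reader
    else
        echo none
    fi
}

# restart_cmds LOGHOST: print the commands that restore logging for the ps
# output on stdin. Prints nothing when both daemons are alive.
restart_cmds() {
    ps_out=$(cat)
    printf '%s\n' "$ps_out" | has_cmd /sbin/syslogd || echo "/sbin/syslogd -R $1"
    [ "$(printf '%s\n' "$ps_out" | kernel_log_status)" != none ] || echo "/sbin/klogd"
}

# watchdog_loop LOGHOST: poll every ten minutes and restart what is missing.
# Intended to be started from autorun with a trailing "&"; not run here.
watchdog_loop() {
    while :; do
        ps | restart_cmds "$1" | sh
        sleep 600
    done
}
```

Note that this only detects a klogd process that has exited; the hang described in the thread leaves klogd in the process list while it stops forwarding, so a watchdog that keys on `ps` alone will not catch that case, and the kmsg-reader pipe above is the alternative that avoids klogd entirely.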
     
  50. loost74

    loost74 Network Guru Member

    I'm exactly as confused as hassiman.
    I read the whole thread but actually I don't know where to put what. So could anybody please post instructions for a newbie?

    Where do I have to enter which code.
    Which program do I have to install.

    Thanks a lot.
     
  51. kurdtdan

    kurdtdan Guest

    New Wall Watcher

    WallWatcher has released a new update. They say that it fixes a bug where logging stopped after a few hours. I have been running the watcher for 14 hours now, and it hasn't stopped yet. I used to be able to get about 2-3 hours out of it before it stopped logging. Perhaps it isn't klogd that has been causing this problem, but rather WW.
     
