What gets logged?

Discussion in 'Tomato Firmware' started by LLigetfa, Oct 19, 2007.

  1. LLigetfa

    LLigetfa LI Guru Member

    I have a bunch of Buffalo APs (in BRI mode) on my hotspot and until now have just stuck with the stock firmware which logs all wireless client associations. I use a central syslog server with php-syslog-ng. (See link to DSLR below)

    It was suggested I give Tomato a try ( http://www.dslreports.com/forum/r19258941-Stop-the-bad-guy ) for its ability to blacklist by MAC, wireless clients. My non-profit hotspot is open (no WEP) so that users can read my TOU/AUP. If they request access and agree to the terms, I allow them through my m0n0wall captive portal.

    There are always a few users that will try to hack through or that associate but never request access. Those I want to blacklist. The blacklist feature works as advertised but for the life of me, I cannot see where I can turn on logging of client associations. Is the feature there but hidden, or is this something I need to put in as an enhancement request?


  2. lwf-

    lwf- Network Guru Member

    I don't know about your question, but I do know that MAC addresses can very easily be changed, so if you block someone that tries to gain illegal access then he will be back after about a minute.
  3. LLigetfa

    LLigetfa LI Guru Member

    Thanks, but I'm quite aware of what *some* people will do. All the more reason for Tomato to have better logging! So far, many of these idiot hackers are dumb enough to put in their real ID and password, so you give them too much credit. My outdoor APs have MAC blacklisting and nobody has to my knowledge changed their MAC to try to get back in. On my indoor APs I've just been turning off the radio the attacker is associated to when I detect an attack.

    I was hoping to stay on the topic of logging and not derail it about MAC spoofing and what not. Frankly, I am surprised that Tomato does not appear to log stuff that I would have thought everyone would expect as a bare minimum. I was hoping that maybe I just missed a setting but I'm starting to wonder. All I can find to log are cron, ntp, and ingress/egress firewall rule actions.
  4. GeeTek

    GeeTek Guest

    I thought syslog would have wireless client data. Even if/when you are able to identify the abusing MAC, it would be nice to have a single control method to program all of the radios at once with the deny MAC information.
  5. LLigetfa

    LLigetfa LI Guru Member

    As did I. :)
    Ja, that was going to be my next question, how to script populating the blacklist with telnet perhaps.
  6. Monoman

    Monoman Network Guru Member

    I am a happy Tomato user but I believe it has fewer features than some other mods to keep it light and stable.

    No matter what mod you choose to use I think you should consider NOT blocking these pests you call hackers. There are more fun things you can do like

    * Use QOS to slow their connection to below dial-up speeds
    * Page manipulations to drive them bonkers: http://digg.com/tech_news/Turning_Network_Free_Riders_Lives_Upside_Down

    If you block them they will keep trying to get around your blocks. If you make it seem like they have PC problems they will go bonkers.

    Good luck in whatever method you choose.
  7. LLigetfa

    LLigetfa LI Guru Member

    I already do that in m0n0wall.

    I have the routers dumbed way down as just APs so I don't need a whole lot of features. The only feature I was looking for over the stock firmware right now is blacklisting so that they cannot associate. If they can't associate, it is harder for them to hack.

    As I said, my current countermeasure is to turn off the AP the scum is on but that also punishes the good. So, I'm guessing the logging is just not there and not a case of my overlooking it. The logging is more important to me than the blacklisting so either I go back to stock firmware or I try some other 3rd party firmware.

    I was thinking about turning some of my hotspot APs into kismet drones. Not sure though if the Buffalo has enough RAM for that with Tomato. I was also thinking about setting up VLANs and separate SSIDs/security per VLAN so I can use WPA/AES on the management VLAN.

    I might try Tomato on my home router next month after I switch ISP.
  8. Monoman

    Monoman Network Guru Member

    The only log entries I see with MAC addresses are the DHCP entries. I'm not sure if that will give you the information you need.
  9. LLigetfa

    LLigetfa LI Guru Member

    No DHCP when set as an AP.
  10. LLigetfa

    LLigetfa LI Guru Member

    I'm not quite ready to throw in the towel yet. The way I figure, logging is just not exposed in the WebGUI but one might be able to tweak it in BusyBox. I just don't know my way around it yet.

    I see there is no syslog.conf in /etc so I'm guessing it is set in NVRAM. Looking around in NVRAM I see some logging references but I don't know what is what. I also see the MAC addy blacklist so exporting/importing them should not be too hard.
  11. mstombs

    mstombs Network Guru Member

    The options in
    wl msglevel ?
    look interesting, but can't get anything in log here...
  12. LLigetfa

    LLigetfa LI Guru Member

    Actually, I was thinking maybe log_events. Also wonder what console_loglevel is about.
    macnames=0018DEBDDB2D<FF0865L (test)
    I found the blacklisted MAC I entered in three places. Not sure waddup widdat.
  13. LLigetfa

    LLigetfa LI Guru Member

    Damn... why does this have to be so hard?

    Since I see no light at the end of the tunnel, I thought I'd give DD-WRT a try but it isn't logging wireless associations either. What gives? Does nobody care to log that?

    Heading over to the DD-WRT forum Link on the off-chance there may be an answer there. Wish me luck. :(