Modem Router & Syslog Server

By pj863
Tags: Networking
Hi Experts, I am somewhat of a newbie in the networking arena. I have a basic understanding, as I have been in IT for a decade.

I am trying to set up a centralized log server for my personal use. Here is my current setup. The question is written at the bottom of the post; any response / guidance will be much appreciated.

Modem: AT&T Model 5268AC
Router: Netgear R7000, flashed with Fresh Tomato.
Ubuntu 20.0.4x running machine with Rsyslog server.

Modem IP address is
Router IP address is

Both the modem & router have the ability to send syslog data to a remote machine.

1. I am successfully able to send syslog data from my router to Rsyslog.
2. However no data gets transferred from my modem to Rsyslog.

Troubleshooting steps:
1. I have tried turning the router's syslog export off & using the same port (1515) on the modem, just to troubleshoot whether it was an incoming port issue on the Ubuntu side. But it's not, as the router can successfully send syslog data to Ubuntu but the modem cannot. Nothing gets to the Ubuntu server from the modem.
2. On the router I have tried opening Port Forwarding as follows:
Source port and destination port - same as 1515
Source IP address as my modem (
Destination IP address of my Ubuntu ( )

- Can someone guide me on what I am doing wrong?

All Answers

The modem appears to be more than a modem.

by rproffitt Moderator In reply to Modem Router & Syslog Ser ...

It's also on another subnet which will cause issues.

Why not turn the modem into a real full up modem?

its at&t modem

by pj863 In reply to The modem appears to be m ...

It's an AT&T-provided modem & I have to use it if I need service from AT&T. But the only thing connected to my modem is the router, and the whole network gets its DHCP addresses from the router.

This residential gateway is not that capable.

by rproffitt Moderator In reply to its at&t modem

So you'll need another Ethernet or WiFi connection from your Ubuntu box to the other LAN. Then it's easy peasy.

second n/w interface enabled

by pj863 In reply to This residential gateway ...

Thanks, this was a good suggestion. I opened up another network interface and connected my Ubuntu to the AT&T modem directly, in addition to the existing Ethernet connection to my personal router. Now I can see my Ubuntu has 2 IP addresses, one for each subnet.

Problem: I have a web server running on the Ubuntu server on ports 80 & 443. This is for my website. As soon as I turn on the second interface card on my Ubuntu for my AT&T modem, my website becomes unreachable.

I checked that port forwarding on my router is only to 10.0.041 (which was configured earlier and was working just fine).

Is enabling the second interface interrupting my web server traffic?


Shouldn't but

by rproffitt Moderator In reply to second n/w interface enab ...

I'm not your web server admin but would suggest the web admin check what IP and, again, the ports the server is listening on.

And if that never works out I'd cheat and set up a small low power syslog server on a cheap Pi. Source:


by pj863 In reply to Shouldn't but

Thanks for the suggestions again. I got the stop working by binding Apache to a specific address.
Probably not an apt question for this thread, but asking as that was the initial objective of doing this setup.

Question: what are the key logs I should be looking for in my modem logs to detect if there are any intrusion attempts happening over time? For example, below is the list of sources that are captured through the modem logs; which ones can be useful to filter any intrusion attempt(s)?

Source: message count
mcpd: 224
led-manager[1839]: 184
kernel: 136
lmd[1841]: 106
fw [190: 59
wifimgrd[1**: 25
dhcp6d[1793]: 24
bulkdatad[1782]: 13
dnsmasq[19824]: 8
optip-990: 7
raspberrypi: 3
dlnamgr[1801]: 2
ethblink[2669: 2
ethblink[26762]: 2
ethblink[26801]: 2

I no longer look at syslogs.

by rproffitt Moderator In reply to Working

It would be hours lost to me. Besides any PC/device connected to the web will be attacked. The best defense is to have the device only respond to what it needs to and nothing else. Strip it bare and then keep current on the OS and apps that are left.

I've run such for years without trouble.

I am a security maven. I'd go find a Reddit on that.

agreed partially

by pj863 In reply to I no longer look at syslo ...

I am no security maven by any means.... but I could not agree more on hours lost comment :)

Just to give an idea where I am coming from:
1. My external modem has only & only ports 443/80 open & I have made sure to check with Nmap vulnerability for my personal network. There are a few ports open on my network but behind the firewall. So I 100% agree on stripping down to be more secure.

2. This setup I am trying to do will eventually send me a notification / alert as a text to my phone if my syslog parsing software meets a condition to send a notification. And I am at a point to jot down what key messages etc I should be asking my parsing software to look through in syslog.
Hope this helps in delivering my perspective.


For that

by rproffitt Moderator In reply to agreed partially

I'd get to a subreddit about syslog and security discussions. You'll find more folk there than here.

The one condition I can think of is a successful connection on other ports BUT the routers can't determine that in stock form. I can't guess what might be possible with PFSense, Tomato and such firmware. Another nod to subreddits on those firmwares.

Since any Internet connected device is going to be scanned, pinged and even DDOS'd I can't see why I need to be alerted to all that. It would be a waste of time to get such an alert as today, we can't stop these on our routers.
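
Added example, not part of the thread or written by either poster: one way to express the alert condition discussed above (an accepted inbound connection on a port other than 80/443) while also tallying messages per source as in the earlier list. The firewall message layout (ACCEPT/DROP, SRC=, DPT=), the host name `gateway` and the sample lines are assumptions constructed for illustration; the gateway's real "fw" format is not shown in the thread.

```python
import re
from collections import Counter

# BSD-syslog style line: "<PRI>Mon DD HH:MM:SS host tag[pid]: message"
LINE = re.compile(
    r"^<(\d+)>(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([^\s:\[]+)(?:\[\d+\])?:\s?(.*)$")
# ASSUMED firewall message layout; adapt to what the gateway's "fw" lines contain.
FW = re.compile(r"(ACCEPT|DROP)\b.*?SRC=(\S+).*?DPT=(\d+)")
EXPECTED_PORTS = {80, 443}  # the only ports the poster exposes to the internet

def parse(line):
    """Split one syslog line into fields; return None if it has no valid header."""
    m = LINE.match(line)
    if not m:
        return None
    pri, ts, host, tag, msg = m.groups()
    return {"severity": int(pri) % 8, "ts": ts, "host": host, "tag": tag, "msg": msg}

def triage(lines):
    """Return (messages per source tag, alerts for accepted traffic on odd ports)."""
    counts, alerts = Counter(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            counts["<unparsed>"] += 1  # keep malformed lines visible, don't drop them
            continue
        counts[rec["tag"]] += 1
        fw = FW.search(rec["msg"]) if rec["tag"] == "fw" else None
        if fw and fw.group(1) == "ACCEPT" and int(fw.group(3)) not in EXPECTED_PORTS:
            alerts.append((rec["ts"], fw.group(2), int(fw.group(3))))
    return counts, alerts

# Constructed sample lines (documentation IP ranges), not real gateway output.
SAMPLE = [
    "<134>Mar  3 10:15:01 gateway fw[1900]: DROP IN=wan SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23",
    "<134>Mar  3 10:15:04 gateway fw[1900]: ACCEPT IN=wan SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=443",
    "<132>Mar  3 10:15:09 gateway fw[1900]: ACCEPT IN=wan SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080",
    "<30>Mar  3 10:15:11 gateway led-manager[1839]: state change",
    "<6>Mar  3 10:15:12 gateway kernel: eth0 link up",
    "garbage line without a header",
]

if __name__ == "__main__":
    counts, alerts = triage(SAMPLE)
    for tag, n in counts.most_common():
        print(f"{tag}: {n}")
    for ts, src, port in alerts:
        print(f"ALERT {ts}: accepted connection from {src} on port {port}")
```

Dropped packets and accepted connections on the expected ports are counted but raise no alert, which keeps routine scanning noise out of the notifications.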

If I were to do this again.

by rproffitt Moderator In reply to For that

Since all I ever saw was to be expected over a few years I rarely look at this today.

But you did ask so I would be remiss to not note there are such beyond Reddit discussions. Try this search:
