Zyxel/Netgear-based Router Configuration

Congratulations, if you are reading this I hope it is because you are not satisfied with running a router but having no idea what kind of security events are occurring. I compliment you now, because you are about to embark on a ridiculously complex process to enable full logging and ultimately interface your Netgear/Zyxel logs with myNetWatchman... be patient, it IS worth the trouble.

This page details the procedure for enabling full logging on the following routers:

  • Netgear RT311/314
  • Zyxel Prestige P641/642
  • If applicable to other makes/models please e-mail support so this page can be updated

These routers allow remote logging of security events using a Unix-style facility known as syslogd (the syslog daemon).

The basic steps are as follows:

  • Download and install the Kiwi syslogd server
  • Configure syslogging on your router so it sends events to your new syslogd server
  • Modify the router configuration so that security event logging is enabled

Step 1: Kiwi Installation/Configuration


Step 2: myNetWatchman Configuration

  • Open the myNetWatchman Configuration screen
  • Click the LogFile button and navigate to your Kiwi syslog file
    Default: C:\Program Files\Syslogd\syslogcatchall.txt
  • Log file format: select 'Netgear via Kiwi'

Step 3a: Router Syslogd Configuration

  • From Windows, click Start/Run..., type 'telnet' and click OK
  • Select Connect/Remote System..., enter 192.168.0.1 (or the router IP you configured) as Host, click OK
  • When prompted for Password:, enter "1234" (the default)
  • The Main Menu should appear
  • Type: 24, ENTER (System Maint)
  • Type: 3, ENTER (Log and Trace)
  • Type: 2, ENTER (Unix Syslog)
  • Set the following options:
      Active=Yes
      Syslog IP = 192.168.0.2 (or the IP where Kiwi is running)
      Log Facility= Local 1
      Types:
        CDR=No
        Packet Triggered=No
        Filter Log=YES
        PPP Log=No
  • Press ENTER several times until you return to the previous menu
  • Press ESCAPE several times until you return to the main menu

Step 3b: Router Remote Node Setup

  • Start from the Router Main Menu
  • Type: 11, ENTER (Remote Node Setup)
  • Press ENTER until you reach "Edit Filter Sets"
  • Press space to change it to YES, then press ENTER
  • Ensure the following is configured:
      Input Filter Sets:
        protocol filters=1
  • Press ENTER until you return to the previous menu
  • CRITICAL: press ENTER several more times until you see "Saving to ROM flash"
  • Press ESCAPE until you return to the main menu

Step 3c: Edit Filter Rules

  • Start from the Router Main Menu
  • Type: 21, ENTER (Filter Sets)
  • Press ENTER until you reach "Filter Rules Summary"

The default Protocol Filter #1 looks like this:



                        Menu 21.1 - Filter Rules Summary

 # A Type                       Filter Rules                              M m n
 - - ---- --------------------------------------------------------------- - - -
 1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137                            N D N
 2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138                            N D N
 3 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139                            N D N
 4 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137                           N D N
 5 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138                           N D N
 6 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139                           N D F

A = Active (Y/N)
Pr = Protocol (6=TCP, 17=UDP)
SA = Source IP (0.0.0.0 means ANY)
DA = Destination IP
DP = Destination Port
M = ignore this
m = Action on Match (D=Drop, F=Forward)
n = Action on No Match (N=Check next Rule, F=Forward)


So what this mess does is simply block all NetBIOS traffic received on your WAN port. More specifically, it blocks tcp/137, tcp/138, tcp/139, udp/137, udp/138 and udp/139.

Unless you're running some kind of web server, you should be able to safely block inbound access to all privileged ports (<=1024). This way we'll get full logging on the most popular attack patterns (e.g. DNS (tcp/53), RPC (tcp/111), etc.). I'm working on a more comprehensive filter that will provide logging on all ports, including UDP, but that's going to take some analysis.

  • To keep this simple, we're going to modify the first rule to block tcp/1-1024 instead of just tcp/137
  • Type 1, ENTER
  • Navigate down to Destination Port#= and change it to 1024
  • Change Port # Comp= to Less (for less-than)
  • Press ENTER until you get down to "Log=", then press space to change it to Action Matched
  • Press ENTER until you get back to the previous menu
  • Press ESCAPE until you return to the main menu
  • You're done.
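To make the rule semantics above concrete (the A, Pr, DP, m and n columns, the Port # Comp=Less change, and Log=Action Matched), here is an added Python example that is not part of the original page or of the router firmware: it parses the default summary rows into rules and evaluates inbound packets against both the default set and the Step 3c version. Assumptions: SA/DA are ANY in every row so the parser captures only A, Pr, DP, m and n; "Less" is strict less-than as the page describes it; and a chain that ends without a decision forwards.

```python
import re
from dataclasses import dataclass
# Constructed copy of the default "Menu 21.1 - Filter Rules Summary" rows shown above.
DEFAULT_SUMMARY = """\
 1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137                            N D N
 2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138                            N D N
 3 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139                            N D N
 4 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137                           N D N
 5 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138                           N D N
 6 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139                           N D F
"""
LINE_RE = re.compile(r"^\s*\d+\s+([YN])\s+IP\s+Pr=(\d+),.*DP=(\d+)\s+(\S)\s+(\S)\s+(\S)\s*$")

@dataclass
class Rule:
    active: bool       # A column
    proto: int         # Pr: 6=TCP, 17=UDP
    dport: int         # DP: destination port
    comp: str          # Port # Comp: "Equal" or "Less" (strict less-than, assumed)
    on_match: str      # m: D=Drop, F=Forward
    on_nomatch: str    # n: N=check next rule, F=Forward
    log: bool = False  # Log=Action Matched

def parse_summary(text):
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            act, pr, dp, _ignored, mm, n = m.groups()
            rules.append(Rule(act == "Y", int(pr), int(dp), "Equal", mm, n))
    return rules

def evaluate(rules, proto, dport):
    """Walk the set in order; return (decision, logged) for one inbound packet."""
    for r in rules:
        if not r.active:
            continue
        hit = r.proto == proto and (dport < r.dport if r.comp == "Less" else dport == r.dport)
        if hit:
            return ("Drop" if r.on_match == "D" else "Forward", r.log)
        if r.on_nomatch == "F":
            return ("Forward", False)
    return ("Forward", False)  # assumption: an exhausted chain forwards

def hardened_rules():
    """Step 3c applied: rule 1 becomes TCP, DP < 1024 (Comp=Less), Log=Action Matched."""
    rules = parse_summary(DEFAULT_SUMMARY)
    rules[0].dport, rules[0].comp, rules[0].log = 1024, "Less", True
    return rules
```

Note that with Comp=Less and port 1024 only ports below 1024 match rule 1, so an inbound tcp/1024 probe still falls through to the NetBIOS rules and is forwarded unlogged.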

Congratulations, you have just successfully navigated what has to be one of the most cryptic and arcane user interfaces anywhere!