AC3200 - WAN Issues - Need help decoding syslog

You need to provide more information to get any help (the syslog may help too).
 

I was trying to find a way to delete the post I made but was only able to edit it, so that is what I left in it. During the 100+ views with no response, I was able to find/read/learn much of what I was needing answers for. I still have one question if you could kindly answer.

After 13 years with a Buffalo Router with only WEP protection, I just bought the AC3200 and am trying to make sure the home network is safe. In one week, I have received 1000's of pings that were all DROPPED, but I had 4 that said "ACCEPT" like below. I know it is from some Island in the Indian Ocean, but I don't know how to read this Syslog line, whether it is a problem, or what I should change in the Router to prevent ACCEPTS. The 3 other ACCEPTS were from the Michigan College of Engineering and MIT. Those logs got overwritten, so I don't have those examples anymore that I can find. I have since created a Firewire-start script and put the four IP's (.0/24) to be DROPPED in IPtables.

Thanks for any help/reading material on how to interpret the Syslog line, what they were ACCEPT'ed to do, and what I might need to change in the Router to prevent unwanted ACCEPT's.

Sep 3 01:08:14 kernel: ACCEPT IN=ppp0 OUT=br0 SRC=89.248.172.103 DST=192.168.2.241 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=4474 PROTO=TCP SPT=34703 DPT=5900 SEQ=1849689239 ACK=1408050961 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
 
So someone in the Netherlands (89.248.172.103) is attempting to connect to you on port 5900, which appears to be forwarded to a host on your LAN (192.168.2.241).

Port 5900 is VNC. Are you running a VNC server on that host?

Edit: I just checked my own syslog and coincidentally I also just got scanned by someone using the same ISP (quasinetworks.com) albeit from a different IP address.
 
Thanks for the decode. I installed TightVNC, but just to fix other people's computers in the same house. It did open some ports under WAN/???, but I have since removed all the open ports I saw on the router since they are not needed to connect locally.

I have not had any more ACCEPTS for several days, so maybe removing those ports stopped it.

Are there any documentation/reference books to read about how to decode the SYSLOG? I now know IN/OUT/SRC/DST/LEN/DPT, but I'm curious to learn about all the other items listed.
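
Added example, not part of the thread and not the router firmware's code: a small Python parser for the kernel log line quoted above, which separates KEY=VALUE fields from bare TCP flags and decodes the hex bytes in OPT (...). The function names and the `ppp0` WAN-interface default are assumptions taken from that one sample line.

```python
import re

# Sample input: the ACCEPT line quoted in the thread.
SAMPLE = ("Sep 3 01:08:14 kernel: ACCEPT IN=ppp0 OUT=br0 SRC=89.248.172.103 "
          "DST=192.168.2.241 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=4474 PROTO=TCP "
          "SPT=34703 DPT=5900 SEQ=1849689239 ACK=1408050961 WINDOW=65535 RES=0x00 "
          "SYN URGP=0 OPT (020405AC01010402)")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
OPT_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_PERMITTED", 8: "TIMESTAMP"}

def decode_tcp_options(hex_str):
    """Walk the kind/length/value TCP option bytes printed inside OPT (...)."""
    data, i, out = bytes.fromhex(hex_str), 0, []
    while i < len(data) and data[i] != 0:   # kind 0 ends the option list
        kind = data[i]
        if kind == 1:                       # NOP: one padding byte, no length
            out.append("NOP")
            i += 1
            continue
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            out.append("MALFORMED")         # truncated option or bad length byte
            break
        value = int.from_bytes(data[i + 2:i + length], "big")
        out.append(OPT_NAMES.get(kind, f"KIND{kind}") + (f"={value}" if length > 2 else ""))
        i += length
    return out

def parse_line(line):
    """Split a netfilter LOG line into prefix, KEY=VALUE fields, TCP flags, options."""
    body = line.split("kernel: ", 1)[1]
    opt = re.search(r"OPT \(([0-9A-Fa-f]+)\)", body)
    rec = {"prefix": body.split()[0], "fields": {}, "flags": [],
           "options": decode_tcp_options(opt.group(1)) if opt else []}
    for tok in body.split()[1:]:
        if "=" in tok:                      # ACK=1408050961 is the ack-number field
            key, val = tok.split("=", 1)
            rec["fields"][key] = val
        elif tok in TCP_FLAGS:              # a bare SYN/ACK/... is a TCP flag
            rec["flags"].append(tok)
    return rec

def is_new_inbound_to_lan(rec, wan_if="ppp0"):
    """SYN without the ACK flag, in on the WAN and forwarded (IN and OUT both set)."""
    return (rec["fields"].get("IN") == wan_if and bool(rec["fields"].get("OUT"))
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"])

if __name__ == "__main__":
    print(parse_line(SAMPLE), is_new_inbound_to_lan(parse_line(SAMPLE)))
```

For the sample line the options decode to MSS=1452, NOP, NOP, SACK_PERMITTED, and the only TCP flag set is SYN, i.e. a new connection attempt from the WAN forwarded to 192.168.2.241 on port 5900.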
 
