Thanks for taking the time to read this. As far as tech savvy goes, I'm probably a 5/10. When it comes to networking, even less. I barely understand most of the posts in this forum, so please bear with me, and for any replies you feel like leaving, just keep in mind that "normal speak" or high levels of translation would be as helpful as possible. Or... just tell me what I should do and I can knock it out.
Anyway, I purchased a commercial router about a month ago that already has OpenWRT on it (IQRouter). We had considerable difficulty with it at first, but most of the issues were mine or my ISP's, and the IQRouter folks have been very, very helpful with just about everything. And... for the most part, things are waaaay more stable now; we are through the hard part. But... still a couple of issues to work through.
The only thing that I am very much stuck on at the moment is that the IQRouter tech specifically alerted me to some system logs that she deemed "very suspicious"... and I just can't figure out what's going on. I would very much like someone to help me figure out how I can eliminate these things, or whether I even should try to. The IQRouter tech said that the router and internet in the house would be more stable if I had some of these issues eliminated.
- Potential DNS rebinding attacks. How do I determine which machine is getting attacked or where this originated from? I see the attacks occurring very regularly in the logs, but I have no idea how to stop this or even how to know which machine/IP this is coming from inside the house. I've taken several measures to clean high-usage PCs of malware, adware and junkware, using lots of tools. Despite Google searches, I can't even figure out what the number after the dnsmasq text means. Can somebody explain that to me? The log message below repeats many times a day, all throughout the day. This is not a domain anyone in the house is familiar with, although I do have teenage kids, so that's kinda why I want to pinpoint the devices this is coming from. I have a general high-level idea of the rebind attack and what it is (sort of). But I don't know which machine this is coming from or which browsers it is occurring in. And I have like 6 PCs in the house, so protecting them more across the whole is fine, but I still would like to know if I can pinpoint where this is coming from.
Sun May 17 12:57:58 2020 daemon.warn dnsmasq: possible DNS-rebind attack detected: pft.surveysedge.aresqa.pdx2.pftaresdev.rc.rcluster.io
- There are some other logs that aren't making any sense either, and I'm trying to determine whether these are bad/negative and how to fix them. I know what these machines are, but they are usually pretty dormant and I'm trying to figure out what activities are trying to occur here. Is there a way to go back to these clients and figure out what software/services triggered these requests? Is there a way to determine whether these requests were malicious in any way?
Sun May 17 10:02:37 2020 daemon.warn miniupnpd: upnp_event_process_notify: connect(192.168.7.102:2869): Operation timed out
Sun May 17 10:51:25 2020 daemon.warn miniupnpd: upnp_event_process_notify: connect(192.168.7.103:2869): Operation timed out
- Several clients, throughout the day, are kicking off the wifi and then reconnecting, whenever they want. This interruption causes some slight headaches in video calls and gaming. Can anybody tell me why I would see constant connections and then reconnections throughout the day? The logs are littered with the things below all day long. I assume some of these connects and reconnects are normal in the logs, but should they be contributing to wifi interruptions on the clients?
Sun May 17 08:30:25 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 0a:b1:5a:18:f1:3b
Sun May 17 09:00:01 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 0a:b1:5a:30:45:25
Sun May 17 09:00:03 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 0a:b1:5a:18:f1:3b
Sun May 17 09:10:37 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 9c:ae:d3:82:b5:68
Sun May 17 09:10:37 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 9c:ae:d3:82:b5:68
Sun May 17 09:20:21 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED f0:a3:5a:77:ee:00
Sun May 17 09:20:21 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED f0:a3:5a:77:ee:00
Sun May 17 09:20:22 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 9c:ae:d3:82:b5:68
Sun May 17 09:20:22 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 9c:ae:d3:82:b5:68
Sun May 17 09:20:23 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 52:d4:f6:0b:b1:59
Sun May 17 09:20:24 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 52:d4:f6:0b:b1:59
Sun May 17 09:20:26 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 34:12:98:3b:0a:45
Sun May 17 09:20:26 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 34:12:98:3b:0a:45
Sun May 17 09:27:52 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED f0:a3:5a:77:ee:00
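A small triage script, added here as an example and not code from the original post or from the router vendor, that parses logread lines like the ones quoted above: it tallies the names in dnsmasq's rebind warnings (that warning records the answered name, not which LAN client asked), the LAN hosts miniupnpd failed to notify, and which Wi-Fi MACs dropped and rejoined within a few seconds. The embedded sample lines are a constructed subset of the post's logs, and the 5-second flap window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the logread lines quoted in the post above.
SAMPLE_LOG = """\
Sun May 17 12:57:58 2020 daemon.warn dnsmasq: possible DNS-rebind attack detected: pft.surveysedge.aresqa.pdx2.pftaresdev.rc.rcluster.io
Sun May 17 10:02:37 2020 daemon.warn miniupnpd: upnp_event_process_notify: connect(192.168.7.102:2869): Operation timed out
Sun May 17 08:30:25 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 0a:b1:5a:18:f1:3b
Sun May 17 09:00:03 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 0a:b1:5a:18:f1:3b
Sun May 17 09:10:37 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 9c:ae:d3:82:b5:68
Sun May 17 09:10:37 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 9c:ae:d3:82:b5:68
Sun May 17 09:20:23 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 52:d4:f6:0b:b1:59
Sun May 17 09:20:24 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 52:d4:f6:0b:b1:59
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \S+ (\w+): (.*)$")
REBIND_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")
UPNP_RE = re.compile(r"connect\((\d+\.\d+\.\d+\.\d+):\d+\)")
STA_RE = re.compile(r"(wlan\d+): AP-STA-(CONNECTED|DISCONNECTED) ([0-9a-f:]{17})")

def triage(log_text, flap_window=5):
    """Tally rebind names, UPnP notify targets and Wi-Fi flaps in logread output."""
    rebind_names = Counter()  # dnsmasq logs the answered name, not which LAN client asked
    upnp_targets = Counter()  # LAN hosts miniupnpd tried (and failed) to notify on 2869
    last_drop = {}            # mac -> time of its most recent AP-STA-DISCONNECTED
    flaps = []                # (mac, iface, reconnect time, seconds the client was gone)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        prog, msg = m.group(2), m.group(3)
        if prog == "dnsmasq" and (r := REBIND_RE.search(msg)):
            rebind_names[r.group(1)] += 1
        elif prog == "miniupnpd" and (u := UPNP_RE.search(msg)):
            upnp_targets[u.group(1)] += 1
        elif prog == "hostapd" and (s := STA_RE.search(msg)):
            iface, event, mac = s.groups()
            if event == "DISCONNECTED":
                last_drop[mac] = ts
            elif mac in last_drop:
                gap = (ts - last_drop.pop(mac)).total_seconds()
                if gap <= flap_window:  # dropped and rejoined within seconds: a flap
                    flaps.append((mac, iface, ts.isoformat(), gap))
    return {"rebind_names": rebind_names, "upnp_targets": upnp_targets,
            "flaps": flaps, "flaps_per_mac": Counter(f[0] for f in flaps)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

To run it over the router's real logs, pass the full output of logread to triage() instead of SAMPLE_LOG; MACs that show up repeatedly in flaps_per_mac are the clients worth checking first.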