How do I find which devices on my network are connecting to my ISP?
December 17, 2020 5:39 AM

My ISP’s security systems keep automatically blocking my IP address because of failed logins. Tell me how to find the problem?

My ISP’s customer support people are telling me it’s because some device on my network is repeatedly trying to log in to their server using the wrong password. Looking down the list of connected devices that I can access via my broadband router, I can’t see anything that looks like it might be the culprit.

Is there a way that I can debug this, short of switching all the devices off and bringing them back on line one at a time (which could take weeks)? Like, could I somehow generate a list of all the devices that try to connect to mail.beverleywestwood.com, www.beverleywestwood.com, ftp.beverleywestwood.com etc over some extended period?

Or is there some other way of solving the issue?
posted by Beverley Westwood to Computers & Internet (11 answers total) 2 users marked this as a favorite
 
Best answer: Your Internet router might have a log of these requests, but DNS queries usually aren't recorded. Are you savvy enough to set up a PiHole on your network to capture this? It's not difficult, but requires some time. pi-hole.net

There may be a computer on your network, or tablet or phone, that you've forgotten about. Did you hand something down to a child? Alternately, if you have multiple Apple devices, they will store preferences in iCloud; could you have an Apple device that's not enrolled, and so using an old password that fell out of sync with your other devices?

To be honest, I work in IT and when we see this, it's almost always your phone -- especially when it's set to check frequently, and so hits the "five failed login attempts" threshold shortly after you get your password reset for the millionth time. :7)
posted by wenestvedt at 6:06 AM on December 17, 2020 [2 favorites]


Can you make a list of devices, turn half of them off at a time, and sort through this?

For starters, turn all phones off the wifi, see if it is a naughty app.
posted by nickggully at 6:36 AM on December 17, 2020 [2 favorites]


Most routers let you log in to their admin dashboard, and there's usually a "Connected devices" tab. Open one of the following in your web browser and see if any work:

http://192.168.0.1
http://192.168.1.1
http://192.168.2.1
http://192.168.0.254
http://192.168.2.1
http://10.0.0.0
http://10.0.0.1
posted by derbs at 8:28 AM on December 17, 2020


The router's admin password is probably on a sticker on the side of the device.
posted by wenestvedt at 9:49 AM on December 17, 2020


Response by poster: Folks, thanks for the suggestions so far. Just to be clear, I already have admin access to the router and I already have a list of the connected devices. What I'm looking for is a way to deduce which of those devices is causing the problem.

@wenestvedt, I do have a Raspberry Pi in a drawer somewhere, so I could set Pi-hole up on that. Would Pi-hole be more useful to me than Wireshark? I'm not sure whether or not they do the same thing in terms of network analysis.
posted by Beverley Westwood at 10:46 AM on December 17, 2020


Best answer: I'd start running Wireshark on the likely PC/Mac suspects, to save having to rewire the network.
Possibly some forgotten email program repeatedly trying an old password or something.

If it's not the PCs/Macs, then I'd try and watch the traffic before it hits the router for the more difficult devices. Not sure if you can do that on a Pi-hole, but that's where I'd start. I'm not sure the best advice for wifi devices; you want to watch the traffic between the wifi and the router. With newer TLS/SSL type things, you'll probably have to watch the IPs/IP range of the ISP domains in addition to the names.
posted by TheAdamist at 10:53 AM on December 17, 2020


Is your router doing DNS for your internal network? If you know the server that's getting the bad logins and your router is flexible enough, you could set up a DNS entry to send that traffic to one of your machines, and see what you capture there.
posted by each day we work at 11:18 AM on December 17, 2020


Best answer: A quick solution is to log in to your router, and assign names to the various devices. That will help make sense of the traffic. (This is probably under the DHCP set up, or maybe local DNS settings.)

To set that up you'll have to dig through the phones and computers to find their IP address, but once it's in there then it should make your logs more intelligible. (And even if you know how to run Wireshark, you still need to associate those IP addresses with a physical device.)

The PiHole gets set as the DNS server, which your router then instructs every device to use for all DNS look-ups. The Pi Hole's logs will show which device is trying to reach your ISP's servers. Of course, using the Pi Hole -- like everything else -- requires associating the IP address with the actual devices. *sad trombone* On the other hand, once the Pi Hole is online, you can enable the default Allow Lists and Block Lists, after which no one will see ads in their browser and many malware sites will be blocked -- which will both protect your systems and speed up the subjective web experience. Ta-daa!
posted by wenestvedt at 12:42 PM on December 17, 2020
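As an added illustration (not code from any poster in this thread) of what the Pi-hole approach in the two answers above yields in practice: Pi-hole writes its query log in dnsmasq's format, one `query[...] name from client` line per lookup, and the script below tallies which LAN client asked for the ISP hostnames. The log lines are constructed, and `example.com` stands in for the poster's withheld domain.

```python
# Tally which LAN client queried the ISP's hostnames in a Pi-hole (dnsmasq)
# query log. Added example; sample log lines below are constructed.
import re
from collections import Counter, defaultdict

# dnsmasq query record, e.g.
#   Dec 17 06:00:01 dnsmasq[812]: query[A] mail.example.com from 192.168.1.23
QUERY_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d dnsmasq\[\d+\]: "
    r"query\[[A-Z]+\] (?P<name>\S+) from (?P<client>\S+)$"
)

def tally_clients(log_lines, suspect_hosts):
    """Return {client_ip: Counter({hostname: count})} for queries that hit
    any hostname in suspect_hosts (exact match, case-insensitive).
    Non-query records (forwarded/reply/cached lines) are ignored."""
    wanted = {h.lower() for h in suspect_hosts}
    hits = defaultdict(Counter)
    for line in log_lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name").lower()
        if name in wanted:
            hits[m.group("client")][name] += 1
    return dict(hits)

def rank_suspects(hits):
    """Client IPs ordered by total matching queries, busiest first."""
    return sorted(hits, key=lambda ip: -sum(hits[ip].values()))

# Constructed sample: one client polls the mail host every minute.
SAMPLE_LOG = """\
Dec 17 06:00:01 dnsmasq[812]: query[A] mail.example.com from 192.168.1.23
Dec 17 06:00:01 dnsmasq[812]: forwarded mail.example.com to 1.1.1.1
Dec 17 06:00:01 dnsmasq[812]: reply mail.example.com is 203.0.113.5
Dec 17 06:00:09 dnsmasq[812]: query[A] www.example.com from 192.168.1.40
Dec 17 06:01:01 dnsmasq[812]: query[A] mail.example.com from 192.168.1.23
Dec 17 06:01:30 dnsmasq[812]: query[AAAA] MAIL.EXAMPLE.COM from 192.168.1.77
Dec 17 06:02:01 dnsmasq[812]: query[A] mail.example.com from 192.168.1.23
Dec 17 06:02:05 dnsmasq[812]: query[A] ftp.example.com from 192.168.1.40
Dec 17 06:02:10 dnsmasq[812]: query[A] unrelated.net from 192.168.1.23
""".splitlines()

if __name__ == "__main__":
    hosts = ["mail.example.com", "www.example.com", "ftp.example.com"]
    hits = tally_clients(SAMPLE_LOG, hosts)
    for ip in rank_suspects(hits):
        print(ip, dict(hits[ip]))
```

Because the DNS lookup happens before any TLS session is set up, this names the client even when the mail or web traffic itself is encrypted; a device that uses its own DNS-over-HTTPS resolver bypasses Pi-hole and will not appear here, which is one reason to also match on the ISP's IP range in a packet capture, as TheAdamist suggests.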


I concur: Wireshark the packets of the devices you don't recognize. You may be able to deduce what they are by diving into the packets, and maybe what they are trying to access. Even knowing the URL they tried would let you narrow down the candidates.
posted by kschang at 5:30 PM on December 17, 2020


If your router can firewall off these servers, you could start there and only allow access on a case by case basis. The bonus is that this will prevent another shut off even if you never find the device.
posted by advicepig at 6:30 PM on December 17, 2020


Response by poster: Thanks again to everyone for their help.

I let Wireshark run for a while, then searched through its logs for any references to www.beverleywestwood.com, ftp.beverleywestwood.com or mail.beverleywestwood.com (not the actual domain). There are about 30 devices connected, but the only two that came up in the Wireshark search were my iPhone and the MacBook that I'm typing this on. These were the devices that I already knew were accessing my domains - for email - but I'd already checked the passwords and I was confident that they were correct. In any case, when the devices weren't IP-blocked, they successfully downloaded my emails, so I reasoned that that proved the passwords stored on those devices were correct.

In the meantime, I'd begged my ISP for any more information they could give me, thinking that if they could at least give me the time of the failed logins then it might give me a bit more data to work with. Crucially, they sent me some rows from their logs, which included the local IP address on my network of the guilty device. I didn't realise that they got this data; I expected it would all be hidden behind my router.

So AHA! The local IP address was that of my MacBook.

The Wireshark method was correct and Wireshark was telling me the right thing. I'd just discounted the evidence.

Now I have a different problem, which is to figure out why my MacBook is sometimes trying to log on with the wrong password. But the original question is resolved. Thanks!
posted by Beverley Westwood at 6:24 AM on December 21, 2020 [1 favorite]

