How to disable the Actiontec DSL modem web activity log

Edit: This was posted in 2006. You know, before we all had smartphones which were trackable anywhere and one could be annoyed by the little things, like my DSL modem keeping an activity log with no way for me to shut it off.

I closed comments at some point because it became clear that there were people who, regardless of how and what I said, thought I was implying that this would somehow keep things private from your ISP. Which is lame, because I’d never say something like that. We simply did this because it annoyed us. It’s not very useful.

Also, I made the mistake of calling Busybox a Linux distro in the original post, which it is not – it’s a toolset which, with a Linux kernel added, for example, is useful on embedded devices. My bad. Correction noted, and thanks. However, leaving a comment on another page because the comments are closed here is itself a wee bit annoying. Please don’t do that. The comments were closed because the post is dead. Thanks.

So today Christian and I were setting up the extended network in our new house here in scenic Denver. I set up the DSL modem just for my computer yesterday, since Christian has no power in his suite of rooms, and noticed that the modem had a “web activity log” utility and thought, grumbling, that we’d have to get around to turning that off, because surely there’s an easy way to turn that off, right? I put it out of my mind and went out to dig holes in the garden.

Now today, we decided to get Christian set up temporarily until his study is ready to go, so we moved everything around, reconfigured the network, and threaded a lot of cords and cables into the room next to my study. When we were going through the modem configuration page to set things up, Christian saw the web activity log, and his head started spinning around. Now, we had no choice of modems when we ordered from Qwest, and I did not look around on the web enough to notice that Actiontec advertises this as a “feature” (you know, so that you can keep an eye on what your kids/husband/dog are doing on the internet). But clearly this is not something we want.

Sorry folks, but the last thing I particularly want is a modem that is keeping track of what I am doing. When I surf the net to satisfy my Bernd das Brot fetish, I don’t think it’s really anyone’s business. More to the point, in these days of creepy surveillance everywhere, I don’t particularly think it’s a good idea to have hardware sold to me by my ISP keeping track of what I do on the internet, even if Qwest was the only major phone company not to sell customer information to the NSA. It’s not like Qwest couldn’t keep track of what we were doing on their own, but this does seem like a suspiciously convenient solution to the problem of ISPs having to store huge amounts of customer data – why not have the customers store it on their own? And let’s tell them it’s a “feature”! They’ll be thrilled.

Neither Christian nor I was happy about it, and while we found a few posts on the net complaining about this “service” being available (and not readily removable) to the customer without his or her consent, we found no solutions. Fortunately, the Actiontec GT-701 (and several of their other modems, it seems) is running BusyBox (a tiny little GNU toolkit intended for embedded systems), so you can actually telnet in and do stuff to it. With quite a bit of poking around, Christian found where the activity log hides, and we symlinked it to /dev/null to get rid of it. Worked like a charm! There are no guarantees that they won’t hide it elsewhere if folks start shutting off their logs, but in the meantime, here’s the dummies’ guide to how to get rid of that activity log (the only assumption I make is that you can read and you have access to some sort of a telnet client – there’s nothing hard about this):

First, you’ll need to telnet in to your modem with your administrative username and password. If you don’t remember it, it can be changed from your browser on the modem’s web page under Advanced Utilities > Admin Username & Password. In general, unless you’ve done something fancy, your modem (and its web interface) is at 192.168.0.1. If not, you probably know where it is. Anyway, telnet to wherever it is:

> telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

BusyBox on (none) login: youradminusername
Password:

BusyBox v0.61.pre (2006.02.18-05:21+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

Ok, so now you’re in. You’ll want to change to the directory where the log is hidden:

# cd /var/tmp

The file you’re looking for is log_web_activity. First, you’ll have to remove the file so that we can make it point to something harmless:

# rm log_web_activity

Now, and this is important, in order to prevent the log from being written to, you need to create a symbolic link from the old file name to /dev/null (if you know nothing about Linux/Unix/whatever, think of it as a lovely black hole to which you’ll be shipping your data). If none of that made any sense to you, fear not. Just type what I tell you to type. Afterwards, that pesky file should disappear for good!

# ln -s /dev/null log_web_activity

Now log out of the modem, and you’re home free:

# exit
Connection closed by foreign host.
>

Edit: Note that you’ll have to do this anytime the router reboots. Since, as Christian kindly notes in the comment below, /var is a partition in RAM (and thus it – and your symlink – get hosed on shutdown) and the startup scripts can’t be edited since they’re all in read-only memory, you can’t do anything about it permanently unless you’re industrious enough to build a new ROM image.

In short, anytime your modem loses power or reboots, you’ll have to go through the steps above again.

That should be it.
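The rm / ln -s step above, as an added example that is not part of the original post: a re-runnable version that builds the link under a temporary name and renames it into place, so there is no gap in which the logger can re-create the file. It is exercised on a scratch directory; the function names are illustrative, and `readlink` and `mktemp` are assumptions about the machine you try it on, not something the modem's BusyBox build is known to provide.

```shell
#!/bin/sh
# Added example: re-runnable form of
#   rm log_web_activity; ln -s /dev/null log_web_activity
# Function names are illustrative, not from the modem or the original post.

# is_null_routed DIR NAME: true if DIR/NAME is a symlink pointing at /dev/null.
is_null_routed() {
    [ -L "$1/$2" ] && [ "$(readlink "$1/$2")" = "/dev/null" ]
}

# null_route_log DIR NAME: make DIR/NAME a symlink to /dev/null.
# Safe to run repeatedly (e.g. after every reboot of the device).
null_route_log() {
    dir=$1
    name=$2
    tmp="$dir/.$name.tmp.$$"
    # Already redirected: nothing to do.
    is_null_routed "$dir" "$name" && return 0
    rm -f "$tmp"
    ln -s /dev/null "$tmp" || return 1
    # Renaming the link over the log replaces it in a single step, so the
    # logger never sees a moment where the name is missing and cannot
    # re-create a plain file between an rm and an ln.
    # Caveat: a process that already holds the old file open keeps writing
    # to the unlinked file until it reopens the path.
    mv -f "$tmp" "$dir/$name" || { rm -f "$tmp"; return 1; }
    is_null_routed "$dir" "$name"
}

# log_discards_writes DIR NAME: append a line and confirm nothing was stored.
log_discards_writes() {
    echo "constructed test entry" >> "$1/$2" || return 1
    [ ! -s "$1/$2" ]
}

# Demonstration on a scratch directory with a constructed log file.
demo_null_route() {
    scratch=$(mktemp -d) || return 1
    echo "constructed entry: example.test" > "$scratch/log_web_activity"
    # The second null_route_log call exercises the "already redirected" path.
    null_route_log "$scratch" log_web_activity &&
        null_route_log "$scratch" log_web_activity &&
        log_discards_writes "$scratch" log_web_activity
    status=$?
    rm -rf "$scratch"
    return $status
}

demo_null_route && echo "log is redirected to /dev/null"
```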

Now, I’m not saying there might not be people who might have uses for that activity log, but I just don’t think there’s any good reason for my ISP or the manufacturer to put something like that on my modem by default without asking for permission, and plenty of evil reasons for them to do so. This is bad form by industry, and given that your average Joe is unlikely to take precautions to make the box less accessible from the outside, it seems to me to be a reasonably serious violation of privacy. Or maybe the FBI will start getting subpoenas for web activity logs for all Americans who’ve looked at German websites this week dedicated to grumpy bread-shaped puppets with arms that are way too short because some terrorist had bread for breakfast.

Either way, bad idea, Qwest and Actiontec. Bad idea.

Disclaimer: I’m not affiliated with Qwest or Actiontec. Sometimes I’m barely affiliated with me. I also take no responsibility for your modem breaking, exploding, or calling up the FBI to tell them about your bread-shaped puppet fetish. If you really don’t know what you’re doing, call someone (not me) and ask. Use this information at your own risk.

Edit: Thanks to bluezoo7 for catching my typo in the log path…


37 Responses to How to disable the Actiontec DSL modem web activity log

  1. bluezoo7 says:

    Brilliant! Privacy should not have to be a hack.

    FYI: On a “generic” out-of-the box GT704-WG, the log_web_activity file is located in /var/tmp.

  2. bluezoo7 says:

    Of course, it just occurred to me that the ramification of this hack is that port 23 is open on the inside port of this device with no settings to change it. It makes one wonder what other open ports are on this box…especially on the Internet-side. Time to run Nessus!

  3. Krista says:

    /var/log was a typo on my part – thanks for the catch!

  4. Christian says:

    Note that the web activity log hack only works until the next reboot — the /var system is a partition in memory and is gone completely after a reboot — including your symlink. Sadly, it is not possible to fix this by editing the startup scripts to automatically re-create the link: all of those are in read-only memory. The only way to fix this would be to re-build the entire ROM image (essentially do a firmware update).

    Just thought you should know about this limitation to the hack.

  5. Nicholas says:

    Thanks, I was wondering how to get rid of that stupid thing. It makes sense to go into the actual OS it runs in to modify it. I don’t suppose you know how to set the thing up as just a gateway? My modem is acting like a router by doing both NAT and DHCP and my modem is hooked up to my Router which is doing the same thing so I have to be creating some sort of lag by doing that. Thanks again.

  6. Anonymous says:

    This sounds great, but the Actiontec modem will still glitch on DNS queries because of the way it handles them.
    Even after redirecting the web activity log, it continues to process each and every DNS packet passing through it.
    This can bottleneck at the modem – especially if downstream clients use different look-up servers.
    The only way to truly eliminate this problem is with an iptables hack…
    iptables -D FORWARD ##
    where ## is the number of the line in the FORWARD chain that sends port 53 (domain) packets to the QUEUE target.
    An insert to forward all DNS look-ups (iptables -I FORWARD -p udp --dport 53 -j ACCEPT) and server replies (iptables -I FORWARD -p udp --sport 53 -j ACCEPT) is required, first.
    This should bypass the difficulty entirely.
    The QUEUE lines in the INPUT and OUTPUT chains can also be deleted – nobody I know runs a domain name server with an Actiontec!
    Even if you do, the last thing you’ll want is your modem chewing through every single query and reply just so it can log them before resending.
    Thought this might help.
    More information on the iptables firewall can be found by typing ‘man iptables’ (if you have Linux) or by browsing http://www.netfilter.org/

  7. Anonymous says:

    Errata and addenda for the previous post:

    After login, type the command
    iptables -L
    to list the chains in the active table.

    The second and third default rules in the FORWARD chain are the ones you’ll want to delete.
    They should look like this:
    QUEUE udp -- anywhere anywhere udp spt:domain
    QUEUE udp -- anywhere anywhere udp dpt:domain

    Enter the following commands to delete them:
    iptables -D FORWARD 2
    iptables -D FORWARD 2
    Yes, the same command is given twice (once you delete the original second line, the third rule then becomes the new second).

    Enter the following lines to install the replacement rules in the place of the old ones:
    iptables -I FORWARD 2 -p udp --dport 53 -j ACCEPT
    iptables -I FORWARD 2 -p udp --sport 53 -j ACCEPT
    Giving the command
    iptables -L
    again will confirm the alteration (hopefully everything was entered correctly).

    The ACCEPT target causes the modem to pass packets on port 53 without performing additional look-ups or logging the results.
    The modem will continue to behave this way, even writing the data to the null device (if the link is made), as long as the QUEUE target remains.

    An excellent tutorial on iptables can be found at http://iptables-tutorial.frozentux.net/iptables-tutorial.html

  8. JACQUES says:

    GREAT, THANKS A LOT !!!!!
    I didn’t even know how to use telnet, or what it was for…but thanks to many people like you who like to help others in need.
    I just disabled the web log on my actiontec gt-701…

  9. A. Nony. Mouse says:

    Name withheld because I’m a Qwest employee (for a completely different part of the company, but still). I’m also a customer of their DSL service, have the ActionTec GT-701… and am a career network geek and Linux geek.

    All of the advice above is generally good, though the iptables trick is possibly the most helpful of all — similar tricks will disable the input to the “web log” generator entirely, which saves on the (very limited) CPU of the device.

    Since I run a local DNS server already, disabling the DNS redirect-to-local-process (the QUEUE on port 53) on the router caused an immediate stop in the *extremely* annoying ‘look up a name forever on random queries’ behaviour to stop occurring. Unfortunately, this *does not* appear to be configurable from the GUI, at least in the currently shipped firmware, and given the failure rate I observed even on an unloaded connection, is probably doing more harm than good, even on an average connection.

    There are several sites on the net for those interested in making these modifications permanent; it isn’t particularly difficult to accomplish — just Google for “hacking the GT-701”. For those somewhat less inclined to adventure, but still wanting a better solution, check out the OpenWRT project. They have at least one replacement firmware for this model, though the last time I looked it was still in beta.

    Unfortunately, the unit as it stands (even with the most recent firmware image) is built on a Linux 2.4 kernel, while the 2.6 kernel series drastically improves the network stack; anyone running the baseline image, even with config modifications, would be well advised not to try torrenting over it, or any other usage that creates a large number of connections at once, as it can and will cause the unit to freeze up within a short period of time.

    Anyone interested in fixing these issues would, again, be well advised to check out the OpenWRT project. Just keep in mind that their main image is for the wireless variant of this unit (also sold by Qwest, I believe), but it is quite possible that it will work on the non-wireless variant with few or no modifications.

    For those worried about the telnet port, this *is* configurable, through the ‘Advanced Setup’ portion of the GUI, and defaults to being completely inaccessible over the WAN interface (it’s a simple iptables rule, readily visible in the filter table if you need to confirm it).

  10. butane says:

    I found that the ‘look up a name forever on random queries’ behavior is a result of the router replacing the IP of the first DNS server from the provider with itself, and sometimes it just sucks. So, I edited the udhcpd.conf file and configured the DNS servers correctly. The file is located at /etc/udhcpd.conf.

  11. Carl says:

    Could the original IPtables mod poster post a iptables -L? I think I have it correct, but not sure.

    Copying and pasting the commands above resulted in:

    ‘bdport’ instead of -dport

    I had to use --dport or --destination-port to get it to go through, although there is no indication of the rule being applied only to port 53. Here is what iptables -L gives me:

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    REJECT tcp -- anywhere anywhere state INVALID,NEW,RELATED,UNTRACKED tcp dpt:telnet flags:!SYN/SYN reject-with tcp-reset
    ACCEPT udp -- anywhere anywhere udp spt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    sLog all -- anywhere anywhere sLog max_num 50 timeout 300

    Is ‘domain’ in ‘spt:domain’ an alias for the DNS traffic port?

    In any case, websites were not logged after I performed these instructions.

    In response to butane, try OpenDNS [http://www.opendns.com/] and their servers at:
    208.67.222.222
    208.67.220.220

  12. Bobb says:

    Thanks for the great information! This can be done automatically in Windows with a program called “telnet scripting tool” by creating a batch file and a text file.

    1. Download the stand alone program called “telnet scripting tool” and unzip it. http://www.freewareweb.com/cgi-bin/archive.cgi?ID=645

    2. Open Notepad copy&paste the following text and save it as all files with a name like “logweb.bat”.

    @echo off
    tst10.exe /r:script.txt

    3. Open Notepad copy&paste the following text and save it as a text file with the name “script.txt”.

    192.168.0.1 23
    wait "login:"
    send "admin\m"
    wait "Password:"
    send "admin\m"
    wait "#"
    send "cd /var/tmp/\m"
    wait "#"
    send "rm log_web_activity\m"
    wait "#"
    send "ln -s /dev/null log_web_activity\m"
    wait "#"
    send "exit\m"

    4. Put both of the files in the same folder as the “telnet scripting tool” and create a shortcut on your desktop to the “logweb.bat” file

  13. Nelson says:

    This works great!! Can’t I just write a script in an autoexec.bat file that will work?

  14. dpx137 says:

    you probably don’t want to put it in autoexec.bat since that runs when the computer boots. a better place would be in windows’ startup folder. this way it runs when windows has been logged into – a great place since it will automatically run and at a time that you know for sure the computer has booted successfully.

    also: i did the link workaround on my modem (which is actually an m1000). i noticed significantly increased lag times when loading pages. anyone else notice this?

  15. canyncarvr says:

    Carl: Post 11

    For future readers of this: Note Anonymous’ post including the line:

    iptables -I FORWARD 2 -p udp --dport 53 -j ACCEPT

    ..and Carl’s question regarding the ‘dport’ syntax.

    There are TWO -- (hyphens) preceding ‘dport’. That’s why Carl had the problem. Check the single - before ‘p’ in the same command line. It works exactly as Anonymous posted with the double hyphen.

  16. Pat! says:

    I tried Bob’s script and it keeps getting hung up. It seems to talk to the modem but the telnet scripting tool stops at the prompt “BusyBox on dslmodem login:”. I changed the script to reflect this message (as opposed to just “login:”) and it still does not work. Some unusual things are: a cmd.exe window opens as well as the scripting tool when I run the batch file. Also when I just enter in the info into the scripting tool I type “admin” and it appears like “aaddmmiinn” which seems odd. Any thoughts? Thanks, I am new to all this stuff!!

    • Busyboxer says:

      Initially, I was unable to get “Telnet Scripting Tool” (TST10) to work. I was having the same issue as Pat. You will need to make sure that you are using a DOS font in notepad (I use “Terminal”). TST10 has issues with the stylized quotation marks found in most modern fonts. You will have to replace all of the stylized marks with normal marks after changing the font. I fought with this off and on for a year before finally discovering the issue. Hope this helps!

  17. NaHeMiA says:

    First, thank you all for posting these helpful hints!

    Forgive me if this is off topic, however, this appeared to be the most resource heavy in the matter of privacy regarding the Actiontec DSL modem.

    In configuring and securing the modem I recently received (GT704-WG) I was annoyed to find very limited firewall options, however, I was able to block all of the basic ports I needed. This setup is not for my personal computer as I run customized versions of OpenWRT on several routers.

    I did, however, find in doing a port scan that port 4567 was open. After doing some reading, I found this to be a verizon backdoor. There is much speculation and certainly a great deal of grumbling about this, so I inspected this myself and have found that this does, indeed, point to the web admin page. Meaning it is accessible remotely, regardless of your remote access option being set to off.

    I have worked on the coding of similar closed-source linux based firmware projects for large commercial corps and can say that there is likely IP restriction coded into the httpd or something of the sort. However, if you’re like me, I don’t trust it or want it. Even if I did know how it was configured and secured, I wouldn’t want it open.

    I’ve read of people simply “going to their firewall options” to block this on the WAN. However, as previously stated, the router I received has a painful selection for ip filtration rules. This router allows you to filter a pre-defined (and rather small) set of ports. Most shockingly, the verizon backdoor port is not on this list. ;)

    So enough babble, here’s the fix for my fellow paranoid (this can also be added to the router script mentioned above):

    You can scan your router for this port at: http://www.auditmypc.com/firewall-test.asp

    Telnet login to your router. The default pass for mine is: admin / password

    I find the offending line by typing:

    # iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere anywhere tcp dpt:4567 to:192.168.1.1:80
    DROP tcp -- anywhere anywhere tcp dpt:www

    — The first line is our backdoor. Here’s how you remove it, assuming the line with 4567 is line 1:

    # iptables -t nat -D PREROUTING 1

    — Now we try again and it should look like this
    # iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DROP tcp -- anywhere anywhere tcp dpt:www

    In running a new port scan, no ports are open (yay!)

    I now modify my script to add the following (before the exit):

    wait "#"
    send "iptables -t nat -D PREROUTING 1\m"
    wait "#"
    send "exit\m"

    —- Cheers and happy hacking
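An added example, not part of the thread: the comments above delete rules by position (`iptables -D FORWARD 2` twice, `iptables -t nat -D PREROUTING 1`), which removes the wrong rule if the order on your unit differs. This sketch picks rule numbers by content from a listing and prints the delete commands for review instead of running them; the listings are constructed, the function names are illustrative, and it assumes the modem's iptables accepts `--line-numbers`.

```shell
#!/bin/sh
# Added example: choose iptables rules by what they match, not by position.

# rule_numbers TARGET PROTO PATTERN
# Reads `iptables -L <chain> --line-numbers` output on stdin and prints the
# numbers of matching rules, highest first, separated by spaces.
# PATTERN is an awk regex tested against each field after the protocol.
rule_numbers() {
    awk -v target="$1" -v proto="$2" -v pat="$3" '
        $1 ~ /^[0-9]+$/ && $2 == target && $3 == proto {
            for (i = 4; i <= NF; i++)
                if ($i ~ pat) { n[++c] = $1; break }
        }
        END {
            for (i = c; i >= 1; i--)
                printf "%s%s", n[i], (i > 1 ? " " : "\n")
        }'
}

# delete_commands TABLE CHAIN TARGET PROTO PATTERN
# Prints (does not run) one delete command per matching rule. Deleting from
# the highest number down means no deletion renumbers a rule still to go.
delete_commands() {
    for num in $(rule_numbers "$3" "$4" "$5"); do
        echo "iptables -t $1 -D $2 $num"
    done
}

# Constructed listings modelled on the rules quoted in the comments. The DNAT
# rule is deliberately placed second to show why "line 1" is not a safe guess.
FORWARD_LISTING='Chain FORWARD (policy ACCEPT)
num  target  prot opt source    destination
1    REJECT  tcp  --  anywhere  anywhere  tcp dpt:telnet reject-with tcp-reset
2    QUEUE   udp  --  anywhere  anywhere  udp spt:domain
3    QUEUE   udp  --  anywhere  anywhere  udp dpt:domain
4    sLog    all  --  anywhere  anywhere  sLog max_num 50 timeout 300'

PREROUTING_LISTING='Chain PREROUTING (policy ACCEPT)
num  target  prot opt source    destination
1    DROP    tcp  --  anywhere  anywhere  tcp dpt:www
2    DNAT    tcp  --  anywhere  anywhere  tcp dpt:4567 to:192.168.1.1:80'

# The DNS QUEUE rules in FORWARD ("domain" is port 53; -n listings show 53).
dns_queue_deletes() {
    printf '%s\n' "$FORWARD_LISTING" |
        delete_commands filter FORWARD QUEUE udp '^(spt|dpt):(domain|53)$'
}

# The port 4567 redirect in the nat table.
port_4567_deletes() {
    printf '%s\n' "$PREROUTING_LISTING" |
        delete_commands nat PREROUTING DNAT tcp '^dpt:4567$'
}

dns_queue_deletes
port_4567_deletes
```

On the device the same check is done by eye: list the chain with `--line-numbers`, confirm the target and port on the line you are about to delete, and only then pass its number to `-D`.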

  18. clone says:

    Thank you for this post.

    I made a mistake though and deleted the wrong line: the one that says DROP tcp -- anywhere tcp dpt:www

    Could you please let me know how to reinstate it?

  19. clone says:

    Well, a reboot did the trick.

  20. Monty says:

    I don’t mind the various logs on my router, but my issue is that on my GT-704-WG modem, it seems that according to my system log it’s querying my ISP’s DNS server every 20 seconds or so. Any idea what’s causing that or how to stop the router from querying the ISP DNS server every few seconds when nothing should be querying anything?
    My system log is full of DNS request time out messages even when no computers are querying anything on the internet. I’m also getting messages like the following:
    56:37:06 Elapsed Time syslog: failed dns request len=71,srcip=192.168.1.1, url=64.1.168.192.in-addr.arpa
    This seems to indicate that my router’s trying to look up DNS for even LAN connected computers. So in summary, I still want the logs, but I don’t want my router querying my ISP DNS server every 20 seconds, so what commands should I enter to make that happen? Thanks for anyone that may be able to help here.

  21. jarnold says:

    I am having exactly the same issue, but all of the srcip are from the outside world. I get enough of them that the modem locks up completely in less than 30 mins.
    I have all of my machines behind a linksys which is performing NAT. I have a script that reboots the modem every 30 mins. but there is a pulse of traffic that jams it every day ~ 09:15. I am looking for any help. Thanks

  22. Jake Plissken says:

    I know this may be a dumb question, but how can I edit anything on the device?
    I can’t find vi, vim, or anything to let me edit the files on the router?

    TIA

  23. Anon Nymos says:

    This is running busybox. An editor is not usually necessary for embedded devices. To make edits you would have to tftp over a file edited elsewhere.

  24. Michael says:

    I just wanted to add that linux supports the input of multiple commands on the same line. I’ve put together a string of commands which accomplishes the original post as well as the iptables alterations suggested by another poster. It’s a one string copy & paste job that is a very useful time saver if you have to reset your router or the power goes out.
    Just copy & paste this into a text editor, disable word wrap and make sure it’s all one line, then save it and whenever you need it it’ll be handy.
    NOTE: You still have to telnet into your router and login manually. After you’re logged into the router, then you can input the following:
    iptables -D FORWARD 2; iptables -D FORWARD 2; iptables -I FORWARD 2 -p udp --dport 53 -j ACCEPT; iptables -I FORWARD 2 -p udp --sport 53 -j ACCEPT; cd /var/tmp; rm log_web_activity; ln -s /dev/null log_web_activity

    • Michael says:

      Just wanted to add something. When I originally copied & pasted these commands they did not work right for me. For some reason the font on this website converts two small dashes together as one long dash, then when you copy that into the command line the router doesn’t understand. So I just wanted to point out that there are TWO SMALL DASHES before dport and sport, not one long dash. So make sure that’s right or the command will fail.

  25. Roberto says:

    Wonderful! Thanks for the help.

  26. jay says:

    Couldn’t get it to work on the q1000. It wouldn’t list directory contents either. However, it would let you type help and then type “syslog dump”

  27. Sven says:

    Nice writeup but the ISPs are storing this information on their servers. You are just removing local references….

    • Absolutely true. Keep in mind that (as far as I recall – this was four years ago) this was written around a time when ISPs were complaining about the possibility of being legally obligated to store so much information about customers, and I simply didn’t like the idea that I would be keeping that information available on a distributed basis.

      If you really give a crap about what your ISP sees, you need to be looking at Tor or GNUnet or … – I never make claims of establishing anonymity of any type here ;)

  28. lls says:

    Hi guys,

    I don’t know if this posting is still viable but I have set up a script to delete the web log and found out that there is a system log located at 192.168.0.1/support/utilities and was wondering if there was any way to delete the system log or is it needed for some reason.

    thanks for all your help!

  29. Larry McElroy says:

    I am unable to find the web log, anyone know how to find it?

  30. lls says:

    Hi guys,

    The system log can be found by typing 192.168.0.1/support/utilities into your http: box it will ask you for your username and password after typing it in it will bring up Qwest m1000 website and look at the utilities options box and it is there.

    If anyone knows if it can be deleted or if it is necessary I would like to know.

    thanks

    lls

    • aliencam says:

      on the Actiontec Q1000 the steps are similar:

      telnet 192.168.0.1

      *username/password* (these must be set in advanced>remote Telnet in the GUI, you can leave the “remote telnet” option disabled though.)

      sh (typing “sh” takes you out of the telnet shell and into the full busybox shell)

      cd /var

      rm webActivityLog

      ln -s /dev/null webActivityLog (if you don’t do this immediately after the previous command, it will say “file exists” just make sure nobody is using the network while you are doing this to help avoid that problem)

      exit

      exit (you have to type “exit” twice to get out of the busybox shell, then telnet)

  31. Someone says:

    A lot of you folks are either overly paranoid, or just plain retarded. The ISP’s already keep a more detailed log of your activity. That log is on the modem for your reference, as some people use that information about their own networks for security purposes.

    • Krista says:

      As I said upfront (and really, this post is what… four years old? Is it really worth being nasty over?):

      It’s not like Qwest couldn’t keep track of what we were doing on their own…

      Of course your ISP has all of the information collected here and more, and anyone who really gives a crap about anonymity needs to consider other solutions (Tor, GNUnet, etc). But maybe, hypothetically, I don’t want my roommate, who shares my DSL connection, having access to what porn (or knitting, or music, or whatever) sites I’m checking out, and maybe (like the stupid iPhone location log everyone’s freaked out about) I just don’t want an extra (perhaps insecurely stored) log of my activity hanging around on my devices that I can’t shut off.

      Which, in fact, I didn’t. Whole point of this (ancient) post.

      The issue isn’t the logging, because frankly, you either accept that your traffic goes through intermediaries between you and the destination and that you have no control over who keeps track of what, or you do something to obscure the nature of that traffic as it goes from you to the destination and hope that that is enough.

      You can’t expect your mobile phone provider not to know (or keep track of) your location, but it isn’t unreasonable to want your phone OS 1) not to keep a separate local log of your locations, and 2) if they do, store it securely; similarly, you can’t expect your ISP not to know (or keep track of) your traffic, but it isn’t unreasonable to want your (ISP-mandated) DSL modem not to keep a separate local log of your traffic, either.

      Whether that’s overly paranoid or not is subject to debate, but philosophically, I object to being forced to store logging information on my own hardware that I would rather not have stored locally.