Skynet - Router Firewall & Security Enhancements
I just so happened to do a clean install for other reasons and noticed, install process went smooth and all working as expected. Now we can both relax :p
I plan to do the same on my main router 86U. It's been through a lot since I got it and I want to use a faster USB stick on it.
So yeah, lean back and enjoy.
 

If you're planning on buying a faster USB drive, I just ordered and received a Sandisk Extreme Go 64GB USB 3.1 for EUR 26,50 (CHF 30,30). Not sure whether they're lowering its price globally, but I haven't seen it this low anywhere. I believe it's still considered the fastest USB drive out there currently.
 
So the only piece of software that I have installed on this was esfileexplorer, which is listed under the domain estrongs.com. A whois of estrongs.com shows that it was registered by a DNS registrar in Xiamen, China. Can't be sure, but if/why esfileexplorer decided to phone home would be worrisome. This device isn't rooted, but esfileexplorer is commonly used as a root file explorer.
esfileexplorer is pretty well known to do some sketchy stuff in the background (like call China.) I quit using it a while back because of that.
 
Thanks, I read up on it. I hadn't really used it in a while and had it on the firestick to transfer files to it. I uninstalled it from all of my devices. I'm surprised that more people don't realize this.
 
Wow.... Uninstalled too. What a horrible app.

On another note what is Ban AIProtect for in the options? I have it set to Enable.

 
Basically it bans what Trend Micro deems bad.
 
Which the Aiprotection doesn't do already?
I'll leave it on then.

They look at traffic in different ways, kind of. Think of it as an added layer of security.:)
 
Not quite related, but is it possible to see the IDS logs in a terminal?

I also want to filter the firewall logs, where does the log output go? I could just use grep in a terminal to say filter for specific clients or events.

 

That would be your syslog server that you are forwarding your logs to :) I'm using my NAS as I am too lazy to set up ELK again for my home just for this.

The logs are kept in the router syslog for an hour or so and Skynet then wipes the log every hour, or enable debug to terminal and capture it.

By default, traffic logs (non-Skynet) are not enabled in Merlin; you need to go into settings and enable it for all traffic if you want to see full traffic logs.
 
I certainly don't want to see all traffic logs, although some aggregate statistics or even graphing would be handy. I have Skynet debug enabled now; I will disable it as it does generate a lot of information and for limited value, I assume.
If logs rotate and are flushed or whatever, it is feasible to simply create some script or something that uses tail and grep to filter output to other files, which would also be very resource light and not need an SSH terminal permanently logged in to run. E.g. if I wanted logs for certain internal IPs (clients) or MAC addresses.

I have Syslog also now set to send to a local file. But thankfully it is not clogging up with firewall logs when I look at it through a terminal.

-- Edit --

I have decided to keep debugging enabled as it seems logging and reporting does not work without this, and it is very useful.

I.e. I noticed from the report that my phone has a lot of blocked outbound connections to pasta.n.shifen.com - which is in China - and so I wonder if that's the ES File Explorer app people said is spyware (now uninstalled). I have also now blocked China outright (and Russia). I will progressively go through blocking the most corrupt countries on the planet - although I imagine they route traffic anyway so it won't capture all of it but it still helps.

I am impressed the report could identify that device. And that AIProtect does not seem to block that outbound connection, so now I have multiple layers of protection - AIProtect, Diversion, and Skynet.. pretty solid eh?

My Android phone VPN now auto-connects when I disconnect from my home WiFi too so I get the home protection on the go (I hope).

Love how I can do this!!!
 
> I certainly don't want to see all traffic logs, although some aggregate statistics or even graphing would be handy. I have Skynet debug enabled now; I will disable it as it does generate a lot of information and for limited value, I assume.
> If logs rotate and are flushed or whatever, it is feasible to simply create some script or something that uses tail and grep to filter output to other files, which would also be very resource light and not need an SSH terminal permanently logged in to run. E.g. if I wanted logs for certain internal IPs (clients) or MAC addresses.
>
> I have Syslog also now set to send to a local file. But thankfully it is not clogging up with firewall logs when I look at it through a terminal.

Take a look at the built in skynet reports then.

firewall stats display
firewall stats search

It's not a replacement for searching through logs though.

With debug turned on skynet does a decent job of cleaning up syslog on the router itself. Only the last hour is in syslog so if you need it to troubleshoot its there.
 
> On another note what is Ban AIProtect for in the options? I have it set to Enable.

AiProtect only blocks exploits but allows all other traffic from a potentially malicious IP. Skynet taps into AiProtect's logs and takes this a step further, so any time an IP is flagged for trying to exploit your router Skynet will block ALL further traffic.

> Not quite related, but is it possible to see the IDS logs in a terminal?

AiProtect doesn't use a log file but instead a SQLite database.

> I also want to filter the firewall logs, where does the log output go? I could just use grep in a terminal to say filter for specific clients or events.

Skynet purges its own logs from syslog to "/tmp/mnt/USBNAME/skynet/skynet.log"

> My Android phone VPN now auto-connects when I disconnect from my home WiFi too so I get the home protection on the go (I hope).

I have a similar setup with my iPhone, very convenient.
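The tail/grep filter asked about above, as an added example (this is not Skynet's own code and not from any poster). It assumes the blocked-connection lines Skynet moves into skynet.log are in the kernel netfilter LOG format (IN= OUT= MAC= SRC= DST= PROTO= SPT= DPT=) carrying a "[BLOCKED - <direction>]" prefix, and that the MAC= field lists dst-mac:src-mac:ethertype, so a LAN client's own MAC sits in bytes 7-12. The sample log is constructed with documentation addresses; the USBNAME path is the placeholder from the reply above.

```sh
#!/bin/sh
# Added example: filter Skynet's blocked-connection log for one LAN client
# (by IPv4 or MAC) and summarise blocked peers per client.
# Assumed format: netfilter LOG lines with Skynet's "[BLOCKED - ...]" prefix.
# Sample is constructed (RFC 5737 documentation addresses), not real output.

SAMPLE_LOG='Oct 15 02:10:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:50:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 15 02:10:12 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:50:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=43211 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 15 02:10:40 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:50:08:00 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=43212 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 15 02:11:02 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=00:11:22:33:44:66:de:ad:be:ef:00:01:08:00 SRC=192.0.2.99 DST=198.51.100.200 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 15 02:11:30 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:51:08:00 SRC=192.168.1.51 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 15 03:00:00 Skynet: [#] 148615 IPs (+0) -- 1706 Ranges Banned (+0) || 55 Inbound -- 0 Outbound Connections Blocked! [save] [2s]'

# Print the blocked lines involving one client. Reads log lines on stdin.
# An IPv4 argument matches SRC= or DST= exactly; a MAC (or MAC fragment)
# matches anywhere inside the MAC= field, case-insensitively.
skynet_client_lines() {
    awk -v c="$1" '
        /\[BLOCKED - / {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if ((kv[1] == "SRC" || kv[1] == "DST") && kv[2] == c) { print; next }
                if (kv[1] == "MAC" && index(tolower(kv[2]), tolower(c)) > 0) { print; next }
            }
        }'
}

# Aggregate blocked connections for one client IP per peer and direction.
# Lines with SRC=client are outbound (keyed by DST); DST=client are inbound
# (keyed by SRC). Output: "count direction peer", most frequent first.
skynet_client_summary() {
    awk -v c="$1" '
        /\[BLOCKED - / {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
            }
            if (src == c)      cnt["OUT " dst]++
            else if (dst == c) cnt["IN " src]++
        }
        END { for (k in cnt) print cnt[k], k }' | sort -rn
}

echo "== blocked connections for 192.168.1.50 =="
printf '%s\n' "$SAMPLE_LOG" | skynet_client_lines 192.168.1.50
echo "== per-peer summary for 192.168.1.50 =="
printf '%s\n' "$SAMPLE_LOG" | skynet_client_summary 192.168.1.50
# On the router (not run here), follow Skynet's own log live; USBNAME varies:
#   tail -F /tmp/mnt/USBNAME/skynet/skynet.log | skynet_client_lines 192.168.1.50
```

Only lines Skynet actually logged can be filtered, so this depends on debug/logging being enabled as discussed earlier in the thread; the summary counts log lines, which is blocked packets rather than distinct connections when a client retries.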
 
Anyone else blocking Brazil? I added Brazil to my block list, but there are a whole host of Microsoft servers in Brazil that are getting blocked. It doesn't seem to impact any functionality that I've been able to pin down so far though, so I've left it blocked for now.

The Brazil Microsoft IPs being blocked, all on port 443:
191.232.99.18
191.232.101.210
191.232.102.2
191.232.107.114
191.232.102.18
191.232.102.2

I think it may be Office 365 business services. It's happening on my wife's iPhone, which is only running Outlook and OneDrive. Or maybe Azure hosted services for some adtech.
 
I've pushed v6.5.1

This fixes an issue with uppercase country abbreviations
Some minor aesthetic improvements
Support for John's LTS fork w/ securemode (thanks @jsbeddow for the help finding correct values)
 
This is likely coincidence with the v6.5.1 upgrade. The 02:26 cron running banmalware command cleared most blocks out! Yikes!

From my syslog this morning (I manually ran banmalware at 07:23 to get blocking back, all blocks shown were Invalid).

Code:
Oct 15 01:25:00 Skynet: [%] New Version Detected - Updating To v6.5.1
Oct 15 01:25:03 Skynet: [%] Restarting Firewall Service
Oct 15 01:25:04 rc_service: service 7960:notify_rc restart_firewall
Oct 15 01:25:04 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Oct 15 01:25:04 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Oct 15 01:25:04 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Oct 15 01:25:26 Skynet: [#] 148615 IPs (+0) -- 1706 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [22s]
Oct 15 02:00:03 Skynet: [#] 148615 IPs (+0) -- 1706 Ranges Banned (+0) || 55 Inbound -- 0 Outbound Connections Blocked! [save] [2s]
Oct 15 02:26:34 Skynet: [#] 66 IPs (-148549) -- 0 Ranges Banned (-1706) || 91 Inbound -- 0 Outbound Connections Blocked! [banmalware] [94s]
Oct 15 03:00:00 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 04:00:00 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 05:00:01 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 05:20:02 Diversion: rotated dnsmasq log files, from /opt/share/diversion/file/rotate-logs.div
Oct 15 06:00:00 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 07:00:00 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 07:23:54 Skynet: [#] 147313 IPs (+147247) -- 1713 Ranges Banned (+1713) || 91 Inbound -- 0 Outbound Connections Blocked! [banmalware] [84s]
 
> This is likely coincidence with the v6.5.1 upgrade. The 02:26 cron running banmalware command cleared most blocks out! Yikes!

Looks like some sort of connectivity issue on one end prevented the update from going smoothly, very much a coincidence.

For reference, is your banmalware run-time always ~90 seconds? On an AC86U this should be much closer to 20.
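A check for the failure mode in the syslog above (a banmalware run that empties the set instead of refreshing it), as an added example that is not Skynet's code and not from either poster. It parses Skynet's hourly "[#]" summary lines using the field layout visible in the pasted log and flags two conditions: an IP count that dropped by more than half of the previous count in one event, and a count below an absolute floor. The floor value is an assumption to tune for your lists, the sample is a constructed copy of the lines from the post, and the /tmp/syslog.log path is assumed for Asuswrt-Merlin.

```sh
#!/bin/sh
# Added example: detect a collapsed Skynet blocklist from its "[#]" summary
# lines, e.g. "... [#] 66 IPs (-148549) -- 0 Ranges Banned (-1706) ... [banmalware] [94s]".
# Sample below is a constructed copy of the syslog pasted in the thread.

SYSLOG_SAMPLE='Oct 15 01:25:00 Skynet: [%] New Version Detected - Updating To v6.5.1
Oct 15 01:25:03 Skynet: [%] Restarting Firewall Service
Oct 15 01:25:26 Skynet: [#] 148615 IPs (+0) -- 1706 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [22s]
Oct 15 02:00:03 Skynet: [#] 148615 IPs (+0) -- 1706 Ranges Banned (+0) || 55 Inbound -- 0 Outbound Connections Blocked! [save] [2s]
Oct 15 02:26:34 Skynet: [#] 66 IPs (-148549) -- 0 Ranges Banned (-1706) || 91 Inbound -- 0 Outbound Connections Blocked! [banmalware] [94s]
Oct 15 03:00:00 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 04:00:00 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 05:20:02 Diversion: rotated dnsmasq log files, from /opt/share/diversion/file/rotate-logs.div
Oct 15 07:23:54 Skynet: [#] 147313 IPs (+147247) -- 1713 Ranges Banned (+1713) || 91 Inbound -- 0 Outbound Connections Blocked! [banmalware] [84s]'

# Usage: skynet_check_counts [floor]   (reads syslog lines on stdin)
# Prints one ALERT line per offending summary line and returns 1 if any,
# so it can drive a cron job or a notification. Default floor (1000 IPs)
# is an assumed sane minimum for a malware-list install.
skynet_check_counts() {
    floor="${1:-1000}"
    awk -v floor="$floor" '
        /Skynet: \[#\]/ {
            ips = -1; delta = 0
            # The token before "IPs" is the current count, the one after is the
            # delta in the form "(+0)" or "(-148549)".
            for (i = 2; i < NF; i++) {
                if ($i == "IPs") {
                    ips = $(i - 1) + 0
                    delta = $(i + 1); gsub(/[()+]/, "", delta); delta += 0
                }
            }
            if (ips < 0) next
            prev = ips - delta                 # count before this event
            secs = $NF; gsub(/[][s]/, "", secs) # "[94s]" -> 94
            reason = ""
            if (delta < 0 && prev > 0 && -delta > prev / 2) reason = "collapse"
            if (ips < floor) reason = (reason == "") ? "below-floor" : (reason ",below-floor")
            if (reason != "") {
                bad++
                printf "ALERT %s %s %s %s ips=%d prev=%d secs=%s reason=%s\n", $1, $2, $3, $(NF - 1), ips, prev, secs, reason
            }
        }
        END { exit (bad > 0) ? 1 : 0 }'
}

printf '%s\n' "$SYSLOG_SAMPLE" | skynet_check_counts 1000 || echo "check exited $? (re-run banmalware / inspect list download)"
# On the router (not run here; syslog path assumed for Asuswrt-Merlin):
#   grep 'Skynet: \[#\]' /tmp/syslog.log | skynet_check_counts 1000
```

On the pasted log this flags the 02:26 banmalware line as a collapse (66 IPs after 148615) and the following hourly saves as below the floor, and stays quiet once the 07:23 manual run restores the list. The secs field is reported alongside because, as the reply above notes, a banmalware run taking ~90 s where ~20 s is expected is itself a hint that the list download is struggling.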
 