What's new

Aegis Aegis (simple yet effective protection)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

HELLO_wORLD

Very Senior Member
Due to new forum rules on threads older than six months, here is a fresh new one, good until April 2021.

Previous thread

Aegis
A firewall blocklist script for Netgear R7800 and R9000 Routers with Voxel firmware.
Should work with some other models as well.

What is it?
It is a script that allows to block a list of IP adresses or ranges for inbound and outbound traffic.
The main purpose is blocking dangerous adresses known for spam, hacking, malware, etc...
The blocklist is automatically generated from known sources (this is editable) and you can add your own IP adresses/ranges as well.

Instructions and installation
https://github.com/bolemo/aegis/blob/master/README.md


Aegis is totally free, and I am not asking for anything if you are using it.
If you wish to make a donation for my work, and are able to, here is a PayPal link:

https://paypal.me/bolemoDonation
If you wish to make a donation, please consider first @Voxel who is doing an incredible amount of work for our routers, and @kamoj who is making an amazing add-on.
 
Last edited:
v 1.2.9
Web Companion should now survive firmware updates like Aegis itself does for a while (if installed on external drive).
Web Companion logs are now showing local names for devices (parsed from hosts file and dhcp hostnames)
 
Just upgraded easily via the Web Companion.

Did notice a bug in the Web Companion logs:
Code:
2020-10-27 02:51:35 Blocked VPN incoming UDP packet from RICHARDSSIPHONE (192.168.1.10)51413 (remote) to 195.35.245.30 6881 (local)

not sure why 192.168.1.10 is recognized as RICHARDSSIPHONE, I'll look in that later.
(192.168.1.10 is reservation with a bogus mac-address, that I manually assigned as a 2nd IP-address for my NAS.)

But 192.168.1.10 is the local IP that is going via VPN to the remote IP 195.35.245.30
So for VPN the local and remote tags seem swapped.
And also, it should be listed as "Blocked VPN outgoing UDP packet" instead of incoming.


And a feature request: option have a filter to only show outgoing traffic that is being blocked.
(as these might point to malware on local devices)
 
Just upgraded easily via the Web Companion.

Did notice a bug in the Web Companion logs:
Code:
2020-10-27 02:51:35 Blocked VPN incoming UDP packet from RICHARDSSIPHONE (192.168.1.10)51413 (remote) to 195.35.245.30 6881 (local)

not sure why 192.168.1.10 is recognized as RICHARDSSIPHONE, I'll look in that later.
(192.168.1.10 is reservation with a bogus mac-address, that I manually assigned as a 2nd IP-address for my NAS.)

But 192.168.1.10 is the local IP that is going via VPN to the remote IP 195.35.245.30
So for VPN the local and remote tags seem swapped.
And also, it should be listed as "Blocked VPN outgoing UDP packet" instead of incoming.


And a feature request: option have a filter to only show outgoing traffic that is being blocked.
(as these might point to malware on local devices)
I will look into that, that is strange (that it is swapped). Is it only for this particular line or are all your vpn log swapped?
If so, the src and dst adresses are swapped in iptables log, and the fix is easy.
To be sure, could you send me a few lines of the output of cat /var/log/log-message | grep -F wg0 (or whatever your VPN tunnel interface name is)? If possible for incoming and outgoing events?
I don’t use vpn on the router, so I can’t test it.

For the filter, it is already there, just uncheck the INCOMING checkbox in the log section, and it will only show OUTGOING (unless you uncheck it too).
 
You are very fast! I took the time to sort in my devices now and name them. For now all reactions that I've had on aegis log been on the router itself it seems. Is it possible to test a blocked a ipfrom computer to see it if it reacts and tell me that it is the computer that are doing bad stuff:)

I also have allot of blocked traffic in the port https://www.speedguide.net/port.php?port=1900.

Seem to be UPnP and SSDP (dont know what that is). But I thought I did not use UPnP.
 
Last edited:
You are very fast! I took the time to sort in my devices now and name them. For now all reactions that I've had on aegis log been on the router itself it seems. Is it possible to test a blocked a ipfrom computer to see it if it reacts and tell me that it is the computer that are doing bad stuff:)

I also have allot of blocked traffic in the port https://www.speedguide.net/port.php?port=1900.

Seem to be UPnP and SSDP (dont know what that is). But I thought I did not use UPnP.

To test outgoing interception, just use ping on a blocked IP from a device on the LAN, for example with the IP a Chinese server that tries a telnet connection to my router:
Code:
ping 61.131.223.33

As for UPnP, since it comes from the outside, it has nothing to do with your settings. It is likely attempts to connect to your router with UPnP protocol (hack...). Since you don’t have it, you are safe (and Aegis is blocking it anyway).
Even if UPnP is enabled on the router, it is supposed to only listen to the LAN side, but...
 
Thank you so much for the answer! So damn great this is now. Will be real easy to troubleshoot. And it works big time!

"Blocked VPN outgoing ICMP packet to 61.131.223.33 (remote) from (My computer) "
 
Thanks @KW. !
The swap is therefore fixed :)
 
1.3.0 is out
Minor bug improvements, and swapped src and dst for vpn logging. That should solve bug noticed by @R. Gerrits
Also aegis log (command) is now giving devices names as well.

Not 100% sure it is fixed:
Code:
2020-10-27 02:52:14 Blocked VPN incoming UDP packet from 195.35.245.306881 (remote) to RICHARDSSIPHONE (192.168.1.10)51413 (local)
2020-10-27 02:51:54 Blocked VPN incoming UDP packet from 195.35.245.306881 (remote) to RICHARDSSIPHONE (192.168.1.10)51413 (local)
2020-10-27 02:51:35 Blocked VPN incoming UDP packet from 195.35.245.306881 (remote) to RICHARDSSIPHONE (192.168.1.10)51413 (local)
2020-10-27 02:39:21 Blocked VPN incoming TCP packet from 172.98.92.6651413 (remote) to RICHARDSSIPHONE (192.168.1.10)45403 (local)
2020-10-27 02:39:09 Blocked VPN incoming TCP packet from 172.98.92.6651413 (remote) to RICHARDSSIPHONE (192.168.1.10)45403 (local)
2020-10-27 02:39:03 Blocked VPN incoming TCP packet from 172.98.92.6651413 (remote) to RICHARDSSIPHONE (192.168.1.10)45403 (local)
2020-10-27 02:39:00 Blocked VPN incoming TCP packet from 172.98.92.6651413 (remote) to RICHARDSSIPHONE (192.168.1.10)45403 (local)

They should be mentioned as:
Code:
Blocked VPN outgoing UDP packet from RICHARDSSIPHONE (192.168.1.10)51413 to 195.35.245.306881 (remote)

see these corresponding entries in /var/log/log-message

Code:
9189:[ 9188.185223] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=172.98.92.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64498 DF PROTO=TCP SPT=45403 DPT=51413 WINDOW=4380 RES=0x00 SYN URGP=0 
9192:[ 9191.192971] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=172.98.92.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64499 DF PROTO=TCP SPT=45403 DPT=51413 WINDOW=4380 RES=0x00 SYN URGP=0 
9198:[ 9197.209247] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=172.98.92.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64500 DF PROTO=TCP SPT=45403 DPT=51413 WINDOW=4380 RES=0x00 SYN URGP=0 
9210:[ 9209.224805] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=172.98.92.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64501 DF PROTO=TCP SPT=45403 DPT=51413 WINDOW=4380 RES=0x00 SYN URGP=0 
9944:[ 9943.015995] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=195.35.245.30 LEN=125 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51413 DPT=6881 LEN=105 MARK=0x32 
9963:[ 9962.812152] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=195.35.245.30 LEN=125 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51413 DPT=6881 LEN=105 MARK=0x32 
9983:[ 9982.878444] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=195.35.245.30 LEN=125 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51413 DPT=6881 LEN=105 MARK=0x32
 
also strange btw why aegis even blocked these...
If I now ping those two public IP-addresses, then they are not blocked by aegis.

hmmm I also now notice that these entries are from a few days back...
If I ping an IP-address that is in aegis-bl.netset, then it is blocked. But I don't see it in /var/log/log-message and thus also not in Web Companion logs..

Guess I'll do a firmware update to latest voxel and then re-run some checks. Because something is strange here.
 
Last edited:
Ghatb
Not 100% sure it is fixed:
Code:
2020-10-27 02:52:14 Blocked VPN incoming UDP packet from 195.35.245.306881 (remote) to RICHARDSSIPHONE (192.168.1.10)51413 (local)
2020-10-27 02:51:54 Blocked VPN incoming UDP packet from 195.35.245.306881 (remote) to RICHARDSSIPHONE (192.168.1.10)51413 (local)
2020-10-27 02:51:35 Blocked VPN incoming UDP packet from 195.35.245.306881 (remote) to RICHARDSSIPHONE (192.168.1.10)51413 (local)
2020-10-27 02:39:21 Blocked VPN incoming TCP packet from 172.98.92.6651413 (remote) to RICHARDSSIPHONE (192.168.1.10)45403 (local)
2020-10-27 02:39:09 Blocked VPN incoming TCP packet from 172.98.92.6651413 (remote) to RICHARDSSIPHONE (192.168.1.10)45403 (local)
2020-10-27 02:39:03 Blocked VPN incoming TCP packet from 172.98.92.6651413 (remote) to RICHARDSSIPHONE (192.168.1.10)45403 (local)
2020-10-27 02:39:00 Blocked VPN incoming TCP packet from 172.98.92.6651413 (remote) to RICHARDSSIPHONE (192.168.1.10)45403 (local)

They should be mentioned as:
Code:
Blocked VPN outgoing UDP packet from RICHARDSSIPHONE (192.168.1.10)51413 to 195.35.245.306881 (remote)

see these corresponding entries in /var/log/log-message

Code:
9189:[ 9188.185223] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=172.98.92.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64498 DF PROTO=TCP SPT=45403 DPT=51413 WINDOW=4380 RES=0x00 SYN URGP=0
9192:[ 9191.192971] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=172.98.92.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64499 DF PROTO=TCP SPT=45403 DPT=51413 WINDOW=4380 RES=0x00 SYN URGP=0
9198:[ 9197.209247] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=172.98.92.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64500 DF PROTO=TCP SPT=45403 DPT=51413 WINDOW=4380 RES=0x00 SYN URGP=0
9210:[ 9209.224805] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=172.98.92.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64501 DF PROTO=TCP SPT=45403 DPT=51413 WINDOW=4380 RES=0x00 SYN URGP=0
9944:[ 9943.015995] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=195.35.245.30 LEN=125 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51413 DPT=6881 LEN=105 MARK=0x32
9963:[ 9962.812152] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=195.35.245.30 LEN=125 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51413 DPT=6881 LEN=105 MARK=0x32
9983:[ 9982.878444] [aegis] IN=br0 OUT=tun21 PHYSIN=ethlan MAC=cc:40:d0:49:88:05:00:1f:33:ea:d0:72:08:00 SRC=192.168.1.10 DST=195.35.245.30 LEN=125 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51413 DPT=6881 LEN=105 MARK=0x32
That is confusing indeed!
So what you have here with 1.3.0 is swapped for VPN, but is not for @KW. , and with 1.2.9., you had it also swapped o_O
I reversed the incoming/outgoing for vpn between 1.2.9 and 1.3.0 so one was correct, the other not.

@KW. : the output you posted was with 1.2.9 or 1.3.0?

@R. Gerrits : according to your log, the way I had it in 1.2.9 was the right one (similar than WAN interface, that seems logical).

So I will revert back to the same src/dst order for VPN than WAN, but before I do, I would like a confirmation from @KW. or someone else using VPN that 1.3.0 is swapping VPN entries.
 
@R. Gerrits : according to your log, the way I had it in 1.2.9 was the right one (similar than WAN interface, that seems logical).

don't fully agree.

Both 1.29 and 1.30 mention Blocked VPN incoming UDP -> it is going from br0 to tun21 so it definatelly is an outgoing UPD -> this bug exists in both versions.

1.29 called 192.168.1.10 remote IP, while it definatelly is a local IP.
This part has been fixed in 1.30.

but 1.30 has introduced a new bug that source and destination have been swapped.
 
@R. Gerrits : did you notice the swap before the devices were named?
I think I found the tricky problem.
 
1.3.1 is out

The swap bug should be definitely gone. I reverted to the order I had in 1.2.9 and I tested using @R. Gerrits log. I think the swap in 1.2.9 was from something else that I corrected on 1.3.0, but since I had inverted, it reswapped :rolleyes:
Anyway, it should be all ok now :)
 
I really appreciate your work and your commitment
only way to prove it
Hai inviato 10,00 EUR a Gabriel ROUSSEAU.
Thank you :)
 
I clicked the gui to do the upgrade from 1.2.8 and I got:
"Error loading command: code 504"

telnet into router:
root@R7800:/$ aegis -v status
aegis 1.3.1 - Verbose mode [level 1]
Status:
- 'aegis' is not active; Settings are clean.
Detailed status:
- Active WAN interface is 'brwan'.
- no VPN tunnel found.
- Actual router time: 2020-10-31 20:00:07
- Blocklist generation time: 2020-10-31 03:40:18

so I:
root@R7800:/$ aegis clean
root@R7800:/$ aegis upgrade
Upgrading:
- Version installed: 1.3.1
- This is already the last version.
root@R7800:/$
root@R7800:/$ aegis restart

which corrected everything and got me back to running again. The restart was probably all I needed.
Thanks again !!
 
I clicked the gui to do the upgrade from 1.2.8 and I got:
"Error loading command: code 504"

telnet into router:
root@R7800:/$ aegis -v status
aegis 1.3.1 - Verbose mode [level 1]
Status:
- 'aegis' is not active; Settings are clean.
Detailed status:
- Active WAN interface is 'brwan'.
- no VPN tunnel found.
- Actual router time: 2020-10-31 20:00:07
- Blocklist generation time: 2020-10-31 03:40:18

so I:
root@R7800:/$ aegis clean
root@R7800:/$ aegis upgrade
Upgrading:
- Version installed: 1.3.1
- This is already the last version.
root@R7800:/$
root@R7800:/$ aegis restart

which corrected everything and got me back to running again. The restart was probably all I needed.
Thanks again !!
uhttpd (NG web server) is very limited and hard to work with. I never encountered the timeout error yet (504).
The timeout occurred apparently before the cgi script reached the restart part, maybe the download took some time for some reason...
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top