amtm amtm step-by-step install guide - L&LD

[L&LD]

You're welcome.

If USB 3.0 mode works well for you, your devices, and your 2.4GHz Wi-Fi use, there is no reason to not use it. But, depending on the USB drive, the router, and the network usage, it may interfere with the 2.4GHz band.

Right now, there is no way to use a bigger than 2GB swap file, officially. Officially meaning amtm sanctioned! Thankfully, we don't seem to need it (yet).

RAM usage is normal. The numbers you're seeing are from the 4TB drive you have attached. A proper NAS is recommended instead.

I'll let others chime in, for your other question.

 

[Wowbagg3r]

RAM usage is normal. The numbers you're seeing are from the 4TB drive you have attached. A proper NAS is recommended instead.

Thanks. I have a NAS but rarely use it. It's noisy, power consuming and slow on startups. I've found attaching a USB3 HDD to a Merlin-powered Asus router has for several years worked very well for my needs on both sites that I run. The AX86U is an upgrade to an AC68U that started to feel a bit sluggish with the latest firmwares.

 

[L&LD]

You're not supposed to turn a NAS off.

Let the right equipment do the work they were meant to do.

 

[elorimer]

- Why should we use USB 2.0 mode? It seems to be working well in USB 3 mode

Two reasons that might not be relevant to you. The first, is that some router models (I think this was so in the 87U) experienced some interference between the 2.4g radio and the USB3 port when it was in USB3 mode. The second is that a lot of USB drives seem to fail early. I chalk this up to heat. I know the cruzer fit I had failed within weeks, and I think the combo of being dinky, and higher power and throughput, was less conducive. I think a metal USB2 in a larger form factor does better. At least, a couple of mine have gone for years.

- Is there any way to know what files or processes are using the swap file?

If you look on the tools menu at least you can see how much of it is being used. On my 86U only 33mb is in use and I've got the router running most everything.

- Booting up the router now only uses about 52% of (1024) MB RAM but a couple of hours later it's back to 98% again. Why is that?

Cache+ buffers. On the tools menu you can see the distribution. Memory is there to be used.

 

[elorimer]

It's noisy, power consuming and slow on startups. I've found attaching a USB3 HDD to a Merlin-powered Asus router has for several years worked very well for my needs on both sites that I run.

My truenas server with 6 disks idles at 33 watts and boots faster than my 86U. But with it I have several layers of redundancy and ransomware protection, plus a plex server and some other things that would bog down the router. To each his own.

 

[rodenti]

I'm planning to set up AMTM following these directions, but I like to know why I'm doing something before I do it.

Step 5 says:
Change SSH Port to '51111'. ... We want to use a different 'default' than Port '22'

Why are we changing the port for SSH?

 

[JaimeZX]

I assume L&LD is recommending that for security purposes. Port 22 is the default for SSH; by changing the port, you eliminate that threat vector for bad actors.

Edit: Not actually "eliminate," but "make it significantly more difficult."

 

[L&LD]

As @JaimeZX correctly stated, it is a straightforward way to make it significantly more difficult for random 'door knockers' to find a door to our networks.

TCP and UDP port numbers - complete list (howdoesinternetwork.com)

 

[rodenti]

As @JaimeZX correctly stated, it is a straightforward way to make it significantly more difficult for random 'door knockers' to find a door to our networks.

TCP and UDP port numbers - complete list (howdoesinternetwork.com)

Thanks. I figured it was for security, but since the reason wasn't explained anywhere in this thread I was concerned that there may have been a conflict with some of the scripts if I left it on the default port.

I'll keep mine on 22... it's open only to my internal network so what can possibly go wrong! (famous last words)

 

[L&LD]

Your internal network is only internal if your devices, accounts, or physical defenses haven't been compromised.

A superior hacker will resist the need to 'show' proof of his accomplishment in any way, shape, or form. Leaving you feeling safe, while you're not.

Change it up and at least make them work for it. They only have to be 'internal' once, after that, they can be anywhere there is a live IP available to them to peruse your network.

 

[XIII]

Won’t a “superior” hacker have heard of “nmap” and find your alternate SSH port in a few seconds anyway?

 

[L&LD]

Sure, he may find the port, would he know what it was for (if a 'user' port was used)?

Simply curious, I'm no hacker.

 

[JaimeZX]

If your stuff is suitably locked-down, the answer is "maybe not."
Scanned my in-laws' RT-AC86U. Without -Pn, nmap doesn't even see a host at that IP.

[jimc@CentOS ~]$ nmap -p0 -v -A -T4 -Pn 76.16.xxx.xxx
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-21 17:06 KST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:06
Completed NSE at 17:06, 0.00s elapsed
Initiating NSE at 17:06
Completed NSE at 17:06, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:06
Completed Parallel DNS resolution of 1 host. at 17:06, 0.01s elapsed
Initiating Connect Scan at 17:06
Scanning c-76-16-xxx-xxx.hsd1.il.comcast.net (76.16.xxx.xxx) [1 port]
Completed Connect Scan at 17:06, 1.00s elapsed (1 total ports)
Initiating Service scan at 17:06
NSE: Script scanning 76.16.xxx.xxx.
Initiating NSE at 17:06
Completed NSE at 17:06, 0.00s elapsed
Initiating NSE at 17:06
Completed NSE at 17:06, 0.00s elapsed
Nmap scan report for c-76-16-xxx-xxx.hsd1.il.comcast.net (76.16.xxx.xxx)
Host is up.

PORT STATE SERVICE VERSION
53/tcp open domain


NSE: Script Post-scanning.
Initiating NSE at 17:06
Completed NSE at 17:06, 0.00s elapsed
Initiating NSE at 17:06
Completed NSE at 17:06, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

 

[XIII]

nmap -p0

Doesn't that mean that you only scan a single port?

Results seem to suggest that:

Completed Connect Scan at 17:06, 1.00s elapsed (1 total ports)

Can you please try "-p-" instead? (To scan all ports in the 1-65535 range)

For me it quickly finds all open ports on a device (including the SSH port).

You then just have to telnet to each of these ports to find out which port is used for the SSH service...

For example for a Raspberry Pi telnet reported this when attempting to connect to the correct port:

SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2

See this article for details: https://lonesysadmin.net/2012/10/19/on-using-alternate-ports-for-ssh/

 

[JaimeZX]

Doesn't that mean that you only scan a single port?

Doh - you are right.

Can you please try "-p-" instead? (To scan all ports in the 1-65535 range)

For me it quickly finds all open ports on a device (including the SSH port).

[jim@CentOS ~]$ nmap -T4 -n -p 1-65000 76.16.xxx.xxxx (forgot the -Pn)
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-21 18:08 KST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.02 seconds

[jim@CentOS ~]$ nmap -Pn -T4 -n -p 1-65000 76.16.xxx.xxx
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-21 18:08 KST
Nmap scan report for 76.16.xxx.xxx
Host is up (0.00056s latency).
Not shown: 64999 filtered ports
PORT STATE SERVICE
53/tcp open domain

Nmap done: 1 IP address (1 host up) scanned in 88.03 seconds

The "filtered" ports mean the far-side firewall is set to DROP.

If you want me to PM me your public IP I'm happy to scan you and send you what I get back.

 

[XIII]

Oops, I now realise that I ran nmap from within my network...

However, a second run with the VPN of my employer active gives similar results; the SSH port is still found (though it takes way more time to find it).

Does anybody know a way to run nmap on an iOS device? (so I can try it on cellular; to be 100% sure I'm not on my local network)

 

[XIII]

Network Radar is an iOS App that can scan all ports of an IP or domain.

It's quite slow if you want to scan all 65535 ports, but when I let it scan a small range above 1024 where I have the SSH ports mapped to, it easily detected those ports (while being on cellular, so not on my local network).

It did not list them as SSH, but since there only a few ports open, it's simple to use telnet to figure out which ones are the SSH port(s).

 

[L&LD]

When there are billions of IP's available to scan, slow(er) is as good as impossible.

Thanks for proving my point above @XIII.

And I know when computers have increased capabilities by orders of magnitude in the near future, people will see my comments and lol...

 

[JaimeZX]

Something to try as a temporary work-around to increase swap file size (which worked for me):

1. Temporarily disable Skynet and Diversion.
2. Delete swap file via amtm.
3. Create new 1 GB swap file via amtm.
4. Restart Skynet and Diversion.

Well. Tried this technique so I could update one of my routers from 1GB to 2GB, but it just auto-recreates a 1GB file immediately after selecting "delete." So. Not sure what to do about this.
(Edit: My 3200 was already 2GB, but my 86Us both have 1GB /swap)

 

[elorimer]

Well. Tried this technique so I could update one of my routers from 1GB to 2GB, but it just auto-recreates a 1GB file immediately after selecting "delete." So. Not sure what to do about this.
(Edit: My 3200 was already 2GB, but my 86Us both have 1GB /swap)

This is not responsive, but my 86U is after 3 days up using .15% of its 2gb swap space.