Skynet Help me understand Skynet's outbound blocked connection

Yiannis

Regular Contributor
Spoiler alert: another topic opened by a novice asking for advice with Skynet.

I have recently installed Skynet on two different Asus routers in different locations that both have a Synology NAS. Both Synology units have more or less the same packages & Docker containers.
I've been getting hundreds of inbound blocking notifications, but it's the outbound blocking notifications I worry about. In both locations, the Synology seems to initiate a connection (which is being blocked) to the same IP address (212.178.135.62).

I was curious to see which ports (source / destination) were involved in these connection attempts. I could then maybe find out which application initiated the connection.
I checked other similar topics and tried the following command, however no ports are visible:

Code:
yiannis@RT-AX86U_Pro-4D00:/tmp/home/root# firewall stats search ip 212.178.135.62
#############################################################################################################
#                                                                                                           #
#                  ███████╗██╗  ██╗██╗   ██╗███╗   ██╗███████╗████████╗    ██╗   ██╗███████╗                #
#                  ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗  ██║██╔════╝╚══██╔══╝    ██║   ██║╚════██║                #
#                  ███████╗█████╔╝  ╚████╔╝ ██╔██╗ ██║█████╗     ██║       ██║   ██║    ██╔╝                #
#                  ╚════██║██╔═██╗   ╚██╔╝  ██║╚██╗██║██╔══╝     ██║       ╚██╗ ██╔╝   ██╔╝                 #
#                  ███████║██║  ██╗   ██║   ██║ ╚████║███████╗   ██║        ╚████╔╝    ██║                  #
#                  ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═══╝╚══════╝   ╚═╝         ╚═══╝     ╚═╝                  #
#                                                                                                           #
#                                 Router Firewall And Security Enhancements                                 #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS                             #
#                                            28/05/2023 - v7.4.3                                            #
#############################################################################################################


=============================================================================================================


[i] Logging Data Detected in /tmp/mnt/usb1/skynet/skynet.log - 5.4M
[i] Monitoring From May 26 19:38:23 To May 29 20:29:18
[i] 19233 Block Events Detected
[i] 4837 Unique IPs
[i] 0 Manual Bans Issued

212.178.135.62 is NOT in set Skynet-Whitelist.
Warning: 212.178.135.62 is in set Skynet-Blacklist.
212.178.135.62 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: firehol_level3.netset"


[i] IP Location - Netherlands (Vodafone Libertel B.V. / AS33915)

[i] 212.178.135.62 First Tracked On May 26 21:06:44
[i] 212.178.135.62 Last Tracked On May 27 02:19:45
[i] 14 Blocks Total

Event Log Entries From 212.178.135.62;

First Block Tracked From 212.178.135.62;
May 26 21:06:44 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=138 TOS=0x0

10 Most Recent Blocks From 212.178.135.62;
May 26 21:10:27 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=138 TOS=0x0
May 26 22:05:47 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=138 TOS=0x0
May 26 22:06:53 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=138 TOS=0x0
May 26 22:17:14 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=86 TOS=0x04
May 26 23:50:16 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=86 TOS=0x04
May 27 00:01:48 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=138 TOS=0x0
May 27 00:26:27 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=138 TOS=0x0
May 27 01:45:28 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=138 TOS=0x0
May 27 01:46:45 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=86 TOS=0x04
May 27 02:19:45 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:54:45:4d:00:90:09:d0:2f:44:d5:08:00 SRC=192.168.177.100 DST=212.178.135.62 LEN=138 TOS=0x0


Top 10 Targeted Ports From 212.178.135.62 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------

--*

Top 10 Sourced Ports From 212.178.135.62 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------

*--


=============================================================================================================


[#] 36134 IPs (+0) -- 2222 Ranges Banned (+0) || 1658 Inbound -- 7 Outbound Connections Blocked! [stats] [10s]

Any suggestions on how to troubleshoot further?
 
One option is, you could travel to [i] IP Location - Netherlands (Vodafone Libertel B.V. / AS33915) and ask them what ports they were trying to find open? To be honest I have no clue, I am just as curious as you are. I await to see the experts @dave14305 and @EmeraldDeer share their vast knowledge from my vantage point on the other side of the rainbow.
 
Hard to tell from internet search results for that IP address whether it is malware infection or simply torrents
 
Transmission is running, but the download list was empty.

I was trying to understand Skynet’s output and was hoping to get port details when running the (firewall stats search ip 212.178.135.62) command. Clearly I must be doing something wrong; that's why I opened this thread.
 
I do not have a recent enough example of an outbound block to test in Skynet. I log the outbound blocks to syslog which is also forwarded to a PC. The PC syslogs go back to 2019. Those outbound entries are not truncated and include a destination port.

Perhaps you can catch this happening live and investigate with netstat -ap
 
As per @EmeraldDeer's comment, your problem appears to be the configuration of your terminal session. It is truncating the right side of the output which contains the port information. So check the settings in your terminal emulator, or use a different emulator.
 
Thank you very much for your responses. Source port 51413, the one used by Transmission. Really strange since I have no active downloads.
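
The replies above locate the port fields at the right-hand end of each log entry, where the terminal cut them off. As an added example (not code from the thread or from Skynet), this sketch reads the log file directly and tallies protocol and ports per destination, counting entries that lack those fields; the function names and all sample lines are constructed, and the standard iptables LOG field layout is assumed.

```shell
# Added example (not Skynet code): tally PROTO/SPT/DPT of blocked outbound
# packets to one destination, read from the log file instead of the screen.

# summarize_outbound LOGFILE DEST_IP
# Prints "<hits> <PROTO> SPT=<n> DPT=<n>" per tuple, most hits first, then
# "truncated <n>" for matching lines that were cut off before PROTO=.
summarize_outbound() {
    awk -v ip="$2" '
        index($0, "[BLOCKED - OUTBOUND]") == 0 { next }
        {
            dst = proto = spt = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/)   dst   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^SPT=/)   spt   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (dst != ip) next
            if (proto == "") { truncated++; next }
            # ICMP entries carry no ports, so tally them by protocol alone.
            key = proto
            if (spt != "") key = key " SPT=" spt " DPT=" dpt
            hits[key]++
        }
        END {
            cmd = "sort -k1,1nr -k2"
            for (k in hits) print hits[k], k | cmd
            close(cmd)
            print "truncated", truncated + 0
        }
    ' "$1"
}

# Constructed sample entries; addresses come from the documentation ranges
# and every port except 51413 is made up.
make_sample_log() {
    cat > "$1" <<'EOF'
May 26 21:06:44 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.100 DST=203.0.113.7 LEN=138 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=51413 DPT=6881 LEN=118
May 26 21:10:27 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.100 DST=203.0.113.7 LEN=138 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=51413 DPT=6881 LEN=118
May 26 22:05:47 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.100 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40522 DPT=443 WINDOW=29200 SYN
May 26 22:17:14 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.100 DST=203.0.113.7 LEN=86 TOS=0x04
May 26 23:50:16 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=443 DPT=40522
May 27 00:01:48 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.100 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=50000 DPT=80
EOF
}

log=$(mktemp); make_sample_log "$log"
summarize_outbound "$log" 203.0.113.7
rm -f "$log"
```

A non-zero "truncated" count means the entries were cut short in the log file itself rather than only on screen. The log path shown in the first post's output is /tmp/mnt/usb1/skynet/skynet.log; that the router's BusyBox awk and sort behave the same as on a desktop system is an assumption.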
 
