Skynet Skynet - Router Firewall & Security Enhancements

[hervon]

Might be a github thing, try a force update and it should download the most recent version.

Does not work. I'll try tomorrow

 

[joe scian]

Might be a github thing, try a force update and it should download the most recent version.

didnt work for me either wont upgrade to 6.2.2

 

[Adamm]

@Adamm, did you bump the version number back to 6.2.1 on purpose with your last change or was that a typo?

Does not work. I'll try tomorrow

didnt work for me either wont upgrade to 6.2.2

Was a typo on my end, you're on the latest version I just numbered it incorrectly. Should be corrected now.

 

[joe scian]

yep rerun the update and now it says 6.2.2 thanks

 

[.TT.]

Looks like Skynet isn't running. Try use the restart command or run through the installer again to fix any issues.

Removed and reinstalled skynet. All good.
Thanks

 

[Netbug]

@Adamm

I understand the 'Toggle Ban AiProtect' option but not sure what the two options below do and there purpose?

[8]  --> Toggle PrivateIP Filtering
[9]  --> Toggle Invalid Packet Logging

Could you explain? i've enabled them at the moment but would like to understand what there purpose is and what they do.

The Ban AiProtect is a great feature i think, every now and then i used to go to 'AiProtection Two-Way IPS' tab and manually add the IPs to skynet, it's great as saves me doing it manually and saves some time.

Thank you.

 

[TheUntouchable]

@Adamm

[8]  --> Toggle PrivateIP Filtering
[9]  --> Toggle Invalid Packet Logging

It would be also very cool to see if this toggles are activated or deactivated at the moment

 

[Adamm]

@Adamm

I understand the 'Toggle Ban AiProtect' option but not sure what the two options below do and there purpose?

[8]  --> Toggle PrivateIP Filtering
[9]  --> Toggle Invalid Packet Logging

Could you explain? i've enabled them at the moment but would like to understand what there purpose is and what they do.

The Ban AiProtect is a great feature i think, every now and then i used to go to 'AiProtection Two-Way IPS' tab and manually add the IPs to skynet, it's great as saves me doing it manually and saves some time.

Thank you.

( sh /jffs/scripts/firewall debug unbanprivate enable|disable ) Enable/Disable Unban_PrivateIP Function
( sh /jffs/scripts/firewall debug loginvalid enable|disable ) Enable/Disable Invalid Packet Logging

 

[Adamm]

I've pushed v6.2.3

This adds a feature I call "secure mode". This feature will prevent both SSH and the WebUI being exposed to WAN. This feature was directly inspired by the recent wave of routers being compromised. Hopefully this prevents (or at least slows down) routers being taken over by immediately disabling these settings if they are toggled.

If anyone else has other IOC's (indicators of compromise) that are relevant to this exploit, let me know and I can add further checks. I know it also changes the language to Chinese, enables PPTP VPN server and DDNS but I need more information to detect this accurately (maybe they use a common PPTP/DDNS username).

To enable this feature;

sh /jffs/scripts/firewall debug securemode enable

 

[Adamm]

I've pushed v6.2.4

This will check PPTP for suspicious settings as there is a common string used on compromised routers. Still looking into common DDNS IOC's.

 

[Mutzli]

Adamm, is there a flag that can be checked when any of these new security features is enabled or disabled?

 

[Adamm]

Adamm, is there a flag that can be checked when any of these new security features is enabled or disabled?

You will get a notification in the syslog of either the 3 following things;

[WARNING] Insecure Setting Detected - Disabling WAN SSH Access


[WARNING] Insecure Setting Detected - Disabling WAN GUI Access


[WARNING] PPTP VPN Server Shows Signs Of Compromise - Investigate Immediately!

 

[Mutzli]

One more question, once enabled, do they stay enabled after a router reboot?

 

[Adamm]

One more question, once enabled, do they stay enabled after a router reboot?

Secure mode is a persistent setting in Skynet. Once enabled it will check the router upon startup and once per hour for these potentially malicious indicators.

 

[Ubimo]

Why does skynet not block as many domains as ab-solution?
For example, ab-solution says it's blocking 641567 domains but skynet says it's only blocking 108326?

 

[visortgw]

Why does skynet not block as many domains as ab-solution?
For example, ab-solution says it's blocking 641567 domains but skynet says it's only blocking 108326?

T

Why does skynet not block as many domains as ab-solution?
For example, ab-solution says it's blocking 641567 domains but skynet says it's only blocking 108326?

Two different purposes: adware (AB-Solution) vs malware (Skynet)...

 

[Adamm]

Why does skynet not block as many domains as ab-solution?
For example, ab-solution says it's blocking 641567 domains but skynet says it's only blocking 108326?

T

Two different purposes: adware (AB-Solution) vs malware (Skynet)...

Apples and oranges. AB-Solution is a DNS blocking solution, Skynet is IP based. With shared hosting for instance, one IP can be potentially linked to thousands of domains. Not only this but some of the IP CIDR ranges alone cover thousands of IPs in an optimised format.

 

[XIII]

This feature will prevent both SSH and the WebUI being exposed to WAN.

Is it possible to allow specific exceptions?

I would like to allow SSH on WAN via keys only, but prevent password based access (SSH, WebUI).

 

[Martin_D]

Thank you Adamm for the new secure mode feature

 

[Mojolacerator]

Secure mode is a persistent setting in Skynet. Once enabled it will check the router upon startup and once per hour for these potentially malicious indicators.

We don't have to re-enable after upgrading either, correct?
(just making sure)