Skynet - Router Firewall & Security Enhancements

Why does Skynet take 2 minutes and thirty seconds to start?
Could be the country ban? Mine's a lot quicker than that but no country ban blocked.
Code:
Jan 14 16:15:31 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/bluestar/skynet )
Jan 14 16:15:31 custom_script: Running /jffs/scripts/service-event (args: restart diskmon)
Jan 14 16:16:05 Skynet: [%] Mounting Skynet Web Page As user1.asp
Jan 14 16:16:06 Skynet: [#] 155783 IPs (+0) -- 1619 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [35s]
 
Why does Skynet take 2 minutes and thirty seconds to start?

Startup time can depend on a variety of factors, including NTP sync time, shared-*-whitelist size and the size of your stats file.


As for your NTP issues, I'm surprised you didn't notice it earlier with the following messages in your syslog:

logger -st Skynet "[*] Waiting For NTP To Sync"
logger -st Skynet "[*] NTP Failed To Start After 5 Minutes - Please Fix Immediately!"

With that being said, I'm not sure Skynet can be to blame. Skynet won't load any iptables rules until NTP has synced, meaning it can't possibly be the reason for NTP failing to initially sync time as it won't yet be blocking anything.

If Skynet were the issue, you would see a bunch of "OUTBOUND" hits in your syslog. I personally use time.cloudflare.com and haven't experienced this issue.
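
The syslog check described in the reply above, as an added example that is not part of the original post and is not Skynet's own code: it counts Skynet block entries per direction and flags outbound blocks aimed at NTP (UDP port 123). The `[BLOCKED - OUTBOUND]` tag and the netfilter LOG field layout (`SRC=`, `DST=`, `PROTO=`, `DPT=`) are assumptions, the function names are hypothetical, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Assumed log layout:
# "[BLOCKED - <DIRECTION>]" followed by standard netfilter LOG fields.

# Write constructed sample syslog lines (documentation/private addresses) to $1.
write_sample() {
    cat > "$1" <<'EOF'
Jan 14 16:16:06 Skynet: [%] Startup Initiated...
Jan 14 16:20:01 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=44321 DPT=23
Jan 14 16:20:03 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 PROTO=UDP SPT=5071 DPT=5060
Jan 14 16:20:05 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.1 DST=192.0.2.123 PROTO=UDP SPT=123 DPT=123
Jan 14 16:20:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.80 PROTO=TCP SPT=50112 DPT=443
EOF
}

# Count block entries for one direction. $1 = INBOUND|OUTBOUND, $2 = log file.
count_blocked() {
    awk -v tag="[BLOCKED - $1]" 'index($0, tag) { n++ } END { print n + 0 }' "$2"
}

# Print "PROTO/DPT DST" for every outbound block, one per line.
outbound_hits() {
    awk 'index($0, "[BLOCKED - OUTBOUND]") {
        proto = dst = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/)    proto = substr($i, 7)
            else if ($i ~ /^DST=/) dst   = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt   = substr($i, 5)
        }
        print proto "/" dpt, dst
    }' "$1"
}

# Count outbound blocks aimed at NTP (UDP port 123).
ntp_blocked() {
    outbound_hits "$1" | awk '$1 == "UDP/123" { n++ } END { print n + 0 }'
}

# One-line answer to "is the firewall the reason NTP cannot sync?"
ntp_verdict() {
    if [ "$(ntp_blocked "$1")" -gt 0 ]; then
        echo "outbound NTP is being blocked"
    else
        echo "no outbound NTP blocks logged"
    fi
}

# Demo on the constructed sample; point the functions at a real syslog instead.
log=$(mktemp) && write_sample "$log"
echo "inbound=$(count_blocked INBOUND "$log") outbound=$(count_blocked OUTBOUND "$log")"
ntp_verdict "$log"
rm -f "$log"
```

If the verdict reports no outbound NTP blocks while time still fails to sync, the cause lies outside the firewall rules, which matches the reasoning in the reply.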
 
This list does not cause any problems:
ae af bg bh br cd cn cu ee eg et il iq ir it kp kw ky kz la lb lr ly md mx ng ni nl om pk ps qa ru rw sa sb sd so ss su sy tr tw ua ug ve vn ye zw

FWIW my list: ae af al am ao az ba bd bf bh bn bo br bw by cf cg ci cm cn co dj er ga gh gm hk iq ir kg kh kp kr kw kz la lb lr mo ng mz ni om ph pw qa ru rw sa sl so su tj tm tw ua ug uz ve vn ye zw
 
I've pushed v7.0.8

Code:
Remove unless output from WriteStats_ToJS ()
Improve LAN_CIDR_Lookup () ( thanks @wbartels )
Remove whitespace
Uninstall WebUI on restart/disable
Improve debug info output
Add various new debug info tests to streamline support questions
Fixed multiple bugs in WebUI ( thanks @itsJarrett )
Remove temporary WebUI bug mitigation
Accommodate dnsmasq log-queries=extra ( thanks @dave14305 )
Fix IPTables BFP rule bugs
Support WebUI on Johns Fork
Support new addon API identifier
 
Hi Adam.

Just had this great extra logging with WebUI enabled, but my syslog is flooding like crazy with [BLOCKED - INBOUND] IN=eth0 OUT....

Restarted my router a couple of times but it won't help.

Time is synced with time.cloudflare.com.

Any thoughts?

FW Version; 384.15_alpha1-gbbe574ca0d (Jan 14 2020) (4.1.27)

Test Description | Result
-------------------- | ----------
Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
Service-Event Entry | [Passed]
SWAP File | [Passed]
Cron Jobs | [Passed]
NTP Sync | [Passed]
IPSet Comment Support | [Passed]
Log Level 0 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
IPSets | [Passed]
IPTables Rules | [Passed]
Local WebUI Files | [Passed]
Mounted WebUI Files | [Passed]
MenuTree.js Entry | [Passed]
Diversion Plus Content | [Passed]
Setting | Status
-------------------- | ----------
Skynet Auto-Updates | [Enabled]
Malware List Auto-Updates | [Enabled]
Logging | [Enabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid Packets | [Disabled]
Ban AiProtect | [Enabled]
Secure Mode | [Enabled]
Fast Switch List | [Disabled]
Syslog Location | [Default]
IOT Blocking | [Disabled]
Country Lookup For Stats | [Enabled]
CDN Whitelisting | [Enabled]
Display WebUI | [Enabled]
17/17 Tests Sucessful
 
Hi Adam.

Just had this great extra logging with WebUI enabled, but my syslog is flooding like crazy with [BLOCKED - INBOUND] IN=eth0 OUT....

Restarted my router a couple of times but it won't help.

Time is synced with time.cloudflare.com.

Any thoughts?

FW Version; 384.15_alpha1-gbbe574ca0d (Jan 14 2020) (4.1.27)
That's normal when SkyNet logging is enabled. It's required for the stats generation for the UI, and Skynet will clean out old entries every hour on the hour. Proof that it's working!
 
Hi Adam.

Just had this great extra logging with WebUI enabled, but my syslog is flooding like crazy with [BLOCKED - INBOUND] IN=eth0 OUT....

Restarted my router a couple of times but it won't help.

Time is synced with time.cloudflare.com.

Any thoughts?

FW Version; 384.15_alpha1-gbbe574ca0d (Jan 14 2020) (4.1.27)

This is a completely normal operational install of Skynet; you are getting the best of its features. That includes logging. You can turn it off but you lose your stats.
 
Hi Adam.

Just had this great extra logging with WebUI enabled, but my syslog is flooding like crazy with [BLOCKED - INBOUND] IN=eth0 OUT....

Restarted my router a couple of times but it won't help.

Time is synced with time.cloudflare.com.

Any thoughts?

FW Version; 384.15_alpha1-gbbe574ca0d (Jan 14 2020) (4.1.27)
As others have said, perfectly normal. Shameless plug here for scribe, which can filter Skynet and other messages out to separate logfiles. It also offers to install uiScribe, which greatly enhances scribe by modifying the system log page on the webUI to include sections for all of the detected logs.
 
Thanks Cmkellly!

Tried that, but how to clear logs from ui-scribe?
Unfortunately, it doesn't go back in time and clear the log file, it only filters incoming log entries from when it is started. The messages log file (and most* of the others) will eventually be rotated by logrotate when they reach the appropriate size or the appropriate age, depending on how the logrotate file for that log is set up. (*I say "most" because the skynet-0 log file is automatically scraped by skynet every hour, so logrotate doesn't touch it.)

If you want to remove all the old BLOCKED and DROP IN entries from the messages log you can use (with scribe installed and syslog-ng running):
Code:
sed -i '/BLOCKED/d' /opt/var/log/messages
sed -i '/DROP IN=/d' /opt/var/log/messages
 
Thanks Cmkellly!

Tried that, but how to clear logs from ui-scribe?
I would suggest you just let it run for a while and see how it plays out. The skynet/scribe/uiScribe combo actually all works really well.
 
Noob here...

I had been using Skynet since AC66U then AC88U and now just upgraded to AC86U. All had been fine. Only lately, I discovered with Skynet temporarily disabled, using spdMerlin, both auto select/preferred server I can get above 500-800Mbps download. However, if Skynet is enabled, it will drop below 500Mbps and hardly reach 600Mbps.

Has anyone encountered this before? Any 2 cents of advice are appreciated, thank you.
I am on the latest scripts and clean installed since early this year with default settings.

Edit: Funny though, enabled or disabled, both my upload on auto select/preferred server is between 900-1000Mbs. It's been rock solid so far.
 
Noob here...

I had been using Skynet since AC66U then AC88U and now just upgraded to AC86U. All had been fine. Only lately, I discovered with Skynet temporarily disabled, using spdMerlin, both auto select/preferred server I can get above 500-800Mbps download. However, if Skynet is enabled, it will drop below 500Mbps and hardly reach 600Mbps.

Has anyone encountered this before? Any 2 cents of advice are appreciated, thank you.
I am on the latest scripts and clean installed since early this year with default settings.

Edit: Funny though, enabled or disabled, both my upload on auto select/preferred server is between 900-1000Mbs. It's been rock solid so far.

Does your web browser replicate the same results? The speedtest binary is quite inconsistent at high speeds due to the routers being relatively low powered devices.
 
Does your web browser replicate the same results? The speedtest binary is quite inconsistent at high speeds due to the routers being relatively low powered devices.

Thanks for the prompt reply, Adamm. :)

Nope. I've been monitoring the WebUI under the speedtest tab and manually doing the speed test as and when I'm available at home. Will plug in direct LAN and do a web browser speedtest and see if there is any difference.

Appreciated so much, thank you. I'll update the thread again once I have done it.
 
Thanks all.

First time use of the WebUI for Skynet is great to see. Never expected to see so much scattered logging from my VPN / Wi-Fi clients, connect and disconnect / dci logging from time to time and the additional logging from dropped inbound and outbound. But by reading in earlier posts from @RMerlin he doesn't have control and it doesn't harm the performance. When the router gets the best of both worlds thanks to you guys, Adam, RMerlin, CmKelly, I can't complain. Thanks for inventing scribe to have a better overview of what is going on. I will install scribe with the WebUI, and let it run and try some code from cmkelly to clean up some Skynet drops, when needed.

Keep up the great work!
 
Is Skynet supported while using NordVPN? I just set up a new OpenVPN client and am getting error messages in Skynet. I am hoping this is just a case of me misconfiguring something. What do I need to do to fix this, if it is possible?
 
Startup time can depend on a variety of factors, including NTP sync time, shared-*-whitelist size and the size of your stats file.


As for your NTP issues, I'm surprised you didn't notice it earlier with the following messages in your syslog:

logger -st Skynet "[*] Waiting For NTP To Sync"
logger -st Skynet "[*] NTP Failed To Start After 5 Minutes - Please Fix Immediately!"

With that being said, I'm not sure Skynet can be to blame. Skynet won't load any iptables rules until NTP has synced, meaning it can't possibly be the reason for NTP failing to initially sync time as it won't yet be blocking anything.

If Skynet were the issue, you would see a bunch of "OUTBOUND" hits in your syslog. I personally use time.cloudflare.com and haven't experienced this issue.

Notice that Skynet used “Google.com” to check (ping) for internet connection.

Could you change it to a more specific domain like “time.cloudflare.com”, as I created a “server=/time.cloudflare.com/8.8.8.8” in dnsmasq.conf.add so that the router doesn't have to wait for stubby or dnscrypt-proxy to load up before attempting to resolve the domain (which is normally the culprit causing Skynet to delay in loading up).
 
Is Skynet supported while using NordVPN? I just set up a new OpenVPN client and am getting error messages in Skynet. I am hoping this is just a case of me misconfiguring something. What do I need to do to fix this, if it is possible?

Skynet supports all VPN services, please post the exact errors.

Notice that Skynet used “Google.com” to check (ping) for internet connection.

Could you change it to a more specific domain like “time.cloudflare.com”, as I created a “server=/time.cloudflare.com/8.8.8.8” in dnsmasq.conf.add so that the router doesn't have to wait for stubby or dnscrypt-proxy to load up before attempting to resolve the domain (which is normally the culprit causing Skynet to delay in loading up).

Skynet relies on name resolving for multiple parts of the startup procedure, so if this were the case it would cause other issues down the line.
 
