Skynet - Router Firewall & Security Enhancements

@Adamm -- I pulled the update.

Using the default banmalware list, "stats search malware 104.16.55.111" still comes up empty -- yet as far as I can tell, it *is* on a list that is included in the https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/filter.list file.

Then I switched to a custom list -- which is a copy of your default filter.list, just omitting the telemetry file. Using that list, I do get a hit for 104.16.55.111, but also get a couple errors as if it is still looking for the telemetry file:

Exact Matches;
https://iplists.firehol.org/files/coinbl_hosts.ipset - 104.16.55.111
grep: /tmp/skynet/telemetry.list: No such file or directory

Possible CIDR Matches;
grep: /tmp/skynet/telemetry.list: No such file or directory
 
I'm more confused now. :) I think one of the lists you found it on ("coinbl_hosts.ipset") *is* in the default filter.list (last line).

I'll grab the update... But I'm still not clear why "stats search malware 104.16.55.111" didn't find that IP -- because if I understand right, the list in which it occurs *is* on the default filter.list.

Thanks for the info, for some reason the last entry in the filter file isn't being downloaded/searched, so that would explain why certain results aren't showing up. I'm in the middle of rewriting the function to fix some other limitations (one of them being the telemetry list error), so I'll make sure to also address this and let you know when the update is ready.
 
I've fixed this with v6.0.4

Due to a limitation with while/read binaries the last entry in the filter list wasn't being detected. I also made the "stats search malware" command much smarter (a long overdue entry on my todo list!) so that it can handle all custom filters with ease. Let me know if you experience any further issues after updating/running banmalware.
 
Sounds great, I will grab the update and try it out. THANKS!!
 
@Adamm -

With 6.0.4 and the default filter.list, the "stats search malware" result looks good now. When I switch to my custom list (which is just the default filter.list but omitting line 1, the telemetry file), I get a curl error when downloading the lists:

...
Custom List Detected: https://raw.githubusercontent.com/ScottWell1/AsusFirewall-Skynet/master/filter.list
Downloading filter.list [0s]
Refreshing Whitelists [3s]
Consolidating Blacklist curl: Remote file name has no length!
curl: try 'curl --help' for more information
[11s]
Saving Changes [4s]
Removing Previous Malware Bans [0s]
...

Also get that same error with "search stats malware xxx.xxx.xxx.xxx" when using that custom list:
...
Debug Data Detected in /tmp/mnt/ASUS/skynet/skynet.log - 3.6M
Monitoring From Mar 14 20:12:52 To Mar 22 08:38:27
14312 Block Events Detected
2486 Unique IPs
3 Autobans Issued
3 Manual Bans Issued

curl: Remote file name has no length!
curl: try 'curl --help' for more information
Exact Matches;
https://iplists.firehol.org/files/coinbl_hosts.ipset - 104.16.55.111


Possible CIDR Matches;

...
 
Thanks for pointing this out, this has been corrected (you will need to force update to apply the changes as there was no version change). Curl didn't handle blank lines as well as grep did so had to put an additional check in :rolleyes:
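
The two fixes described above (a last filter-list entry that was never read, and blank lines reaching curl) both come down to how a shell loop reads a list file. The following is an added example, not Skynet's code; the URLs are placeholders and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed filter list: one blank line in the middle and NO trailing
# newline after the last URL. The URLs are placeholders.
make_list() {
    printf 'https://lists.example/a.ipset\n\nhttps://lists.example/b.ipset\nhttps://lists.example/last.ipset'
}

# Naive loop: read returns non-zero on the unterminated final line, so the
# loop body never runs for it, and the blank line is passed on as an empty URL.
naive_urls() {
    make_list | while IFS= read -r url; do
        printf '[%s]\n' "$url"
    done
}

# Hardened loop: '|| [ -n "$url" ]' still processes a final line that lacks a
# newline, and the case statement drops blank lines and comments before they
# would be handed to a downloader.
robust_urls() {
    make_list | while IFS= read -r url || [ -n "$url" ]; do
        case "$url" in
            ''|'#'*) continue ;;
        esac
        printf '[%s]\n' "$url"
    done
}

echo "naive:";  naive_urls
echo "robust:"; robust_urls
```

With a blocklist loader, the naive form fails silently: the feed on the last line is simply never applied, so the resulting ban set is smaller than the configured one.
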
 
I see this line when I go into the gui:
Code:
Skynet Version; v6.0.3 (22/03/2018)
After forcing the update.
 
Was about to ask the same thing -- last commit rolled version number back. Was that intentional?

If I said yes would you believe me? :p

Fixed :rolleyes:
 
Hi Guys,

I am running ab-solution and Skynet on my ASUS RT88U router. It looks like it is blocking a legit website that it shouldn't have. If I force edit the ab-solution whitelist, I can open the website. Where can I find which IPs are blocked and, more importantly, how can I know the reason a website or IP address is listed there, and how can I request to remove it? Unfortunately I can't share the website name in a public forum.
 
You can use the guide here to find out how to whitelist an IP causing site/application issues.

You can also use the following commands to see the ban reason and then, assuming the ban reason is banmalware, which list it originates from.

Code:
sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx
 
Thanks, I issued these two commands, what does this mean? and how would I find the CIDR entry and the reason it was put there?

sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx
kernel: [BLOCKED - OUTBOUND]

sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx
Exact Matches;
Possible CIDR Matches;


Replace xxx.xxx.xxx.xxx with the IP you got from following the guide I linked.
 
@Adamm Just a quick question. In firewall settings on my ac3100 I have this. [Attachment: ASUS Wireless Router RT AC3100 General.png]
Is this needed on an IPv4 network, and/or is this using resources or complicating things? Just curious!
 
If you have IPv6 enabled yes, otherwise the setting will have no effect anyway so it can just be left alone.
 
@Adamm I noticed by checking my security system functions that 8.8.8.8 was unresponsive. I pinged it from my router in the webui and it was non-responsive. I whitelisted 8.8.8.8 and now it responds to ping and my security system tests complete. Strange that Google DNS would be blocked, or have I somehow done this myself?
 
I had the same happen a while ago with both Google and Quad9 DNS server addresses. Like you, I whitelisted both primary and alternate IPs for both services.
 
It appears on the Coinbl list (anti-crypto mining). Not sure why, but in the event someone uses this as their DNS on the router, Skynet would whitelist it automatically.

Code:
admin@RT-AC86U-2EE8:/tmp/home/root# firewall stats search malware 8.8.8.8
#!/bin/sh
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 24/03/2018 -           Asus Firewall Addition By Adamm v6.0.4                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


Debug Data Detected in /tmp/mnt/Elements/skynet/skynet.log - 2.4M
Monitoring From Mar 23 03:22:12 To Mar 25 04:15:32
10676 Block Events Detected
1169 Unique IPs
1 Autobans Issued
0 Manual Bans Issued

Exact Matches;
https://iplists.firehol.org/files/coinbl_hosts.ipset - 8.8.8.8


Possible CIDR Matches;


Skynet: [Complete] 112124 IPs / 1539 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2971 Inbound / 101 Outbound Connections Blocked! [stats] [8s]
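
What "Exact Matches" and "Possible CIDR Matches" mean in practice, as an added sketch that is not Skynet's own code: it searches local copies of list files for an address both literally and by range membership. The function names and the sample files are hypothetical, and the sample entries are constructed from documentation address ranges.

```shell
#!/bin/sh
# Assumes 64-bit shell arithmetic and plain dotted-quad IPv4 entries.

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeeds when address $1 lies inside CIDR range $2 (e.g. 198.51.100.0/24).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# search_lists IP FILE...: print "exact FILE" or "cidr FILE ENTRY" for each hit.
search_lists() {
    ip=$1; shift
    for f in "$@"; do
        while IFS= read -r entry || [ -n "$entry" ]; do
            case "$entry" in
                ''|'#'*) ;;    # skip blank lines and comments
                "$ip")   echo "exact $f" ;;
                */*)     if in_cidr "$ip" "$entry"; then echo "cidr $f $entry"; fi ;;
            esac
        done < "$f"
    done
    return 0
}

# Constructed sample lists (documentation ranges, not real feed data).
demo_dir=$(mktemp -d)
printf '198.51.100.7\n203.0.113.9\n' > "$demo_dir/hosts.ipset"
printf '# ranges\n198.51.100.0/24\n203.0.113.0/28\n' > "$demo_dir/ranges.netset"
search_lists 198.51.100.7 "$demo_dir/hosts.ipset" "$demo_dir/ranges.netset"
```

An address that is blocked but shows no exact match can still be covered by a range entry, which is why a plain text search of the list files is not enough to find the originating list.
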
 
