Skynet Skynet - Router Firewall & Security Enhancements

The following command will tell you if an IP is banned (even if it's part of a CIDR range, not just the specific IP):

Code:
sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

This is what I see:

Code:
Debug Data Detected in /tmp/mnt/Lexar/skynet/skynet.log - 3.7M
Monitoring From Dec 20 02:00:12 To Dec 21 11:56:06
13542 Block Events Detected
845 Unique IPs
7 Autobans Issued
0 Manual Bans Issued

172.217.1.4 is NOT in set Whitelist.
172.217.1.4 is in set Blacklist.
172.217.1.4 is NOT in set BlockedRanges.

Blacklist Reason;


172.217.1.4 First Tracked On Dec 20 03:19:02
172.217.1.4 Last Tracked On Dec 21 08:31:25
187 Events Total

First Event Tracked From 172.217.1.4;
Dec 20 03:19:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:56:dc:55:d0:b0:94:65:2d:c7:a5:ac:08:00 SRC=192.168.1.241 DST=172.217.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49498 DF PROTO=TCP SPT=49487 DPT=443 SEQ=2766584867 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A009B7D790000000001030308)
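Here is an added example, not code from Skynet or its author, of the CIDR membership check that such a search has to make so that a single address is also found when it sits inside a banned range. It is written in POSIX sh so it would run on the router's BusyBox shell as well as on a desktop; the range list SAMPLE_RANGES is constructed from RFC 5737 documentation addresses (not real blocklist data), and the function names are my own.

```shell
#!/bin/sh
# Added example (not Skynet's own code): the CIDR membership test a
# "stats search ip" style lookup needs. POSIX sh, no bash-isms.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 (true) if address $1 is inside $2, where $2 is "a.b.c.d/prefix"
# or a bare address (treated as /32, like a single-IP ipset entry).
ip_in_cidr() {
    net=${2%/*}
    prefix=${2#*/}
    [ "$prefix" = "$2" ] && prefix=32
    # /0 matches everything; handle it explicitly instead of shifting by 32.
    [ "$prefix" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Constructed sample standing in for a BlockedRanges-style set; these are
# RFC 5737 documentation addresses, not real blocklist data.
SAMPLE_RANGES="203.0.113.0/24
198.51.100.128/25
192.0.2.17"

# Print the first range that covers $1 and return 0, or return 1 if none does.
find_blocking_range() {
    for range in $SAMPLE_RANGES; do
        if ip_in_cidr "$1" "$range"; then
            echo "$range"
            return 0
        fi
    done
    return 1
}

# Stand-alone usage: report whether a sample address is covered by a range.
if hit=$(find_blocking_range 203.0.113.77); then
    echo "203.0.113.77 is covered by $hit"
else
    echo "203.0.113.77 is not in any sample range"
fi
```

The prefix-to-mask arithmetic is the same comparison the kernel's ipset hash:net lookup performs; the point of the example is that a whitelist or blacklist check that only compares whole addresses would miss an entry like 203.0.113.0/24 even though it blocks 203.0.113.77.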
 
Due to it having no ban reason I would assume it was an autoban, but the first event tracked for this IP isn't it initially being banned, which is odd. I'll look into it. For now, just whitelist the IP in question.

Code:
sh /jffs/scripts/firewall whitelist ip xxx.xxx.xxx.xxx

I think this is one of the most useful Skynet commands for troubleshooting, so maybe it would be better to add this line to the "Usage" part of the #1 entry of this topic, somewhere everyone can see it easily :)

Definitely on my to-do list to write up some common troubleshooting tips/errors in the GitHub wiki section or something.
 
Thanks for looking into it. I think my issue is the same as Butterfly Bones' report from a couple of pages ago. His issue was with Google Music with a similar IP range, and mine is with Gmail. I deleted all the autobans using the firewall unban autobans command and then checked the IP again, and it was still being blocked, so it may not be autoban related.
 
Hi, I would like to know how I can add my own custom malware list (from FireHOL) on top of the existing filter list. When I select custom in the filter list, it prompts me for a URL. How do I define the URL if it is stored on my USB?
If I use Import URL, will it auto-update the list in cru?

I am using an RT-AC68U on Merlin 380.69.

Thank you and a Merry Christmas.
 
Yes, so basically the "custom" feature uses the filter you specify rather than the default one. I suggest using a service like Pastebin to host it (remember to use the raw link). The cron job and any future banmalware updates will use the specified filter until you tell it not to.
 
Good idea.. thanks.. cheers!
 
It is fascinating to see those IPs being blocked and wonder how crazy the Internet world is.

I have a question for my own knowledge. I see that Skynet processes the IP block in the raw table. Does this mean that this is first in line, before the router processes those packets?

I see a lot of lists in FireHOL that focus on specific ports or services like SSH, FTP, HTTP etc... If I don't use the service and the port is already closed, I don't really need to add the FireHOL list for Skynet to process, as the packet would automatically be dropped?

Or is it better to put it in and block at the raw table...

The reason I'm asking is about efficiency and how it affects the performance of the router/CPU.
 
The IPs are blocked in the RAW table, which is processed first (yes, before conntracking etc.) for performance reasons.

Also, ipset is very efficient with large sets; there is no noticeable performance drop. The default filter list is a pretty good mix of honeypot lists + known malware, and with no real-world performance drop I personally believe there's no point removing any lists if that is your main concern.
 
Ok.. noted.. I think I know why my CPU is hovering around 0.05-0.08. It is due to the debug logging.. lol...
After I turned it off, the CPU is as quiet as a mouse. 0.00-0.03

Just that I can't see the work of Skynet blocking those IPs.. but I know I am safe...

Thanks Adamm
 
Here is what I do if something is blocked by Skynet or AB-Solution

......
- if an IP address is blocked by Skynet, first check dnsmasq logs under "\adblocking\logs" and search for this IP address on "dnsmasq.log" .......


I have debug mode enabled and I searched using WinSCP for dnsmasq.log as well as \adblocking\logs and found neither. Could you possibly point me in the right direction please?

I did find the offending IP address by first clearing syslog (for clarity) and then trying to access the website; I then added the IP address from syslog to the whitelist successfully. Nevertheless, I'd also like to follow your method and find dnsmasq.log and \adblocking\logs just as a learning exercise.
 
I can't find the original post you are quoting, but the parts you quoted are only relevant for finding things AB-Solution has blocked. Skynet stores its logs elsewhere, but the suggested method of finding a blocked IP is posted here and/or by using the following command:

Code:
sh /jffs/scripts/firewall stats search xxx.xxx.xxx.xxx
 
Thank you, Adamm. That was my mistake: I only have Skynet installed so far. But I've just run through your guide for future reference. Many thanks, indeed.
 
By the way, @Adamm, the post to which I was referring is at #1585, just for the sake of completeness:
https://www.snbforums.com/threads/s...-manual-ip-blocking.16798/page-80#post-364767
 
How do I fix Duplicate Rules In Filter = Failed?

Checking Install Directory Write Permissions... [Passed]
Checking Firewall-Start Entry... [Passed]
Checking Services-Stop Entry... [Passed]
Checking CronJobs... [Passed]
Checking IPSet Comment Support... [Passed]
Checking Log Level 5 Settings... [Passed]
Checking Autobanning Status... [Passed]
Checking Debug Mode Status... [Passed]
Checking For Duplicate Rules In RAW... [Passed]
Checking For Duplicate Rules In Filter... [Failed]
Checking Skynet IPTable... [Passed]
Checking Whitelist IPSet... [Passed]
Checking BlockedRanges IPSet... [Passed]
Checking Blacklist IPSet... [Passed]
Checking Skynet IPSet... [Passed]
Checking For AB-Solution Plus Content... [Passed]
 
Post the output of the following command so we can see what the duplicate rule is (and if it's related to Skynet):

Code:
iptables -L
 
This is my output:

Chain INPUT (policy ACCEPT)
target prot opt source destination
logdrop icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere state INVALID
PTCSRVWAN all -- anywhere anywhere
PTCSRVLAN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
INPUT_ICMP icmp -- anywhere anywhere
logdrop all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ipttolan all -- anywhere anywhere
iptfromlan all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
NSFW all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ACCESS_RESTRICTION (0 references)
target prot opt source destination

Chain FUPNP (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere DESKTOP-A tcp dpt:32400
ACCEPT udp -- anywhere DESKTOP-D udp dpt:64510
ACCEPT tcp -- anywhere OLD-PC tcp dpt:32400
ACCEPT udp -- anywhere DESKTOP-A udp dpt:56346
ACCEPT tcp -- anywhere Hopper3-br tcp dpt:5105
ACCEPT udp -- anywhere DESKTOP-C udp dpt:64967
ACCEPT tcp -- anywhere OLD-PC tcp dpt:32400
ACCEPT tcp -- anywhere DESKTOP-A tcp dpt:32400
ACCEPT udp -- anywhere DESKTOP-K udp dpt:49574

Chain INPUT_ICMP (1 references)
target prot opt source destination
RETURN icmp -- anywhere anywhere icmp echo-request
RETURN icmp -- anywhere anywhere icmp timestamp-request
ACCEPT icmp -- anywhere anywhere

Chain NSFW (1 references)
target prot opt source destination

Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PTCSRVLAN (1 references)
target prot opt source destination

Chain PTCSRVWAN (1 references)
target prot opt source destination

Chain SECURITY (0 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
logdrop icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere

Chain iptfromlan (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere account: network/netmask: 192.168.1.0/255.255.255.0 name: lan

Chain ipttolan (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere account: network/netmask: 192.168.1.0/255.255.255.0 name: lan

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT all -- anywhere anywhere

Chain logdrop (8 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere match-set Whitelist src
DROP tcp -- anywhere anywhere multiport sports www,https,imap2,imaps,pop3,pop3s,smtp,ssmtp state INVALID
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,ACK
ACCEPT tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,ACK
ACCEPT tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/RST
ACCEPT tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/RST,ACK
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - NEW BAN] "
SET all -- anywhere anywhere state INVALID add-set Skynet src
DROP all -- anywhere anywhere
 
Nothing to worry about based on that output. I'll make that check more specific in future, as I should only be checking for Skynet rules.
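As an added example (not Skynet's own check, and not how its author implemented the fix promised above), here is one way to find duplicate rules in `iptables -S` output and then narrow the report to rules that reference Skynet's ipsets or its log prefix, which is what a Skynet-specific check would do. The sample rules are constructed to mirror the filter table posted above, not captured from a real router; the set names Whitelist, Blacklist, BlockedRanges and Skynet are the ones visible in this thread, and the function names are mine.

```shell
#!/bin/sh
# Added example (not Skynet's own code): report duplicate iptables rules,
# then only those that belong to Skynet. POSIX sh so it runs on BusyBox ash.

# Constructed sample in `iptables -S` format, modelled on the filter table
# posted in this thread; not captured from a real router.
SAMPLE_RULES='-A INPUT -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j ACCEPT
-A FORWARD -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -j logdrop
-A FUPNP -d 192.168.1.10/32 -p tcp -m tcp --dport 32400 -j ACCEPT
-A FUPNP -d 192.168.1.10/32 -p tcp -m tcp --dport 32400 -j ACCEPT
-A logdrop -m set --match-set Whitelist src -j ACCEPT
-A logdrop -m state --state INVALID -j LOG --log-prefix "[BLOCKED - NEW BAN] "
-A logdrop -m state --state INVALID -j SET --add-set Skynet src
-A logdrop -j DROP'

# The same sample with one Skynet rule present twice, to show a real hit.
SAMPLE_RULES_DUP="$SAMPLE_RULES
-A logdrop -m set --match-set Whitelist src -j ACCEPT"

# Print each rule text that occurs more than once (one line per duplicate).
# "-S" prints one canonical line per rule, so exact line equality is the
# right comparison; "-L" output would need normalising first.
find_duplicate_rules() {
    printf '%s\n' "$1" | sort | uniq -d
}

# Keep only duplicates that belong to Skynet: rules that match or add to
# its ipsets, or that carry its "[BLOCKED" log prefix.
find_skynet_duplicates() {
    find_duplicate_rules "$1" |
        grep -E -- '--(match|add)-set (Whitelist|Blacklist|BlockedRanges|Skynet) |BLOCKED -' || true
}

# Count the lines a finder produced for a rule set; prints 0 when empty.
count_duplicates() {
    "$1" "$2" | grep -c '' || true
}

# Stand-alone usage: on a router, pass "$(iptables -S)" instead of the sample.
echo "All duplicate rules in the sample:"
find_duplicate_rules "$SAMPLE_RULES"
echo "Skynet-related duplicates: $(count_duplicates find_skynet_duplicates "$SAMPLE_RULES")"
```

On the constructed sample the generic check flags three duplicates (the repeated INPUT, FORWARD and FUPNP rules), which is the situation the user above hit, while the Skynet-specific check reports none of them because no Skynet rule is repeated; it only fires on the second sample where the Whitelist rule appears twice.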
 
Hi
Several-year Merlin user and new Skynet user. I installed Skynet and immediately its log shows where it's actively blocked inbound and outbound!

I have some questions. They may have been answered, but be kind, as there are 82 pages of info and I did not go through it all:
  1. I have an SSD drive installed on the USB 3 port that I use for SMB sharing, but no other USB. My option was to install Skynet on jffs... Will I be ok on Skynet for reboots, and if I back up jffs before and restore after new FW flashes?

  2. Is the size of jffs a concern, again given that I do not use it for anything else?

  3. Are countries banned when using the default installation? I don't want to open a can of worms, but is there a generally accepted list of countries to block, or countries better to block?

  4. Regular maintenance. I accepted the default install options for updating. Does that cover everything, including things like Banmalware, or are there things I should manually address on a regular basis?
Thanks for a great package! I will give it a week and watch, and certainly donate if I stay on as a user.

Paul
 
I have an SSD drive installed on the USB 3 port that I use for SMB sharing, but no other USB. My option was to install Skynet on jffs... Will I be ok on Skynet for reboots, and if I back up jffs before and restore after new FW flashes?

Skynet supports installation on the following partition types, to be consistent with Entware and other scripts, although I haven't found any reason I couldn't also add things like NTFS, or why Entware doesn't support them in the first place. Let me know what partition you use and I'll definitely do some testing and consider it.

ext2|ext3|ext4|tfat|exfat

To further answer your question, installation to JFFS should function exactly like USB, and this data will not be lost during FW flashes. The only time it will be wiped is when you manually "reset to factory default" or uninstall via the Skynet menu.

Is the size of jffs a concern, again given that I do not use it for anything else?

The JFFS partition on my AC68U is 62.75MB (I'm unsure if this has been increased in newer models). Skynet has built-in checks so that its logfile will reach a maximum of 7MB before purging itself to prevent space hogging. This should give you something like your last 30,000-40,000 blocking events (around 2 weeks or so of logs in my personal usage).

Are countries banned when using the default installation? I don't want to open a can of worms, but is there a generally accepted list of countries to block, or countries better to block?

Nothing is blocked by default; this is an optional feature. Some people like to ban various Middle Eastern/Asian and even European countries that historically source a large amount of attacks, but this is personal preference. If this is something you wanted to look into, you could probably google some more up-to-date statistics from reputation information.

Regular maintenance. I accepted the default install options for updating. Does that cover everything including things like Banmalware, or are there things I should manually address on a regular basis

In the install menu Skynet gives the option to update banmalware and the script itself on a regular basis (if you choose to use these features), in which case you can let Skynet handle the regular maintenance of keeping things updated. It's always a good idea to check the stats every so often to get a scope of what's being blocked (and let's be honest, who doesn't get a good feeling seeing all the attempted probes by bots being blocked :p).

Occasionally you may need to whitelist a website that's hosted on a cheap provider due to the nature of shared hosting, but I've tried to make this process as painless as possible (and added a guide in post #2 of this thread for quick reference).

Thanks for a great package! I will give it a week and watch, and certainly donate if I stay on as a user.

Thanks for the kind words, always nice to know people are putting all this to good use. Skynet started out as a personal project for easy mass IP blocking and eventually evolved into what it is today; who knows what 2018 will bring.
 
