Skynet - Router Firewall & Security Enhancements


Do I set the interface to something, Adamm?
No worries, I got it! Thank you sir! My SSH has an obscure port and key protection with anti-hammer enabled, no port forwarding. My HTTPS is pretty tough too.
 
No worries, I got it! Thank you sir! My SSH has an obscure port and key protection with anti-hammer enabled, no port forwarding. My HTTPS is pretty tough too.
Someone pls hack this guy... :p
 
Help for a newbie: I'm trying to find, with iptables -vvL, the rules added by Skynet, but in all 4 tables I find only src and dst as 0.0.0.0/0.0.0.0.
Where am I wrong?
AC88U with Merlin 382.1_2 and the latest Skynet, with this output:

Skynet: [Complete] 128607 IPs / 1873 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 8 Inbound / 0 Outbound Connections Blocked! [2s]

Thanks
 
Help for a newbie: I'm trying to find, with iptables -vvL, the rules added by Skynet, but in all 4 tables I find only src and dst as 0.0.0.0/0.0.0.0.
Where am I wrong?
AC88U with Merlin 382.1_2 and the latest Skynet, with this output:

Skynet: [Complete] 128607 IPs / 1873 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 8 Inbound / 0 Outbound Connections Blocked! [2s]

Thanks

Skynet adds its main blocking rules to the RAW table, and some additional rules to the FILTER table in the logdrop chain.

Code:
iptables -t raw -vnL

The -vv flag also seems unnecessarily complex to read. Using just -vL or -L is sufficient.
 
The -vv flag also seems unnecessarily complex to read. Using just -vL or -L is sufficient.

Thanks Adamm, it's another step to enhance my knowledge. Now I understand that the last column (Destination) of the iptables output is very long and contains the "match" against the defined ipsets.

@RT-AC88U-22F8:/tmp/home/root# iptables -t raw -vnL
Chain PREROUTING (policy ACCEPT 181K packets, 47M bytes)
pkts bytes target prot opt in out source destination
168 8512 LOG all -- br0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist dst match-set Skynet dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
168 8512 DROP all -- br0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist dst match-set Skynet dst
61 5467 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist src match-set Skynet src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
61 5467 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist src match-set Skynet src

Chain OUTPUT (policy ACCEPT 111K packets, 37M bytes)
pkts bytes target prot opt in out source destination

The second line matches the Skynet set, which is a superset that contains the blacklist set itself. I would also like to be able to read the -vv output, in which I find 7 groups of info:

@RT-AC88U-22F8:/tmp/home/root# iptables -t raw -vvnL
Chain PREROUTING (policy ACCEPT 181K packets, 47M bytes)
pkts bytes target prot opt in out source destination
168 8512 LOG all -- br0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist dst match-set Skynet dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
168 8512 DROP all -- br0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist dst match-set Skynet dst
61 5467 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist src match-set Skynet src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
61 5467 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist src match-set Skynet src

Chain OUTPUT (policy ACCEPT 111K packets, 37M bytes)
pkts bytes target prot opt in out source destination
libiptc vlibxtables.so.7. 1456 bytes.
Table `raw'
Hooks: pre/in/fwd/out/post = 0/ffffffff/ffffffff/468/ffffffff
Underflows: pre/in/fwd/out/post = 3d0/ffffffff/ffffffff/468/ffffffff
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `br0'/XXXX............to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 168 packets, 8512 bytes
Cache: 00000000
Match name: `set'
Match name: `set'
Target name: `LOG' [64]

Entry 1 (256):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `br0'/XXXX............to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 168 packets, 8512 bytes
Cache: 00000000
Match name: `set'
Match name: `set'
Target name: `' [40]
verdict=NF_DROP

Entry 2 (488):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `eth0'/XXXXX...........to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 61 packets, 5467 bytes
Cache: 00000000
Match name: `set'
Match name: `set'
Target name: `LOG' [64]

Entry 3 (744):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `eth0'/XXXXX...........to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 61 packets, 5467 bytes
Cache: 00000000
Match name: `set'
Match name: `set'
Target name: `' [40]
verdict=NF_DROP

Entry 4 (976):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 181104 packets, 46980268 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 5 (1128):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 111131 packets, 37325729 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 6 (1280):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'

I would expect to find only 4, one for each line of the -vnL output. I'm trying to find a howto/tutorial to master the various options of iptables, but for example I was unsuccessful in finding anything about -vv and -j.
I've a lot to study & learn.
Just a quick question: if I have to insert some rules that drop anything coming from/to an internal host (logging dropped packets) and allow a very strict set of addresses/ports (like DNS, SMTP to certain destinations), what is the best table/chain to add them to? In the filter table, in the INPUT chain?

Thanks
 
Now I understand that the last column (Destination) of the iptables output is very long and contains the "match" against the defined ipsets.

! match-set Whitelist dst match-set Skynet dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "

Yes, the easiest way to explain the first rule's destination, for example, is:

If the IP doesn't match set Whitelist, and does match set Skynet (aka the blacklist), then log the packet.

And the following rule is identical, but rather than logging the packet it drops it. This is then repeated for inbound traffic.

Just a quick question: if I have to insert some rules that drop anything coming from/to an internal host (logging dropped packets) and allow a very strict set of addresses/ports (like DNS, SMTP to certain destinations), what is the best table/chain to add them to? In the filter table, in the INPUT chain?

Yes, the INPUT and FORWARD chains in the filter table are usually where you want to add that kind of thing.
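An added example, not from the thread or from Skynet, that turns the `iptables -t raw -vnL` rule lines shown earlier into the plain-English reading Adamm gives above (negated set match, positive set match, then the action). The three sample lines are copied from the output posted in the thread; `explain_rule` is my own helper and assumes the standard `-vnL` column layout.

```shell
#!/bin/sh
# Sample rule lines taken from the thread's `iptables -t raw -vnL` output (constructed input).
RULE_LOG='168 8512 LOG all -- br0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist dst match-set Skynet dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "'
RULE_DROP='168 8512 DROP all -- br0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist dst match-set Skynet dst'
RULE_IN='61 5467 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ! match-set Whitelist src match-set Skynet src'

# explain_rule LINE: print one -vnL rule line as a sentence.
# Columns: 1=pkts 2=bytes 3=target 4=prot 5=opt 6=in 7=out 8=source 9=destination,
# everything from column 10 on is the match/target text that confused the poster.
explain_rule() {
    printf '%s\n' "$1" | awk '{
        pkts = $1; target = $3; iface = $6; cond = "";
        for (i = 10; i <= NF; i++) {
            if ($i == "match-set") {
                # a "!" in the column before match-set negates that set test
                neg = ($(i - 1) == "!") ? "NOT in " : "in ";
                cond = cond (cond == "" ? "" : " AND ") $(i + 2) " " neg $(i + 1);
                i += 2;   # skip the set name and the src/dst flag
            }
        }
        prefix = "";
        if (match($0, /prefix "[^"]*"/))
            prefix = " with prefix " substr($0, RSTART + 7, RLENGTH - 7);
        printf "%s packets on %s where %s -> %s%s\n", pkts, iface, cond, target, prefix;
    }'
}

# On the router itself the same helper can read the live rule set:
#   iptables -t raw -vnL | grep match-set | while IFS= read -r l; do explain_rule "$l"; done
explain_rule "$RULE_LOG"
explain_rule "$RULE_DROP"
explain_rule "$RULE_IN"
```

The packet counters it prints are the quickest way to confirm which of Skynet's four rules are actually firing on your router.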
 
Will you eventually add IPv6 to skynet?
 
Will you eventually add IPv6 to skynet?

While IPv6 support is definitely possible and I've considered it in the past, I'm not sure if it would be as effective as its IPv4 counterpart.

One of the huge factors is that IPv4 addresses are limited and currently almost exhausted, whereas there are 340 undecillion possible IPv6 addresses. So you can imagine that any malicious host would be able to change IP quite easily if it became blacklisted somewhere, effectively defeating the purpose. There's also the fact that IPv6 still has a very low adoption rate with ISPs and websites; I personally wouldn't even be able to test it myself for this reason.
 
I tried to set up these rules to drop any packet from a Chinese webcam I own, except NTP, SMTP and DNS.
I wrote these rules:
Code:
iptables -A INPUT -p udp -s 192.168.2.97 --destination-port 123 -j LOG --log-prefix "Ball_CAM_NTP_Permit"
iptables -A INPUT -p udp -s 192.168.2.97 --destination-port 123 -j ACCEPT

iptables -A INPUT -p udp -s 192.168.2.97 --destination-port 53 -j LOG --log-prefix "Ball_CAM_DNS_Permit"
iptables -A INPUT -p udp -s 192.168.2.97 --destination-port 53 -j ACCEPT

iptables -A INPUT -p tcp -s 192.168.2.97 --destination-port 587 -j LOG --log-prefix "Ball_CAM_SMTP_Permit"
iptables -A INPUT -p tcp -s 192.168.2.97 --destination-port 587 -j ACCEPT

iptables -A INPUT -s 192.168.2.97 -j LOG --log-prefix "Ball_CAM_Drop"
iptables -A INPUT -s 192.168.2.97 -j DROP

The rules are correctly listed by iptables -vnL, and I did some tests, but I don't see anything coming into /tmp/syslog.log.


Where is(are) my error(s)?

Thanks
 
I tried to set up these rules to drop any packet from a Chinese webcam I own, except NTP, SMTP and DNS.
I wrote these rules:
Code:
iptables -A INPUT -p udp -s 192.168.2.97 --destination-port 123 -j LOG --log-prefix "Ball_CAM_NTP_Permit"
iptables -A INPUT -p udp -s 192.168.2.97 --destination-port 123 -j ACCEPT

iptables -A INPUT -p udp -s 192.168.2.97 --destination-port 53 -j LOG --log-prefix "Ball_CAM_DNS_Permit"
iptables -A INPUT -p udp -s 192.168.2.97 --destination-port 53 -j ACCEPT

iptables -A INPUT -p tcp -s 192.168.2.97 --destination-port 587 -j LOG --log-prefix "Ball_CAM_SMTP_Permit"
iptables -A INPUT -p tcp -s 192.168.2.97 --destination-port 587 -j ACCEPT

iptables -A INPUT -s 192.168.2.97 -j LOG --log-prefix "Ball_CAM_Drop"
iptables -A INPUT -s 192.168.2.97 -j DROP

The rules are correctly listed by iptables -vnL, and I did some tests, but I don't see anything coming into /tmp/syslog.log.


Where is(are) my error(s)?

Thanks

You're probably better off making another thread, as this is not directly Skynet related (I believe there are recent discussions on this topic with examples). You will probably need to block it in the FORWARD chain.

If the destination address after NAT is not the router address it is processed in the FORWARD chain.

Otherwise it would be processed in the INPUT chain.
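An added example, not from the thread or from Skynet, of the approach Adamm describes: the webcam rules from the post above moved into the FORWARD chain, where LAN-to-internet traffic is processed, and inserted with -I at increasing positions so they sit ahead of the router's own existing rules (a rule appended with -A lands after them and may never be evaluated). The host IP and the allowed services are the ones from the thread; `CHAIN`, `DRY_RUN`, `run`, `cam_rules` and `rule_count` are my own.

```shell
#!/bin/sh
# Restrict one LAN host in the FORWARD chain: log+accept a short allow list, log+drop the rest.
CAM=192.168.2.97                              # the webcam from the thread
CHAIN=FORWARD                                 # LAN -> WAN traffic is forwarded, not delivered to INPUT
ALLOW="udp:123:NTP udp:53:DNS tcp:587:SMTP"   # proto:port:label, evaluated in this order
DRY_RUN=${DRY_RUN:-1}                         # 1 = print the commands, 0 = run them (needs root)

# run CMD...: print or execute one iptables command, depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# cam_rules: emit the rules in evaluation order. Inserting at position 1, 2, 3, ...
# keeps this order and places all of them before the firmware's ACCEPT rules.
# The log prefixes end in a space so the kernel's own fields do not run into them.
cam_rules() {
    pos=1
    for entry in $ALLOW; do
        proto=${entry%%:*}; rest=${entry#*:}; port=${rest%%:*}; label=${rest#*:}
        run iptables -I "$CHAIN" "$pos" -p "$proto" -s "$CAM" --dport "$port" \
            -j LOG --log-prefix "Ball_CAM_${label}_Permit "
        pos=$((pos + 1))
        run iptables -I "$CHAIN" "$pos" -p "$proto" -s "$CAM" --dport "$port" -j ACCEPT
        pos=$((pos + 1))
    done
    # everything else from the camera: log it, then drop it
    run iptables -I "$CHAIN" "$pos" -s "$CAM" -j LOG --log-prefix "Ball_CAM_Drop "
    pos=$((pos + 1))
    run iptables -I "$CHAIN" "$pos" -s "$CAM" -j DROP
}

# rule_count: number of commands the generator emits (always a dry run).
rule_count() { ( DRY_RUN=1; cam_rules ) | wc -l | tr -d ' '; }

cam_rules
```

Traffic the camera sends to the router itself (for example DNS answered by dnsmasq on the router) is still delivered via INPUT, so an equivalent pair of rules is needed there if that path should be restricted too.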
 
Hi Adamm,

I've been using Skynet for a week now and i must say thank you for all your hard work and effort. It's running great on my side!
I just wonder why there are so many blocked inbound connections? At first I was a bit scared seeing it increase so fast, but after seeing other users' output and screenshots displaying the same results, I guess this is normal? Are these bots scanning the internet for open ports or something?

I have skynet installed vanilla and wanted to change it to debug mode to look for myself. Do I need to go through all steps again to reinstall it to change it? I was a bit confused since it asks where to install it again while skynet is already installed and I don't want to break anything.
 
I just wonder why there are so many blocked inbound connections? At first I was a bit scared seeing it increase so fast, but after seeing other users' output and screenshots displaying the same results, I guess this is normal? Are these bots scanning the internet for open ports or something?

That's just the nature of the modern internet: bots constantly probing for other vulnerable devices to infect. 30k+ probes every week or two is definitely not out of the ordinary.

I have skynet installed vanilla and wanted to change it to debug mode to look for myself. Do I need to go through all steps again to reinstall it to change it? I was a bit confused since it asks where to install it again while skynet is already installed and I don't want to break anything.

Just run the install command again, it will save all your current data and just change the boot args.
 
I tried to install the script on an AC66U but am getting the error mentioned below; the router has IPSet v4.
Please can you help me with this issue. TIA!
Code:
Skynet: [ERROR] IPSet Version Not Supported

Code:
/tmp/home/root# ipset -V
ipset v4.5, protocol version 4.
Kernel module protocol version 4
 
I tried to install the script on an AC66U but am getting the error mentioned below; the router has IPSet v4.
Please can you help me with this issue. TIA!
Code:
Skynet: [ERROR] IPSet Version Not Supported

Code:
/tmp/home/root# ipset -V
ipset v4.5, protocol version 4.
Kernel module protocol version 4
This is from page 1:
Code:
Currently this script is only supported for Asus Routers with IPSet v6 (AC56U and later)
 
I tried to install the script on an AC66U but am getting the error mentioned below; the router has IPSet v4.
Please can you help me with this issue. TIA!

As skeal mentioned, unfortunately the kernel is too old on MIPS routers to support the version of IPSet required for this script. Sorry about that.
 
That's just the nature of the modern internet: bots constantly probing for other vulnerable devices to infect. 30k+ probes every week or two is definitely not out of the ordinary.

Just run the install command again, it will save all your current data and just change the boot args.

Ok, thank you for pointing that out. Just for info: what exactly does the autoban feature do? I use the banmalware lists, but that's different from the autoban feature, right?
 
Ok, thank you for pointing that out. Just for info: what exactly does the autoban feature do? I use the banmalware lists, but that's different from the autoban feature, right?

Autobanning basically modifies the router's SPI firewall functionality so that rather than dropping "invalid" packets, their sources become dynamically blacklisted by Skynet. The banmalware feature blocks IPs based off a predetermined list.
 
While IPv6 support is definitely possible and I've considered it in the past, I'm not sure if it would be as effective as its IPv4 counterpart.

One of the huge factors is that IPv4 addresses are limited and currently almost exhausted, whereas there are 340 undecillion possible IPv6 addresses. So you can imagine that any malicious host would be able to change IP quite easily if it became blacklisted somewhere, effectively defeating the purpose. There's also the fact that IPv6 still has a very low adoption rate with ISPs and websites; I personally wouldn't even be able to test it myself for this reason.

Thank you for the detailed response, good to know.

My ISP happens to be one that has been using IPv6 for about 2 years now.

Am I able to install Skynet while keeping IPv6 on?
 
Thank you for the detailed response, good to know.

My ISP happens to be one that has been using IPv6 for about 2 years now.

Am I able to install Skynet while keeping IPv6 on?

Yes, Skynet won't interfere with any IPv6 traffic, so you should be fine.
 
Skynet is blocking the Google Play Store and I installed it with debug.

I had to whitelist 220.122.1.0/24 and it is working so far. Also, I am finding many other applications and websites not working well anymore. Does this autoban anything it doesn't recognize?
 
