Skynet Skynet installed and running, but there is a BUT

[grahamgo]

I have recently installed Skynet. After a few days of running Skynet, I could see a lot of unwanted hits originating from Bulgaria. So I decided to Country block Bulgaria (BG) and see what happens. Well, the number of hits from Bulgaria continues to increase, even though I thought that blocking that country would do just that and the hits would freeze at the. Question1:- Is this a normal?

See the screenshots. On my Asus (skynet2.jpg) I do not see any country information. Yet, I found another thread from another user that does show the country information (skynet.jpg).

Question2:- How can I get my Skynet instance to show country codes?

Question3:- Just curious, can the Stats be reset to zero?

 

[Tech9]

You mostly got visibility on what was blocked by the firewall, with or without Skynet on top. You are not under attack and careful with blocking EU countries - large Internet hubs and data centers there serving various Internet core services. You may hurt yourself as usually happens with IP-blockers. Skynet is a great tool, but only if you need it, know how to use it and have the ability to troubleshoot eventual issues with community blocklists it relies on.

 

[Adamm]

Question1:- Is this a normal?

Skynet will still count knocks at the door.

See the screenshots. On my Asus (skynet2.jpg) I do not see any country information. Yet, I found another thread from another user that does show the country information (skynet.jpg).

If we look at the readme....

• firewall settings lookupcountry enable|disable: Enable/disable country lookup for stat data.

Question3:- Just curious, can the Stats be reset to zero?

If we look further down on that same readme..

• firewall stats reset: Reset all collected logs.

 

[grahamgo]

Thank you very much for the details. I installed skynet using amtm so never saw the readme. But I have found the readme that you mentioned. here :- https://github.com/Adamm00/IPSet_ASUS

I used firewall settings lookupcountry enable, and it confirmed Country Lookups For Stat Data Enabled (however, so far I am not seeing any country in the Asus/SkyNet UI - maybe this takes a while to start working?)

I also tried firewall stats reset. - works.

Subsequently found that both commands are available using amtm skynet menu's 13-4 firewall stats reset and 11-13-1 country lookup for stats

I initially installed Diversion (which is working great) Later, I found Skynet, but honestly I am in two minds whether I need to use it, or not. I keep finding conflicting advice / reviews. But it seems to be working fine using the default installation settings.

Aah, Adamm. The SkyNet originator. I have just realized who replied. As a Newby. May I mention something? I struggled for 3-4 days and did multiple installations trying to get SkyNet working. I finally succeeded when I found a thread that said that the Asus log has to be set as notice+debug. A small thing that wasn't mentioned anywhere. As mentioned, I also was not aware of the Readme. Perhaps in the amtm menu option you could add a "Help" menu choice. With at least the two things that I mentioned. I hope that you don't mind me mentioning the above, I got Really frustrated at one point

Thanks again

 

[Tech9]

but honestly I am in two minds whether I need to use it

It's an IP-blocker useful when you have services open to Internet (not guaranteed to protect you with slow update community blocklists) or when you want to restrict your own access to specific known IPs (like an entire region, but IP lease is happening and also not guaranteed). Otherwise the built-in firewall blocks all unsolicited inbound connections by default (simply put something you didn't ask for). You can run it like many folks do, but you have to learn how to troubleshoot it yourself. The script itself is doing exactly what it says, but the community blocklists sometimes contain errors and your router may be blocking things you don't want blocked. It happened in the past few times with public DNS servers, Microsoft, Facebook, GitHub, etc.

 

[Adamm]

It's an IP-blocker useful when you have services open to Internet (not guaranteed to protect you with slow update community blocklists) or when you want to restrict your own access to specific known IPs (like an entire region, but IP lease is happening and also not guaranteed). Otherwise the built-in firewall blocks all unsolicited inbound connections by default (simply put something you didn't ask for). You can run it like many folks do, but you have to learn how to troubleshoot it yourself. The script itself is doing exactly what it says, but the community blocklists sometimes contain errors and your router may be blocking things you don't want blocked. It happened in the past few times with public DNS servers, Microsoft, Facebook, GitHub, etc.

I manage 4 locations with Skynet installed and don’t have to whitelist anything, most of the stock lists are well maintained.

Think of Skynet as part of a swiss cheese approach to security. It may not block everything but it gives you very broad coverage for all your connected devices and puts you in a much better position security wise. Not only that but with recent benchmarking I’ve been able to personally confirm Skynet can run on a gigabit connection and have no measurable impact on performance.

Where’s the downside

 

[Tech9]

swiss cheese approach

The downside I see is blocklists visible and updated relative rarely for effective security enhancement. Most attacks originate from IPs used for this purpose alone and under 1h time they are gone. There was a study done recently on the subject. Swiss cheese approach is correct, but only with smaller holes and without navigation map on the wall.

My personal "issue" with IP-blockers is taking credit of actions done by the firewall anyway and creating an impression if doing something very important, but in fact may be doing nothing at all. Users without good understanding what is happening and what they actually see in logs get trapped in endless monitoring and blocking even more things circle.

 

[Tech9]

Where’s the downside

You don't give hammers to kids.

Seriously, your script is an excellent tool. I'm against the practice of running it just because someone else is running it.

 

[DJones]

You don't give hammers to kids.

Seriously, your script is an excellent tool. I'm against the practice of running it just because someone else is running it.

TL;DR:
I understand your stance. You assume the person you’re handing the pencil to is illiterate when circling multi choice questions. If phrased in another way; this means you’ll remove the cd-rom drive so the client doesn’t use it as a cup holder.




I understand that this approach keeps mistakes from happening, and technical support to a minimum (for you) and them. Especially considering how most people don’t touch their routers until the internet stops working and there is a problem to fix. In the original poster case he felt frustrated when he couldn’t find documentation or it didn’t work out of the box. A legitimate frustration.

Still I find the don’t break it way of thinking a little much if you umbrella everyone to the same level of technical knowledge. I’ll be quick to admit I don’t have remotely the knowledge or experience you or adamm have, but I’ll break a system a 100 times to correct it myself because it’s a learning experience, and not everyone needs their hands held. But yes when supporting another you need a different perspective.

I’ll agree with you, but still think it needs flexibility. Start simple determine how comfortable, and competent they are and go from there. I’ve works years of technical support, and can tell you I have the most trouble with this. That and particularly organizing my thoughts.

Anyways Adamms tool is pretty great. You’re likely correct in that even a daily update to the community blocklist may not be aggressive enough to find and clean the blocklist when the ip address is no longer malicious. But for me it does give me a tool to better manage and research what my devices maybe doing with the outbound connections (assuming you trust alien-vault’s results). Visually this is nicer then looking at raw firewall logs. Inbound the standard firewall will blanket deny any connections made to your router without a prior outbound knock to its destination.

Still I understand why preemptively blocking something that “might” be useful to the client could cause them problems with connecting to a server. So to avoid the hassle of the what if, and the what if they lack the knowledge to understand how to whitelist, and subsequently remove the whitelist if no longer blocked by a community list; it’s easier to not recommend it.

Btw if I’m wrong about this feel free to correct

Edit: fixed spelling, clarified, added more to essay.

 

[DJones]

@Adamm If Skynet could have a dynamic whitelist that is only active IF the ip address is found within a community blocklist that might be a useful feature instead of it being a static whitelist where if the community list no longer deemed it malicious then it gets stuck whitelisted. My understanding of whitelisting on skynet is the firewall doesn’t block incoming or outgoing period. That ultimately only means the incoming packets from the whitelisted server can only port knock your router because they would require port forwarding to hit anything within NAT on private addresses. Might not be a big deal now that I think about it.

I haven’t looked at the git to know how it works exactly.

 

[Tech9]

I understand that this approach keeps mistakes from happening

What is blocked depends on someone else's mistakes or even opinion. Example:

Skynet - Why does Skynet ban perfectly legit websites

2 examples are https://www.vidiemmixer.com/ https://incrediwear.com/ I have the newest version and these are just 2 examples, some other sites don't load

www.snbforums.com

 

[grahamgo]

I manage 4 locations with Skynet installed and don’t have to whitelist anything, most of the stock lists are well maintained.

Think of Skynet as part of a swiss cheese approach to security. It may not block everything but it gives you very broad coverage for all your connected devices and puts you in a much better position security wise. Not only that but with recent benchmarking I’ve been able to personally confirm Skynet can run on a gigabit connection and have no measurable impact on performance.

Where’s the downside

Thanks to all for the info. I do not have the technical ability or indeed desire to deviate from the Skynet defaults. Right now, the home system works great and using Skynet and Diversion plus the Asus's own Aiprotection, firewall etc makes me feel secure.

One side note is that despite Skynet [13] --> Stats Country Lookup | [Enabled] I am still not seeing any country information in the Asus UI last 10 connections blocked. Even after 24 hours of running. It's not really an issue. But wonder why it's not working.

 

[DJones]

What is blocked depends on someone else's mistakes or even opinion. Example:

Skynet - Why does Skynet ban perfectly legit websites

2 examples are https://www.vidiemmixer.com/ https://incrediwear.com/ I have the newest version and these are just 2 examples, some other sites don't load

www.snbforums.com

I will agree to that. False flags are a thing.

 

[grahamgo]

I will agree to that. False flags are a thing.

amtm 4.8 FW by thelonelycoder
ASUS RT-AX88U HW: aarch64 Kernel: 4.1.51
FW: 3004.388.7 IP address: 192.168.1.1
Operation Mode: Wireless router
Tue Jun 18 20:31:22 DST 2024

amtm - the Asuswrt-Merlin Terminal Menu

/mnt/16GB-amtm Size 14.8G Used 2.2G (16%)

1 open Diversion 5.1.3
2 open Skynet 7.5.9

Also running the latest (I think), default settings. Both of those sites mentioned do open fine for me.

 

[DJones]

Thanks to all for the info. I do not have the technical ability or indeed desire to deviate from the Skynet defaults. Right now, the home system works great and using Skynet and Diversion plus the Asus's own Aiprotection, firewall etc makes me feel secure.

One side note is that despite Skynet [13] --> Stats Country Lookup | [Enabled] I am still not seeing any country information in the Asus UI last 10 connections blocked. Even after 24 hours of running. It's not really an issue. But wonder why it's not working.

Are there any errors with the ip tables loading located under ssh -> amtm -> 2 for skynet. It should show ip tables ready or failed or it’s waiting.

[yes I block a lot; it’s just me I have no issues]

 

[grahamgo]

Are there any errors with the ip tables loading located under ssh -> amtm -> 2 for skynet. It should show ip tables ready or failed or it’s waiting.

View attachment 59560
View attachment 59561
View attachment 59562
[yes I block a lot; it’s just me I have no issues]

Hi, well I just added three countries

 

[grahamgo]

Hi, I never see those three lines Cron Jobs, IPSets, IPTables, the Skynet main screen always looks similar to your attachment 59562.

I added three countries ru cn in and it appeared to perform that task.

Removing Previous Country Bans (cn)
Banning Known IP Ranges For (ru cn in)
Downloading Lists

However, I then tried 3 (Malware Blacklist), 1 (Update) and I do get an error

Downloading filter.list | [15s]
Refreshing Whitelists | [166s]
Consolidating Blacklist | curl: (2) no URL specified
curl: try 'curl --help' for more information
[0s]
[*] List Content Error Detected - Stopping Banmalware

I have not tried to find out what this means. I was just stressing Skynet. I have now removed the Banned countries

 

[DJones]

Hi, I never see those three lines Cron Jobs, IPSets, IPTables, the Skynet main screen always looks similar to your attachment 59562.

I added three countries ru cn in and it appeared to perform that task.

Removing Previous Country Bans (cn)
Banning Known IP Ranges For (ru cn in)
Downloading Lists

However, I then tried 3 (Malware Blacklist), 1 (Update) and I do get an error

Downloading filter.list | [15s]
Refreshing Whitelists | [166s]
Consolidating Blacklist | curl: (2) no URL specified
curl: try 'curl --help' for more information
[0s]
[*] List Content Error Detected - Stopping Banmalware

I have not tried to find out what this means. I was just stressing Skynet. I have now removed the Banned countries

Maybe try a custom malware block list. https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list This one is maintained by @Viktor Jaep a member on this forum.

Disclaimer this is a block list not a whitelist if you have issue with this block list which contains many community block lists then you might need to manually whitelist a domain if you have trouble connecting to any particular server. If your already using a custom malware block list in skynet it's possible that one of the lists contains a error and would need to be removed for it to work. Note your putting someone else in control of your block list when you use a community block list so keep that in mind, false flags could happen.