Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Chain PREROUTING (policy ACCEPT 103K packets, 26M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      233 12276 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Whitelist dst match-set Skynet dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
2      233 12276 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Whitelist dst match-set Skynet dst
3        0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Whitelist src match-set Skynet src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
4        0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Whitelist src match-set Skynet src

Chain OUTPUT (policy ACCEPT 61566 packets, 29M bytes)
num   pkts bytes target     prot opt in     out     source               destination

and

Router Model; RT-AC86U
Skynet Version; v5.7.6 (07/02/2018)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
FW Version; 384.3_beta2 (Feb 8 2018) (4.1.27)
Install Dir; /tmp/mnt/ASUS/skynet (2.3G / 2.6G Space Available)
SWAP File; -a (1.5K
512
512
512
14.0K
512
23.5K
512
512
512
512
2.5K
95.0K
140.5K)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/ASUS
No Lock File Found

Checking Install Directory Write Permissions...         [Passed]
Checking Firewall-Start Entry...                        [Passed]
Checking Services-Stop Entry...                         [Passed]
Checking CronJobs...                                    [Passed]
Checking IPSet Comment Support...                       [Passed]
Checking Log Level 5 Settings...                        [Passed]
Checking Autobanning Status...                          [Passed]
Checking Debug Mode Status...                           [Passed]
Checking For Duplicate Rules In RAW...                  [Passed]
Checking For Duplicate Rules In Filter...               [Passed]
Checking Skynet IPTable...                              [Passed]
Checking Whitelist IPSet...                             [Passed]
Checking BlockedRanges IPSet...                         [Passed]
Checking Blacklist IPSet...                             [Passed]
Checking Skynet IPSet...                                [Passed]
Checking For AB-Solution Plus Content...                [Passed]

Skynet: [Complete] 55080 IPs / 787 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 233 Outbound Connections Blocked! [1s]

Everything is working fine on your setup as you can tell by the 233 outbound blocks. Do note every time you run a Skynet command including reloading the menu the syslog will be purged into Skynets own log file to reduce spam (/tmp/mnt/ASUS/skynet/skynet.log), this also happens on an hourly cronjob. You can view stats on what has been blocked via the stat command.

Also another unrelated issue, can you post the contents of your post-mount file. It seems you have it formatted in a way Skynet doesn't recognise.

cat /jffs/scripts/post-mount

 

[Zentachi]

Everything is working fine on your setup as you can tell by the 233 outbound blocks. Do note every time you run a Skynet command including reloading the menu the syslog will be purged into Skynets own log file to reduce spam (/tmp/mnt/ASUS/skynet/skynet.log), this also happens on an hourly cronjob. You can view stats on what has been blocked via the stat command.

Also another unrelated issue, can you post the contents of your post-mount file. It seems you have it formatted in a way Skynet doesn't recognise.

cat /jffs/scripts/post-mount

Even in the skynet.log file I can only see blocked events and not dropped ones. I am aware of the hourly cronjob and it is very useful.
Do you think that might be something wrong with the firmware? As soon as I disable skynet the drop events are coming to syslog.

Here is my post-mount

#!/bin/sh

if [ "$1" = "/tmp/mnt/ASUS" ] ; then
  ln -nsf $1/entware /tmp/opt
fi

# DO NOT EDIT this part of the file #
# generated by AB-Solution 3.11
if [ -d "/tmp/mnt/ASUS" ];then
    service restart_dnsmasq
    logger "AB-Solution added entries via $0"
    cp -f /jffs/.ash_history /root/.ash_history
    ln -s /tmp/mnt/ASUS/ab-solution.sh /root/ab-solution.sh
fi
swapon -a
# end of DO NOT EDIT #

I added the "swapon -a" as I read in a previous post that skynet in order to determine the swap file is looking for the swapon command.
I use a SWAP Partition which I automount in fstab.

EDIT: Maybe I should change the "-a" to the actual point. However, I am not sure what /dev/ sdX will it be mounted and I cannot use the UUID with swapon in here.

 

[Adamm]

Even in the skynet.log file I can only see blocked events and not dropped ones. I am aware of the hourly cronjob and it is very useful.
Do you think that might be something wrong with the firmware? As soon as I disable skynet the drop events are coming to syslog.

They are the same thing, Skynet hijacks this functionality and modifies it to its own needs (renaming the output in the process).

I added the "swapon -a" as I read in a previous post that skynet in order to determine SWAP file is looking for the swapon command.
I mount my SWAP Partition in fstab.

I personally recommend using swap files vs swap partitions, otherwise you are going to run into compatibility with Skynet and other scripts trying to detect it.

 

[Zentachi]

They are the same thing, Skynet hijacks this functionality and modifies it to its own needs (renaming the output in the process).

All right fair. Even though I would still like to see the drop'd even under the blocked name. It seems however that there is no entry at all at the skynet file for the specific ips.

I personally recommend using swap files vs swap partitions, otherwise you are going to run into compatibility with Skynet and other scripts trying to detect it.

So even if I point out at the partition mount point, I might come across problems?
If thats the case, then I guess I will convert the swap partition to an ext2 and create a swap file to use.

 

[Adamm]

All right fair. Even though I would still like to see the drop'd even under the blocked name. It seems however that there is no entry at all at the skynet file for the specific ips.

Not sure I exactly understand what your implying, mind rephrasing. Rest assured Skynet is working as expected and all your logs should be in the log file from blocked/dropped packets.

So even if I point out at the partition mount point, I might come across problems?
If thats the case, then I guess I will convert the swap partition to an ext2 and create a swap file to use.

At the moment while the scripts will utilise them like any process, they wont internally recognise them and will have issues with certain features like displaying details of said swap partition. While adding support for swap partitions is possible, I can't say its high on the priority list right now as swap files work perfectly fine and honestly are much more convenient.

 

[Zentachi]

Not sure I exactly understand what your implying, mind rephrasing. Rest assured Skynet is working as expected and all your logs should be in the log file from blocked/dropped packets.

Sorry for that.
When Skynet is disabled then I get

kernel: DROP IN=br0 OUT=eth0 MAC=b0:6e:bf:63:d0:60:28:ad:3e:03:3b:8b:08:00 SRC=192.168.2.50 DST=50.16.197.146

When Skynet is on, I checked into the skynet.log file and I was expecting to maybe see the above source ip (ie 192.168.2.50), at least as [BLOCKED - OUTBOUND]. But there isn't anything.
Thanks for your patience

At the moment while the scripts will utilise them like any process, they wont internally recognise them and will have issues with certain features like displaying details of said swap partition. While adding support for swap partitions is possible, I can't say its high on the priority list right now as swap files work perfectly fine and honestly are much more convenient.

No need to add support for Swap partition. Definitely there are better things to improve/enhance.

 

[Adamm]

Sorry for that.
When Skynet is disabled then I get

kernel: DROP IN=br0 OUT=eth0 MAC=b0:6e:bf:63:d0:60:28:ad:3e:03:3b:8b:08:00 SRC=192.168.2.50 DST=50.16.197.146

When Skynet is on, I checked into the skynet.log file and I was expecting to maybe see the above source ip (ie 192.168.2.50), at least as [BLOCKED - OUTBOUND]. But there isn't anything.
Thanks for your patience

That IP for example belongs to Amazon's IP Range which is whitelisted by Skynet by default as its a legitimate provider. Rest assured Skynet is blocking IP's listed on its blacklist and dropping invalid packets from the SPI firewall (some silently if they don't yet meet the autoban requirement), you can test this yourself by blocking a website via the GUI then watching the logs when you try visit it.

 

[DonnyJohnny]

A question,
If packet is invalid from ip abcd. I whitelist abcd.
What happen? Will abcd hit me?

 

[Adamm]

A question,
If packet is invalid from ip abcd. I whitelist abcd.
What happen? Will abcd hit me?

All whitelisted IP's are accepted and bypass Skynet iptables rules.

 

[Zentachi]

That IP for example belongs to Amazon's IP Range which is whitelisted by Skynet by default as its a legitimate provider. Rest assured Skynet is blocking IP's listed on its blacklist and dropping invalid packets from the SPI firewall (some silently if they don't yet meet the autoban requirement), you can test this yourself by blocking a website via the GUI then watching the logs when you try visit it.

I have no worries about skynet! I love it and already have blacklisted/whitelisted few domains.

I was just curious why I cannot see the ip's of my ipcams being blocked/dropped. As you said some are dropped silently and I suppose this is the case here.

Thanks for your great work Adamm on skynet. A very useful tool.

PS: I have converted my swap partition to a swap file as you advised. So far so good.

 

[Quoc Huynh]

Hi Adamm,

Thank you very much for your wonderful script. I have installed it on my RT-AC68U with Merlin firmware 384.3 beta 2 and it actually blocks a large numbers of IPs, which has never happened before with AiProtection. To be honest, I feel a lot safer when having Skynet on my side. However, may I have a question:

As I am using AiProtection with the three options enable, together with NordVPN setting up on my router, is it possible for me to have all three all of them? Do I need to do anything to avoid any possible duplicate blocking or compatible issues?

Thank you again, Adamm!

 

[skeal]

I have an unususal problem of dissappearing logs. Each day when I wake up and look at the last nights logs I am missing all kinds of skynet entries (the hourly ones) from the last night and hours before. For instance I have in my logs the last 5 entries by skynet and then before that the hourly logs have been removed somehow. They are conspicuous by there absence.

 

[Adamm]

I have no worries about skynet! I love it and already have blacklisted/whitelisted few domains.

I was just curious why I cannot see the ip's of my ipcams being blocked/dropped. As you said some are dropped silently and I suppose this is the case here.

Thanks for your great work Adamm on skynet. A very useful tool.

PS: I have converted my swap partition to a swap file as you advised. So far so good.

Skynet whitelistes local devices by default so using it to block in your example an ipcam is not possible with Skynet alone. You would need to use independent iptables rules to achieve this, a quick search on this forum should direct you to the answers you are looking for.

Hi Adamm,

Thank you very much for your wonderful script. I have installed it on my RT-AC68U with Merlin firmware 384.3 beta 2 and it actually blocks a large numbers of IPs, which has never happened before with AiProtection. To be honest, I feel a lot safer when having Skynet on my side. However, may I have a question:

As I am using AiProtection with the three options enable, together with NordVPN setting up on my router, is it possible for me to have all three all of them? Do I need to do anything to avoid any possible duplicate blocking or compatible issues?

Thank you again, Adamm!

View attachment 11963

All three features should work fine with each other.

 

[Adamm]

I have an unususal problem of dissappearing logs. Each day when I wake up and look at the last nights logs I am missing all kinds of skynet entries (the hourly ones) from the last night and hours before. For instance I have in my logs the last 5 entries by skynet and then before that the hourly logs have been removed somehow. They are conspicuous by there absence.

Skynet now purges it’s logs every time the entries hit 24 in total as on systems with high uptime this can get quite spammy and hog the syslog so to speak. I can see how this would be an issue if they get cleared at an obscure hour, I will look to increase this to 48 or so in a future update when my internet is running again. (There was an arson attack on my apartment building which damaged the fibre service, argh!)

 

[thelonelycoder]

(There was an arson attack on my apartment building which damaged the fibre service, argh!)

There's a script floating around here somewhere that acts as a firewall, you should look it up and install it. Might help next time

 

[skeal]

Skynet now purges it’s logs every time the entries hit 24 in total as on systems with high uptime this can get quite spammy and hog the syslog so to speak. I can see how this would be an issue if they get cleared at an obscure hour, I will look to increase this to 48 or so in a future update when my internet is running again. (There was an arson attack on my apartment building which damaged the fibre service, argh!)

Attacked really!! Take care my friend, keep your head up!!

 

[skeal]

Skynet now purges it’s logs every time the entries hit 24 in total as on systems with high uptime this can get quite spammy and hog the syslog so to speak. I can see how this would be an issue if they get cleared at an obscure hour, I will look to increase this to 48 or so in a future update when my internet is running again. (There was an arson attack on my apartment building which damaged the fibre service, argh!)

Thanks for the explanation bud. You rock!

 

[Butterfly Bones]

Skynet now purges it’s logs every time the entries hit 24 in total as on systems with high uptime this can get quite spammy and hog the syslog so to speak. I can see how this would be an issue if they get cleared at an obscure hour, I will look to increase this to 48 or so in a future update when my internet is running again. (There was an arson attack on my apartment building which damaged the fibre service, argh!)

Any chance to make the purge optional. i.e., turn it on or off? I understand why some want the "spam" reduction, however, I have the same issue as @skeal and miss being able to look back 24-48 hours to see Skynet actions.

search, Search, SEARCH first :banghead:
https://www.snbforums.com/threads/s...-manual-ip-blocking.16798/page-99#post-380674

/tmp/mnt/ASUS/skynet/skynet.log

 

[thelonelycoder]

Any chance to make the purge optional. i.e., turn it on or off? I understand why some want the "spam" reduction, however, I have the same issue as @skeal and miss being able to look back 24-48 hours to see Skynet actions.

Maybe they could also be logged to a separate logfile. I really prefer the cleaned up syslog now. Less spam...

 

[Adamm]

Any chance to make the purge optional. i.e., turn it on or off? I understand why some want the "spam" reduction, however, I have the same issue as @skeal and miss being able to look back 24-48 hours to see Skynet actions.

search, Search, SEARCH first :banghead:
https://www.snbforums.com/threads/s...-manual-ip-blocking.16798/page-99#post-380674

/tmp/mnt/ASUS/skynet/skynet.log

Maybe they could also be logged to a separate logfile. I really prefer the cleaned up syslog now. Less spam...

The next update will copy the “reports” to the Skynet log file before purging the syslog, and in doing so display them via a new command in the stats function so they can be looked up in future. Think that should keep everyone happy