
Skynet - Router Firewall & Security Enhancements


All three features should work fine with each other.

Thank you very much, Adamm! It is really great to know that they can work with each other.

P/S: Take care my friend, and best wishes to you.
 
Hey @Adamm is there a way to look through the outgoing blocked traffic? I had a look through your instructions in post #1 and can't seem to find anything relevant. Ideally I would like to watch the blocks as they happen. This sounds like a watch command in post #1 but I'm not sure. I want to watch a specific ip on my network at home and its outgoing blocks. Thanks again for your script and support it's fantastic!
 
I finally have internet again (talk about a long 4 days :p)

I've pushed v5.7.8 which as stated in my previous post adds the ability to view purged reports via the new command;

Code:
sh /jffs/scripts/firewall stats search reports

Much like other search commands, you can add a number after this command to change the TopX output to a number you desire.
 
Hey @Adamm is there a way to look through the outgoing blocked traffic? I had a look through your instructions in post #1 and can't seem to find anything relevant. Ideally I would like to watch the blocks as they happen. This sounds like a watch command in post #1 but I'm not sure. I want to watch a specific ip on my network at home and its outgoing blocks. Thanks again for your script and support it's fantastic!

The watch command would be the one you are looking for, anything in yellow are inbound connections, red are outbound. I'll look into customising this more in future updates.
 
I just wanted to say thanks for Skynet. I have been using this for a couple of months and it has been great. Seeing continuous updates is also fantastic.

Adamm, your work is appreciated.
 
The watch command would be the one you are looking for, anything in yellow are inbound connections, red are outbound. I'll look into customising this more in future updates.

@Adamm, would it be possible to add a filter to the watch command? I mean a grep style search string. Many times I need to monitor a specific port, protocol or IP, and that would work perfectly by filtering the output to only entries of interest.
 
The watch command would be the one you are looking for, anything in yellow are inbound connections, red are outbound. I'll look into customising this more in future updates.

To enable "watch" do I need to enable debug mode first @Adamm ?
 
To enable "watch" do I need to enable debug mode first @Adamm ?

Yes, the "watch" feature is just a filtered version of the syslog output.
 
Yes, the "watch" feature is just a filtered version of the syslog output.

This may be a dumb question but the debug and watch logs are sent to system logs or are they saved somewhere else?
 
This may be a dumb question but the debug and watch logs are sent to system logs or are they saved somewhere else?

It's just a filtered version of the syslog output, the resulting logs are handled the same as others.
 
@Adamm, would it be possible to add a filter to the watch command? I mean a grep style search string. Many times I need to monitor a specific port, protocol or IP, and that would work perfectly by filtering the output to only entries of interest.

I've made a start on this in v5.7.9, you can now filter logs from a specific IP or port. The functionality is quite basic for now, I will look to improve on it in future when I get some free time. Currently catching up on 4 days of no internet :p

Code:
sh /jffs/scripts/firewall debug watch ip xxx.xxx.xxx.xxx

sh /jffs/scripts/firewall debug watch port xxxxx
 
I've made a start on this in v5.7.9, you can now filter logs from a specific IP or port. The functionality is quite basic for now, I will look to improve on it in future when I get some free time. Currently catching up on 4 days of no internet :p

Code:
sh /jffs/scripts/firewall debug watch ip xxx.xxx.xxx.xxx

sh /jffs/scripts/firewall debug watch port xxxxx

Just tried this out @Adamm this is freaking awesome! Just what I need right now!! :D
 
I've made a start on this in v5.7.9, you can now filter logs from a specific IP or port. The functionality is quite basic for now, I will look to improve on it in future when I get some free time. Currently catching up on 4 days of no internet :p

Code:
sh /jffs/scripts/firewall debug watch ip xxx.xxx.xxx.xxx

sh /jffs/scripts/firewall debug watch port xxxxx

Thanks @Adamm!
 
Is it normal for skynet.log not to have been modified for over 24 hours and only have one autoban?
Feb 14 05:09:39 kernel: [BLOCKED - NEW BAN] IN=ppp0 OUT= MAC= SRC=61.164.174.77 DST=46.31.204.25 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=6348 DF PROTO=TCP SPT=40001 DPT=9817 SEQ=1291565674 ACK=757058585 WINDOW=0 RES=0x00 ACK SYN URGP=0 MARK=0x8000000


Router Model; RT-AC86U
Skynet Version; v5.7.7 (09/02/2018)
iptables v1.4.15 - (ppp0 @ 192.168.0.1)
ipset v6.32, protocol version: 6
FW Version; 384.3_beta2 (Feb 8 2018) (4.1.27)
Install Dir; /tmp/mnt/SSD/skynet (51.7G / 55.0G Space Available)
SWAP File; /tmp/mnt/SSD/myswap.swp (512.5M)
Boot Args; /jffs/scripts/firewall start banmalware usb=/tmp/mnt/SSD

117653 IPs / 1969 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1786 Inbound / 1873 Outbound Connections Blocked!
 
Is it normal for skynet.log not to have been modified for over 24 hours and only have one autoban?

Without debug mode that's pretty normal (minus the new changes as of a few hours ago where reports get purged)
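
The IP and port filtering discussed above for `debug watch`, as an added shell example that is not part of any post in this thread and is not Skynet's own code. `blocked_filter`, `sample_log` and the `src` mode are hypothetical names; the filter relies only on the `[BLOCKED` prefix and the `SRC=`/`DST=`/`SPT=`/`DPT=` fields visible in the log line quoted above.

```shell
#!/bin/sh
# Added example, not Skynet's code. Reads kernel log lines on stdin and prints
# only "[BLOCKED" entries whose address/port field matches exactly.
#   blocked_filter ip   <addr>   SRC or DST equals <addr>
#   blocked_filter src  <addr>   SRC equals <addr> (blocks for traffic sent by one host)
#   blocked_filter port <num>    SPT or DPT equals <num>
blocked_filter() {
    awk -v mode="$1" -v want="$2" '
    index($0, "[BLOCKED") == 0 { next }   # skip everything that is not a block entry
    {
        src = dst = spt = dpt = ""
        for (i = 1; i <= NF; i++) {       # pull the key=value fields out of the line
            if      ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # Whole-field comparison: 192.168.1.5 must not match 192.168.1.50,
        # and port 443 must not match 4430 or an ID=/SEQ= value.
        if      (mode == "ip"   && (src == want || dst == want)) print
        else if (mode == "src"  && src == want)                  print
        else if (mode == "port" && (spt == want || dpt == want)) print
    }'
}

# Sample input: line 1 is the entry quoted in this thread; lines 2-4 are constructed.
sample_log() {
    cat <<'EOF'
Feb 14 05:09:39 kernel: [BLOCKED - NEW BAN] IN=ppp0 OUT= MAC= SRC=61.164.174.77 DST=46.31.204.25 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=6348 DF PROTO=TCP SPT=40001 DPT=9817 SEQ=1291565674 ACK=757058585 WINDOW=0 RES=0x00 ACK SYN URGP=0 MARK=0x8000000
Feb 16 10:00:01 kernel: [BLOCKED - NEW BAN] IN=br0 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.9 LEN=60 ID=443 PROTO=TCP SPT=51000 DPT=443
Feb 16 10:00:02 kernel: [BLOCKED - NEW BAN] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 LEN=60 ID=7 PROTO=TCP SPT=51001 DPT=4430
Feb 16 10:00:03 kernel: DROP IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.1 LEN=328 PROTO=UDP SPT=68 DPT=67
EOF
}

# Demo: blocked entries sent by one LAN host (prints the 10:00:02 line only).
sample_log | blocked_filter src 192.168.1.50
```

On the router the function can be fed live syslog output instead of `sample_log`; as noted in the thread, debug mode has to be enabled for these entries to be logged.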
 
I just got an ASUS 86U router today. I installed the latest alpha firmware 384.4_alpha1-gc4fc92d and got an error while installing Skynet.

[r] --> Reload Menu
[e] --> Exit Menu

[1-14]: 3

Select Option:
[1] --> Update
[2] --> Change Filter List
[3] --> Reset Filter List

[1-3]: 1

Downloading filter.list [0s]
Refreshing Whitelists [1s]
Consolidating Blacklist /usr/sbin/curl: error while loading shared libraries: libc.so.6: failed to map segment from shared object
[9s]
Saving Changes [0s]
Removing Previous Malware Bans [0s]
Filtering IPv4 Addresses [1s]
Filtering IPv4 Ranges [0s]
Applying Blacklists [2s]

For False Positive Website Bans Use; ( sh /jffs/scripts/firewall whitelist domain URL )


I also had to manually force a Banmalware update for it to load anything..... Before and after...

Router Model; RT-AC86U
Skynet Version; v5.7.9 (16/02/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.4_alpha1-gc4fc92d (Feb 15 2018) (4.1.27)
Install Dir; /tmp/mnt/ASUS86U/skynet (14.6G / 14.6G Space Available)
du: /tmp/mnt/ASUS86U/myswap.swp: No such file or directory
SWAP File; /tmp/mnt/ASUS86U/myswap.swp ()
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/ASUS86U

0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked!

Select Menu Option:
[1] --> Unban
[2] --> Ban
[3] --> Banmalware
[4] --> Whitelist
[5] --> Import IP List
[6] --> Deport IP List
[7] --> Save
[8] --> Restart Skynet
[9] --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Debug Options
[12] --> Stats
[13] --> Install Skynet / Change Boot Options
[14] --> Uninstall

[r] --> Reload Menu
[e] --> Exit Menu

[1-14]: 3


After the force reload.......

Router Model; RT-AC86U
Skynet Version; v5.7.9 (16/02/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.4_alpha1-gc4fc92d (Feb 15 2018) (4.1.27)
Install Dir; /tmp/mnt/ASUS86U/skynet (14.6G / 14.6G Space Available)
du: /tmp/mnt/ASUS86U/myswap.swp: No such file or directory
SWAP File; /tmp/mnt/ASUS86U/myswap.swp ()
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/ASUS86U

115202 IPs / 1980 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 11 Inbound / 21 Outbound Connections Blocked!
 
/usr/sbin/curl: error while loading shared libraries: libc.so.6: failed to map segment from shared object

Can't say I've ever seen the error before, seems more like a firmware thing. Was this just a one time occurrence or can it be reproduced? @RMerlin
 
No idea. But considering this is a very, very early alpha build, it's not something that is worth wasting time on at this point in development. Those firmware images got about 5 minutes of test time tops - I only made sure they booted, and that there were no critical errors in the log.
 
Can't say I've ever seen the error before, seems more like a firmware thing. Was this just a one time occurrence or can it be reproduced? @RMerlin

I can't duplicate the curl error message. I have tried about 10 installations to duplicate the error. Which is weird because the shared library error should be reproducible. I still have to force the Banmalware update to get any IP address and then blocking.

It's the test firmware that Merlin posted. I thought to mention the error for the install of Skynet here.
 
Hello, Skynet is somehow blocking steam.
What do I have to whitelist to use steam?
 
