Skynet Skynet - Router Firewall & Security Enhancements

[Hello World]

I manually resolved all the IP's from the list provided and found one conflicting IP which has since been removed from the telemetry filter (134.170.179.87). Upon updating banmalware on your end this should be unbanned, let me know if you are still having further issues.

Thanks Adamm. So far so good. However, URL's can change IP's (as I'm sure Microsoft will do). I updated the banmalware on my end, but I see this entry "For False Positive Website Bans Use; ( sh /jffs/scripts/firewall whitelist domain URL ) Isn't An Option! Isn't An Option! Isn't An Option!" So does this mean we can NOT whitelist a URL, or am I reading that wrong? Thanks

 

[Adamm]

Thanks Adamm. So far so good. However, URL's can change IP's (as I'm sure Microsoft will do). I updated the banmalware on my end, but I see this entry "For False Positive Website Bans Use; ( sh /jffs/scripts/firewall whitelist domain URL ) Isn't An Option! Isn't An Option! Isn't An Option!" So does this mean we can NOT whitelist a URL, or am I reading that wrong? Thanks

Mind showing me the exact output or way to replicate it, the “isn’t an option” part sounds like a bug from invalid input.

To answer your question though, yes you can whitelist domains with the above command (ignoring the error following it)

 

[juched]

Is it best to leave debug mode always on, so we can figure out why something was blocked? or Autobanned? Or if we do vanilla install, is it still possible to determine why something was blocked (like autoban)?

 

[hervon]

Lately I get this grep error with the latest alpha 2 firmware on my 86U running latest skynet.

128641 IPs / 2495 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 28 Inbound / 40 Outbound Connections Blocked!
grep: /tmp/syslog.log: No such file or directory
[: bad number

Edit : created an empty syslog.log file and the message is gone.

 

[Adamm]

Is it best to leave debug mode always on, so we can figure out why something was blocked? or Autobanned? Or if we do vanilla install, is it still possible to determine why something was blocked (like autoban)?

There is no reason not to keep debug mode on unless you are trying to avoid the potentially spammy output, makes life a lot easier trying to figure out what exactly is banned.

Edit : created an empty syslog.log file and the message is gone.

I can silence this error quite easily but I can't imagine many situations where a syslog.log file wouldn't exist.

 

[Hello World]

Mind showing me the exact output or way to replicate it, the “isn’t an option” part sounds like a bug from invalid input.

To answer your question though, yes you can whitelist domains with the above command (ignoring the error following it)

I tried to replicate but it doesnt. Looks like it's all ok now (I probabaly dis something wrong).
Select Menu Option:
[1] --> Unban
[2] --> Ban
[3] --> Banmalware
[4] --> Whitelist
[5] --> Import IP List
[6] --> Deport IP List
[7] --> Save
[8] --> Restart Skynet
[9] --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Debug Options
[12] --> Stats
[13] --> Install Skynet / Change Boot Options
[14] --> Uninstall

[r] --> Reload Menu
[e] --> Exit Menu

[1-14]: 3

Select Option:
[1] --> Update
[2] --> Change Filter List
[3] --> Reset Filter List

[1-3]: 1

Downloading filter.list [1s]
Refreshing Whitelists [3s]
Consolidating Blacklist [12s]
Saving Changes [6s]
Removing Previous Malware Bans [1s]
Filtering IPv4 Addresses [4s]
Filtering IPv4 Ranges [0s]
Applying Blacklists [9s]

For False Positive Website Bans Use; ( sh /jffs/scripts/firewall whitelist domain URL )

 

[Adamm]

I tried to replicate but it doesnt. Looks like it's all ok now

Yes the output provided is fine.

 

[vibroverbus]

Hey adamm - seems like all is working great, except I'm not getting any debug output. Not in my syslog, nor from /jffs/scripts/firewall debug watch even.

skynet.log shows one [BLOCKED - NEW BAN] entry from 2 days ago, and that's it.

I'm sure I must have something broken w/ my system settings or install... can you point me to any reference for 'debugging the debug' ?

It is a little problematic as I'm having trouble fixing false positives... of which there seem to be a middling amount...

 

[Adamm]

Hey adamm - seems like all is working great, except I'm not getting any debug output. Not in my syslog, nor from /jffs/scripts/firewall debug watch even.

Make sure debug mode is enabled via the installer, if so and still not working provide me with the following output;

sh /jffs/scripts/firewall debug info

 

[skeal]

I've started on this in v5.8.0, there is now a backup and restore command;

sh /jffs/scripts/firewall debug backup

sh /jffs/scripts/firewall debug restore

Backing up will add ipset.txt and skynet.log to a tar file /jffs/Skynet-Backup.tar. While restoring will attempt to locate this file and restore it accordingly.

Are these instructions part of the gui? Can you launch debug mode from the gui or is the install script the only way?

 

[Butterfly Bones]

Are these instructions part of the gui? Can you launch debug mode from the gui or is the install script the only way?

In debug menu - 11 then 6 and 7

Select Menu Option:
[1] --> Unban
[2] --> Ban
[3] --> Banmalware
[4] --> Whitelist
[5] --> Import IP List
[6] --> Deport IP List
[7] --> Save
[8] --> Restart Skynet
[9] --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Debug Options
[12] --> Stats
[13] --> Install Skynet / Change Boot Options
[14] --> Uninstall

[r] --> Reload Menu
[e] --> Exit Menu

[1-14]: 11

Select Debug Option:
[1] --> Temporarily Disable Debug Output
[2] --> Show Debug Entries As They Appear
[3] --> Print Debug Info
[4] --> Cleanup Syslog Entries
[5] --> SWAP File Management
[6] --> Backup Skynet Files
[7] --> Restore Skynet Files

 

[vibroverbus]

Make sure debug mode is enabled via the installer, if so and still not working provide me with the following output;

sh /jffs/scripts/firewall debug info

Did re-install and is all working fine. Must have somehow done something wrong in the last install. Thanks a ton.

 

[vibroverbus]

FYI, had a crash when trying to debug a blocked site today, was in the menu-mode using 'display-search' and crashed on the restart... Ran it again and it ran fine...

./firewall: exec: line 2721: ./firewall: not found
xxxxx@xxxxxxx:/jffs/scripts#

Ran same choice again with absolute path and ran fine, had a quick look and looks like you use $0 to restart the menu... guess I'll keep it to absolute paths in future...

FWIW would be nice if there was a 'read -n1 -r -s -p "Press whatever blah blah"' (or something like that...) after running a 'display' procedure before the menu restarts, to obviate scrolling back up past the restart data dump...

I just picked up on just using CLI for 'stats search ip' and 'stats search malware' , so I'll be using that in future, but still, might be nice for menu-users...

Might add, this was an odd IP debug situation. The IP I searched didn't show up on any malware lists, autoban was turned off at the time, yet it was very definitely being blocked and reported in the log.
I did an "unban" for it first (prior to actually whitelisting), and voila it all worked, so it must have been in the blacklists before... Is the list-source-tracking ever unreliable? Or could it have been on the list say yesterday, then removed, but not purged yet?

Still getting my hands around operation here, but mostly working great.

 

[ml70]

Sorry just can't read all 104 pages... So, can it do a timeout ban for x hours?
The functionality i'm looking for is, get hit on sensitive ports (21-23, 80, 135, 137, 139, 389, 443, 445, 1900, 3268, 3269, 5355, etc) -> ban ip for x hours. And automatically unban after x hours elapsed.

The reason for this is that because of CGNAT, VPN and proxies, there's potentially thousands of people behind any single one ipv4 address. Banning an entire ip, or a whole country, would be pretty harsh, and mostly unproductive.

 

[XIII]

I have 3 routers X, Y, and Z that I’m admin for. X is at home; Y and Z are at the homes of family members.

After a few failed attempts to log in from X to Y using Mosh instead of SSH, SkyNet on Y decided to block X/me... Luckily I could connect from X to Z using OpenVPN and ssh from Z to Y to unblock X...

I have now added X to the whitelist of Y and Z, but the IP of X might change and if I’m on the road I’ll have a random IP.

What (else) can I do to make sure I don’t block myself again?

 

[Adamm]

Ran same choice again with absolute path and ran fine, had a quick look and looks like you use $0 to restart the menu... guess I'll keep it to absolute paths in future...

Mind giving me the exact steps to reproduce this.

FWIW would be nice if there was a 'read -n1 -r -s -p "Press whatever blah blah"' (or something like that...) after running a 'display' procedure before the menu restarts, to obviate scrolling back up past the restart data dump...

I try to keep the script POSIX compliant, in POSIX sh, -n1 -r -s are all undefined flags. If you can explain a-little further what functionality you are looking for I can possibly find another way to implement. What display procedure exactly are you referring to?

Might add, this was an odd IP debug situation. The IP I searched didn't show up on any malware lists, autoban was turned off at the time, yet it was very definitely being blocked and reported in the log.
I did an "unban" for it first (prior to actually whitelisting), and voila it all worked, so it must have been in the blacklists before... Is the list-source-tracking ever unreliable? Or could it have been on the list say yesterday, then removed, but not purged yet?

The "stats search malware" downloads a current copy of the lists and check them for any exact matches or potential CIDR matches. The "stats search ip" command will show you the exact ban reason (if the reason blank that usually indicates it was an autoban as there is no way to pass a comment on from IPTables)

 

[Adamm]

Sorry just can't read all 104 pages... So, can it do a timeout ban for x hours?
The functionality i'm looking for is, get hit on sensitive ports (21-23, 80, 135, 137, 139, 389, 443, 445, 1900, 3268, 3269, 5355, etc) -> ban ip for x hours. And automatically unban after x hours elapsed.

Unfortunately not at this point. You could potentially automate this yourself via a cronjob (run "sh /jffs/scripts/firewall unban autobans" at a specified time every day/week)

 

[Adamm]

I have 3 routers X, Y, and Z that I’m admin for. X is at home; Y and Z are at the homes of family members.

After a few failed attempts to log in from X to Y using Mosh instead of SSH, SkyNet on Y decided to block X/me... Luckily I could connect from X to Z using OpenVPN and ssh from Z to Y to unblock X...

I have now added X to the whitelist of Y and Z, but the IP of X might change and if I’m on the road I’ll have a random IP.

What (else) can I do to make sure I don’t block myself again?

I hijack the built in BFD protection Merlin implemented via IPTables, 4 incorrect login attempts within 60seconds will get you Blacklisted. With a dynamic IP I can't think of many great ideas to keep the other devices updated with your current IP beyond taking a small breather between incorrect login attempts . I suggest using SSH keys though and disabling password authentication all together, its much more secure especially if you expose SSH to WAN.

I'll report back if I think of any ways to keep your current IP updated.

 

[vibroverbus]

Thanks as always for the quick replies Adamm.

Mind giving me the exact steps to reproduce this.

No worries - I see I was 'loose' with my reference of what I was doing... :

#cd /jffs/scripts
#./firewall

Menu choices
12 - Stats
2 - Search
3 - Search Malware lists
IP - (anything but 198.185.159.145 is one I tried...)
1 - 10 results

Error: ./firewall: exec: line 2721: ./firewall: not found

Line 2721 is: if [ -n "$reloadmenu" ]; then echo; echo; exec "$0" noclear; fi

obv the exec environment doesn't get the current directory so it fails...

If you can explain a-little further what functionality you are looking for I can possibly find another way to implement. What display procedure exactly are you referring to?

Sure... as above (which works great if you start it with an absolute path aka /jffs/scripts/firewall...)

Then do any one of the Stats functions.

You'll get a big screen load of results. Which is great. But immediately then it will regen the menu without a pause, which is a long page of text. A more 'standard behaviour' would be if it paused before the menu respawn.

Here is Stats | Display | 10 | All (with the details deleted to keep it shorter...) with a note indicating...

Debug Data Detected in /tmp/mnt/XXXXX/skynet/skynet.log - 640.0K
Monitoring From Feb 23 11:24:14 To Feb 24 18:13:56
2257 Block Events Detected
383 Unique IPs
0 Autobans Issued
0 Manual Bans Issued

Top 10 Targeted Ports (Inbound); (Torrent Clients May Cause Excess Hits In Debug Mode)
LINES 1-10

Top 10 Source Ports (Inbound);
LINES 1-10

Last 10 Unique Connections Blocked (Inbound);
LINES 1-10

Last 10 Unique Connections Blocked (Outbound);
LINES 1-10

Last 10 Autobans;
LINES 1-10

Last 10 Manual Bans;
LINES 1-10

Last 10 Unique HTTP(s) Blocks (Outbound);
LINES 1-10

Top 10 HTTP(s) Blocks (Outbound);
LINES 1-10

Top 10 Blocks (Inbound);
LINES 1-10

Top 10 Blocks (Outbound);
LINES 1-10

Top 10 Blocked Devices (Outbound);
LINES 1-10

WOULD BE NICE IF IT WOULD PAUSE HERE FOR A MOMENT TO SEE THE OUTPUT....

#!/bin/sh
#############################################################################################################
# _____ _ _ _____ #
# / ____| | | | | ____| #
# | (___ | | ___ _ _ __ ___| |_ __ _| |__ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /___ \ #
# ____) | <| |_| | | | | __/ |_ \ V / ___) | #
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ |____/ #
# __/ | #
# |___/ #
# #
## - 21/02/2018 - Asus Firewall Addition By Adamm v5.8.2 #
## https://github.com/Adamm00/IPSet_ASUS #
#############################################################################################################


Router Model; RT-AC3200
Skynet Version; v5.8.2 (21/02/2018)
iptables v1.4.15 - (eth0 @ 192.168.5.1)
ipset v6.32, protocol version: 6
FW Version; 384.3_0 (Feb 13 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/XXXX/skynet (104.0G / 110.0G Space Available)
SWAP File; /tmp/mnt/XXXX/myswap.swp (256.0M)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/XXXXX

129412 IPs / 2440 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 723 Inbound / 844 Outbound Connections Blocked!

Select Menu Option:
[1] --> Unban
[2] --> Ban
[3] --> Banmalware
[4] --> Whitelist
[5] --> Import IP List
[6] --> Deport IP List
[7] --> Save
[8] --> Restart Skynet
[9] --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Debug Options
[12] --> Stats
[13] --> Install Skynet / Change Boot Options
[14] --> Uninstall

[r] --> Reload Menu
[e] --> Exit Menu

[1-14]:
#

 

[vibroverbus]

The "stats search malware" downloads a current copy of the lists and check them for any exact matches or potential CIDR matches. The "stats search ip" command will show you the exact ban reason (if the reason blank that usually indicates it was an autoban as there is no way to pass a comment on from IPTables)

Yeah... I've been using those 2 all the time now...

Got a few of these where it says "banmalware" is the reason, but then they aren't on any list...

For example... same IP, here's stats search ip - says its banmalware:

Debug Data Detected in /tmp/mnt/XXXXX/skynet/skynet.log - 652.0K
Monitoring From Feb 23 11:24:14 To Feb 24 18:25:00
2298 Block Events Detected
383 Unique IPs
0 Autobans Issued
0 Manual Bans Issued

198.49.23.145 is NOT in set Whitelist.
198.49.23.145 is in set Blacklist.
198.49.23.145 is NOT in set BlockedRanges.

Blacklist Reason;
"BanMalware"

Do the stats search malware to find out what list it is on...

Debug Data Detected in /tmp/mnt/XXXXXX/skynet/skynet.log - 656.0K
Monitoring From Feb 23 11:24:14 To Feb 24 18:29:44
2304 Block Events Detected
385 Unique IPs
0 Autobans Issued
0 Manual Bans Issued

Exact Matches;


Possible CIDR Matches;

Not showing up on a list... Is that a case of the IP getting 'cleared' from the external list but not updated in the local blacklist yet?