Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

No, I simply ran the install code from post #1 in SSH, and chose the default menu options. I've just checked the folder structure on the router, and Skynet is definitely in /jffs/scripts. This was also a fresh install, as I only got the router (86U) a couple of months back, and did a fresh install rather than try to copy anything from my 68U. The USB drive is the same one as used in the 68U, though - might that be relevant?

Sorry I misunderstood your first post, I thought you implied you installed your syslog to your usb.

Skynet will never delete the syslog file, it is possible though you pressed the "clear" button in the routers WebUI which deletes the file though (there may be other functions that also do this). In any case I've silenced the error in another hotfix, you will need to force update to apply the changes.

 

[vtol]

Yeah thats it, curl wasn't following redirects, I put out a hotfix so curl will always follow them in every function (you will need to force update as there was no version change).

fyi; Banmalware already has this list included as part of firehol_level3 if you use that feature

I c. New to Skynet and have to check it out more in detail.

Does Skynet remember those imported lists and rolls them over after a specific TTL or is it just a one time import and those ips imported through url remain indefinitely?

In another firewall app (deployed on a server) that also utilizes ipsets such list can be turned on/off by (un)commenting a within a blocklist file, e.g. the talos example reads there

# Talos’ Reputation Center provides access to expansive threat data and related information.
# https://www.talosintelligence.com/reputation
TALOS|14400|0|http://talosintel.com/feeds/ip-filter.blf

The explanation of the string

# NAME : List name with all uppercase alphabetic characters with no
# spaces and a maximum of 25 characters - this will be used as the
# iptables chain name
# INTERVAL: Refresh interval to download the list, must be a minimum of 3600
# seconds (an hour), but 86400 (a day) should be more than enough
# MAX : This is the maximum number of IP addresses to use from the list,
# a value of 0 means all IPs
# URL : The URL to download the list from

 

[Adamm]

Does Skynet remember those imported lists and rolls them over after a specific TTL or is it just a one time import and those ips imported through url remain indefinitely?

Its a one time deal and the entries are timestamped via their comments accordingly. For automation and refreshing on a daily/weekly basis I suggest looking into using a custom banmalware filter.

In another firewall app (deployed on a server) that also utilizes ipsets such list can be turned on/off by (un)commenting a within a blocklist file, e.g. the talos example reads there

This can also be done via a custom banmalware filter, you can specify as many or few lists in it as you desire and Skynet will process them on a regular basis.

 

[vtol]

This can also be done via a custom banmalware filter, you can specify as many or few lists in it as you desire and Skynet will process them on a regular basis.

Suppose I would have to edit the filter.list then? But where is it located? Could not trace it with "find / -name filter.list"

Or do I have to generate a custom filter file? And where to place it for Skynet to read it? And how does Skynet makes the distinction to white or black list those?

 

[Adamm]

Suppose I would have to edit the filter.list then? But where is it located? Could not trace it with "find / -name filter.list"

Or do I have to generate a custom filter file? And where to place it for Skynet to read it?

You can either use the menu to specify a new filter file to use from that point forward under the banmalware option, or use the following CLI command.

sh /jffs/scripts/firewall banmalware google.com/filter.list

Where ofcoarse "google.com/filter.list" would be the URL of the filter file you uploaded (I suggest a provider like pastebin and using the "raw" document)

And how does Skynet makes the distinction to white or black list those?

Everything listed in the filter file will be added to the blacklist.

 

[JacquesR]

Sorry I misunderstood your first post, I thought you implied you installed your syslog to your usb.

Skynet will never delete the syslog file, it is possible though you pressed the "clear" button in the routers WebUI which deletes the file though (there may be other functions that also do this). In any case I've silenced the error in another hotfix, you will need to force update to apply the changes.

I can see how I created the misunderstanding with that wording! I don't think I've ever used the "clear" function, but perhaps that's it. Thanks for the fix in any case.

 

[vtol]

You can either use the menu to specify a new filter file

That would be "[5] --> Import IP List", right? Which is now confusing me as from the previous post I was to understand that those are not automated/updated?

So probably will go CLI then, to be on the safe side.

Just as an afterthought it perhaps would be a little easier if Skynet could include custom url/ip lists (say a custom white list file "custom-wl.conf" and custom black list file "custom-bl.conf") in a folder like "/jffs/skynet.d". Sort of similar to the "/jffs/shared-Skynet2-whitelist"

 

[Adamm]

That would be "[5] --> Import IP List", right? Which is now confusing me as from the previous post I was to understand that those are not automated/updated?

Option [3] (Banmalware) ---> Option [2] (Change Filter List) ---> Enter URL

Just as an afterthought it perhaps would be a little easier if Skynet could include custom url/ip lists (say a custom white list file "custom-wl.conf" and custom black list file "custom-bl.conf") in a folder like "/jffs/skynet.d". Sort of similar to the "/jffs/shared-Skynet2-whitelist"

The whitelisting functionality is already somewhat present for domains atleast. Upon refreshing its whitelist, Skynet (and AB-Solution) will open any file fitting the following naming scheme, resolve the domains to IP addresses and add them to the whitelist.

/jffs/shared-*-whitelist

With the * being a name of your chosing to describe the file.


As for blacklisting, I personally feel the banmalware and import commands cover any possible scenarios and would just be repetitive functionality.

 

[vtol]

As for blacklisting, I personally feel the banmalware and import commands cover any possible scenarios and would just be repetitive functionality.

How can the filter lists (urls providing black/sinkhole lists) that are actually in operation to be shown?

How to install Skynet with the feature of periodic update of black/sinkhole lists but without installing the ban list (default filter url) shipping with Skynet? I could not find such option during the installation. As far as I understand the default filter list is installed and enabled by default?
I do like Skynet but rather prefer to set my own tuning lists than default filter url provided by Skynet.

How to entirely remove the default black/sinkhole list shipping with Skynet without loosing the periodic list update feature for custom urls? "banmalware reset" is not a suitable command apparently.

To my understanding the Malware List Updating is Enabled & Scheduled For 2.25am Every Day. Is there a way to increase the frequency to 4/6/8/12 hours instead globally/list specific?

Autoban is not clear as an installation option. What does it achieve if enabled and what happens if disabled?

 

[vtol]

When uninstalling Skynet the routine loops and does not exit after the removal is done

[14] --> Uninstall

[1-14]: 14
Are You Sure You Want To Uninstall?

[1] --> Yes
[2] --> No

Please Select Option
[1-2]: 1

Uninstalling Skynet And Restarting Firewall

Done.
Are You Sure You Want To Uninstall?

[1] --> Yes
[2] --> No

Please Select Option
[1-2]:

 

[vtol]

Option [3] (Banmalware) ---> Option [2] (Change Filter List) ---> Enter URL

This provides only for adding a custom url but not for removing? Tried with a negative (-) prefix but that does seem to work, e.g.

Select Menu Option:
[3] --> Banmalware

[1-14]: 3

Select Option:
[1] --> Update
[2] --> Change Filter List
[3] --> Reset Filter List

[1-3]: 2

Input Custom Filter List URL:
: - https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list

How to remove any url? And how to remove the default filter.list?

 

[XIII]

How to remove any url? And how to remove the default filter.list?

I believe a custom filter list is usually a list of URL's (stored remotely).

This option provides the URL to that list (the location of the list; for example on http://pastebin.com), not any of the URL's in the list.

So if you want to remove a URL, you have to edit that (remote) list.

 

[vtol]

I believe a custom filter list is usually a list of URL's (stored remotely).

This option provides the URL to that list (the location of the list; for example on http://pastebin.com), not any of the URL's in the list.

So if you want to remove a URL, you have to edit that (remote) list.

There a 2 ways, either a set of urls like the filter.list provided as default by Skynet, which cannot be edited and which I would like to remove - but how?

And then there are sole ips lists, only containing a list of ips, which can be added (as per above post (#2144). But how can it be removed?

 

[vtol]

When uninstalling Skynet on a RT-AC5300 armv7l with Merlin 384.4 the Firewall loglevel (Logged packets type) is reset to [None]. Run this a few times and happens every time. But it should not happen.

 

[vtol]

Yeah thats it, curl wasn't following redirects, I put out a hotfix so curl will always follow them in every function (you will need to force update as there was no version change).

Select Option:
[1] --> Update
[2] --> Change Filter List
[3] --> Reset Filter List

[1-3]: 2

Input Custom Filter List URL:
: http://talosintel.com/feeds/ip-filter.blf

Custom List Detected: http://talosintel.com/feeds/ip-filter.blf
Downloading filter.list [1s]
Refreshing Whitelists [9s]
Consolidating Blacklist /jffs/scripts/firewall: line 2749: can't fork
mmap of a spare page failed!
/usr/sbin/curl:594: can't map /usr/lib/libssl.so.1.0.0'
mmap of a spare page failed!
/usr/sbin/curl: can't load library 'libssl.so.1.0.0'
mmap of a spare page failed!
/usr/sbin/curl:594: can't map '/lib/libpthread.so.0'
mmap of a spare page failed!
/usr/sbin/curl:594: can't map '/lib/libc.so.0'
/usr/sbin/curl:594: can't map '/lib/libc.so.0
/usr/sbin/curl: can't load library 'libc.so.0'
mmap of a spare page failed!

Restarted Skynet and tried another url - http://www.ciarmy.com/list/ci-badguys.txt Same error outcome

 

[Adamm]

How can the filter lists (urls providing black/sinkhole lists) that are actually in operation to be shown?

Visit this URL which is hardcoded;

https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/filter.list

How to entirely remove the default black/sinkhole list shipping with Skynet without loosing the periodic list update feature for custom urls? "banmalware reset" is not a suitable command apparently.

Once a custom filter is specified, only the custom filter is used not the default.

To my understanding the Malware List Updating is Enabled & Scheduled For 2.25am Every Day. Is there a way to increase the frequency to 4/6/8/12 hours instead globally/list specific?

Not at this time, its either weekly or daily (this is also at the request of firehol authors as they were having issues with their providers due to so many people pulling the lists so frequently)

Autoban is not clear as an installation option. What does it achieve if enabled and what happens if disabled?

Autobanning hijacks the built in SPI firewall and DOS protection functionality, so rather then packets being dropped they get blacklisted within Skynet for a more permanent solution.

This provides only for adding a custom url but not for removing? Tried with a negative (-) prefix but that does seem to work, e.g.

Only one filter can be used at a time, so either the default one, or a specified custom one. There is no need for multiple filters because a filter contains an infinite amount of URL's within.

And then there are sole ips lists, only containing a list of ips, which can be added (as per above post (#2144). But how can it be removed?

You would simply disable the banmalware feature via the installer or "reset" the list to the default via the menu option.

When uninstalling Skynet on a RT-AC5300 armv7l with Merlin 384.4 the Firewall loglevel (Logged packets type) is reset to [None]. Run this a few times and happens every time. But it should not happen.

Skynet requires this to be set to either "Dropped" or "Both" as it hijacks the functionality. Upon uninstall so users don't get spammed it sets it to "None"

Restarted Skynet and tried another url - http://www.ciarmy.com/list/ci-badguys.txt Same error outcome

You are adding IP lists not a filter list. A filter list is a text file which contains a list of IP lists. Use the default filter.list as reference how to correctly format one.

 

[Blacklistedcard]

Updated my AC86U with beta2 firmware. Getting this error....

SUSWRT-Merlin RT-AC86U 384.4-beta2 Mon Mar 5 21:33:34 UTC 2018
admin@RT-AC86U-F210:/tmp/home/root# /usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh"
-o "/jffs/scripts/firewall" && chmod +x /jffs/scripts/firewall && sh /jffs/scripts/firewall install
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate is not yet valid
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
admin@RT-AC86U-F210:/tmp/home/root#

 

[Adamm]

Updated my AC86U with beta2 firmware. Getting this error....

SUSWRT-Merlin RT-AC86U 384.4-beta2 Mon Mar 5 21:33:34 UTC 2018
admin@RT-AC86U-F210:/tmp/home/root# /usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh"
-o "/jffs/scripts/firewall" && chmod +x /jffs/scripts/firewall && sh /jffs/scripts/firewall install
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate is not yet valid
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
admin@RT-AC86U-F210:/tmp/home/root#

Works fine on my end, do you have any troubles visiting this link in a browser (or does it produce an invalid cert)?

https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh

 

[RMerlin]

curl: (60) SSL certificate problem: certificate is not yet valid

This would indicate your router's clock isn't properly set, so the certificate is set for a future date.

 

[Goobi]

@Adamm how to I go about enabling autoban? Is this something that has to be chosen at installation time as I don't see the option in the menu. Thanks in advance.