Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

@Adamm how to I go about enabling autoban? Is this something that has to be chosen at installation time as I don't see the option in the menu. Thanks in advance.

Just run the install command again, it wont erase any data just change your boot options.

 

[Goobi]

Just run the install command again, it wont erase any data just change your boot options.

Thanks much. Works like a charm.

 

[Goobi]

Excuse the noob question. My understanding is that when using autoban IP's will only be blacklisted if they send an invalid packet twice within a 5 minute period, on the first attempt it will be silently dropped. What is considered an invalid packet? I guess I am trying to understand if a legitimate IP could be sending invalid packets and if that would have to do with bad ( not necessarily malicious) programming.

 

[Adamm]

Excuse the noob question. My understanding is that when using autoban IP's will only be blacklisted if they send an invalid packet twice within a 5 minute period, on the first attempt it will be silently dropped. What is considered an invalid packet? I guess I am trying to understand if a legitimate IP could be sending invalid packets and if that would have to do with bad ( not necessarily malicious) programming.

https://en.wikipedia.org/wiki/Stateful_firewall

 

[ScottW]

Not sure I've installed this correctly... ( I probably just don't understand how it is supposed to work. )

At startup, I get this in syslog:

Mar  9 14:42:33 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Mar  9 14:42:33 Skynet: [INFO] Startup Initiated... ( debug banmalware usb=/tmp/mnt/ASUS )
Mar  9 14:42:53 Skynet: [Complete] 3 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [20s]

With "banmalware", shouldn't there be a bunch of IPs / ranges banned? The command "ipset list" shows Whitelist 810 entries, Blacklist 3 entries, and BlockedRanges 0 entries. What happens to all the IPs downloaded from the master filter.list file urls?

 

[skeal]

Not sure I've installed this correctly... ( I probably just don't understand how it is supposed to work. )

At startup, I get this in syslog:

Mar  9 14:42:33 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Mar  9 14:42:33 Skynet: [INFO] Startup Initiated... ( debug banmalware usb=/tmp/mnt/ASUS )
Mar  9 14:42:53 Skynet: [Complete] 3 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [20s]

With "banmalware", shouldn't there be a bunch of IPs / ranges banned? The command "ipset list" shows Whitelist 810 entries, Blacklist 3 entries, and BlockedRanges 0 entries. What happens to all the IPs downloaded from the master filter.list file urls?

Go into skynet menu and run banmalware.

 

[skeal]

Go into skynet menu and run banmalware.

Use amtm its the best for use with skynet ab-solution dnscrypt etc.

 

[ScottW]

Go into skynet menu and run banmalware.

Ok, that helped a bunch. Thanks!

So does the "banmalware" parameter at startup provide for maintenance of the lists, but not the initial population? I did specify updates to the malware list during install, so I assume I only have to manually run banmalware from the menu this one time?

 

[skeal]

Ok, that helped a bunch. Thanks!

So does the "banmalware" parameter at startup provide for maintenance of the lists, but not the initial population? I did specify updates to the malware list during install, so I assume I only have to manually run banmalware from the menu this one time?

Yes its a onetime command. Each night skynet will update itself you will see it in the system logs.

 

[ScottW]

Yes its a onetime command. Each night skynet will update itself you will see it in the system logs.

Great - Thanks for the help!

 

[Blacklistedcard]

This would indicate your router's clock isn't properly set, so the certificate is set for a future date.

Yep.... That's exactly what the problem was. After a couple of hours, the time sync'd and I was able to re-install Skynet.

 

[Adamm]

Great - Thanks for the help!

For reference the list would have populated once the next timer was due, its somewhat of a limitation that its not immediately populated but I like the firewall and/or router to do a clean reboot before doing any heavy lifting just to make sure everything runs as expected and starts from a fresh slate. But as you found out, running the banmalware command in the meantime is another method to get it populated.

 

[Bamsefar]

Question, and a rather basic one I guess: I did run Skynet once upon a time, however after a few - let's call it minor issues with stability - odd happenings I removed it all and installed my own old stuff (that does basically the same thing however not as advanced as Skynet, nor auto update or anything). So, is there a way to have autoupdate to ONLY update to say at least one week old stuff? Not the latest but more the most stable?

 

[Adamm]

Question, and a rather basic one I guess: I did run Skynet once upon a time, however after a few - let's call it minor issues with stability - odd happenings I removed it all and installed my own old stuff (that does basically the same thing however not as advanced as Skynet, nor auto update or anything). So, is there a way to have autoupdate to ONLY update to say at least one week old stuff? Not the latest but more the most stable?

Skynet for the last year has gone through various development stages. Some being more indepth then others requiring significant rewrites. With that being said Skynet is more or less done with any major changes (atleast with this version). Updates lately have been more QOL or aesthetic. While I can't make any guarantees, there shouldn't be major bugs until a time comes where another significant update is appropriate.

 

[skeal]

You rock @Adamm !

 

[dandle]

Hi @Adamm

Lately this script has been blocking YouTube for me. I've whitelisted the IPs when performing a debug watch, however it can become frustrating when I keep having to do this multiple times as it seems different IP addresses are used. Is it possible to add the full range of IPs being used by Youtube to be whitelisted universally?

Thanks

 

[Adamm]

Hi @Adamm

Lately this script has been blocking YouTube for me. I've whitelisted the IPs when performing a debug watch, however it can become frustrating when I keep having to do this multiple times as it seems different IP addresses are used. Is it possible to add the full range of IPs being used by Youtube to be whitelisted universally?

Thanks

I use YouTube daily and have never run into any issues, if you could provide any example IP's I can investigate further.

 

[juched]

I use YouTube daily and have never run into any issues, if you could provide any example IP's I can investigate further.

I find the same. I had to unban IP 24.156.131.82.


Sent from my iPhone using Tapatalk

 

[Adamm]

I find the same. I had to unban IP 24.156.131.82.

That IP is not currently blocked by any list.

admin@RT-AC86U-2EE8:/tmp/home/root# firewall stats search malware 24.156.131.82
#!/bin/sh
#############################################################################################################
#                    _____ _                     _           _____                     #
#                   / ____| |                   | |         | ____|                    #
#                  | (___ | | ___   _ _ __   ___| |_  __   _| |__                      #
#                   \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /___ \                     #
#                   ____) |   <| |_| | | | |  __/ |_   \ V / ___) |                    #
#                  |_____/|_|\_\\__, |_| |_|\___|\__|   \_/ |____/                     #
#                                __/ |                                                 #
#                               |___/                                                  #
#                                                        #
## - 3/03/2018 -           Asus Firewall Addition By Adamm v5.8.5                    #
##                   https://github.com/Adamm00/IPSet_ASUS                    #
#############################################################################################################


Debug Data Detected in /tmp/mnt/Elements/skynet/skynet.log - 3.8M
Monitoring From Mar 7 06:58:37 To Mar 12 05:24:54
17109 Block Events Detected
2189 Unique IPs
8 Autobans Issued
1 Manual Bans Issued

Exact Matches;


Possible CIDR Matches;


Skynet: [Complete] 95991 IPs / 1589 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 573 Inbound / 422 Outbound Connections Blocked! [7s]

 

[juched]

That IP is not currently blocked by any list.

admin@RT-AC86U-2EE8:/tmp/home/root# firewall stats search malware 24.156.131.82
#!/bin/sh
#############################################################################################################
#                    _____ _                     _           _____                     #
#                   / ____| |                   | |         | ____|                    #
#                  | (___ | | ___   _ _ __   ___| |_  __   _| |__                      #
#                   \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /___ \                     #
#                   ____) |   <| |_| | | | |  __/ |_   \ V / ___) |                    #
#                  |_____/|_|\_\\__, |_| |_|\___|\__|   \_/ |____/                     #
#                                __/ |                                                 #
#                               |___/                                                  #
#                                                        #
## - 3/03/2018 -           Asus Firewall Addition By Adamm v5.8.5                    #
##                   https://github.com/Adamm00/IPSet_ASUS                    #
#############################################################################################################


Debug Data Detected in /tmp/mnt/Elements/skynet/skynet.log - 3.8M
Monitoring From Mar 7 06:58:37 To Mar 12 05:24:54
17109 Block Events Detected
2189 Unique IPs
8 Autobans Issued
1 Manual Bans Issued

Exact Matches;


Possible CIDR Matches;


Skynet: [Complete] 95991 IPs / 1589 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 573 Inbound / 422 Outbound Connections Blocked! [7s]

Yup. I did the same search and it wasn’t in the malware list. There wasn’t a reason mentioned. This happened a few times with YouTube. Wonder if this is somehow kicking off the IPS in the router.




Sent from my iPhone using Tapatalk