Skynet Skynet - Router Firewall & Security Enhancements

[skeal]

I dont know what that is or how to get that output.

Have you heard of SSH access to a router? If not you may want to read up on it some. Basically you need something like "Putty" to access your router over SSH. You do this by typing in the terminal "usernameofrouter@localipofrouter(ex192.168.1.1) or setting up the user info in the "Putty Launcher" and you will be asked to type in your password for the "WebUI interface of your router" read up on it a bit and this will make sense to you. You will have to enable SSH access on the router first. The setting is under Administration>System Tab......enjoy

 

[Davidncali001]

Come on man, of course I know what SSH and Putty are, how else would I have installed Skynet, ab-solution, etc.

I'm looking to solve this problem, it only happened after the new 6.0 and upwards versions of Skynet came out. I have been using Skynet for over a year or so and never experienced this before.

Have you heard of SSH access to a router? If not you may want to read up on it some. Basically you need something like "Putty" to access your router over SSH. You do this by typing in the terminal "usernameofrouter@localipofrouter(ex192.168.1.1) or setting up the user info in the "Putty Launcher" and you will be asked to type in your password for the "WebUI interface of your router" read up on it a bit and this will make sense to you. You will have to enable SSH access on the router first. The setting is under Administration>System Tab......enjoy

 

[skeal]

Come on man, of course I know what SSH and Putty are, how else would I have installed Skynet, ab-solution, etc.

I'm looking to solve this problem, it only happened after the new 6.0 and upwards versions of Skynet came out. I have been using Skynet for over a year or so and never experienced this before.

Then SSH into the router and run "cru l" post your results.

 

[Davidncali001]

Thank you for explaining how and where to run that command. I took a screenshot and these are the results.

Then SSH into the router and run "cru l" post your results.

 

[skeal]

Thank you for explaining how and where to run that command. I took a screenshot and these are the results.

View attachment 12402

The cron that gives you the stats each hour is there and is running. Can you run the install again?

sh /jffs/scripts/firewall install

Again using SSH.

 

[Adamm]

Thank you for explaining how and where to run that command. I took a screenshot and these are the results.

View attachment 12402

The cron is running as expected every hour as indicated by the following line;

0 * * * * sh /jffs/scripts/firewall save #Skynet_save#

Are you sure its not running at the top of the hour which will be indicated by the "[Complete]" output. Do note this cronjob will also purge the "BLOCKED" messages from your syslog to skynets personal logging file.

 

[Davidncali001]

Thank you to skeal and Adamm. I did as you said skeal and reinstalled and noticed I was just clicking Yes to all the recommended settings, so I clicked Yes to the DEBUG option So I was getting all those logs, so this time I clicked NO to DEBUG like I have in the past and now it's back without all those logs being generated. Thank You for the suggestions.

Thanks Adamm for letting me know everything looked good as was proper.

The cron that gives you the stats each hour is there and is running. Can you run the install again?

sh /jffs/scripts/firewall install

Again using SSH.

 

[Deleted member 28123]

@Adamm Many thanks for the latest releases.

The firewall install script currently only checks for 'swapon' usage in post-mount .. any chance you can include a check for fstab usage as well ie. 'swap' or even via 'cat /proc/swaps'? I already have a dedicated 3GB swap partition being used but it is not being detected.

Edit: Or you can include a 5th option, 'Use existing system swap' to bypass swap creation so that installer can complete its installation run.

Update1: I came up with a temporary workaround (for those enabling swap via fstab) which works

- Install Skynet, create swap file 256MB to finalize the installation
- Run Skynet, option 11 then 5 then 2 to uninstall swap file
- Edit firewall script /jffs/scripts/firewall - line 128 to

if [ ! grep -F "swapon" /jffs/scripts/post-mount | grep -qvE "^#" ] || [ ! grep -F "partition" /proc/swaps | grep -qvE "^partition" ] ; then

- Restart Skynet

Cheers

 

[Adamm]

@Adamm Many thanks for the latest releases.

The firewall install script currently only checks for 'swapon' usage in post-mount .. any chance you can include a check for fstab usage as well ie. 'swap' or even via 'cat /proc/swaps'? I already have a dedicated 3GB swap partition being used but it is not being detected.

Edit: Or you can include a 5th option, 'Use existing system swap' to bypass swap creation so that installer can complete its installation run.

Update1: I came up with a temporary workaround (for those enabling swap via fstab) which works

- Install Skynet, create swap file 256MB to finalize the installation
- Run Skynet, option 11 then 5 then 2 to uninstall swap file
- Edit firewall script /jffs/scripts/firewall - line 128 to

if [ ! grep -F "swapon" /jffs/scripts/post-mount | grep -qvE "^#" ] || [ ! grep -F "partition" /proc/swaps | grep -qvE "^partition" ] ; then

- Restart Skynet

Cheers

I implemented a better workaround, you will need to force update to apply the changes as there was no version change. I scan the fstab file directly rather then use /proc/swaps in-case of a slow mount.

Assuming your entry in /jffs/configs/fstab looks similar to the following it should work;

/dev/sda2              none          swap      defaults              0      0

 

[Deleted member 28123]

I implemented a better workaround, you will need to force update to apply the changes as there was no version change. I scan the fstab file directly rather then use /proc/swaps in-case of a slow mount.

Assuming your entry in /jffs/configs/fstab looks similar to the following it should work;

/dev/sda2              none          swap      defaults              0      0

Thank you sir!

My fstab is similar but I'm using UUID instead of partition path - are you checking for a match against 'swap'? if so, then usage of UUID or path shouldn't matter.

As for forcing an update, I am seeing the error 'Skynet: [ERROR] 404 Error Detected - Stopping Update'

 

[Adamm]

My fstab is similar but I'm using UUID instead of partition path - are you checking for a match against 'swap'? if so, then usage of UUID or path shouldn't matter.

Yeah just grepping the word swap for now.

As for forcing an update, I am seeing the error 'Skynet: [ERROR] 404 Error Detected - Stopping Update'

That would imply curl failed to download the following file after 3 retries;

https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh

Maybe one of GitHub's CDN's are having a brief downtime in your location, keep trying and it should eventually work.

 

[Deleted member 28123]

Just checked and surely enough - it's an outage as I was able to load the contents of the url via an alternative method.

Same 2 lines I edited after making my initial post and I see your change ... jffs partition loads before usb partition/s, cool!

Just in case others use system enabled swap, you can ignore the swap error you see in the logs as some other minor changes need to be made to the firewall script.

@Adamm - Thanks again. A donation is on its way to you

 

[Adamm]

Just in case others use system enabled swap, you can ignore the swap error you see in the logs as some other minor changes need to be made to the firewall script.

Can you elaborate alittle further what error you get?

@Adamm - Thanks again. A donation is on its way to you

Appreciated buddy, thanks a bunch.

 

[Deleted member 28123]

Can you elaborate a little further what error you get?

Never mind - The error I got in the logs was about a missing SWAP file but that was because I made an error editing line 2690. It appears to have gone away after the forced update. I've updated my post to reflect the same.

 

[skeal]

Wow traffic in this forum has fallen off....must be boring having such a great successful script bud!! Version 6.0.3 really works excellent!

 

[eclp]

Quick question. Can debug mode be permanently disabled?

 

[skeal]

Quick question. Can debug mode be permanently disabled?

Yes rerun the install and answer 2 to the debug question.

 

[ScottW]

I'm not getting what I expect from some of the "stats" commands. Example:

1. I run "firewall stats" and see IP 104.16.55.111 under "Top 10 HTTP(s) Blocks (Outbound)".
2. I run "firewall stats search ip 104.16.55.111". The response shows "Blacklist Reason" as "BanMalware".
3. I run "firewall stats search malware 104.16.55.111". The response is empty (i.e., nothing under "Exact Matches" or "Possible CIDR Matches").

I updated the malware list (option 3, 1) and tried again, same result. If "search IP" shows the reason as BanMalware, shouldn't the "search malware" show the specific block or range responsible for the block of that IP?

 

[Adamm]

I'm not getting what I expect from some of the "stats" commands. Example:

1. I run "firewall stats" and see IP 104.16.55.111 under "Top 10 HTTP(s) Blocks (Outbound)".
2. I run "firewall stats search ip 104.16.55.111". The response shows "Blacklist Reason" as "BanMalware".
3. I run "firewall stats search malware 104.16.55.111". The response is empty (i.e., nothing under "Exact Matches" or "Possible CIDR Matches").

I updated the malware list (option 3, 1) and tried again, same result. If "search IP" shows the reason as BanMalware, shouldn't the "search malware" show the specific block or range responsible for the block of that IP?

Currently that IP isn't listed on any default list. However if you use a custom list the output from "stats search malware" may not be accurate. Currently the command searches URL's from the default filter list (in hindsight this should use the custom list if in use, I'll correct this in an update shortly). So assuming this is the case, searching every available list on firehol the IP in question does actually appear on two lists;

root@skynet:~/blocklist-ipsets# grep -F "104.16.55." *.ipset *.netset
coinbl_hosts.ipset:104.16.55.111
coinbl_hosts_optional.ipset:104.16.55.111

Edit;

The update is out correcting this, no version change so you will need to force update.

 

[ScottW]

Currently that IP isn't listed on any default list. However if you use a custom list the output from "stats search malware" may not be accurate. Currently the command searches URL's from the default filter list (in hindsight this should use the custom list if in use, I'll correct this in an update shortly). So assuming this is the case, searching every available list on firehol the IP in question does actually appear on two lists;

root@skynet:~/blocklist-ipsets# grep -F "104.16.55." *.ipset *.netset
coinbl_hosts.ipset:104.16.55.111
coinbl_hosts_optional.ipset:104.16.55.111

Edit;

The update is out correcting this, no version change so you will need to force update.

I'm more confused now. I think one of the lists you found it on ("coinbl_hosts.ipset") *is* in the default filter.list (last line).

I'll grab the update... But I'm still not clear why "stats search malware 104.16.55.111" didn't find that IP -- because if I understand right, the list in which it occurs *is* on the default filter.list.