
Skynet Skynet - Router Firewall & Security Enhancements


Just a general question: does the lock file activate during non-installation instances also? Because I checked into Skynet today and saw that it was active. The last time I updated was a couple of days ago to the latest version. It cleared up after a few minutes; I just wanted to see if this was normal behaviour.

 

Yes, almost every command that adds/removes data creates a lockfile to prevent commands interfering with each other. In this case Skynet was starting up, as you can tell by the command shown next to "Lock File Detected".
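The lockfile mechanism described in that answer, as an added shell example (this is not Skynet's own code, and the lock path LOCKDIR is an assumed location chosen for the demonstration). It shows why an atomic lock stops two data-changing commands from interfering, how the holder's command name ends up next to a "Lock File Detected" message, and the caveat a practitioner wants: a lock left behind by a process that died must be detected as stale rather than blocking every later command.

```shell
#!/bin/sh
# Added example (not Skynet's own code): a lockfile guard of the kind described
# above, so that two commands that change data cannot run at the same time.
# mkdir is atomic, so only one process can create the lock directory; the name
# of the command stored inside it is what a "Lock File Detected" message shows.
# LOCKDIR is an assumed path chosen for this demonstration.
LOCKDIR="${LOCKDIR:-/tmp/skynet-lock-example}"

# lock_holder: print the name of the command currently holding the lock, if any
lock_holder() {
    cat "$LOCKDIR/cmd" 2>/dev/null
}

# write_lock <command-name>: record who holds the lock and under which PID
write_lock() {
    echo "$1" > "$LOCKDIR/cmd"
    echo "$$" > "$LOCKDIR/pid"
}

# acquire_lock <command-name>: return 0 when the lock is ours, 1 when another
# live process holds it. A lock whose recorded PID no longer exists is stale
# (the holder crashed or was killed) and is reclaimed instead of blocking forever.
acquire_lock() {
    if mkdir "$LOCKDIR" 2>/dev/null; then
        write_lock "$1"
        return 0
    fi
    holder_pid=$(cat "$LOCKDIR/pid" 2>/dev/null)
    if [ -n "$holder_pid" ] && ! kill -0 "$holder_pid" 2>/dev/null; then
        rm -rf "$LOCKDIR"
        if mkdir "$LOCKDIR" 2>/dev/null; then
            write_lock "$1"
            return 0
        fi
    fi
    printf 'Lock File Detected (%s) - try again later\n' "$(lock_holder)"
    return 1
}

# release_lock: remove the lock when the command has finished
release_lock() {
    rm -rf "$LOCKDIR"
}

# Demonstration: "start" takes the lock, "update" is refused, then the lock is released.
release_lock
acquire_lock start
acquire_lock update || echo "update refused while start holds the lock"
release_lock
```

A lock directory with a missing PID file is treated as held, not stale: that is the window between another process's mkdir and its write_lock, and refusing is the safe choice there.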
 
While trying to track down some false positives, I was surprised to see blacklist entries for Shopify and surica. The one that surprises me the most is for Google DNS 8.8.8.8. It's not feasible to manually whitelist these things all the time. How are people dealing with these erroneous or overly broad IP address ranges?

eg:
Debug Data Detected in /tmp/mnt/asusapp/skynet/skynet.log - 284.0K
Monitoring From Mar 25 22:36:15 To Mar 25 23:04:35
1282 Block Events Detected
47 Unique IPs
0 Autobans Issued
0 Manual Bans Issued

8.8.8.8 is NOT in set Skynet-Whitelist.
8.8.8.8 is in set Skynet-Blacklist.
8.8.8.8 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
"BanMalware"
 
Skynet has a backup. Create the backup and restore the backup if needed. :rolleyes:
 

The filter list can be customized to your liking, the default is an example for users to either add/remove from or keep the same if it fits their needs. IP Banning isn't a perfect solution, some websites get mistakenly listed due to shared hosting etc. I also don't maintain these lists myself so I have no control over this, especially when you are referencing websites on a server with 790 others.

What I do have control over is that all router services are Whitelisted upon startup, so if you happened to set 8.8.8.8 as your DNS, it would be whitelisted.
 
Thanks, Adamm. I understand most of this is out of your control. It must be infuriating for the owners of the affected services. It's a difficult problem/balancing act.

I can whitelist 8.8.8.8 easily enough. The IP ranges/blocks that host other services, not so easy to be proactive about it - you don't know they're broken until you try to use them.

/dedd
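The "is in set Skynet-BlockedRanges" check above, and the problem of ranges that turn out to be broader than expected, come down to one question: which banned CIDR covers a given address, and how many addresses does that range take with it? This added shell example (not Skynet's code; the range list is constructed from RFC 5737 documentation prefixes) answers that question offline so a range can be judged before deciding whether to whitelist the single address or drop the whole range.

```shell
#!/bin/sh
# Added example (not Skynet's own code): find which banned CIDR range covers an
# address and how broad that range is. The range list below is constructed from
# RFC 5737 documentation prefixes and stands in for a real blocked-ranges list.

# ip_to_int <dotted-quad>: print the IPv4 address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr <ip> <net/bits>: succeed when the address lies inside the prefix
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# cidr_size <net/bits>: number of addresses the range covers (its breadth)
cidr_size() {
    bits=${1#*/}
    echo $(( 1 << (32 - bits) ))
}

# Constructed sample of a blocked-ranges list, one CIDR per line
SAMPLE_RANGES='203.0.113.0/24
198.51.100.0/25
192.0.2.0/24'

# covering_range <ip>: print the first listed range that covers the address;
# print nothing and return 1 when no range covers it
covering_range() {
    found=$(printf '%s\n' "$SAMPLE_RANGES" | while read -r r; do
        [ -n "$r" ] || continue
        if in_cidr "$1" "$r"; then printf '%s\n' "$r"; break; fi
    done)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Demonstration: which range blocks 192.0.2.77, and how many neighbours share its fate
if range=$(covering_range 192.0.2.77); then
    echo "192.0.2.77 is covered by $range ($(cidr_size "$range") addresses)"
else
    echo "192.0.2.77 is not in any listed range"
fi
```

On the router itself the live set answers the same membership question with `ipset test Skynet-BlockedRanges 8.8.8.8`, which prints the "is in set" / "is NOT in set" lines quoted above; the script here is for reasoning about a range's breadth before touching the live sets.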
 
Great to know, thanks. It's always fascinating to get insights on how our everyday scripts work.
 
I get a LOT of these lines in system log:
Mar 26 17:50:16 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x08 PREC=0x40 TTL=247 ID=55947 PROTO=TCP SPT=57833 DPT=3029 SEQ=4027583140 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
I'm concerned, what should I do?


Skynet Version; v6.0.4 (24/03/2018)
iptables v1.4.15 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.4_0 (Mar 17 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/USB/skynet (3.2G / 3.7G Space Available)
SWAP File; /tmp/mnt/USB/myswap.swp (256.3M)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/USB/skynet

106957 IPs / 1675 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 16 Inbound / 0 Outbound Connections Blocked!

Select Menu Option:
[1] --> Unban
[2] --> Ban
[3] --> Banmalware
[4] --> Whitelist
[5] --> Import IP List
[6] --> Deport IP List
[7] --> Save
[8] --> Restart Skynet
[9] --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Debug Options
[12] --> Stats
[13] --> Install Skynet / Change Boot Options
[14] --> Uninstall

[r] --> Reload Menu
[e] --> Exit Menu

[1-14]:
 
Re-launch the installer; the third question deals with debug, so select 2 and those log entries will go away.
 
Thanks, now I just don't see the entries any more. I'm more concerned that there are so many entries. Is this normal? Like every 2 seconds? Am I being attacked? I don't run a torrent client.
 
Yes it is normal to see this kind of traffic. Your router is being scanned for vulnerabilities every second from somewhere.
 
Thanks, one more question: why was this blocked?
Mar 26 18:44:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.1.241 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=20543 DF PROTO=TCP SPT=52703 DPT=80 SEQ=1676702167 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
It seems that originated from my PC. I tried to look up (Google) one IP which was blocked, just to see where it's from.
Edit: Never mind, I know now. I tried to connect to this IP (instead of googling it).
 
The IP address that is yours is trying to communicate with a banned IP or IP range. Check the destination in whois to see who it is. Use AlienVault to see if it's a malicious site.
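Both questions above (the stream of [BLOCKED - INBOUND] lines every couple of seconds, and the single [BLOCKED - OUTBOUND] line from a LAN host) are answered faster from a summary than from raw lines. This added shell example (not Skynet's code) parses log lines in the format shown in the thread and groups them by direction and field; the lines it runs over are constructed, with RFC 5737 documentation addresses in place of the masked xxx values. One inbound source hitting several different ports is the shape of a scan; an outbound line is read by its DST, which is the address to look up in whois.

```shell
#!/bin/sh
# Added example (not Skynet's own code): summarise [BLOCKED - ...] kernel log
# lines of the format shown above. SAMPLE_LOG is constructed test data using
# RFC 5737 documentation addresses where the thread's lines were masked.
SAMPLE_LOG='Mar 26 17:50:16 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.2 LEN=40 TOS=0x08 PREC=0x40 TTL=247 ID=55947 PROTO=TCP SPT=57833 DPT=3029 SEQ=4027583140 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 26 17:50:18 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.2 LEN=40 TOS=0x08 PREC=0x40 TTL=247 ID=55948 PROTO=TCP SPT=57834 DPT=23 SEQ=4027583141 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 26 17:50:20 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=23 SEQ=1 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 26 17:50:22 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40001 DPT=23 SEQ=2 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 26 17:50:24 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40002 DPT=23 SEQ=3 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 26 18:44:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=192.168.1.241 DST=203.0.113.99 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=20543 DF PROTO=TCP SPT=52703 DPT=80 SEQ=1676702167 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)'

# blocked_count <INBOUND|OUTBOUND>: number of blocked events in that direction
blocked_count() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "\[BLOCKED - $1\]"
}

# blocked_summary <INBOUND|OUTBOUND> <FIELD>: count events grouped by one
# key=value field (SRC, DST, DPT, PROTO, ...). Output "<count> <value>" per line,
# most frequent first.
blocked_summary() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v dir="$1" -v key="$2" '
        index($0, "[BLOCKED - " dir "]") == 0 { next }
        {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) n[kv[2]]++
            }
        }
        END { for (v in n) printf "%d %s\n", n[v], v }
    ' | sort -rn
}

# ports_per_source: distinct destination ports seen per inbound source.
# Many ports from one source is the signature of a scan; one port repeated
# looks like retries against a single service.
ports_per_source() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        index($0, "[BLOCKED - INBOUND]") == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                if (kv[1] == "DPT") dpt = kv[2]
            }
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; n[src]++ }
        }
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# Demonstration: the same figures the hourly one-line summary condenses
echo "inbound blocked:  $(blocked_count INBOUND)"
echo "outbound blocked: $(blocked_count OUTBOUND)"
echo "top inbound sources:";      blocked_summary INBOUND SRC
echo "top inbound ports:";        blocked_summary INBOUND DPT
echo "distinct ports per source:"; ports_per_source
echo "outbound destinations (look these up in whois):"; blocked_summary OUTBOUND DST
```

To run this over a real log, replace the `printf '%s\n' "$SAMPLE_LOG"` in each function with a `cat` of the log file; the field parsing is the same because the kernel lines keep the key=value layout regardless of direction.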
 
If I disable debug mode, I won't see Skynet update logs every hour, am I right?
It would be good to differentiate between debug modes, like "don't log 'blocked' messages but log 'Skynet updates'".
 
Every hour there is a one line summary from Skynet.
 
Is it possible to set Skynet in debug mode without all the entries appearing in the main ASUS web UI syslog?
Why worry about the Skynet log? Did you realise that it will be summed up if there are 25 entries of inbound/outbound blocked? It is not taking a lot of your space...

Debug mode will not be affecting the performance of your router in terms of speed. It only utilises a bit of your CPU and memory.

Having debug mode on will allow you to check on those false positive blockings, and you can easily whitelist them.
 
I've updated the telemetry list used in Banmalware to v4.12.0 from the project it's sourced from. Last time we attempted this it didn't go over so well, as there were some false positives causing issues with select Microsoft services due to a recent Windows update. Since then I worked with the developer on ironing them out, and hopefully now we will have a much smoother update.

If anyone has issues with Microsoft services (Office 360, Windows Store, OneDrive, Azure, XBOX Live) please follow this guide, then report your findings here if possible. That way we can not only fix our copy of the list but also inform the developer of the project it's sourced from.
 