Skynet - Router Firewall & Security Enhancements

@Adamm I just want to be clear I am not blaming Skynet or you for this ongoing conundrum. I'm just scratching my head about this Google DNS being blocked. I never had it until I added IoT devices - Google Home speakers, Chromecast and the Sony Smart TV. I was a total Luddite with old non smart analog devices before. Thanks for your ongoing work on this and answering questions.

I've removed DNSCrypt and set my AC86U to use Google DNS trying to resolve this. (shrug)
 

From your second snippet it shows 8.8.8.8 not blocked at all and on the Whitelist, it also shows that since your first post there had been no additional hits meaning the whitelist is working as expected. Possibly your issue lies somewhere else?

Next time these devices don't work, disable Skynet and see if that fixes it. Then we can definitively rule out that Skynet either is or isn't the cause of your problems.
 
To temporarily downgrade to the last v5 commit use the following command;

Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/8efff7acef7b83723ad6d622cd9243cbbe043b72/firewall.sh" -o "/jffs/scripts/firewall" && chmod +x /jffs/scripts/firewall

I have also experienced this issue... I can't seem to get beyond this issue when upgrading from v5.8.5 to v6.0.4 as it will show that I'm using a legacy v5 menu, and that I must upgrade manually. I just upgraded Merlin to 384.4_2. When I try to reinstall Skynet manually, I get this:

Installing Skynet v6.0.4

Looking For Available Partitions...
[1] --> /tmp/mnt/Sandisk - (/dev/sda1)

Please Enter Partition Number Or e To Exit
[0-1]: 1

touch: /tmp/mnt/Sandisk/rwtest: Read-only file system
Writing To /tmp/mnt/Sandisk Failed - Exiting!
Looking For Available Partitions...
[1] --> /tmp/mnt/Sandisk - (/dev/sda1)

Please Enter Partition Number Or e To Exit
[0-1]:

Not sure why all of a sudden it would cause my USB drive to show as read-only? I can go back to the previous build using your command, and all works well again?
 
Sounds like your USB mounted incorrectly which seems to be a common issue recently (unrelated to Skynet)... Try rebooting your router.
 
Thanks... actually turns out my USB key had some bad files/sectors on it. Had to end up formatting the thing and starting over. Works like a champ now, and successfully upgraded to 6.0.4. ;) I appreciate your help!
 
Quick question for Adamm... I was wondering if you/Skynet has any control over the logfile entries written into the syslog? It would be super helpful to indicate in there why something was blocked? Instead of the standard entry:

Mar 30 11:55:06 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=70:8b:cd:cf:5f:d8:00:01:5c:a2:6a:46:08:00 SRC=191.101.167.235 DST=33.218.82.175 LEN=40 TOS=0x00 PREC=0x20 TTL=244 ID=54321 PROTO=TCP SPT=46671 DPT=8545 SEQ=1420303787 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0

How about something like:

Mar 30 11:55:06 kernel: [BLOCKED - INBOUND - MALWARE] IN=eth0 OUT= MAC=70:8b:cd... etc

or:

Mar 30 11:55:06 kernel: [BLOCKED - INBOUND - BANNED COUNTRY - RU] IN=eth0 OUT= MAC=70:8b:cd... etc

Would that be a possibility? Thanks!

EDIT: After thinking through this a bit more, I'll bet the answer is "no", right? Skynet's only function is probably only to compile the IP blacklists from the country/malware bans etc. that we configure, and passes those along to the firewall function to handle. Skynet is not actively monitoring each individual hit in order to manipulate a logfile entry like this... am I right?
 
Yeah unfortunately this isn’t possible with our current design. It would require each type of ban to have its own ipset, then individual iptables rules for each ipset due to limited iptables functionality.

In theory this is possible, but the overhead required (plus the redesign of just about every command) definitely isn’t worth the trouble when 99% of hits are from scanners in some random botnet. Fortunately we have various stat commands to break down this data in a more easy to digest format.
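
Since the log tag cannot carry the ban reason, the breakdown has to come from the fields already in each entry. The following is an added example, not Skynet's own stat code: it counts blocked hits per source address or destination port from lines in the format quoted above. The sample lines are constructed (documentation address ranges), and the `[BLOCKED - OUTBOUND]` tag is an assumption, since only the inbound tag appears in this thread.

```shell
#!/bin/sh
# Constructed sample input in the kernel log format quoted in the thread.
# Addresses are documentation ranges; the OUTBOUND tag is assumed.
sample_log() {
cat <<'EOF'
Mar 30 11:55:06 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=46671 DPT=8545 SYN URGP=0
Mar 30 11:55:09 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=46672 DPT=23 SYN URGP=0
Mar 30 11:56:12 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=51000 DPT=8545 SYN URGP=0
Mar 30 11:57:40 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.99 LEN=60 PROTO=UDP SPT=40000 DPT=53
Mar 30 11:58:01 kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP DPT=22
EOF
}

# top_blocked FIELD [DIRECTION]
# Reads syslog lines on stdin and prints "count value" for FIELD
# (SRC, DST, DPT, PROTO, ...), most frequent first. Lines without the
# matching [BLOCKED - DIRECTION] tag are ignored.
top_blocked() {
    field=$1
    dir=${2:-INBOUND}
    awk -v f="$field" -v tag="[BLOCKED - $dir]" '
        index($0, tag) {
            # Walk the KEY=VALUE tokens and pick the one for the requested key.
            for (i = 1; i <= NF; i++)
                if (index($i, f "=") == 1)
                    count[substr($i, length(f) + 2)]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample: top inbound sources, then ports.
sample_log | top_blocked SRC
sample_log | top_blocked DPT
```

On the router, pipe the system log into `top_blocked` instead of `sample_log`.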
 
Skynet is banning the IP of my cell phone, preventing me from connecting to Plex. Any way to have it not block inbound connections to the ports that Plex uses? Or will this open up my Plex server to attacks?
 
Have you checked why the IP was banned? Autoban? Banmalware ban?
If autoban, then you need to find out why such behaviour is occurring. Suppose 2 invalid packets within 5 min trigger autoban.

If it is banmalware, is the IP really blacklisted for malicious behaviour? Is the IP shared by many, and one bad egg triggered the ban for all of them? Which list did it come from? Is the list up to date or not? If it is not up to date, you may consider removing it by creating your own filter list.

Allowing any IP to enter a particular port defeats the purpose of Skynet. It falls back to how strong your Plex server is, whether Plex has vulnerabilities or weak security in place. And of course yes, it is open to attack then.
 
@Adamm Do you want to handle this in Skynet:

If running the install url through amtm or directly and you quit Skynet without installing, it leaves the unused file /jffs/firewall.

amtm then throws an error "grep: /jffs/scripts/firewall-start: No such file or directory" in this amtm code around line 540:
Code:
if [ -f /jffs/scripts/firewall ] && grep -qE "sh /jffs/scripts/firewall .* # Skynet" /jffs/scripts/firewall-start; then
...
I would prefer if you remove the file in Skynet if install is aborted, rather than I build in a check in amtm. A stale file is not a good idea.
Thanks
 
On my mobile so can’t check the specific code, but in this case wouldn’t silencing stderr on the grep call give the desired functionality as if Skynet weren’t installed? At least that’s how I handle checking files that may not exist for specific entries.

I think removing the script every time installation is aborted would be counter productive (the install function is also used for changing Skynet options/moving installation dir)
 
The problem is, if the user doesn't install Skynet, the file remains in jffs.
In AB and amtm I don't specify a curl download location for this and other reasons.
I only move the files to the destination once installation is complete. We've had a brief private discussion about that.

It's not urgent, take your time. amtm simply throws that error in between the menu items when that happens.
I believe @M@rco also reported this amtm error a longer while ago.
 
Is anyone using Skynet perhaps using either or both of Sonarr or Radarr? One of my recent updates to Skynet (I only noticed the problem today, and can't say when this started) has disabled Sonarr and Radarr being able to poll for program updates, and the debug log isn't showing anything relevant being blocked. I've uninstalled Skynet as a result, but would like to figure this out, so would appreciate hearing about any relevant experiences.
 
With debug mode enabled, Skynet will log any time a connection is blocked, there is never an exception to this rule. So I suggest following this guide, identifying the blocked IP if it is Skynet causing issues and whitelisting it accordingly.
 
The problem is, if the user doesn't install Skynet, the file remains in jffs.
In AB and amtm I don't specify a curl download location for this and other reasons.
I only move the files to the destination once installation is complete. We've had a brief private discussion about that.

I agree this can potentially be a stale file in a sense, but I also disagree that it's the same type as we previously discussed. Assuming someone followed the install instructions (or used AMTM), the downloaded file will always be located at /jffs/scripts/firewall as we do specify the location in curl so there will never be a case of having an "older" stale version lying around in some potentially obscure location on the filesystem (although this did bring up an edge case where if someone manually downloads Skynet to the wrong directory that I should detect and move it during the install process).

So at least for the time being, I resolved this by silencing stderr in this commit.
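
The check discussed above has three possible outcomes once the aborted-install case is counted, and silencing stderr is what keeps the middle one from printing an error. The following is an added example, not the amtm or Skynet code: `skynet_state` and its directory argument are hypothetical, the directory stands in for /jffs/scripts, and the firewall-start line is constructed to match the pattern quoted from amtm.

```shell
#!/bin/sh
# skynet_state DIR
# Classifies what is present under DIR (a stand-in for /jffs/scripts):
#   absent           no downloaded script at all
#   downloaded-only  script fetched but installer aborted, no firewall-start hook
#   installed        script present and hooked into firewall-start
skynet_state() {
    dir=$1
    if [ ! -f "$dir/firewall" ]; then
        echo "absent"
    # Without 2>/dev/null, a missing firewall-start makes grep print
    # "No such file or directory" even though the exit status is already
    # non-zero and the branch below is taken correctly.
    elif grep -qE "sh /jffs/scripts/firewall .* # Skynet" \
            "$dir/firewall-start" 2>/dev/null; then
        echo "installed"
    else
        echo "downloaded-only"
    fi
}

# Walk a scratch directory through the three states.
demo() {
    tmp=$(mktemp -d) || return 1
    skynet_state "$tmp"            # nothing downloaded yet
    : > "$tmp/firewall"            # installer fetched, then aborted
    skynet_state "$tmp"
    # Constructed hook line matching the pattern from the amtm check.
    echo 'sh /jffs/scripts/firewall start # Skynet' > "$tmp/firewall-start"
    skynet_state "$tmp"
    rm -rf "$tmp"
}

demo
```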
 
With debug mode enabled, Skynet will log any time a connection is blocked, there is never an exception to this rule. So I suggest following this guide, identifying the blocked IP if it is Skynet causing issues and whitelisting it accordingly.

Thanks Adamm - not seeing anything there, so I'll assume it's an error in some other part of my config for now, and keep hunting!
 
I would like to ask you, because I use Skynet on my router and recently my son can't play Paladins on Xbox One. Can you help me resolve this problem?

Regards
 
If you go ahead and run banmalware it should be fixed. I've decided on removing the telemetry list, more hassle than it's worth, Microsoft changes IPs around too frequently. A DNS based solution will probably be more effective like AB-Solution for lists of this kind.
 
