Skynet - Router Firewall & Security Enhancements

The output is correct, your logs were purged at 9pm. There's a gap of a few hours without reports, but it looks like you managed to amass 12,000 hits in 8 hours so the syslog probably purged itself before Skynet could. Although that amount of hits (compared to my single user results) seems pretty high. By the looks of it you're using extra lists, so it may be worth investigating which list is causing the significant amount of extra hits and if it's necessary. But at the end of the day that's user preference, so if it works for you then by all means go for it.



Nothing to worry about, this just dumps the IPSet data from ram to the physical copy on your USB (skynet.ipset) which Skynet does every hour in a cronjob or commands that modify data.
The ISP is likely to be under some kind of massive port scanning... the log mainly came from 2 groups of IPs as per below.

Every time I see a crazy volume of attacks on http://www.digitalattackmap.com/, my ISP range is always entertained by those attacks.
 
Guess the internet is getting crazy again. I have made the hourly purge run every 30 min because the flooding in syslog was causing loss of purge data like in my earlier posts. Crazy to see an average of 2000 hits flooding the syslog. It's like 1 hit every 2 sec.
I tried changing IP, the result is the same. Seems to be locked on the ISP CIDR.
 
How do I block an IP range? I tried for example blocking "21.0.0.0 - 21.255.255.255" and 21.0.0.0-21.255.255.255 and it says invalid range; how do I block this entire range properly? Does 21.0.0.0/8 do the whole range?

You need to use CIDR format with Skynet.
 
Thanks, that worked perfectly. How do I block a country / ip range so as to allow ONLY http/https?

Not currently possible, Skynet either blocks all or nothing.

If I import a list of CIDR manually unparsed into skynet.ipset, will that be safe and will skynet parse it on the next update?

No, but you can import a list via the appropriate command.

Code:
sh /jffs/scripts/firewall import xxxx.com/list.txt

or

sh /jffs/scripts/firewall import /location/to/list.txt
 
Awesome; will importing via "sh /jffs/scripts/firewall import /location/to/list.txt" add it to the Skynet list, aka does Skynet take over for the built-in iptables rule sets?

Using the above command will add every IP/CIDR range in the file you specify to Skynet's blacklist. This is a one time command so you could theoretically use it multiple times for different lists.

What about adding an entry to "customlisturl=" in skynet.cfg? Can this do local entries? If so can I add multiple entries with a comma?

The config file is not supposed to be manually edited, the setting you are referring to is for a completely different function.


I'd like to block entire countries, though only allow http/https from those countries. Anybody know how to do this with IP Tables?

Skynet can block countries but it doesn’t allow specific traffic. The method you posted is also a pretty terrible one, it potentially would create thousands of IPTables rules.

The best method of doing so would be to create an IPSet with the entries much like Skynet does, but for the IPTables rule have an exception for ports 80 and 443. But to not confuse other users let’s keep this thread Skynet related.
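
Added example, not part of the thread and not Skynet code: a sketch of the approach described above, one IPSet holding the ranges and a single IPTables jump with an exception for ports 80 and 443, instead of one rule per range. The set name, chain name and sample list are constructed for this example, and the generated commands are generic ipset/iptables syntax that has not been checked against any particular firmware.

```shell
#!/bin/sh
# Added example (not Skynet code): one ipset plus a "web only" iptables chain.
# SET and CHAIN are hypothetical names chosen for this sketch.
SET="GeoWebOnly"
CHAIN="GEO_WEBONLY"

# Constructed sample list (documentation ranges) with a comment and a bad entry.
sample_list() {
    cat <<'EOF'
# constructed sample data
198.51.100.0/24
203.0.113.0/24
21.0.0.0-21.255.255.255
192.0.2.77
EOF
}

# Read a list on stdin and emit "ipset restore" input. Lines that are not a
# plain IPv4 address or CIDR block (comments, start-end ranges) are skipped.
# The pattern checks shape only, not that each octet is <= 255.
build_ipset() {
    echo "create $SET hash:net"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' |
        sed "s/^/add $SET /"
}

# Print the rules: packets whose source is in the set enter CHAIN, which hands
# TCP 80/443 back to the normal rules (RETURN, not ACCEPT, so nothing new is
# opened) and drops everything else.
build_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -p tcp -m multiport --dports 80,443 -j RETURN
iptables -A $CHAIN -j DROP
iptables -I INPUT -m set --match-set $SET src -j $CHAIN
iptables -I FORWARD -m set --match-set $SET src -j $CHAIN
EOF
}

# Print both parts for review; nothing is applied to the running firewall.
sample_list | build_ipset
build_rules
```

The first part is meant to be fed to `ipset restore -!` and the second run as root after review. As written the chain also drops reply packets from those ranges to connections started on the LAN, the same way a plain blacklist does.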
 
hello Adamm,
Recently I saw that Skynet on my system blocks all non-encrypted pages. Can I resolve this? Any advice?
 
Unless you added a block for particular port traffic, Skynet only blocks by IP.
So prior to that, what did you do before this happened?

If it is just a particular site, then follow the instruction below to whitelist them if needed.
https://github.com/Adamm00/IPSet_ASUS/wiki#applicationexe-or-websitecom-is-blocked

If you did add some port blocking, then use the unban option to unban it?

By the way, you have no syslog, system info, no version info.
 
Skynet only blocks whatever is in the blacklist. Any time there is a hit, it is printed to the syslog (assuming debug mode is on), there are no exceptions to this rule.
 
Maybe you are right. I would like to give new life to this R7000, but probably I have to buy a new Asus router.
Thanks for the help and sorry for my replies. Should I delete my signature now?
 
On a router that is on 192.168.3.1 and serving 192.168.3.x addresses I see this:

Code:
add Skynet-Whitelist 192.168.1.0/24 comment "nvram: LAN Subnet"
add Skynet-Whitelist 192.168.3.0/24 comment "nvram: lan_ipaddr"
Is this correct?

(Glad to see 3.0/24, but surprised about 1.0/24)
 
192.168.1.0/24 is hardcoded to prevent people accidentally locking themselves out.
 
what are you waiting for? Get a bigger flash drive.... $2-$5???????
OK, here's a fun one.

Skynet is blocking some IPs that I'd like to whitelist, but when I try to go in via AMTM I get
Skynet: [ERROR] Legacy v5 Installation Detected - Please Run Installer Manually To Upgrade!

So I try to run the v6 installer, but it doesn't work though because I still only have a 256MB USB so I can't have a swap file. Can I not even access the v5 menu anymore?

I also got that error and had to dig a bit to understand that the message was due to the fact that my V5 installation was without a swap file.
It would be nice to add a specific warning and also to check for the presence of a swap file prior to running the automatic upgrade, eventually stopping it.
I don't use swap files because I hate them. Normally I use the right amount of memory. In that case my AC88U's memory was at a low usage ratio (36%) so I didn't want to add extra CPU work and USB stick wear with a swap file.
But the V6 script didn't allow this, so I surrendered to the use of a swap file.
 
That's actually what I feared I might have done myself to cause this issue, but I guess I need to look for another root cause now... (still clueless)

In relation to that issue, as you said yourself when you disabled Skynet the issue still persisted, so you can rule it out entirely.

It seems you keep restoring the same backups which is probably part of the reason it's still not working. I suggest using the initialize function and starting fresh (at least in regard to firmware settings).
 
The error you saw was right, when upgrading from v5 --> v6 it required manual interaction to convert the old installation.

The error for not having a swap file is different (but as the version check is first that's the one you saw);

Code:
        if ! grep -F "swapon" /jffs/scripts/post-mount | grep -qvE "^#" && ! grep -F "swap" /jffs/configs/fstab 2>/dev/null | grep -qvE "^#"; then
            logger -st Skynet "[ERROR] Skynet Requires A SWAP File - Install One By Running ( $0 debug swap install )"
            exit 1
        fi

Unavoidable with the new 384 codebase unfortunately. Without a swap file Skynet would run into fork() errors. Was kind of a weird issue as the system never ran out of ram, but it was an issue on Asus's part in the firmware that was completely out of my hands so I didn't have any other option.
 
@Adamm I am seeing this on my RT-AC86U running 384.3 Beta 3

#!/bin/sh
#############################################################################################################
# _____ _ _ __ #
# / ____| | | | / / #
# | (___ | | ___ _ _ __ ___| |_ __ __/ /_ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \ #
# ____) | <| |_| | | | | __/ |_ \ V /| (_) | #
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ \___/ #
# __/ | #
# |___/ #
# #
## - 21/04/2018 - Asus Firewall Addition By Adamm v6.1.4 #
## https://github.com/Adamm00/IPSet_ASUS #
#############################################################################################################


Installing Skynet v6.1.4

Looking For Available Partitions...
No Compatible Partitions Found - Exiting!


dave@RT-AC86U:/jffs/scripts# mount
ubi:rootfs_ubifs on / type ubifs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,mode=0755)
proc on /proc type proc (rw,relatime)
tmpfs on /var type tmpfs (rw,noexec,relatime,size=420k)
sysfs on /sys type sysfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mtd:bootfs on /bootfs type jffs2 (ro,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
mtd:data on /data type jffs2 (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
/dev/mtdblock8 on /jffs type jffs2 (rw,noatime)
/dev/sda on /tmp/mnt/RT-AC86U type tntfs (rw,nodev,relatime,uid=0,gid=0,umask=00,allow_utime=0022,nls=utf8,min_prealloc_size=64k,max_prealloc_size=30031248,readahead=1M,user_xattr,case_sensitive,fail_safe,hidden=show,dotfile=show,errors=continue,mft_zone_multiplier=1)

I have scripts enabled and formatted jffs.
 
You need a USB with an ext* partition
 
I wondered about that but the GUI only allows you to format it NTFS, FAT or HFS. Sigh..
 