Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

I wondered about that but the GUI only allows you to format it NTFS, FAT or HFS. Sigh..

You can format the drive via SSH to ext*, a quick search I'm sure will point you to a guide (or you can use a program on a windows PC like MiniTool Partition Wizard)

 

[M@rco]

I wondered about that but the GUI only allows you to format it NTFS, FAT or HFS. Sigh..

As you apparently already have access through SSH, if you safely backuped any data on on your thumb drive, just log into your router and execute

mkfs.ext2 /dev/sda1 -L RT-AC86U

This will create a single partition with an ext2 filesystem on your usb drive, give it the label RT-AC86U and will erase everything on the drive. (So make you sure you backup anything prior to running the command above!)

Next execute

umount /tmp/mnt/RT-AC86U

to unmount the newly formatted thumb drive and physically remove it from the usb drive for a few seconds before reconnecting it again. This way you're sure it will be recognized correctly. You can also just reboot the router if you don't care about uptime or WAN going down during reboot, instead of unmounting it, removing and reconnecting it. After this you can use your thumb drive without any issues. You can check by executing (allthoug Skynet will perform it's own checks, as you have noticed):

fdisk -l

If the disk is listed correctly now you can proceed to install Skynet. Enjoy!

 

[dvohwinkel]

I wondered about that but the GUI only allows you to format it NTFS, FAT or HFS. Sigh..

Reformatting it with mkfs.ext3 worked and it was automounted on reboot. The install worked perfectly. I actually used fdisk and made 10G for linux (ext3) and made the rest ntfs.. really not sure why.. probably because I could

 

[dvohwinkel]

Reformatting it with mkfs.ext3 worked and it was automounted on reboot. The install worked perfectly.

I am a little worried about the new requirement of using a swap file as thumb drives do not use TRIM/wear leveling that I am aware of.

 

[dvohwinkel]

You need a USB with an ext* partition

If I might suggest a future change.. making that error message mention that a ext* system is needed to install might help newbs to it like myself. My search on the error message was not returning anything helpful. Awesome tool.

 

[Adamm]

I am a little worried about the new requirement of using a swap file as thumb drives do not use TRIM/wear leveling that I am aware of.

The swap file is utilized so little you have a better chance of your hardware failing before its an issue.

If I might suggest a future change.. making that error message mention that a ext* system is needed to install might help newbs to it like myself. My search on the error message was not returning anything helpful. Awesome tool.

Done

 

[Adamm]

Will skynet work with the following entries I have manually added into to skynet?

https://iplists.firehol.org/files/firehol_level2.netset
https://iplists.firehol.org/files/firehol_level3.netset

These lists are already included when using the default banmalware filter.

I notice under /jffs/shared-Skynet-whitelist
the following appear to be whitelisted along with a whole host of badware/malware
is this normal?

This file is just a copy of the filter list used in banmalware so that Skynet/AB-Solution can whitelist the sourcing domain so there are no issues download said list. Do note its the file host being whitelisted, not the contents of the file. So in this case the only domain (after processing) being whitelisted would be iplists.firehol.org

Also is there any way to stop ab-solution from logging specific blocks? A couple of them number in the 10's of thousands per week, muddying up the counter. I'd like to keep this out of the logs, and keep it that way on reboot.

Not at this time, currently all blocks are logged.

 

[Adamm]

@Adamm

I had these issues a few days ago as well. I had updated to merlin's latest alpha, after which I was having trouble with NTP updating; I tried a factory default; and still had the same problem; Then reverted back to Alpha 2, prior to and after restoring the NTP problem persisted. Skynet was failing to initiate firewall on boot. When trying to load skynet, it fell back to amtm after 5 minutes and pushed an error in the log; NTP connections occur over and over every 30 seconds. It randomly fixed itself without me having to change anything; This is the sequence that is initiated that triggers the fix:

Feb 13 17:07:47 ntp: start NTP update
Apr 22 23:38:53 rc_service: ntp 497:notify_rc restart_diskmon
Apr 22 23:38:53 disk_monitor: Finish
Apr 22 23:38:55 disk_monitor: be idleloading

Saw the following after a long, long wait:

I'm unsure whether ntp finally made it through or if rc_service: ntp 497:notify_rc restart_diskmon fixed it.
system settings set to: pool.ntp.org

The same issue occurred immediately after factory defaulting on a fresh firmware as well.

Skynet relies on ntp being started so logging is accurate, otherwise you will get entries during the startup process with dates in 1970.

As for why you were having issues with ntp, thats another question entirely.

 

[Ubimo]

About every two days the banned IPs automatically decrease:
Apr 29 02:00:06 Skynet: [Complete] 106943 IPs / 1624 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 3865 Inbound / 30 Outbound Connections Blocked! [save] [6s]
Apr 29 02:29:05 Skynet: [Complete] 66219 IPs / 1592 Ranges Banned. -40724 New IPs / -32 New Ranges Banned. 3892 Inbound / 30 Outbound Connections Blocked! [banmalware] [244s]
I have to manually update banmalware (start skynet, menue 3 then 1) to get back to about 100.000 IPs. Why?

 

[Adamm]

About every two days the banned IPs automatically decrease:
Apr 29 02:00:06 Skynet: [Complete] 106943 IPs / 1624 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 3865 Inbound / 30 Outbound Connections Blocked! [save] [6s]
Apr 29 02:29:05 Skynet: [Complete] 66219 IPs / 1592 Ranges Banned. -40724 New IPs / -32 New Ranges Banned. 3892 Inbound / 30 Outbound Connections Blocked! [banmalware] [244s]
I have to manually update banmalware (start skynet, menue 3 then 1) to get back to about 100.000 IPs. Why?

So the banmalware cronjob is running as per expected, but something is happening during the process causing it to take 244 seconds (process getting stuck etc) and I assume one or more of the lists aren't properly getting processed. Hard to say what exactly is going on without debug output.

Assuming you can reproduce it by manually running the banmalware command, I would ideally need the sh -x output.

sh -x /jffs/scripts/firewall banmalware

 

[DonnyJohnny]

About every two days the banned IPs automatically decrease:
Apr 29 02:00:06 Skynet: [Complete] 106943 IPs / 1624 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 3865 Inbound / 30 Outbound Connections Blocked! [save] [6s]
Apr 29 02:29:05 Skynet: [Complete] 66219 IPs / 1592 Ranges Banned. -40724 New IPs / -32 New Ranges Banned. 3892 Inbound / 30 Outbound Connections Blocked! [banmalware] [244s]
I have to manually update banmalware (start skynet, menue 3 then 1) to get back to about 100.000 IPs. Why?

I have this problem occasionally too in the past.
I suspect it is due to memory issue or thumb drive a bit old and faulty.
What I did was reduce the memory usage by disable ai protection for now as it is taking a fair bit of memory. So far the past 1 month of update no issue. My update is every 6hr. So 1 day I will see 4 update.

 

[M@rco]

Not sure why, but I suddenly had issues accessing several Google (related) services, like youtube.com and even lmgtfy.com for example, on my laptop. I used the debug mode to see what didn't get through and found out 172.217.17.42 and 172.217.17.46 were being blocked, and apparently they're blacklisted because they're found in BanMalWare:

firewall stats search ip 172.217.17.46

(..)

172.217.17.46 is NOT in set Skynet-Whitelist.
172.217.17.46 is in set Skynet-Blacklist.
172.217.17.46 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware"


172.217.17.46 First Tracked On Apr 29 06:41:50
172.217.17.46 Last Tracked On Apr 30 09:56:04
635 Blocks Total

However, OTX Alienvault lists nothing out of the ordinary (as far as I can tell):

https://otx.alienvault.com/indicator/ip/172.217.17.42
https://otx.alienvault.com/indicator/ip/172.217.17.46

I've whitelisted both and everything appears to run fine again now.

Just curious: is the banmalware list cross-referenced with Alienvault? Would that be useful to prevent false positives? Or is Google using the same IP's for shady and legit services? Never had these issues before...

 

[Adamm]

Just curious: is the banmalware list cross-referenced with Alienvault? Would that be useful to prevent false positives? Or is Google using the same IP's for shady and legit services? Never had these issues before...

Probably just a false positive from people abusing googleapi.

It only appears on one providers list;

root@skynet:~/blocklist-ipsets# grep "172.217.17.42" *
blocklist_de.ipset:172.217.17.42
blocklist_de_apache.ipset:172.217.17.42
firehol_level2.netset:172.217.17.42

But that list is also included in firehol's level2 combined list.

 

[DonnyJohnny]

@Adamm
Is there a function where it will clear the physical log after it exceed certain file size like 5mb or 10mb.
Reason I asked coz I realised that it took longer time to search the result if the log file size is very big.

 

[Adamm]

@Adamm
Is there a function where it will clear the physical log after it exceed certain file size like 5mb or 10mb.
Reason I asked coz I realised that it took longer time to search the result if the log file size is very big.

To clear the log;

sh /jffs/scripts/firewall stats reset

Also v6.1.5 is out, mostly minor changes (error message improvements, small under the hood stuff) and Skynet now blocks outbound connections originating from the router its-self (not just clients).

 

[DonnyJohnny]

To clear the log;

sh /jffs/scripts/firewall stats reset

Also v6.1.5 is out, mostly minor changes (error message improvements, small under the hood stuff) and Skynet now blocks outbound connections originating from the router its-self (not just clients).

Thx... I was thinking if the function can be integrated and automated.

But of coz I can also do a weekly cron job on my own.

Also, 6.15 update. There is something additional in the log. Extra number in the outbound connection.

May  6 15:06:38 Skynet: [Complete] 374649 IPs / 38490 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 0 Outbound Connections Blocked! [stats] [5s]
May  6 15:10:28 Skynet: [Complete] 374649 IPs / 38490 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 5 Inbound / 0 0 Outbound Connections Blocked! [stats] [5s]

 

[Adamm]

Thx... I was thinking if the function can be integrated and automated.

But of coz I can also do a weekly cron job on my own.

Also, 6.15 update. There is something additional in the log. Extra number in the outbound connection.

May  6 15:06:38 Skynet: [Complete] 374649 IPs / 38490 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 0 Outbound Connections Blocked! [stats] [5s]
May  6 15:10:28 Skynet: [Complete] 374649 IPs / 38490 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 5 Inbound / 0 0 Outbound Connections Blocked! [stats] [5s]

I just pushed a hotfix (no version change so force update required if you are already on 6.1.5)

This will speed up stats significantly (I was using sed in a situation where it was stupidly slow compared to awk) and fix the logging.

 

[XIII]

This week I enabled logging/stats for the first time. I’m surprised to see that I only have 2 kind of entries (after 1 week of gathering data):

https://www.speedguide.net/port.php?port=xxx
https://otx.alienvault.com/indicator/ip/aaa.bbb.ccc.ddd

The first entry appears twice. All the others are the “alien vault” kind.

I don’t understand why they appear, as both are in the shared(2) SkyNet whitelist...

What’s wrong (with my understanding)?

 

[Adamm]

This week I enabled logging/stats for the first time. I’m surprised to see that I only have 2 kind of entries:

https://www.speedguide.net/port.php?port=xxx
https://otx.alienvault.com/indicator/ip/aaa.bbb.ccc.ddd

The first entry appears twice. All the others are the “alien vault” kind.

I don’t understand why they appear, as both are in the shared(2) SkyNet whitelist...

What’s wrong (with my understanding)?

These are just links to data on the specified port or IP (convenient for terminals like Xshell where you can click on URL's). The port and IP at the end are the real data there, the prefix links to the speedguide and alienvault websites are just artificially added during processing for convenience.

 

[XIII]

Ah, thanks!