Skynet Skynet - Router Firewall & Security Enhancements

[vw-kombi]

Hi,

I am after a nice way of viewing the log of firewall stuff in a nice format, giving me just the info I want.
I can tail -f syslog.log but I would like to only pull out the info I am interested in.
I know there are unix guru's out there that can do all sorts of stuff like this.
one option - I would like to tail -f it, but only see Date/Tine, BLOCKED - INBOUND and BLOCKED - OUTBOUD messages, and ONLY the SRC and DST values for them.
All the rest means nothing to me.
A bonus if it this can be output to another history file in some way.
Another option - maybe a process that runs over the syslog and creates this cut down version that I can just tail as required ?

Thanks in advance.

 

[jarmka]

How can I block an IP so it sticks on boot and does not require skynet to be loaded? For example, 8.8.8.8.

 

[Twiglets]

Hi,

I am after a nice way of viewing the log of firewall stuff in a nice format, giving me just the info I want.
I can tail -f syslog.log but I would like to only pull out the info I am interested in.
I know there are unix guru's out there that can do all sorts of stuff like this.
one option - I would like to tail -f it, but only see Date/Tine, BLOCKED - INBOUND and BLOCKED - OUTBOUD messages, and ONLY the SRC and DST values for them.
All the rest means nothing to me.
A bonus if it this can be output to another history file in some way.
Another option - maybe a process that runs over the syslog and creates this cut down version that I can just tail as required ?

Thanks in advance.

A perfect opportunity to learn about awk, grep, sed etc and a bit of shell programming
(yes .... I know you can do it in <Programming Lang of the day> but that has a longer learning curve )

Never too late to learn !!!

 

[Adamm]

I ran through menu 3 and then 1
I try again and get the same error

Can you reproduce this error? I cant.

 

[blueshark]

Can you reproduce this error? I cant.

Estrange i make the process today after a reboot and no error!!

 

[ScenicView]

I have some newbie questions my forum searches didn't answer:

* I don't fully understand what Skynet adds to the AC3100 firewall?

* Related to the above, does Skynet overlap aiProtect making one of them unnecessary?

*Finally, if I wanted to run Skynet with AB, will that start to bog down the router?

 

[Adamm]

I don't fully understand what Skynet adds to the AC3100 firewall?

Skynet brings a verity of IP banning functions in an easy to use format. Weather that be specific IP/domain based blocking, country blocking, blocking specific downloaded blacklists, or sourced reputation lists of known malicious hosts (aka banmalware), then to top it all off statistics to show what has been blocked. It comes with an easy to use menu or CLI usage depending on what you prefer.

Related to the above, does Skynet overlap aiProtect making one of them unnecessary?

Both work in conjunction with eachother. AiProtect uses an IPS engine to inspect traffic, where as Skynet uses a predefined blacklist.

Finally, if I wanted to run Skynet with AB, will that start to bog down the router?

Skynet's footprint is minimal, we are talking a few MB while its idle. Both AB and Skynet have been developed to work well with eachother.

 

[unsynaps]

This might be a dumb question but anyhow...

If you block "example.com" does this also block "fud.example.com"?

 

[Adamm]

This might be a dumb question but anyhow...

If you block "example.com" does this also block "fud.example.com"?

Yes and no. If the subdomain is hosted on the same server yes, but if its linked to an independent server no.

 

[DonnyJohnny]

https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/

This might be a dumb question but anyhow...

If you block "example.com" does this also block "fud.example.com"?

Skynet block based on ip. As Adamm mentioned, if sub domain is hosted under same ip then yes.
As for ab-solution (domain block), it does not have wildcard. So need specific domain to block.
Understand that if you have dnscrypt-proxy v2, it support wildcard domain blocking.
https://github.com/jedisct1/dnscrypt-proxy
Can use the installer here https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/

 

[ScenicView]

What would you recommend for the SWAP file size on install? Is larger better?

 

[DonnyJohnny]

What would you recommend for the SWAP file size on install? Is larger better?

Linux has good memory management. 512mb is more than enough. I hardly see it going above 50mb.

 

[Adamm]

What would you recommend for the SWAP file size on install? Is larger better?

Any of the offered sizes will do just fine, the router rarely dips into swap but on the 384 codebase multiple instances of curl and IPSet like Skynet uses will error out if one isn’t available.

 

[HuskyHerder]

@Adamm

Any of the offered sizes will do just fine, the router rarely dips into swap but on the 384 codebase multiple instances of curl and IPSet like Skynet uses will error out if one isn’t available.

While we are on the subject of swap files. Is there a way to increase the size of an existing file, without damaging anything? Mainly just curious as I set mine large enough earlier not to worry about it.

Or would the better route be to use amtm to delete the swap and then recreate it as desired? Would this cause any issues with existing data on the drive ? I assume its carved out of free/available space and would not pose an issue.

 

[Adamm]

@Adamm



While we are on the subject of swap files. Is there a way to increase the size of an existing file, without damaging anything? Mainly just curious as I set mine large enough earlier not to worry about it.

Or would the better route be to use amtm to delete the swap and then recreate it as desired? Would this cause any issues with existing data on the drive ? I assume its carved out of free/available space and would not pose an issue.

Skynet can handle it for you seamlessly.

sh /jffs/scripts/firewall debug swap uninstall

Then;

sh /jffs/scripts/firewall debug swap install

 

[Adamm]

I've pushed v6.1.7

As per a suggestion from yecarrillo on Github, I added support to specify either blacklist or whitelist for the location of the import and deport commands. This means you can import an IP list directly to your whitelist now (whereas before it only allowed blacklist). The readme with example commands has been updated accordingly.

 

[tester83]

Hi Adamm. Why is it necessary to save data on external usb memory? I used older version of skynet and i never used external usb to save data. thank you!


on version 5.8.5 i can choose where to install the script: jffs or usb

 

[Adamm]

Hi Adamm. Why is it necessary to save data on external usb memory? I used older version of skynet and i never used external usb to save data. thank you!


on version 5.8.5 i can choose where to install the script: jffs or usb

Newer routers require a swap file due to the updated Broadcom SDK and increased resource usage by the 384 codebase. It was much easier to streamline this for all devices and effectively future proof them.

It also gives Skynet more “wiggle room” to what we can store as we are no longer limited by available JFFS space and hogging it so to speak.

v6 feature and functionality wise is much better, requiring a USB was a trade-off for a better overall script.

 

[ScenicView]

My top outbound block is:
https://otx.alienvault.com/indicator/ip/205.234.175.175

When I look this up I see two companies who make software I have on my machine (onone and Macphun) listed under passive DNS. I notice that it is not flagged as malicious under Google Safe Browsing and under Validation is listed next to Whitelisted IP.

I just want to make sure this means what I think it means and it's ok to whitelist in Skynet.

 

[Adamm]

My top outbound block is:
https://otx.alienvault.com/indicator/ip/205.234.175.175

When I look this up I see two companies who make software I have on my machine (onone and Macphun) listed under passive DNS. I notice that it is not flagged as malicious under Google Safe Browsing and under Validation is listed next to Whitelisted IP.

I just want to make sure this means what I think it means and it's ok to whitelist in Skynet.

admin@RT-AC86U-2EE8:/tmp/home/root# firewall stats search malware 205.234.175.175
#!/bin/sh
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 17/05/2018 -           Asus Firewall Addition By Adamm v6.1.8                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


Debug Data Detected in /tmp/mnt/Elements/skynet/skynet.log - 7.5M
Monitoring From May 14 16:00:31 To May 19 22:19:31
33128 Block Events Detected
2566 Unique IPs
0 Autobans Issued
0 Manual Bans Issued

Exact Matches;
https://iplists.firehol.org/files/coinbl_ips.ipset - 205.234.175.175

The IP is listed for coin mining, but as its a CDN IP (owned by Cachefly) its probably related to another website which inadvertently got the server blacklisted.