Skynet Skynet - Router Firewall & Security Enhancements

[Butterfly Bones]

Ah yassss. Lubarsky's Law of Cybernetic Entomology

 

[From Michigan]

Hello, question/problem. I am using Skynet and would like to block all TOR/VPN usage on my home network. I have tried using option 5 to import URL- https://www.dan.me.uk/torlist , but it just says "command not recognized". I have been googling on how to do this and reading thru this forum and cannot figure out what I am doing wrong.


Also I found this script -https://gist.github.com/sameer/608f6b8a28c502543434116fe6fd9d36 asus_merlin_skynet_tor_block.sh. Not sure if I should attempt to use this script or not.


If I import successfully will it just add on to the initial blocked IP's.

Thanks for any and all help.

 

[Adamm]

Hello, 1st time poster here with a question/problem. I am using Skynet and would like to block all TOR/VPN usage on my home network. I have tried using option 5 to import URL- https://www.dan.me.uk/torlist , but it just says "command not recognized". I have been googling on how to do this and reading thru this forum and cannot figure out what I am doing wrong.

I forgot to update the menu entry when adding selective blacklist/whitelist support. For now just use the manual command;

sh /jffs/scripts/firewall import blacklist xxxxxxxx.com

 

[From Michigan]

I forgot to update the menu entry when adding selective blacklist/whitelist support. For now just use the manual command;

sh /jffs/scripts/firewall import blacklist xxxxxxxx.com

Thanks so much for the quick reply.

That worked just fine.

I just tried to connect to the TOR network and it is being blocked successfully now.

Will this be persistent? Or will I have to add this list in the future?

THANKS AGAIN !!!!!

 

[Butterfly Bones]

Hi Adamm, I have one more issue I cannot seem to solve. I've been wrestling with this for a few weeks now, it affects my online TV streaming - Hulu in particular, also Netflix and Amazon Prime and Smart Home devices. Trying to solve Google DNS being blocked. Because I have numerous IoT devices that need to talk to Google DNS on different ports, that is the issue. I'm confident that my network is safe with no ports open to the WAN (tested with known good port scanner sites), and of course with Skynet running. Here is my network for background.

- 1 Linux desktop
- Chromebook (ChromeOS 67)
- 1 Vizio smart TV (built in Chromecast)
- 1 Chromecast Ultra
- 5 Google Home speakers
- 3 smart lights
- 1 printer
- 1 Android tablet
- 2 Android phones

Jun  7 09:04:21 kernel: [BLOCKED - INVALID] IN=eth0 OUT= MAC=<redacted> SRC=8.8.8.8 DST=<My ISP WAN IP> LEN=118 TOS=0x00 PREC=0x00 TTL=58 ID=50895 PROTO=UDP SPT=53 DPT=44488 LEN=98 MARK=0x8000000

Pertinent info from Stats - Display - 50 - Packet type All

Last 50 Unique Connections Blocked (Invalid);
https://otx.alienvault.com/indicator/ip/8.8.8.8

Top 50 Blocks (Invalid);
722x https://otx.alienvault.com/indicator/ip/8.8.8.8

Top 50 Blocked Devices (Outbound);
8x 192.168.1.xxx (No Name Found) - Vizio Smart TV
4x xx.yy.xxx.yyy (No Name Found) - my ISP Wan IP
1x 192.168.1.yy Linux Desktop

8.8.8.8 comment "ManualWlist: Google DNS"

I understand that some outbound attempts that are blocked are appropriate from links to advertising or possible malware sites that firehol or OTX have identified. It is the outbound blocks of my ISP WAN IP and the Vizio TV that are particularly troublesome.

I double checked by trying to add to whitelist:

Input IP Or Range To Whitelist:
[IP/Range]: 8.8.8.8
Input Comment For Whitelist:
[Comment]: Google DNS
Whitelisting 8.8.8.8
ipset v6.32: Element cannot be added to the set: it's already added
Saving Changes

Output of debug info

Router Model; RT-AC86U
Skynet Version; v6.2.6 (06/06/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.5_0 (May 12 2018) (4.1.27)
Install Dir; /tmp/mnt/SNB/skynet (11.1G / 14.0G Space Available)
SWAP File; /tmp/mnt/SNB/myswap.swp (2.0G)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/SNB/skynet
No Lock File Found

Checking Install Directory Write Permissions...        [Passed]
Checking Firewall-Start Entry...            [Passed]
Checking Services-Stop Entry...                [Passed]
Checking CronJobs...                    [Passed]
Checking IPSet Comment Support...            [Passed]
Checking Log Level 5 Settings...            [Passed]
Checking For Duplicate Rules In RAW...            [Passed]
Checking Inbound Filter Rules...            [Passed]
Checking Inbound Debug Rules                [Passed]
Checking Outbound Filter Rules...            [Passed]
Checking Outbound Debug Rules                [Passed]
Checking Whitelist IPSet...                [Passed]
Checking BlockedRanges IPSet...                [Passed]
Checking Blacklist IPSet...                [Passed]
Checking Skynet IPSet...                [Passed]
Checking For AB-Solution Plus Content...        [Passed]

Checking Autoupdate Setting...                [Enabled]
Checking Auto-Banmalware Update Setting...        [Enabled]
Checking Unban PrivateIP Setting...            [Enabled]
Checking Log Invalid Setting...                [Enabled]
Checking Ban AiProtect Setting...            [Enabled]
Checking Secure Mode Setting...                [Enabled]

 

[agilani]

It compliment each other. No conflict. Aiprotection is blocking based on signature from trendmicro when Skynet got its ip list from firehol which compiled from many reputable source.

And now after 6.2.2, those ip blocked by ai protection will be able to add into Skynet blacklist if the function is enable under Debug option.

Autoban function is auto adding of ip to ban list that is sending very frequent invalid packet within certain period of time. What ever the case, invalid packet are default dropped even when it is not in ban list. So no worry.

Sorry if I'm late to the party. So there is an option under debug to to add aiprotection blocked ip's to the skynet blacklist similar to failtoban on linux? Where can i find more information about this?

thanks!

 

[Adamm]

Hi Adamm, I have one more issue I cannot seem to solve. I've been wrestling with this for a few weeks now, it affects my online TV streaming - Hulu in particular, also Netflix and Amazon Prime and Smart Home devices. Trying to solve Google DNS being blocked. Because I have numerous IoT devices that need to talk to Google DNS on different ports, that is the issue. I'm confident that my network is safe with no ports open to the WAN (tested with known good port scanner sites), and of course with Skynet running. Here is my network for background.

- 1 Linux desktop
- Chromebook (ChromeOS 67)
- 1 Vizio smart TV (built in Chromecast)
- 1 Chromecast Ultra
- 5 Google Home speakers
- 3 smart lights
- 1 printer
- 1 Android tablet
- 2 Android phones

Jun  7 09:04:21 kernel: [BLOCKED - INVALID] IN=eth0 OUT= MAC=<redacted> SRC=8.8.8.8 DST=<My ISP WAN IP> LEN=118 TOS=0x00 PREC=0x00 TTL=58 ID=50895 PROTO=UDP SPT=53 DPT=44488 LEN=98 MARK=0x8000000

Pertinent info from Stats - Display - 50 - Packet type All

Last 50 Unique Connections Blocked (Invalid);
https://otx.alienvault.com/indicator/ip/8.8.8.8

Top 50 Blocks (Invalid);
722x https://otx.alienvault.com/indicator/ip/8.8.8.8

Top 50 Blocked Devices (Outbound);
8x 192.168.1.xxx (No Name Found) - Vizio Smart TV
4x xx.yy.xxx.yyy (No Name Found) - my ISP Wan IP
1x 192.168.1.yy Linux Desktop

8.8.8.8 comment "ManualWlist: Google DNS"

I understand that some outbound attempts that are blocked are appropriate from links to advertising or possible malware sites that firehol or OTX have identified. It is the outbound blocks of my ISP WAN IP and the Vizio TV that are particularly troublesome.

I double checked by trying to add to whitelist:

Input IP Or Range To Whitelist:
[IP/Range]: 8.8.8.8
Input Comment For Whitelist:
[Comment]: Google DNS
Whitelisting 8.8.8.8
ipset v6.32: Element cannot be added to the set: it's already added
Saving Changes

Output of debug info

Router Model; RT-AC86U
Skynet Version; v6.2.6 (06/06/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.5_0 (May 12 2018) (4.1.27)
Install Dir; /tmp/mnt/SNB/skynet (11.1G / 14.0G Space Available)
SWAP File; /tmp/mnt/SNB/myswap.swp (2.0G)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/SNB/skynet
No Lock File Found

Checking Install Directory Write Permissions...        [Passed]
Checking Firewall-Start Entry...            [Passed]
Checking Services-Stop Entry...                [Passed]
Checking CronJobs...                    [Passed]
Checking IPSet Comment Support...            [Passed]
Checking Log Level 5 Settings...            [Passed]
Checking For Duplicate Rules In RAW...            [Passed]
Checking Inbound Filter Rules...            [Passed]
Checking Inbound Debug Rules                [Passed]
Checking Outbound Filter Rules...            [Passed]
Checking Outbound Debug Rules                [Passed]
Checking Whitelist IPSet...                [Passed]
Checking BlockedRanges IPSet...                [Passed]
Checking Blacklist IPSet...                [Passed]
Checking Skynet IPSet...                [Passed]
Checking For AB-Solution Plus Content...        [Passed]

Checking Autoupdate Setting...                [Enabled]
Checking Auto-Banmalware Update Setting...        [Enabled]
Checking Unban PrivateIP Setting...            [Enabled]
Checking Log Invalid Setting...                [Enabled]
Checking Ban AiProtect Setting...            [Enabled]
Checking Secure Mode Setting...                [Enabled]

If google DNS is being blocked by the SPI firewall that’s out of Skynets control and you would have the same issue without Skynet installed (we no longer deal with invalid packets, only log them), you would need to manually add an iptables rule to the top of the logdrop chain accepting requests from this IP

 

[Adamm]

Sorry if I'm late to the party. So there is an option under debug to to add aiprotection blocked ip's to the skynet blacklist similar to failtoban on linux? Where can i find more information about this?

thanks!

Yes there is, it’s a feature we added last week.

sh /jffs/scripts/firewall debug banaiprotect enable

 

[JaimeZX]

Generally speaking AiProtect is pretty limited in what it blocks, I've only seen it block a handful of (old) CVE's.

So that's interesting. I would have assumed that TrendMicro uses routers with AiProtect as sensors on the web that keep them informed as to what adversary activity is going on. Which I am ok participating as a sensor. But at the same time, I would also expect that as a "data contributor" they should be updating AiP with the latest threat information. :dunno:

Skynet uses reputation data to actively block new botnets/scanners. If you are reffering to the "hidden cobra" lists, Skynet directly sources the previous list released last year, the new list I'm sure overlaps with Skynets other reputation databases.

OK, yep. That checks, I just don't know who is responsible for maintaining those lists Skynet uses (and it's not important that I know, necessarily) but I am curious to know whether they ingest things like the HIDDEN COBRA in a timely manner. ?

Thanks again!

 

[Adamm]

OK, yep. That checks, I just don't know who is responsible for maintaining those lists Skynet uses (and it's not important that I know, necessarily) but I am curious to know whether they ingest things like the HIDDEN COBRA in a timely manner. ?

Skynet sources lists from 25 reputable providers, with two of those lists themselves being a combination of 10-20 lists each. So between all these sources of data I'd say Skynet does a pretty decent job of staying relevant.

 

[agilani]

Yes there is, it’s a feature we added last week.

sh /jffs/scripts/firewall debug banaiprotect enable

DUDE!
DUDE!!



p.s. in case it didn't come across, thanks of the highest order!

 

[Adamm]

I've pushed v6.2.7

Skynet will now look for (and delete!) files associated with the VPNFilter malware if secure mode is enabled.
Some other small changes include the import command being fixed in the main menu, and not hard exiting on select commands when a firewall service restart is required.

 

[martinr]

I've pushed v6.2.7

Skynet will now look for (and delete!) files associated with the VPNFilter malware if secure mode is enabled.
Some other small changes include the import command being fixed in the main menu, and not hard exiting on select commands when a firewall service restart is required.

I notice, under the debug options, there are now toggles for secure mode and ban aiprotection. Does Skynet show anywhere the current status of those 2 options, whether they’re on or off?

And is there an easy way to check if Skynet found any VPNFilter-related files?

 

[Adamm]

I notice, under the debug options, there are now toggles for secure mode and ban aiprotection. Does Skynet show anywhere the current status of those 2 options, whether they’re on or off?

The "debug info" command shows the status of all toggles.

And is there an easy way to check if Skynet found any VPNFilter-related files?

Skynet will print any security warnings directly to the syslog, it checks upon startup and once per hour. Realistically though the chance of being infected is quite small so hopefully this will never be a concern for most users.

 

[Mutzli]

I notice, under the debug options, there are now toggles for secure mode and ban aiprotection. Does Skynet show anywhere the current status of those 2 options, whether they’re on or off?

And is there an easy way to check if Skynet found any VPNFilter-related files?

Select 11 - Debug Options and than 3 - Print Debug Info

 

[johnathonm]

Hey there,

What do these mean in the context of the VPNFILTER related files and how might I fix them?

Checking Services-Stop Entry... [Failed]
Checking Log Invalid Setting... [Disabled]

Thanks,

J

 

[johnathonm]

Hi Adamm,

I don't know if this should be happening but I am finding that upon reboot that my swapfile is not enabled. I have to go and enable it manually. Is automatically swapon'ing the swap something you might consider adding or is it an issue on my end. I did create the swap file via skynet on my external USB 3 ext2 formatted media. I am using the AC68U Extreme with merlins latest firmware. Your software is also fully up to date.

Thanks,

J

 

[Adamm]

Hey there,

What do these mean in the context of the VPNFILTER related files and how might I fix them?

Checking Services-Stop Entry... [Failed]
Checking Log Invalid Setting... [Disabled]

Thanks,

J

Both are unrelated, the failed test means the entry from /jffs/scripts/services-stop is missing (probably due to entware), this can be fixed by running the installer again.

The second means the "log invalid" feature is disabled, this is just some extra debug output, unnecessary in most cases unless you're trying to track something down in the logdrop chain.

I don't know if this should be happening but I am finding that upon reboot that my swapfile is not enabled. I have to go and enable it manually. Is automatically swapon'ing the swap something you might consider adding or is it an issue on my end. I did create the swap file via skynet on my external USB 3 ext2 formatted media. I am using the AC68U Extreme with merlins latest firmware. Your software is also fully up to date.

Again my guess is this is due to entware (and will also be fixed by running the installer again), their installer is terrible in the fact it overwrites several jffs scripts completely. @ryzhov_al @zyxmon would be great if you guys could improve this, there's really no need to overwrite files.

 

[johnathonm]

I just got banhammered...?

 

[skeal]

I've pushed v6.2.7

Skynet will now look for (and delete!) files associated with the VPNFilter malware if secure mode is enabled.
Some other small changes include the import command being fixed in the main menu, and not hard exiting on select commands when a firewall service restart is required.

Awesome @Adamm !!