Skynet - Router Firewall & Security Enhancements

I have a quick question. Every night when Skynet runs banmalware it runs fine, but following the updated log entry is another entry always allowing 2 IPs. The logs look like this any day I look.
Code:
Jul  9 02:25:26 Skynet: [Complete] 111300 IPs / 1713 Ranges Banned. -2017 New IPs / -10 New Ranges Banned. 2654 Inbound / 0 Outbound Connections Blocked! [banmalware] [26s]
Jul  9 03:00:05 Skynet: [Complete] 111298 IPs / 1713 Ranges Banned. -2 New IPs / 0 New Ranges Banned. 2780 Inbound / 0 Outbound Connections Blocked! [save] [5s]
This happens every night. What is going on here? Is it normal?
 
This was a cosmetic error. I pushed a fix, but there's no version jump as it's a minor change. You can force update if you choose.
 
Yup...tested and your new fix works. Thanks @Adamm your support is awesome!
 
Is there any way to set up a fail2ban-type system with Skynet? Basically, any IP that tries to hit my device on a port that I don't allow, I want to block it for sure. Really, my home connection only allows me to VPN in to my device, so anything or anyone else hitting these ports needs to be banned from attempting any further connection in or out. I couldn't find a way to do this in the menu structure.
 
Actually, it's not really needed, as the reputable banmalware list already covered most malicious IPs used for port knocking. If you want, you can also make a customised banmalware list to add in more IP blocking. But note that sometimes legitimate IPs may be blocked, so you may need some whitelisting work in the earlier implementation of those IP lists. http://iplists.firehol.org/
Below is the custom list I used:
https://pastebin.com/raw/uXCxsnQ1

And also, you should be using a non-common port for VPN. No 1194\1195. This will reduce targeted port knocking on that service.
 
I understand this but I want to ban anyone that scans my device looking for a way in. That makes more sense than depending on a ban list. Attackers that are smart won't continue coming from something on a banlist. If you are smart you make your IP appear on a ban list then come from an alternate IP.

Why would you not want to protect your network from anyone touching ports you don't even have open? I would be happy to deal with more false positives. Reality is nobody should be hitting the device but me on ports I know are open.

The other question I have is if I import a list from the web will it automatically update it every 24 hrs or a certain time frame or is it a one time pull?
 
In most cases, only those known will randomly hit a port, and they hit by IP range and not a specific port. And the banmalware is already good enough. Having said that, how often do you see your VPN port being hit in the first place, assuming you are using an uncommon port? If any, the VPN verification will not allow it through unless you enable user/password, where hackers could maybe brute force it. But most of the time this will be an intentionally targeted attack.

The default banmalware update is once every 24 hours at 2.25am by cronjob.
 
Is there any way to set up a fail2ban-type system with Skynet? Basically, any IP that tries to hit my device on a port that I don't allow, I want to block it for sure. Really, my home connection only allows me to VPN in to my device, so anything or anyone else hitting these ports needs to be banned from attempting any further connection in or out. I couldn't find a way to do this in the menu structure.

Somewhat. Skynet already taps into the SSH BFD and the SPI firewall will reject any invalid connections, but for anything else it's up to the user to implement (who can then feed the information to Skynet if they desire).

The other question I have is if I import a list from the web will it automatically update it every 24 hrs or a certain time frame or is it a one time pull?

If you add the list to a banmalware filter and set it for daily updates, yes.

Up. Is it something I can do?

Unfortunately not without significant modification. Supporting a web-server is out of the scope of the project's "lightweight" approach.
 
I pushed v6.3.1

Skynet will now kill "stuck" processes on its own if detected. A pretty rare event and usually USB related; the value is set to two hours for now to account for timezone changes. There are also some banmalware improvements.
 
Thanks, Adamm ;)
 
Unfortunately not without significant modification. Supporting a web-server is out of the scope of the project's "lightweight" approach.
Ok, thank you.
But, I guess it's possible to create a script to extract and store the IPs from the log in a file and make skynet import this file... If I find something working, I'll post it here.
 
I ended up finding this and it is working just fine now.
https://www.snbforums.com/threads/h...ious-ips-using-ipset-martineau-version.38748/

So for anyone that wants to block any IP that tries to touch their router, here you go. Yes, I believe in blocking ahead of time before they get to a port that is open and try to exploit it. This also immediately bans any IP that tries to touch something.

https://securityzap.com/a-story-of-a-finfisher-hacker/
or
https://news.softpedia.com/news/fin...e-broke-into-hackingteam-servers-503078.shtml

If you read the story of this attack you can see that he maps out the target looking for his opportunity and then wrote his own 0-day but he needed to map out the target first to even understand what he could exploit. Meaning he scanned them for open ports and stuff he could target to exploit.
 
I'm not sure what functionality you think this script has that Skynet is lacking; it's actually based off an outdated version of Skynet.
 
I asked for the ability to block any IP that hits that router like fail2ban. Doing it automatically.

https://www.fail2ban.org/wiki/index.php/Main_Page

It is pretty simple: if an IP hits port 22 on my router, or any other port for that matter, it is banned, as simple as that. Meaning it is blocked from scanning for any other ports that I may have opened. I don't want to depend on just a list of known bad IPs from someone else. I want to target those attempting to hit my router.

Functionality: it takes anything knocking on your door and denies it for the future. It's like if I had a lurker outside my home who walks by every day shining his flashlight, looking for a way in, attempting to open the doors and windows daily. Would I not call the police and just stop him, or would I just continue to let him lurk until he finds a way in?
 
I see your point about scanning port 22 but doing this for other ports could cause a whole lot of false positives. The STP function of the router simply drops what is not solicited for. So any unknown traffic gets dropped. I'm really not sure what more you could want without causing some unwanted problems. You could also enable the "DOS" option in the firewall settings.
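
A sketch of the log-driven approach discussed in the posts above (pull offending IPs out of the log into a file that can then be fed to Skynet), added here as an example and not taken from Skynet or from any poster's script. It assumes netfilter LOG-style lines carrying SRC= and DPT= fields; the "DROP" prefix, the function names, the threshold and the sample lines are constructed, and requiring several distinct ports per source is one way to limit the false positives raised above.

```shell
#!/bin/sh
# Added example (not Skynet code). "DROP" log prefix and sample data are constructed.

# scan_candidates MIN_PORTS ALLOWLIST  (log on stdin, candidate IPs on stdout)
# Lists public IPv4 sources that were dropped on at least MIN_PORTS distinct
# destination ports. ALLOWLIST is a comma-separated list of IPs never to report.
scan_candidates() {
    awk -v min="$1" -v allow="$2" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /DROP/ && /SRC=/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # Accept only well-formed IPv4 sources and numeric ports.
        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || dpt !~ /^[0-9]+$/) next
        if (src in skip) next
        # Never propose private, loopback or link-local sources for a ban.
        if (src ~ /^(10|127)\./ || src ~ /^192\.168\./ || src ~ /^169\.254\./) next
        if (src ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
        # Count each (source, port) pair once so retries on one port do not add up.
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= min) print s }
    ' | sort
}

# Constructed sample log (documentation address ranges).
sample_log() {
    cat <<'EOF'
Jul  9 02:31:02 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22
Jul  9 02:31:03 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23
Jul  9 02:31:04 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=8080
Jul  9 02:40:10 kernel: DROP IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Jul  9 02:40:11 kernel: DROP IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Jul  9 02:45:00 kernel: DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=22
Jul  9 02:45:01 kernel: DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=3389
Jul  9 02:45:02 kernel: DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=52002 DPT=5900
Jul  9 02:50:00 kernel: DROP IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=UDP SPT=5353 DPT=1900
EOF
}

# Sources that touched 3 or more distinct closed ports, with one trusted IP excluded.
sample_log | scan_candidates 3 "198.51.100.99"
```

The output is one IP per line; how that file is imported into Skynet is left to Skynet's own menu and is not shown here.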
 
From time to time I lose banned IP addresses.
For example, three weeks ago the system log showed me that about 110.000 IP addresses were banned by Skynet. Then, about two weeks ago the number jumped to 112.004 IP addresses. Today at Jul 16 02:28:53 the number went down to 84.814 banned IP addresses.
I had to manually update banmalware through the Skynet menu to get back to 122.951 banned IP addresses.
Why is this happening?
 
The list is dynamically updated. Sometimes warhol or whoever leaves a list out by mistake (they fix things like that quickly). That would explain why you had a low count of bans and then not too long after update the bans and get a lot more. This is somewhat normal behaviour; no way to get around it. You could increase the ban malware processes but this would likely reveal more of this type of thing. Hope this helps.
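
A check for the situation described above, added here as an example and not part of Skynet: it reads the "[Complete] ... [banmalware]" syslog lines in the format shown earlier in the thread and reports any run whose banned-IP total fell sharply against the previous run. The function names and the percentage threshold are assumptions; the first two sample lines are the ones posted in the thread, and the last two are constructed around the totals quoted in the post.

```shell
#!/bin/sh
# Added example (not Skynet code). Flags a sharp fall in the banned-IP total
# between consecutive [banmalware] runs in the syslog.

# flag_ban_drops PCT  (syslog on stdin)
# Prints "Mon DD HH:MM:SS previous current" for every banmalware run whose
# total is more than PCT percent below the run before it.
flag_ban_drops() {
    awk -v pct="$1" '
    /Skynet: \[Complete\]/ && /\[banmalware\]/ {
        # The total is the first number directly followed by " IPs /".
        if (!match($0, /[0-9]+ IPs \//)) next
        cur = substr($0, RSTART, RLENGTH) + 0
        if (prev > 0 && cur < prev * (1 - pct / 100))
            print $1, $2, $3, prev, cur
        prev = cur
    }'
}

# Lines 1-2 are from the thread; lines 3-4 are constructed.
sample_syslog() {
    cat <<'EOF'
Jul  9 02:25:26 Skynet: [Complete] 111300 IPs / 1713 Ranges Banned. -2017 New IPs / -10 New Ranges Banned. 2654 Inbound / 0 Outbound Connections Blocked! [banmalware] [26s]
Jul  9 03:00:05 Skynet: [Complete] 111298 IPs / 1713 Ranges Banned. -2 New IPs / 0 New Ranges Banned. 2780 Inbound / 0 Outbound Connections Blocked! [save] [5s]
Jul 15 02:25:27 Skynet: [Complete] 112004 IPs / 1713 Ranges Banned. 704 New IPs / 0 New Ranges Banned. 2901 Inbound / 0 Outbound Connections Blocked! [banmalware] [27s]
Jul 16 02:28:53 Skynet: [Complete] 84814 IPs / 1650 Ranges Banned. -27190 New IPs / -63 New Ranges Banned. 3010 Inbound / 0 Outbound Connections Blocked! [banmalware] [25s]
EOF
}

# Report runs that lost more than 10 percent of the previous total.
sample_syslog | flag_ban_drops 10
```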
 
Folks, sorry to drag this down to the dumbest level, but I have an issue, as any Skynet command cannot progress past this, including uninstalling.

Code:
/jffs/scripts/firewall: /tmp/mnt/AC86U_SPARE/skynet/skynet.cfg: line 1: syntax error: unterminated quoted string

Any pointers would be very warmly received... Cheers.
 
Looks like you managed to break the config file :p

What is the output of the following;

Code:
cat /tmp/mnt/AC86U_SPARE/skynet/skynet.cfg