
Skynet - Router Firewall & Security Enhancements

I know what you mean, it's just there are so many various options it's hard to present neatly in such a format. So people instead are directed to the readme or the commands can be generated from the menu.
Okay, thanks for clarifying @Adamm . I can imagine it would be a challenge to present it neatly. Skynet probably has enough options to fill several manpages with explanations and examples by now.. ;)
 
I've pushed v6.3.3

This new version fully supports Diversion 4
 
Hello @Adamm,

I have a little question.

I've started to see logs like;

Code:
kernel: DROP IN=eth0 OUT= MAC=.................. SRC=90.189.148.184 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=247 ID=64983 PROTO=TCP SPT=51186 DPT=445 SEQ=2742064224 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405AC)

and when I tried to unban this IP;

Code:
/opt/bin/firewall unban ip 90.189.148.184

Unbanning 90.189.148.184
ipset v6.32: Element cannot be deleted from the set: it's not added
Saving Changes

So I guess this IP address is blocked by Asus' own firewall, not Skynet, right?
 
That log suggests Skynet isn't running and the SPI firewall dropped the packet.
 
but it's running;

Code:
Aug 27 11:41:12 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=.................. SRC=93.88.76.234 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=44819 PROTO=TCP SPT=40515 DPT=36963 SEQ=3778172794 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 27 11:41:18 kernel: DROP IN=eth0 OUT= MAC=.................. SRC=131.156.114.50 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=247 ID=3781 PROTO=TCP SPT=56506 DPT=445 SEQ=1540450162 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)
Aug 27 11:41:36 Ev kernel: DROP IN=eth0 OUT= MAC=.................. SRC=178.46.50.19 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=40937 PROTO=TCP SPT=48505 DPT=80 SEQ=2968545290 ACK=0 WINDOW=36945 RES=0x00 SYN URGP=0

these 3 logs are one after another in about 30 seconds and;

Code:
Checking Install Directory Write Permissions...        [Passed]
Checking Firewall-Start Entry...            [Passed]
Checking Services-Stop Entry...                [Passed]
Checking CronJobs...                    [Passed]
Checking IPSet Comment Support...            [Passed]
Checking Log Level 7 Settings...            [Passed]
Checking For Duplicate Rules In RAW...            [Passed]
Checking Inbound Filter Rules...            [Passed]
Checking Inbound Debug Rules                [Passed]
Checking Outbound Filter Rules...            [Passed]
Checking Outbound Debug Rules                [Passed]
Checking Whitelist IPSet...                [Passed]
Checking BlockedRanges IPSet...                [Passed]
Checking Blacklist IPSet...                [Passed]
Checking Skynet IPSet...                [Passed]
Checking For Diversion Plus Content...            [Passed]


Checking Autoupdate Setting...                [Enabled]
Checking Auto-Banmalware Update Setting...        [Enabled]
Checking Unban PrivateIP Setting...            [Enabled]
Checking Log Invalid Setting...                [Disabled]
Checking Ban AiProtect Setting...            [Disabled]
Checking Secure Mode Setting...                [Enabled]

maybe I should re-install Skynet?

Edit: Re-installed and no more "DROP" logs for about 10 minutes.
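
Added example, not part of any post and not Skynet's own code: a small shell filter that separates the two kinds of drop lines shown above, so it is easy to see which addresses Skynet logged and which only appear in bare "DROP" lines (the ones the reply above attributes to the SPI firewall). The function names are hypothetical, and treating any "[BLOCKED - <WORD>]" prefix as Skynet's is an assumption; the thread only shows "[BLOCKED - INBOUND]".

```shell
#!/bin/sh
# The three log lines are copied from the post above (MAC and DST were
# already redacted there); everything else is added for illustration.
sample_log() {
cat <<'EOF'
Aug 27 11:41:12 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=.................. SRC=93.88.76.234 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=44819 PROTO=TCP SPT=40515 DPT=36963 SEQ=3778172794 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 27 11:41:18 kernel: DROP IN=eth0 OUT= MAC=.................. SRC=131.156.114.50 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=247 ID=3781 PROTO=TCP SPT=56506 DPT=445 SEQ=1540450162 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)
Aug 27 11:41:36 Ev kernel: DROP IN=eth0 OUT= MAC=.................. SRC=178.46.50.19 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=40937 PROTO=TCP SPT=48505 DPT=80 SEQ=2968545290 ACK=0 WINDOW=36945 RES=0x00 SYN URGP=0
EOF
}

# Emit "<logger> <src> <proto>/<dport>" per netfilter packet log line.
# Prefix mapping follows the thread: "[BLOCKED - INBOUND]" is Skynet, a bare
# "DROP" was attributed to the SPI firewall. Accepting any
# "[BLOCKED - <WORD>]" as Skynet is an assumption beyond what the thread shows.
classify_drops() {
    awk '
    / kernel: / {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src == "") next     # kernel message, but not a packet log
        if ($0 ~ /kernel: \[BLOCKED - [A-Z]+\] /) who = "skynet"
        else if ($0 ~ /kernel: DROP /)            who = "spi"
        else                                      who = "other"
        print who, src, proto "/" dpt
    }'
}

# Count packet log lines per logger.
summarise() {
    classify_drops | awk '{ n[$1]++ } END { for (k in n) print k, n[k] }' | sort
}

# Sources seen only in bare DROP lines, never in a Skynet line.
spi_only_sources() {
    classify_drops | awk '
        $1 == "skynet" { sky[$2] = 1 }
        $1 == "spi"    { spi[$2] = 1 }
        END { for (ip in spi) if (!(ip in sky)) print ip }' | sort
}

# Read the syslog file given as $1, or fall back to the sample above.
log=$( [ -n "${1:-}" ] && cat "$1" || sample_log )
printf '%s\n' "$log" | summarise
printf '%s\n' "$log" | spi_only_sources
```

A steady stream of "spi" lines while Skynet is supposed to be running is the symptom described in this exchange, and the addresses listed by `spi_only_sources` are the ones for which an unban has nothing to delete from the Skynet set.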
 
@Adamm

When trying to enable SSH WAN access Skynet's secure settings option reverts it back to LAN only but doesn't output anything to my syslog.

Is that normal behaviour?

Didn't even know about that option in Skynet until another user let me know that it could be the reason I couldn't enable SSH WAN access.
 
Disable the secure mode function if you wish to expose SSH to WAN. But I highly recommend against doing so and instead using the VPN server functionality if you require remote access.
 
@Adamm

Is there an auto update feature that I am not aware of? I checked this morning, and v6.3.3 was already installed.
 
If enabled during the install process, Skynet will check once per week on Monday mornings. This is opt-in and can be disabled any time via running the install option.
 
After auto updating to 6.3.3 I don't see any more blocked entries in syslog. Did the new version disable debug mode?

And I get an error saying txt file busy when trying to check it through ssh. Can't even restart.
"-sh: firewall: Text file busy"

Looks like Skynet is kaput after this
Aug 27 01:25:02 Skynet: [INFO] New Version Detected - Updating To v6.3.3...

soft restart didn't work
doing a hard reset now

Looks like the hard reset fixed it.
 
Can't say I've ever seen the error, but it looks like the hard reset corrected whatever was going on.
 
@Adamm
Just a suggestion.
Could we have an option for outgoing log only? Coz I think it is not critical to know the incoming noise that will be blocked, but we need to know if there is any malicious device/app sending out to a server without our knowledge, or if it is a false positive that we need to whitelist.
This will make syslog work less hard and write less.
 
I like this idea as well. I don't have a lot of outgoing traffic, but it would be nice to be able to just log outgoing only.
 
Hello,

I recently moved from my old AC66U_A1 to a new AC68U and I've installed Skynet. I have a question I haven't managed to solve by myself.
How can I add an additional filter list URL to check it daily? I noticed that the default filter.list does not have Firehol_Level1 and I want to add it.
Or maybe it is checking that list as well and I don't see it :D

Thank you in advance!
 
This is the default list you are currently using
https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list

You may want to use pastebin (https://pastebin.com/) to copy and paste it and then add your additional URL like below (link taken from Local Copy under http://iplists.firehol.org/)
https://iplists.firehol.org/files/firehol_level1.netset

Submit the pastebin and copy the RAW link.
Use the following command
Code:
sh /jffs/scripts/firewall banmalware (pastebin RAW link)
- exclude the ()
 
I did:

Code:
sh /jffs/scripts/firewall banmalware https://iplists.firehol.org/files/firehol_level1.netset

Then this was the output:

Code:
url: try 'curl --help' for more information
curl: Remote file name has no length!
curl: try 'curl --help' for more information
/jffs/scripts/firewall: line 3267: can't fork

And syslog output:

Code:
Sep 2 11:41:07 dnsmasq[4592]: failed to allocate 192 bytes

What did I do wrong?
 
Interested as well, but not sure if I follow your instruction @DonnyJohnny. You mean pasting both URLs into the same pastebin, like

Code:
https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list
https://iplists.firehol.org/files/firehol_level1.netset

and then feeding the published pastebin link to Skynet using the command above? Will Skynet be using the pastebin link when it updates banmalware from that moment on?
 
Ma@rco, I tried this, it did not work. All IPs got unbanned.
 
Any custom banmalware filters have to use the same format as the default hosted on the Skynet repo. You will also need to paste the "raw" pastebin link.
 
