Skynet - Router Firewall & Security Enhancements

Any custom banmalware filters have to use the same format as the default hosted on the Skynet repo. You will also need to paste the “raw” pastebin link
Am I correct when assuming that the pastebin only needs to contain the links to the lists?
 

Yes, exactly the same format as the original filter list.
 
But nothing changed? Or did it?

If the filter is working, during the Skynet banmalware update function it will specifically say "Custom List Detected"
 
Interested as well, but not sure if I follow your instruction @DonnyJohnny. You mean pasting both urls into the same pastebin, like

Code:
https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list
https://iplists.firehol.org/files/firehol_level1.netset

and then feeding the published pastebin link to Skynet using the command above? Will Skynet be using the pastebin link when it updates banwalmare from that moment on?

I don't get it...

I did:
sh /jffs/scripts/firewall banmalware https://pastebin.com/raw/CAivj3C7

But nothing changed? Or did it?

Ubimo did it right. When u do an update, you will see them doing it via the pastebin link u used. Other than that, like Adamm said, it will show you using a custom list when u start Skynet.
More commands are found at github
https://github.com/Adamm00/IPSet_ASUS

( sh /jffs/scripts/firewall banmalware ) This Bans IPs From The Predefined Filter List
( sh /jffs/scripts/firewall banmalware google.com/filter.list ) This Uses The Filter List From The Specified URL
( sh /jffs/scripts/firewall banmalware reset ) This Will Reset Skynet Back To The Default Filter URL
 

Took me a while to get it (hey, it's weekend :D) but now I got it. It's a matter of copying the links of the default lists listed in https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list into a new pastebin, adding the url(s) to the filter list(s) I want to add (like Firehol level 1 for example) in the same pastebin, save the pastebin and feed Skynet the raw link to the pastebin (as you both have explained above), which then replaces the original url to the Skynet master list. Skynet detects this and confirms it when executing:

Code:
marco@router:/tmp/home/root# firewall banmalware https://pastebin.com/raw/A8ZUUgRX
#############################################################################################################
#                                _____ _                     _             __                               #
#                               / ____| |                   | |           / /                               #
#                              | (___ | | ___   _ _ __   ___| |_  __   __/ /_                               #
#                               \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                              #
#                               ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                             #
#                              |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                              #
#                                            __/ |                                                          #
#                                           |___/                                                           #
#                                                                                                           #
## - 27/08/2018 -                  Asus Firewall Addition By Adamm v6.3.3                                   #
##                                 https://github.com/Adamm00/IPSet_ASUS                                    #
#############################################################################################################


Custom Filter Detected: https://pastebin.com/raw/A8ZUUgRX
Downloading filter.list         [1s]
Refreshing Whitelists           [3s]
Consolidating Blacklist         [13s]
Filtering IPv4 Addresses        [5s]
Filtering IPv4 Ranges           [0s]
Applying New Blacklist          [8s]
Refreshing AiProtect Bans       [0s]
Saving Changes                  [6s]

For False Positive Website Bans Use; ( sh /opt/bin/firewall whitelist domain URL )

Skynet: [Complete] 118614 IPs / 4968 Ranges Banned. 1142 New IPs / 3121 New Ranges Banned. 1207 Inbound / 8 Outbound Connections Blocked! [banmalware] [38s]

So it all works as it should :cool: Thanks for your patience :)

One last question for @Adamm (at least for now :rolleyes:): is there any specific reason why Firehol level 1 isn't included by default? False positives or ... ? I take it you've made a careful consideration whether to in- or exclude it.
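The custom list built in the post above is just the default filter.list URLs plus the extra source, one URL per line. The following is an added example, not Skynet's own code, that merges such lists the same way and rejects duplicates and non-URL lines before the file is handed to Skynet; the list contents are constructed stand-ins, not the real filter.list.

```shell
#!/bin/sh
# Added example (not part of Skynet): build a custom banmalware list in the
# same one-URL-per-line format as filter.list. Duplicates are dropped and any
# line that is not a single http(s) URL is reported on stderr instead of kept.

# Constructed stand-in for the default filter.list contents (not the real file).
DEFAULT_LIST='https://iplists.firehol.org/files/spamhaus_drop.netset
https://iplists.firehol.org/files/spamhaus_edrop.netset
https://iplists.firehol.org/files/feodo.ipset'

# Extra sources to add: one is already in the default list, one is garbage.
EXTRA_LIST='https://iplists.firehol.org/files/firehol_level1.netset
https://iplists.firehol.org/files/feodo.ipset
not a url'

# merge_filter_lists: read list lines on stdin, print valid URLs once each in
# first-seen order, and flag anything else (blank lines are silently skipped).
merge_filter_lists() {
    awk '
        /^[[:space:]]*$/ { next }
        /^https?:\/\/[^[:space:]]+$/ { if (!seen[$0]++) print; next }
        { print "rejected: " $0 > "/dev/stderr" }
    '
}

# build_custom_list: the merged list Skynet would be pointed at.
build_custom_list() {
    printf '%s\n%s\n' "$DEFAULT_LIST" "$EXTRA_LIST" | merge_filter_lists
}

# Usage: build_custom_list > custom.list, then publish custom.list as a raw
# pastebin and run: sh /jffs/scripts/firewall banmalware <raw link>
```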
 
Hi,

I didn't understand what pastebin was and how to use it, but I found on google and the other guys also were interested and responded :).
Thank you for helping me with it.
M@rco's question is a good one. I knew that Firehol Level 4 was the one with most of the false positives, but Levels 1 - 3 are ok to ban (I used to use "ya-malware-block" and knew this info from his script.)
Any reason it wasn't included in the default list ?

Thanks!
 
is there any specific reason why Firehol level 1 isn't included by default?
Any reason it wasn't included in the default list ?

Firehol lists are themselves a combination of lists. Skynet manually lists most of the worthwhile contents that make up "level1"
 
Okay, thanks for clarifying. I did notice Skynet outputting
Code:
1142 New IPs / 3121 New Ranges Banned
after adding Firehol Level 1, but that could be caused by updating banmalware in between regular updates, I guess?
 
As Adamm mentioned, the default list would have some lists that are already in level 1, meaning they are duplicated. I suggest you use http://iplists.firehol.org/ (Level 1) to compare the lists and remove them; this will speed up the updating process.

Sorting by “Their %”, those with 100% mean level 1 already has the list. Remove those lists from the Skynet default list.
 

Hei, thanks, I got it.
 
I found a file named "shared-Skynet-whitelist"

In this whitelist are following entries:

https://iplists.firehol.org/files/firehol_level1.netset
https://iplists.firehol.org/files/firehol_level2.netset
https://iplists.firehol.org/files/firehol_level3.netset
https://iplists.firehol.org/files/feodo.ipset
https://iplists.firehol.org/files/bambenek_c2.ipset
https://iplists.firehol.org/files/spamhaus_drop.netset
https://iplists.firehol.org/files/spamhaus_edrop.netset
https://iplists.firehol.org/files/malwaredomainlist.ipset
https://iplists.firehol.org/files/maxmind_proxy_fraud.ipset
https://iplists.firehol.org/files/cybercrime.ipset
https://iplists.firehol.org/files/dyndns_ponmocup.ipset
https://iplists.firehol.org/files/ransomware_online.ipset
https://iplists.firehol.org/files/ransomware_rw.ipset
https://iplists.firehol.org/files/et_block.netset
https://iplists.firehol.org/files/et_compromised.ipset
https://iplists.firehol.org/files/et_botcc.ipset
https://iplists.firehol.org/files/blocklist_de_bots.ipset
https://iplists.firehol.org/files/blocklist_de_ssh.ipset
https://iplists.firehol.org/files/blocklist_de_strongips.ipset
https://iplists.firehol.org/files/alienvault_reputation.ipset
https://iplists.firehol.org/files/uscert_hidden_cobra.ipset
https://iplists.firehol.org/files/bds_atif.ipset
https://iplists.firehol.org/files/taichung.ipset
https://iplists.firehol.org/files/urandomusto_telnet.ipset
https://iplists.firehol.org/files/urandomusto_ssh.ipset
https://iplists.firehol.org/files/normshield_high_attack.ipset
https://iplists.firehol.org/files/normshield_high_bruteforce.ipset
https://iplists.firehol.org/files/coinbl_ips.ipset
https://iplists.firehol.org/files/coinbl_hosts_browser.ipset

Why are these entries in a "whitelist"?
 

Skynet whitelists various addresses with the "shared-*-Whitelist" format created on these forums to prevent users inadvertently locking themselves out or breaking functionality.
 
I've pushed v6.3.4

Skynet will now display associated DNS data (if available!) during the stats command or when individually looking up an IP. In other words, Diversion users will get some extra information for their outbound HTTP(s) blocks.

Let me know if this works as described.
 
How does Skynet determine the actual DNS? How about shared IPs?
I have an outbound IP blocked. I can’t find the DNS in AlienVault.

https://otx.alienvault.com/indicator/ip/69.172.201.153 - (error.net)
 

Those who have Diversion installed generally have dnsmasq logging enabled, Skynet searches "/opt/var/log/dnsmasq.log" for the corresponding DNS requests so you can find the exact domain in particular being blocked.
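The lookup described above can be reproduced by hand. The following is an added example, not Skynet's own code: it pulls from a dnsmasq query log the names that resolved to a blocked IP, and the LAN client that asked for each name. It assumes dnsmasq runs with log-queries, whose answer lines read "reply <name> is <ip>" (or "cached <name> is <ip>"); the log sample is constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not part of Skynet): correlate a blocked IP with the dnsmasq
# query log, the same idea as Skynet's search of /opt/var/log/dnsmasq.log.
# Assumed line layout (dnsmasq log-queries):
#   Mon DD HH:MM:SS dnsmasq[pid]: reply  <name> is <ip>
#   Mon DD HH:MM:SS dnsmasq[pid]: cached <name> is <ip>
#   Mon DD HH:MM:SS dnsmasq[pid]: query[A] <name> from <client>

# Constructed sample log; timestamps, PID and clients are made up, the IP and
# domain are the ones quoted in the thread.
SAMPLE_LOG='Aug 27 10:15:01 dnsmasq[412]: query[A] error.net from 192.168.1.20
Aug 27 10:15:01 dnsmasq[412]: forwarded error.net to 1.1.1.1
Aug 27 10:15:01 dnsmasq[412]: reply error.net is 69.172.201.153
Aug 27 10:15:02 dnsmasq[412]: query[A] www.example.com from 192.168.1.20
Aug 27 10:15:02 dnsmasq[412]: reply www.example.com is 93.184.216.34
Aug 27 10:16:40 dnsmasq[412]: query[A] cdn.error.net from 192.168.1.31
Aug 27 10:16:40 dnsmasq[412]: cached cdn.error.net is 69.172.201.153'

# read_log [LOGFILE]: the log to scan; falls back to the sample so this runs offline.
read_log() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# domains_for_ip IP [LOGFILE]: unique names whose A answer was IP.
# Several names on one IP (shared hosting, CDN) all show up, so the result
# is a candidate set, not a single verdict.
domains_for_ip() {
    read_log "$2" | awk -v ip="$1" '
        ($5 == "reply" || $5 == "cached") && $7 == "is" && $8 == ip { print $6 }
    ' | sort -u
}

# clients_for_domain NAME [LOGFILE]: LAN hosts that queried NAME, which is
# what identifies the device behind an outbound block.
clients_for_domain() {
    read_log "$2" | awk -v name="$1" '
        $5 ~ /^query\[/ && $6 == name && $7 == "from" { print $8 }
    ' | sort -u
}

# Usage on a router: domains_for_ip 69.172.201.153 /opt/var/log/dnsmasq.log
```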
 
So this feature relies on using the router for rdns?
 
I've pushed v6.4.0

Improving on yesterday's update, Skynet will display associated domains in various additional places in a much more efficient (and better looking!) way. This should make hunting down false positives for less tech savvy users significantly easier.
 
@Adamm
Just a suggestion.
Could we have an option for outgoing log only? Coz I think it is not critical to know the incoming noise that will be blocked, but we need to know if there is any malicious device/app sending out to a server without our knowledge, or if it is a false positive that we need to whitelist.
This will make syslog work less hard and do less writing.
@Adamm
Not sure you read this post earlier on. Any way to make this possible?
 

Not at this time. Skynet currently logs anything it blocks (if debug mode is enabled); if you need an easy way to segregate types of logs in realtime, use the "sh /jffs/scripts/firewall debug watch" command.
 