Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

it's the 2nd drive I'm trying out. Could be bad luck though. Both ext2 or ext4 fail after a few hours. they work though fine if I connect them to the PC. Could it be the router, this partic. USB port?

Hard to say for certain, but I'd assume its most likely the USB (assuming your on latest firmware etc). I suggest formatting a fresh device (cheap USB's are pretty fragile) then using something like Minitool Partition Wizard to make sure the formatting is correct.

With that being said, its definitely either the router or usb its-self.

 

[Grisu]

it's the 2nd drive I'm trying out. Could be bad luck though. Both ext2 or ext4 fail after a few hours. they work though fine if I connect them to the PC. Could it be the router, this partic. USB port?

did you try on USB2.0 port (not USB3.0 converted to 2.0)?
and format on router not outside

There is very poor USB support on these routers causing many troubles!

 

[Adamm]

I went ahead and updated both the default filter list (remove redundant lists, add a few new ones), and the CDN whitelist.

Let me know if this causes any excessive false positives after running banmalware and we can reassess the additions in the near future.

 

[agilani]

Can i report symantec endpoint protection blocking known apps and sites here as well?

 

[blueshark]

best usb drive to use with asus router ?

 

[Adamm]

best usb drive to use with asus router ?

Well it depends on your usage. Personally I use a cheap 16gb no name brand I bought off eBay for router related things then have a 2TB hdd for network storage.

 

[blueshark]

Well it depends on your usage. Personally I use a cheap 16gb no name brand I bought off eBay for router related things then have a 2TB hdd for network storage.

to use only with Skynet

 

[Adamm]

to use only with Skynet

Any cheap USB will do. Skynet is not IO limited by any means.

 

[thobux]

Hard to say for certain, but I'd assume its most likely the USB (assuming your on latest firmware etc). I suggest formatting a fresh device (cheap USB's are pretty fragile) then using something like Minitool Partition Wizard to make sure the formatting is correct.

With that being said, its definitely either the router or usb its-self.

seems there was an issue with the partition. Works now.

 

[Twiglets]

Adamm,

I am finding that I cannot <Control-C> out of option 12 --> 1 --> 1 (log monitoring) of Skynet after it has been running for a few hours.
[I have a terminal session running permanently that I can visually check for any output.]

Previous versions did not have this problem and I could leave option 12 --> 1 --> 1 running for days with no problems breaking out of the loop back to the menu.

It does work if you immediately type <Control-C>, so some time has to pass for the problem to occur.

Can anyone else replicate this problem ?

 

[Adamm]

Adamm,

I am finding that I cannot <Control-C> out of option 12 --> 1 --> 1 (log monitoring) of Skynet after it has been running for a few hours.
[I have a terminal session running permanently that I can visually check for any output.]

Previous versions did not have this problem and I could leave option 12 --> 1 --> 1 running for days with no problems breaking out of the loop back to the menu.

It does work if you immediately type <Control-C>, so some time has to pass for the problem to occur.

Can anyone else replicate this problem ?

Thanks for the reminder, I noticed this a few weeks ago then totally forgot about it. It will only happen if you run banmalware/update from the menu followed by watching the logs. I'll fix it at some point today and try improve Skynets usage of "trap" which is causing the bug.

Edit; Hotfix out, no version change, I'll possibly improve this later.

 

[Skeptical.me]

UPDATED 15/09/2018


Skynet - Asus Firewall Addition


Skynet is the first comprehensive IP banning and security tool exclusively for Asus Devices.


The goal of this tool is to enhance the firmware's built in functionality such as the SPI Firewall, Brute Force Detection and AiProtect while adding easy to use tools for users to implement custom firewall rules they desire. Skynet has a range of feature from banning single IPs, domains, entire countries or pulling predefined malware lists from reputable providers. It is the one stop shop for router security and the first line of defense in your home network.

Skynet fully supports (router) OpenVPN implementations and the Astrill VPN Plugin along with user scripts like Diversion. You can read about explanations for common errors here.


This script is open source and free to use, but if you want to support future development you can do so by donating here.

INSTALLATION;

All that's required is a USB drive that's at-least 500MB, After downloading it just works.

This script is now hosted on GitHub, you can follow the most recent changes here.

In your favourite SSH terminal;

/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh" -o "/jffs/scripts/firewall" && chmod +x /jffs/scripts/firewall && sh /jffs/scripts/firewall install

After installation (or reboot) you should see output similar the following indicating the script is working.

Sep 15 21:55:39 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/Elements/skynet )
Sep 15 21:56:00 Skynet: [#] 132577 IPs (+0) -- 1828 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [21s]

USAGE;

Skynet provides both a user interactive menu, and command line interface for those who prefer it.

To open the menu its as simple as;

sh /jffs/scripts/firewall

And for the CLI users, here's a list of possible commands.

Here Are Some Example Unban Commands;
( sh /jffs/scripts/firewall unban ip 8.8.8.8 ) This Unbans The IP Specified
( sh /jffs/scripts/firewall unban range 8.8.8.8/24 ) This Unbans the CIDR Block Specified
( sh /jffs/scripts/firewall unban domain google.com ) This Unbans the URL Specified
( sh /jffs/scripts/firewall unban comment "Apples" ) This Unbans Entries With The Comment Apples
( sh /jffs/scripts/firewall unban country ) This Unbans Entries Added By The "Ban Country" Feature
( sh /jffs/scripts/firewall unban malware ) This Unbans Entries Added By The "Ban Malware" Feature
( sh /jffs/scripts/firewall unban nomanual ) This Unbans Everything But Manual Bans
( sh /jffs/scripts/firewall unban all ) This Unbans All Entries From Both Blacklists

Here Are Some Example Ban Commands;
( sh /jffs/scripts/firewall ban ip 8.8.8.8 "Apples" ) This Bans The IP Specified With The Comment Apples
( sh /jffs/scripts/firewall ban range 8.8.8.8/24 "Apples" ) This Bans the CIDR Block Specified With The Comment Apples
( sh /jffs/scripts/firewall ban domain google.com ) This Bans the URL Specified
( sh /jffs/scripts/firewall ban country "pk cn sa" ) This Bans The Known IPs For The Specified Countries (Accepts Single/Multiple Inputs If Quoted) http://www.ipdeny.com/ipblocks/data/countries/

Here Are Some Example Banmalware Commands;
( sh /jffs/scripts/firewall banmalware ) This Bans IPs From The Predefined Filter List
( sh /jffs/scripts/firewall banmalware google.com/filter.list ) This Uses The Fitler List From The Specified URL
( sh /jffs/scripts/firewall banmalware reset ) This Will Reset Skynet Back To The Default Filter URL
( sh /jffs/scripts/firewall banmalware exclude "list1.ipset|list2.ipset" ) This Will Exclude Lists Matching The Names "list1.ipset list2.ipset" From The Current Filter (Quotes And Pipes Are Nessessary For Seperating Multiple Entries!)
( sh /jffs/scripts/firewall banmalware exclude reset ) This Will Reset The Exclusion List

Here Are Some Example Whitelist Commands;
( sh /jffs/scripts/firewall whitelist ip 8.8.8.8 "Apples" ) This Whitelists The IP Specified With The Comment Apples
( sh /jffs/scripts/firewall whitelist range 8.8.8.8/24 "Apples" ) This Whitelists The Range Specified With The Comment Apples
( sh /jffs/scripts/firewall whitelist domain google.com) This Whitelists the URL Specified
( sh /jffs/scripts/firewall whitelist vpn) Refresh VPN Whitelist
( sh /jffs/scripts/firewall whitelist remove all) This Removes All Non-Default Entries
( sh /jffs/scripts/firewall whitelist remove entry 8.8.8.8) This Removes IP/Range Specified
( sh /jffs/scripts/firewall whitelist remove comment "Apples" ) This Removes Entries With The Comment Apples
( sh /jffs/scripts/firewall whitelist refresh ) Regenerate Shared Whitelist Files
( sh /jffs/scripts/firewall whitelist list ips|domains|imported ) List Whitelist Entries Based On Category (Leave Blank For All)

Here Are Some Example Import Commands;
( sh /jffs/scripts/firewall import blacklist file.txt "Apples" ) This Bans All IPs From URL/Local File With The Comment Apples
( sh /jffs/scripts/firewall import whitelist file.txt "Apples" ) This Whitelists All IPs From URL/Local File With The Comment Apples

Here Are Some Example Deport Commands;
( sh /jffs/scripts/firewall deport blacklist file.txt ) This Unbans All IPs From URL/Local File
( sh /jffs/scripts/firewall deport whitelist file.txt ) This Unwhitelists All IPs From URL/Local File

Here Are Some Example Update Commands;
( sh /jffs/scripts/firewall update ) Standard Update Check - If Nothing Detected Exit
( sh /jffs/scripts/firewall update check ) Check For Updates Only - Wont Update If Detected
( sh /jffs/scripts/firewall update -f ) Force Update Even If No Changes Detected

Here Are Some Example Settings Commands;
( sh /jffs/scripts/firewall settings autoupdate enable|disable ) Enable/Disable Skynet Autoupdating
( sh /jffs/scripts/firewall settings banmalware daily|weekly|disable ) Enable/Disable Automatic Banmalware Updating
( sh /jffs/scripts/firewall settings debugmode enable|disable ) Enable/Disable Debug Mode
( sh /jffs/scripts/firewall settings filter all|inbound|outbound ) Select What Traffic To Filter
( sh /jffs/scripts/firewall settings unbanprivate enable|disable ) Enable/Disable Unban_PrivateIP Function
( sh /jffs/scripts/firewall settings loginvalid enable|disable ) Enable/Disable Invalid Packet Logging
( sh /jffs/scripts/firewall settings banaiprotect enable|disable ) Enable/Disable Banning IP's Flagged By AiProtect
( sh /jffs/scripts/firewall settings securemode enable|disable ) Enable/Disable Insecure Settings Being Applied In WebUI

Here Are Some Example Debug Commands;
( sh /jffs/scripts/firewall debug watch ) Show Debug Entries As They Appear
( sh /jffs/scripts/firewall debug info ) Print Useful Debug Info
( sh /jffs/scripts/firewall debug clean ) Cleanup Syslog Entries
( sh /jffs/scripts/firewall debug swap install|uninstall ) Install/Uninstall SWAP File
( sh /jffs/scripts/firewall debug backup ) Backup Skynet Files To Skynets Install Directory With The Name "Skynet-Backup.tar.gz"
( sh /jffs/scripts/firewall debug restore ) Restore Backup Files From Skynets Install Directory With The Name "Skynet-Backup.tar.gz"


Here Are Some Example Stats Commands;
( sh /jffs/scripts/firewall stats ) Compile Stats With Default Top10 Output
( sh /jffs/scripts/firewall stats 20 ) Compile Stats With Customizable Top20 Output
( sh /jffs/scripts/firewall stats tcp ) Compile Stats Showing Only TCP Entries
( sh /jffs/scripts/firewall stats tcp 20 ) Compile Stats Showing Only TCP Entries With Customizable Top20 Output
( sh /jffs/scripts/firewall stats search port 23 ) Search All Debug Data For Entries On Port 23
( sh /jffs/scripts/firewall stats search port 23 20 ) Search All Debug Data For Entries On Port 23 With Customizable Top20 Output
( sh /jffs/scripts/firewall stats search ip 8.8.8.8 ) Search All Debug Data For Entries On 8.8.8.8
( sh /jffs/scripts/firewall stats search ip 8.8.8.8 20 ) Search All Debug Data For Entries On 8.8.8.8 With Customizable Top20 Output
( sh /jffs/scripts/firewall stats search malware 8.8.8.8 ) Search Malwarelists For Specified IP
( sh /jffs/scripts/firewall stats search manualbans ) Search For All Manual Bans
( sh /jffs/scripts/firewall stats search device 192.168.1.134 ) Search For All Outbound Entries From Local Device 192.168.1.134
( sh /jffs/scripts/firewall stats search device reports ) Search Previous Hourly Report History
( sh /jffs/scripts/firewall stats remove ip 8.8.8.8 ) Remove Log Entries Containing IP 8.8.8.8
( sh /jffs/scripts/firewall stats remove port 23 ) Remove Log Entries Containing Port 23
( sh /jffs/scripts/firewall stats reset ) Reset All Collected Debug Data

Adamm - a big THANK YOU, I've got an intermediate knowledge of using Tech, but I'm trying to learn much more ( so i can come here and help troubleshoot issues with others), anyhow, this is such a great tool for my Router. Its already blocking IP's mainly targeting my NAS by the looks of it. This Firewall gives me easily to understand data about what is normally unseen. It helps to diagnose. Thanks for your efforts.

 

[M@rco]

Adamm - a big THANK YOU

*checks browser zoom level*

 

[Skeptical.me]

*checks browser zoom level*

Thats just my appreciation all up in your screen. At least I didn'y evoke the ALL CAPS for numerous paragraphs lol

 

[zerowalker]

Is it possible for it to route to some page so i can tell if the ip address was blocked by skynet?
Run into issues when i couldn't figure out why some stuff didn't work, and had kinda forgotten about the Router;p

 

[thobux]

Interesting. I had to whitelist wikipedia.org

 

[Adamm]

Is it possible for it to route to some page so i can tell if the ip address was blocked by skynet?
Run into issues when i couldn't figure out why some stuff didn't work, and had kinda forgotten about the Router;p

Not currently possible, Skynet has other tools to assist in this area.

Interesting. I had to whitelist wikipedia.org

I can't reproduce this on the default list. Are you sure it wasn't blocked by diversion but by adding it to the Skynet whitelist you inadvertently added it there?

skynet@RT-AC86U-2EE8:/tmp/home/root# nslookup wikipedia.org
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      wikipedia.org
Address 1: 103.102.166.224 text-lb.eqsin.wikimedia.org
Address 2: 2001:df2:e500:ed1a::1 text-lb.eqsin.wikimedia.org
skynet@RT-AC86U-2EE8:/tmp/home/root# firewall stats search malware 103.102.166.224
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 24/09/2018 -           Asus Firewall Addition By Adamm v6.4.7                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


[i] Debug Data Detected in /tmp/mnt/Elements/skynet/skynet.log - 1.8M
[i] Monitoring From Sep 24 14:57:12 To Sep 26 03:47:07
[i] 7886 Block Events Detected
[i] 1227 Unique IPs
[i] 0 Manual Bans Issued

Associated Domain(s);
en.m.wikipedia.org
login.wikimedia.org
meta.wikimedia.org
meta.m.wikimedia.org
en.wikipedia.org
wikipedia.org
wikimedia.org


Exact Matches;


Possible CIDR Matches;


[#] 160143 IPs (+0) -- 1991 Ranges Banned (+0) || 6057 Inbound -- 1244 Outbound Connections Blocked! [stats] [10s]

skynet@RT-AC86U-2EE8:/tmp/home/root#

 

[thobux]

I can't reproduce this on the default list. Are you sure it wasn't blocked by diversion but by adding it to the Skynet whitelist you inadvertently added it there?

Hmm, that's possible. Interestingly I can't find the specific whiteliste entry in Skynet anymore. But I also get
`touch: /tmp/mnt/sda1/skynet/events.log: Input/output error`

 

[thobux]

and then there's

[i] Debug Data Detected in /tmp/mnt/sda1/skynet/skynet.log - 3.3M
[i] Monitoring From Sep 20 08:30:37 To Sep 25 23:51:21
[i] 13630 Block Events Detected
[i] 1894 Unique IPs
grep: /tmp/mnt/sda1/skynet/events.log: Input/output error
[i]  Manual Bans Issued

Associated Domain(s);
de.wikipedia.org
meta.wikimedia.org
login.wikimedia.org
en.wikipedia.org
wikipedia.org


Exact Matches;
https://iplists.firehol.org/files/blocklist_net_ua.ipset - 91.198.174.192


Possible CIDR Matches;

 

[dmsims]

Both Alexa on a 7th Gen Fire HD and World of Tanks updater are blocked