What's new

Skynet Skynet - Router Firewall & Security Enhancements

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I just so happened to do a clean install for other reason and noticed, install process went smooth and all working as expected. Now we can both relax :p
I plan to do the same on my main router 86U. It's been through a lot since I got it and I want to use a faster USB stick on it.
So yeah, lean back and enjoy.
 
I plan to do the same on my main router 86U. It's been through a lot since I got it and I want to use a faster USB stick on it.
So yeah, lean back and enjoy.

If you're planning on buying an faster USB drive, I just ordered and received a Sandisk Extreme Go 64GB USB 3.1 for EUR 26,50 (CHF 30,30). Not sure whether they're lowering its price globally, but I haven't seen it this low anywhere. I believe it's still considered the fastest USB drive out there currently.
 
Last edited by a moderator:
So the only piece of software that i have installed on this was esfileexplorer which is listed under the domain estrongs.com. A whois of estrongs.com shows that it was registered by dns registrar in Xiamen, China. Can't be sure, but if/why esfileexplorer decided to phone home would be worrisome. This device isn't rooted, but esfileexplorer is commonly used as a root file explorer.
esfileexplorer is pretty well known to do some sketchy stuff in the background (like call China.) I quit using it a while back because of that.
 
esfileexplorer is pretty well known to do some sketchy stuff in the background (like call China.) I quit using it a while back because of that.
Thanks, I read up on it. i hadn't really used it in awhile and had it on the firestick to transfer files to it. I uninstalled it from all of my devices. I'm surprised that more people don't realize this.
 
Wow.... Uninstalled too. What a horrible app.

On another note what is Ban AIProtect for in the options? I have it set to Enable.

Sent from my SM-G965F using Tapatalk
 
Wow.... Uninstalled too. What a horrible app.

On another note what is Ban AIProtect for in the options? I have it set to Enable.

Sent from my SM-G965F using Tapatalk
Basically it bans what Trend Micro deems bad.
 
Which the Aiprotection doesn't do already?
I'll leave it on then.

Sent from my SM-G965F using Tapatalk
They look at traffic different ways kind of. Think of it as an added layer of security.:)
 
Not quite related but is it possible to see the IDS logs in a terminal.

I also want to filter the firewall logs, where does the log output go? I could just use grep in a terminal to say filter for specific clients or events.

Sent from my SM-G965F using Tapatalk
 
Not quite related but is it possible to see the IDS logs in a terminal.

I also want to filter the firewall logs, where does the log output go? I could just use grep in a terminal to say filter for specific clients or events.

Sent from my SM-G965F using Tapatalk

That would be your syslog server that you are forwarding your logs to :) I'm using my nas as i am too lazy to setup elk again for my home just for this.

the log are kept in the router syslog for an hour or so and skynet then wipes the log every hour or enable debug to terminal and capture it

by default traffic logs (non skynet) are not enabled in merlin - you need to go into settings and enable it for all traffic if you want to see full traffic logs.
 
I certainly don't want to see all traffic logs although some aggregate statistics or even graphing would be handy. I have Skynet debug enabled now, I will disable it as it does generate a lot of information and for limited value I assume.
If logs rotate and are flushed or whatever, it is feasible to simply create some script or something that use tail and grep to filter output to other files which would also be very resource light and not need a SSH terminal permanently logged in to run. E.g. if I wanted logs for certain internal IP's (clients) or MAC addresses.

I have Syslog also now set to send to a local file. But thankfully it is not clogging up with firewall logs when I look at it through a terminal.

-- Edit --

I have decided to keep debugging enabled as it seems logging and reporting does not work without this, and it is very useful.

I.e. I noticed from the report that my phone has a lot of blocked outbound connections to pasta.n.shifen.com - which is in China - and so I wonder if that's the ES File Explorer app people said is spyware (now uninstalled). I have also now blocked China outright (and Russia). I will progressively go through blocking the most corrupt countries on the planet - although I imagine they route traffic anyway so it won't capture all of it but it still helps.

I am impressed the report could identity that device. And that AIProtect does not seem to block that outbound connection so now I have multiple layers of protection - AIProtect, Diversion, and Skynet.. pretty solid eh?

My Android phone VPN now auto-connects when I disconnect from my home WiFi too so I get the home protection on the go (I hope).

Love how I can do this!!!
 
Last edited:
I certainly don't want to see all traffic logs although some aggregate statistics or even graphing would be handy. I have Skynet debug enabled now, I will disable it as it does generate a lot of information and for limited value I assume.
If logs rotate and are flushed or whatever, it is feasible to simply create some script or something that use tail and grep to filter output to other files which would also be very resource light and not need a SSH terminal permanently logged in to run. E.g. if I wanted logs for certain internal IP's (clients) or MAC addresses.

I have Syslog also now set to send to a local file. But thankfully it is not clogging up with firewall logs when I look at it through a terminal.

Take a look at the built in skynet reports then.

firewall stats display
firewall stats search

Its not a replacement for searching through logs though.

With debug turned on skynet does a decent job of cleaning up syslog on the router itself. Only the last hour is in syslog so if you need it to troubleshoot its there.
 
On another note what is Ban AIProtect for in the options? I have it set to Enable.

AiProtect only blocks exploits but allows all other traffic from a potentially malicious IP. Skynet taps into AiProtect's logs and takes this a step further, so any time an IP is flagged for trying to exploit your router Skynet will block ALL further traffic.

Not quite related but is it possible to see the IDS logs in a terminal.

AiProtect doesn't use a log file but instead a SQLite database.

I also want to filter the firewall logs, where does the log output go? I could just use grep in a terminal to say filter for specific clients or events.

Skynet purges its own logs from syslog to "/tmp/mnt/USBNAME/skynet/skynet.log"

My Android phone VPN now auto-connects when I disconnect from my home WiFi too so I get the home protection on the go (I hope).

I have a similar setup with my iPhone, very convenient.
 
Anyone else blocking Brazil? I added Brazil to y block list, but there are a whole host of microsoft servers in brazil that are getting blocked. It doesn't seem to impact any functionality that i've been able to pin down so far though so I've left it blocked for now.

The brazil microsoft ip's being blocked all on port 443
191.232.99.18
191.232.101.210
191.232.102.2
191.232.107.114
191.232.102.18
191.232.102.2

I think it may be office 365 business services. It's happening on my wifes iphone which is only running outlook and onedrive. Or maybe azure hosted services for some adtech.
 
Last edited:
I've pushed v6.5.1

This fixes an issue with uppercase country abbreviations
Some minor aesthetic improvements
Support for Johns LTS fork w/ securemode (thanks @jsbeddow for the help finding correct values)
 
This is likely coincidence with the v6.5.1 upgrade. The 02:26 cron running banmalware command cleared most blocks out! Yikes!

From my syslog this morning (I manually ran banmalware at 07:23 to get blocking back, all blocks shown were Invalid).

Code:
Oct 15 01:25:00 Skynet: [%] New Version Detected - Updating To v6.5.1
Oct 15 01:25:03 Skynet: [%] Restarting Firewall Service
Oct 15 01:25:04 rc_service: service 7960:notify_rc restart_firewall
Oct 15 01:25:04 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Oct 15 01:25:04 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Oct 15 01:25:04 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Oct 15 01:25:26 Skynet: [#] 148615 IPs (+0) -- 1706 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [22s]
Oct 15 02:00:03 Skynet: [#] 148615 IPs (+0) -- 1706 Ranges Banned (+0) || 55 Inbound -- 0 Outbound Connections Blocked! [save] [2s]
Oct 15 02:26:34 Skynet: [#] 66 IPs (-148549) -- 0 Ranges Banned (-1706) || 91 Inbound -- 0 Outbound Connections Blocked! [banmalware] [94s]
Oct 15 03:00:00 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 04:00:00 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 05:00:01 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 05:20:02 Diversion: rotated dnsmasq log files, from /opt/share/diversion/file/rotate-logs.div
Oct 15 06:00:00 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 07:00:00 Skynet: [#] 66 IPs (+0) -- 0 Ranges Banned (+0) || 91 Inbound -- 0 Outbound Connections Blocked! [save] [0s]
Oct 15 07:23:54 Skynet: [#] 147313 IPs (+147247) -- 1713 Ranges Banned (+1713) || 91 Inbound -- 0 Outbound Connections Blocked! [banmalware] [84s]
 
This is likely coincidence with the v6.5.1 upgrade. The 02:26 cron running banmalware command cleared most blocks out! Yikes!

Looks like some sort of connectivity issues on one end prevented the update to go smoothly, very much a coincidence.

For reference, is your banmalware run-time always ~90 seconds? On an AC86U this should be much closer to 20.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top