Skynet - Router Firewall & Security Enhancements


Looks like some sort of connectivity issue on one end prevented the update from going smoothly; very much a coincidence.

For reference, is your banmalware run-time always ~90 seconds? On an AC86U this should be much closer to 20.
My syslog was recently cleared so those two shown above are all I see searching back as far as I can. The one at 02:26 was 94 s and the one at 07:23 was 84 seconds.

I just ran banmalware again and get this, and back to only 66 IPs blocked. The only things I have done were the conversion from AB-Solution to Diversion, which had no issues, and then the updates of Skynet and Diversion, again with no issues. Same USB drive as before. I monitor this every morning and this is the first oddity that has happened. I just verified there is no /tmp/skynet directory.

Code:
/jffs/scripts/firewall banmalware

[i] Downloading filter.list     [1s]
[i] Refreshing Whitelists    [2s]
[i] Consolidating Blacklist     dos2unix: can't open '/tmp/skynet/*': No such file or directory
cat: can't open '/tmp/skynet/*': No such file or directory
[i] Filtering IPv4 Addresses     [1s]
[i] Filtering IPv4 Ranges     [0s]
[i] Applying New Blacklist    [0s]
[i] Refreshing AiProtect Bans     [0s]
[i] Saving Changes         [0s]

[i] For False Positive Website Bans Use; ( sh /jffs/scripts/firewall whitelist domain URL )

[#] 66 IPs (-147247) -- 0 Ranges Banned (-1713) || 301 Inbound -- 0 Outbound Connections Blocked! [banmalware] [94s]
 
@Adamm Is this EmergingThreats blocklist compatible with Skynet?

We already source a copy of ET blacklists.

Code:
https://iplists.firehol.org/files/et_block.netset
https://iplists.firehol.org/files/et_compromised.ipset

It crashed my router when I added it

Please elaborate on how you added it, there's no reason it should "crash" your router (can this be reproduced?)


Seems like there's another factor coming into play here. Please provide the output of the following (it will be quite long so probably best to pastebin it);

Code:
sh -x /jffs/scripts/firewall banmalware

sh /jffs/scripts/firewall debug info
 

I should have elaborated better: the first command output would be most helpful when it fails (in this case it succeeded, but it's extremely slow, which is still helpful).

Step 3 in particular should take around 8s; in your case it's taking 80. The corresponding code is the following;

Code:
        # Step 3: start the timer, then fetch every list URL in parallel into /tmp/skynet
        btime="$(date +%s)" && printf "[i] Consolidating Blacklist     "
        mkdir -p /tmp/skynet
        cwd="$(pwd)"
        cd /tmp/skynet || exit 1
        while IFS= read -r "domain" && [ -n "$domain" ]; do
            /usr/sbin/curl -fsL --retry 3 "$domain" -O &
        done < /jffs/shared-Skynet-whitelist
        wait    # returns only when the slowest download finishes (or curl gives up after its retries)
        cd "$cwd" || exit 1
        # normalise line endings, keep IPv4/CIDR lines only, de-duplicate, drop private/reserved ranges
        dos2unix /tmp/skynet/*
        cat /tmp/skynet/* | grep -oE '^[0-9,./]*$' | awk '!x[$0]++' | Filter_PrivateIP > /tmp/skynet/malwarelist.txt && $grn "[$(($(date +%s) - btime))s]"

Without running the sh -x command myself in real time I can't see which part of the code it's hanging at (it will either be the curl downloads or the processing and combining of the lists). In either case it indicates an issue outside of Skynet's control.

I'm personally leaning towards some sort of connectivity issue versus your CPU bottle-necking.
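As an added example (not Skynet's own code, and not from the post above), here is the consolidation step rebuilt in shell on constructed sample lists, plus a helper that fetches each list URL one at a time under a time limit so a stalled download is reported by name rather than silently inflating the whole step's timing. The filter_private_ip function restates the Filter_PrivateIP regex that appears in the sh -x trace later in this thread, the file names and list contents are constructed, and the 60-second cap is an assumption.

```shell
#!/bin/sh
# Added example, not Skynet's own code: rebuild the "Consolidating Blacklist" step
# on locally constructed sample lists, and fetch each list URL separately with a
# time limit so one stalled mirror is reported by name instead of stalling the
# whole step. Directory, file names and list contents below are constructed.

WORK="${WORK:-$(mktemp -d)}"

# Private/reserved-range filter, restated from the regex in the sh -x trace
# (the project calls its function Filter_PrivateIP; this is an assumed copy).
filter_private_ip() {
    grep -vE '(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^0\.)|(^169\.254\.)|(^22[4-9]\.)|(^23[0-9]\.)|(^255\.255\.255\.255)|(^8\.8\.8\.8)|(^8\.8\.4\.4)'
}

# Write two constructed lists: CRLF line endings (the reason dos2unix is needed),
# a comment line, a duplicate entry and two private addresses that must be dropped.
make_sample_lists() {
    dir="$1"
    mkdir -p "$dir"
    printf '# sample list A\r\n1.2.3.4\r\n5.6.7.0/24\r\n192.168.1.10\r\n1.2.3.4\r\n' > "$dir/sample_a.ipset"
    printf '# sample list B\n5.6.7.0/24\n9.9.9.9\n10.0.0.5\n203.0.113.7\n' > "$dir/sample_b.netset"
}

# Consolidate every file in a directory the way the banmalware step does:
# strip CR, keep only IPv4/CIDR lines, drop duplicates (first occurrence wins),
# drop private/reserved ranges. Result goes to stdout.
consolidate_lists() {
    dir="$1"
    cat "$dir"/* | tr -d '\r' | grep -oE '^[0-9,./]*$' | awk '!x[$0]++' | filter_private_ip
}

# Download one list with a hard cap and report elapsed time and exit status,
# so a hung download is attributable to a specific URL.
timed_fetch() {
    url="$1"; dest="$2"; limit="${3:-60}"   # 60 s cap is an assumed value
    start="$(date +%s)"
    curl -fsL --retry 3 --max-time "$limit" "$url" -o "$dest"
    rc=$?
    elapsed=$(( $(date +%s) - start ))
    if [ "$rc" -eq 0 ]; then
        printf '[ok]   %3ds  %s\n' "$elapsed" "$url"
    else
        printf '[FAIL] %3ds  %s (curl exit %d)\n' "$elapsed" "$url" "$rc"
    fi
    return "$rc"
}

# Fetch every URL in a file (one per line) sequentially with timing; the real
# script runs them in parallel, which is faster but hides which one is slow.
timed_fetch_all() {
    listfile="$1"; dir="$2"
    mkdir -p "$dir"
    while IFS= read -r url && [ -n "$url" ]; do
        timed_fetch "$url" "$dir/$(basename "$url")"
    done < "$listfile"
}

# Offline demonstration on the constructed lists: prints the four surviving entries.
make_sample_lists "$WORK/lists"
consolidate_lists "$WORK/lists"
```

To find the slow download on a real router, point timed_fetch_all at the filter list file and a scratch directory; each line then carries its own elapsed time and curl exit code, which is the information the parallel loop with `wait` cannot give you.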
 
Thank you. I have no connectivity issues that I can see. Speed tests, ipleak.net, all sites I use. Google Play Music, etc.

It is this line that hangs:
Code:
+ /usr/sbin/curl -fsL --retry 3 https://iplists.firehol.org/files/uscert_hidden_cobra.ipset -O

Here is the section below it to the [79s] timing:
Code:
+ /usr/sbin/curl -fsL --retry 3 https://iplists.firehol.org/files/uscert_hidden_cobra.ipset -O
+ cd /tmp/home/root
+ dos2unix /tmp/skynet/alienvault_reputation.ipset /tmp/skynet/bambenek_c2.ipset /tmp/skynet/bds_atif.ipset /tmp/skynet/bi_sshd_2_30d.ipset /tmp/skynet/blocklist_net_ua.ipset /tmp/skynet/coinbl_hosts_browser.ipset /tmp/skynet/coinbl_ips.ipset /tmp/skynet/cybercrime.ipset /tmp/skynet/dyndns_ponmocup.ipset /tmp/skynet/et_block.netset /tmp/skynet/et_compromised.ipset /tmp/skynet/firehol_level2.netset /tmp/skynet/firehol_level3.netset /tmp/skynet/normshield_high_attack.ipset /tmp/skynet/normshield_high_bruteforce.ipset /tmp/skynet/ransomware_online.ipset /tmp/skynet/ransomware_rw.ipset /tmp/skynet/spamhaus_edrop.netset /tmp/skynet/taichung.ipset /tmp/skynet/urandomusto_ssh.ipset /tmp/skynet/urandomusto_telnet.ipset /tmp/skynet/urlvir.ipset /tmp/skynet/uscert_hidden_cobra.ipset
+ cat /tmp/skynet/alienvault_reputation.ipset /tmp/skynet/bambenek_c2.ipset /tmp/skynet/bds_atif.ipset /tmp/skynet/bi_sshd_2_30d.ipset /tmp/skynet/blocklist_net_ua.ipset /tmp/skynet/coinbl_hosts_browser.ipset /tmp/skynet/coinbl_ips.ipset /tmp/skynet/cybercrime.ipset /tmp/skynet/dyndns_ponmocup.ipset /tmp/skynet/et_block.netset /tmp/skynet/et_compromised.ipset /tmp/skynet/firehol_level2.netset /tmp/skynet/firehol_level3.netset /tmp/skynet/normshield_high_attack.ipset /tmp/skynet/normshield_high_bruteforce.ipset /tmp/skynet/ransomware_online.ipset /tmp/skynet/ransomware_rw.ipset /tmp/skynet/spamhaus_edrop.netset /tmp/skynet/taichung.ipset /tmp/skynet/urandomusto_ssh.ipset /tmp/skynet/urandomusto_telnet.ipset /tmp/skynet/urlvir.ipset /tmp/skynet/uscert_hidden_cobra.ipset
+ Filter_PrivateIP
+ grep -vE (^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^0.)|(^169\.254\.)|(^22[4-9]\.)|(^23[0-9]\.)|(^255\.255\.255\.255)|(^8\.8\.8\.8)|(^8\.8\.4\.4)
+ grep -oE ^[0-9,./]*$
+ awk !x[$0]++
+ date +%s
+ printf \e[1;32m%s\e[0m\n [79s]
[79s]
 
It is this line that hangs:

Well, that further confirms it's something connectivity related (not saying it's your end; it's a very broad term). Do you run anything like dnscrypt or VPN selective routing which could potentially play a factor?

Also, what's the output if you manually input some of the curl commands (without the "s" flag), such as the following (remember to delete the files after);

Code:
/usr/sbin/curl -fL --retry 3 https://iplists.firehol.org/files/uscert_hidden_cobra.ipset -O
 
No dnscrypt or VPN, I've run them in the past and had issues that took too much time, so not using them until I have more time.

Since this issue came up, I did the firmware update from Asuswrt-Merlin 384.7_beta2 to the final 384.7 release, which meant some shutdowns and reboots. Here is the output of the above command:

Code:
/tmp/home/root# /usr/sbin/curl -fL --retry 3 https://iplists.firehol.org/files/uscert_hidden_cobra.ipset -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10145  100 10145    0     0  13526      0 --:--:-- --:--:-- --:--:-- 13508
I just ran the banmalware command again, and whatever was messed up got resolved. Who knows? ¯\_(ツ)_/¯

Code:
sh /jffs/scripts/firewall banmalware

[i] Downloading filter.list     [5s]
[i] Refreshing Whitelists    [2s]
[i] Consolidating Blacklist     [12s]
[i] Filtering IPv4 Addresses     [3s]
[i] Filtering IPv4 Ranges     [0s]
[i] Applying New Blacklist    [2s]
[i] Refreshing AiProtect Bans     [0s]
[i] Saving Changes         [2s]

[i] For False Positive Website Bans Use; ( sh /jffs/scripts/firewall whitelist domain URL )

[#] 146680 IPs (+331) -- 1750 Ranges Banned (+26) || 58 Inbound -- 0 Outbound Connections Blocked! [banmalware] [43s]

Thank you for the assistance!
 

Thanks, I shall leave Skynet the way it is if it's already sourcing ET!
I attempted to add the .txt blocklist by going to [3] --> Banmalware then [2] --> Change Filter List then pasted the URL. The router became unresponsive and after about 2 minutes I just powered it off and on again. I'd rather not try to reproduce the issue now I have Skynet working perfectly. Set and forget!
 
Hi - thanks for all the good work. ...and 164 pages later I have a basic question: how to check if the firewall is alive and well. I have a cron job that's running every hour on the router and saves some basic information - troubleshooting is the main reason, but nowadays routers are quite proud and steady. That's the info I'm collecting, and I'm asking for help to add Skynet to it (btw as a side note to @lonelycoder, maybe Squid should make it into amtm - up to you.)
___________________________________________
CPU (over)clock speed,frequency: 1200,666

Cores 0,1 running @:
BogoMIPS : 2398.61
BogoMIPS : 2398.61

Mem: 255700 164868 90832 0 2068 14236
Swap: 262140 63788 198352

CPU temperature : 73°C

5 GHz Radio Temp: 52 (C)
2.4 GHz Radio Temp: 43 (C)

Checking squid... alive.
Checking pixelserv-tls (Diversion)... alive
Chequing USB stick...
ASRO: clean, 1989/1896832 files, 161299/3787520 blocks
since...
22:38:00 up 1:24, load average: 0.06, 0.25, 0.45

Ping: 29.681 ms
Download: 115.57 Mbit/s
Upload: 10.50 Mbit/s
______________________________________________

Thank you for any input...
 

Filter lists are formatted differently, think of it as a master list that links to "content" files. This is the correct format.



Use the following command to give you all the Skynet info you would need;

Code:
sh /jffs/scripts/firewall debug info
 
Is there harm in leaving debug enabled? Is it needed for stat collection?

Some stat analysis would be awesome too, like mapping or country breakdown, if there is a tool for that.

Sent from my SM-G965F using Tapatalk
 


No harm in keeping it enabled beyond extra entries in your syslog, but even then Skynet does a pretty good job cleaning up after itself.

As for geo-analysis, this can't be done without a third party package. Personally I try to keep Skynet as lightweight as possible and avoid using anything outside of stock binaries, but I do keep stats in an organised format for anyone to read or tap into (/tmp/mnt/USBNAME/skynet/skynet.log)

So to answer your question, it’s very possible but outside the scope of this project.
 
Oh totally understand about scope and I support that approach.

But if the logs can be exported to a PC, some tool may exist or could be leveraged somehow. Just curious.

Sent from my SM-G965F using Tapatalk
 

Geoiplookup using the maxmind database might be worth looking into. Looks to be CLI friendly. Considering trying it myself.
 
Wow, just checked the Stats for Skynet for the first time. Anyone have any idea what's going on here?

For instance my NAS LAN IP is 192.168.1.219

"Top 50 Blocked Devices (Outbound);
1420x 192.168.1.219 (No Name Found)"

Code:
Top 10 Targeted Ports (Inbound); (Torrent Clients May Cause Excess Hits In Debug Mode)
2752x https://www.speedguide.net/port.php?port=23
953x https://www.speedguide.net/port.php?port=1433
838x https://www.speedguide.net/port.php?port=22
530x https://www.speedguide.net/port.php?port=8545
528x https://www.speedguide.net/port.php?port=5060
502x https://www.speedguide.net/port.php?port=8080
409x https://www.speedguide.net/port.php?port=53413
407x https://www.speedguide.net/port.php?port=81
404x https://www.speedguide.net/port.php?port=3389
401x https://www.speedguide.net/port.php?port=80

Top 10 Source Ports (Inbound);
799x https://www.speedguide.net/port.php?port=12125
712x https://www.speedguide.net/port.php?port=48399
592x https://www.speedguide.net/port.php?port=55449
566x https://www.speedguide.net/port.php?port=41452
327x https://www.speedguide.net/port.php?port=49354
266x https://www.speedguide.net/port.php?port=44436
247x https://www.speedguide.net/port.php?port=44446
213x https://www.speedguide.net/port.php?port=44738
184x https://www.speedguide.net/port.php?port=55555
175x https://www.speedguide.net/port.php?port=53453

Last 10 Unique Connections Blocked (Inbound);
https://otx.alienvault.com/indicator/ip/37.79.42.207
https://otx.alienvault.com/indicator/ip/192.251.231.46
https://otx.alienvault.com/indicator/ip/185.208.209.6
https://otx.alienvault.com/indicator/ip/23.239.67.37
https://otx.alienvault.com/indicator/ip/188.19.214.3
https://otx.alienvault.com/indicator/ip/194.36.173.66
https://otx.alienvault.com/indicator/ip/184.105.247.210
https://otx.alienvault.com/indicator/ip/71.6.146.186
https://otx.alienvault.com/indicator/ip/178.46.10.184
https://otx.alienvault.com/indicator/ip/209.141.40.63

Last 10 Unique Connections Blocked (Outbound);
https://otx.alienvault.com/indicator/ip/212.178.135.62
https://otx.alienvault.com/indicator/ip/193.239.255.222
https://otx.alienvault.com/indicator/ip/213.34.77.254
https://otx.alienvault.com/indicator/ip/50.227.250.90
https://otx.alienvault.com/indicator/ip/50.200.136.108
https://otx.alienvault.com/indicator/ip/50.201.217.214
https://otx.alienvault.com/indicator/ip/212.178.154.174
https://otx.alienvault.com/indicator/ip/213.34.167.254
https://otx.alienvault.com/indicator/ip/42.53.26.227
https://otx.alienvault.com/indicator/ip/95.137.182.15

Last 10 Manual Bans;

Last 10 Unique HTTP(s) Blocks (Outbound);
https://otx.alienvault.com/indicator/ip/209.99.40.224
https://otx.alienvault.com/indicator/ip/104.244.42.66 - [api.twitter.com]
https://otx.alienvault.com/indicator/ip/104.171.24.25
https://otx.alienvault.com/indicator/ip/104.171.24.26

Top 10 HTTP(s) Blocks (Outbound);
12x https://otx.alienvault.com/indicator/ip/104.171.24.26
12x https://otx.alienvault.com/indicator/ip/104.171.24.25
6x https://otx.alienvault.com/indicator/ip/209.99.40.224
3x https://otx.alienvault.com/indicator/ip/104.244.42.66 - [api.twitter.com]

Top 10 Blocks (Inbound);
1304x https://otx.alienvault.com/indicator/ip/193.106.31.194
799x https://otx.alienvault.com/indicator/ip/104.248.178.201
598x https://otx.alienvault.com/indicator/ip/5.188.87.6
460x https://otx.alienvault.com/indicator/ip/193.29.13.157
393x https://otx.alienvault.com/indicator/ip/122.228.10.50
371x https://otx.alienvault.com/indicator/ip/5.188.86.36
338x https://otx.alienvault.com/indicator/ip/31.192.108.68
275x https://otx.alienvault.com/indicator/ip/194.28.112.51
265x https://otx.alienvault.com/indicator/ip/77.72.83.238
247x https://otx.alienvault.com/indicator/ip/31.192.108.75

Top 10 Blocks (Outbound);
292x https://otx.alienvault.com/indicator/ip/50.227.250.90
218x https://otx.alienvault.com/indicator/ip/212.178.154.174
203x https://otx.alienvault.com/indicator/ip/50.200.136.108
196x https://otx.alienvault.com/indicator/ip/213.34.77.254
175x https://otx.alienvault.com/indicator/ip/213.34.167.254
155x https://otx.alienvault.com/indicator/ip/212.178.135.62
111x https://otx.alienvault.com/indicator/ip/50.201.217.214
7x https://otx.alienvault.com/indicator/ip/5.167.64.154
6x https://otx.alienvault.com/indicator/ip/193.239.255.222
3x https://otx.alienvault.com/indicator/ip/159.151.129.61

Top 10 Blocked Devices (Outbound);
1420x 192.168.1.219 (No Name Found)
33x 192.168.1.151 iPhone-X-2

[#] 149053 IPs (+0) -- 1694 Ranges Banned (+0) || 20 Inbound -- 0 Outbound Connections Blocked! [stats] [9s]
 
Anyone have any idea whats going on here?

It means the majority of your outbound connections that were blocked originated from your NAS.

Now what's being blocked is the real question. P2P applications like torrent clients will always be a significant source of blocks, or possibly you have some other plugin that's trying to access blocked IPs.

In your case most of the 1400 hits come from 7 IPs, so I'm leaning towards some sort of plugin or application running on your NAS.
 

Definitely not P2P; I haven't used a client in a very long time.

On my NAS the RAID 1 volume is currently in a degraded state due to disk failure, so I can't check much at all. I'm waiting for a new HDD to arrive.

I'll have to ask over at the QNAP forum where these URLs/IPs could be originating from. I use a lot of the QNAP Club Repository .qpkg's ... so, no doubt it's originating from one of those.

This Firewall is pretty great. :)
 
For reference, is your banmalware run-time always ~90 seconds? On an AC86U this should be much closer to 20.
Just to follow up after a day of blocking and updates. Back to 20 seconds!
Code:
Oct 16 02:25:20 Skynet: [#] 149478 IPs (+2798) -- 1706 Ranges Banned (-44) || 1247 Inbound -- 0 Outbound Connections Blocked! [banmalware] [20s]
Thank you again Adamm for the great utility and assistance.
 
@Adamm, thank you - sh /jffs/scripts/firewall debug info does it, although I'd prefer the short version 'n' passed/enabled, 2 disabled and one can do the full print-out on an as needed basis. ... On another related topic derived from Merlin's threads - constantly reading/writing to the jffs partition - your view please.
 