Skynet - Router Firewall & Security Enhancements

I've encountered an issue that I'm not sure what to do about. In Skynet stats I don't just see URLs and IP addresses:

Code:
Top 10 Blocks (Inbound);
/jffs/scripts/firewall: /jffs/scripts/firewall: line 3847: xargs: Cannot allocate memory
/jffs/scripts/firewall: line 3847: awk: Cannot allocate memory
line 3847: can't fork
2x https://otx.alienvault.com/indicator/ip/78.128.112.38
/jffs/scripts/firewall: line 3847: /jffs/scripts/firewall: line 3847: xargs: Cannot allocate memory
/jffs/scripts/firewall: line 3847: awk: Cannot allocate memory
can't fork
2x https://otx.alienvault.com/indicator/ip/78.128.112.14
/jffs/scripts/firewall: line 3847: /jffs/scripts/firewall: line 3847: xargs: Cannot allocate memory
/jffs/scripts/firewall: line 3847: awk: Cannot allocate memory
can't fork
2x https://otx.alienvault.com/indicator/ip/54.39.179.181
/jffs/scripts/firewall: line 3847: /jffs/scripts/firewall: line 3847: xargs: Cannot allocate memory
/jffs/scripts/firewall: line 3847: awk: Cannot allocate memory
can't fork
2x https://otx.alienvault.com/indicator/ip/203.24.188.185
/jffs/scripts/firewall: /jffs/scripts/firewall: line 3847: awk: Cannot allocate memory
line 3847: can't fork
/jffs/scripts/firewall: line 3847: xargs: Cannot allocate memory
2x https://otx.alienvault.com/indicator/ip/176.119.7.34
/jffs/scripts/firewall: line 3847: /jffs/scripts/firewall: line 3847: xargs: Cannot allocate memory
/jffs/scripts/firewall: line 3847: awk: Cannot allocate memory
can't fork
2x https://otx.alienvault.com/indicator/ip/122.228.10.50
/jffs/scripts/firewall: line 3847: /jffs/scripts/firewall: line 3847: xargs: Cannot allocate memory
/jffs/scripts/firewall: line 3847: awk: Cannot allocate memory
can't fork
1x https://otx.alienvault.com/indicator/ip/95.173.247.78
/jffs/scripts/firewall: line 3847: /jffs/scripts/firewall: line 3847: xargs: Cannot allocate memory
/jffs/scripts/firewall: line 3847: awk: Cannot allocate memory
can't fork
1x https://otx.alienvault.com/indicator/ip/92.53.90.182
/jffs/scripts/firewall: line 3847: /jffs/scripts/firewall: line 3847: xargs: Cannot allocate memory
/jffs/scripts/firewall: line 3847: awk: Cannot allocate memory
can't fork
1x https://otx.alienvault.com/indicator/ip/77.72.82.14
/jffs/scripts/firewall: /jffs/scripts/firewall: line 3847: xargs: Cannot allocate memory
/jffs/scripts/firewall: line 3847: awk: Cannot allocate memory
line 3847: can't fork

Any advice is welcomed and appreciated. :)
 
Definitely not P2P; I haven't used a client in a very long time.

On my NAS the RAID 1 volume is currently in a degraded state due to a disk failure, so I can't check much at all. I'm waiting for a new HDD to arrive.

I'll have to ask over at the QNAP forum where these URLs/IPs could be originating from. I use a lot of the QNAP Club Repository .qpkg's ... so, no doubt it's originating from one of those.

This Firewall is pretty great. :)

The QNAP NAS was on the list of equipment that got owned with RCE. May I recommend you wipe the OS and install a fresh copy of the QNAP OS.

And look at the logs for your NAS (192.168.1.219) and see what outgoing ports are being blocked. The logs would be more helpful than the stats you posted.

Inbound blocks also don't mean a lot. The device may set up UPnP and have open ports to the outside (Plex on the QNAP for example) or you may have turned on port forwarding. And now you are seeing the noise of just accepting incoming connections on the internet.

Now, if you didn't intend the NAS to be open to the internet, start by disabling UPnP and check your port forwarding.
 

Thanks,

UPnP has always been turned off. I turn it off on the router and nas. And I never forward any ports. No WAN access etc. Plex has no access from the WAN.
 

Better check that. You shouldn't have inbound traffic for an internal IP address without either port forwarding or UPnP.

http://192.168.1.1/Main_IPTStatus_Content.asp

Traffic being blocked inbound without UPnP or port forwarding will typically show the WAN interface IP address, not an internal RFC 1918 device.
 

Now I'm confused LOL :)

[Four screenshots attached]
 
Well, port forwarding doesn't show anything, so that is good news. Now look at the Skynet log file and see what outbound traffic was actually blocked with a source IP of your NAS.

It should include information such as:

Source IP
Destination IP
Source Port
Destination Port
Protocol

Here is an example of my traffic being dropped.

Code:
Oct 16 18:11:57 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:08:62:66:3a:f2:b4:08:00 SRC=192.168.1.248 DST=191.239.66.254 LEN=128 TOS=0x00 PREC=0x00 TTL=128 ID=17144 PROTO=UDP SPT=62294 DPT=3075 LEN=108
Oct 16 18:11:57 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:08:62:66:3a:f2:b4:08:00 SRC=192.168.1.248 DST=191.239.160.97 LEN=128 TOS=0x00 PREC=0x00 TTL=128 ID=7457 PROTO=UDP SPT=62294 DPT=3075 LEN=108
Oct 16 18:12:05 kernel: [BLOCKED - OUTBOUND]

That SRC address belongs to my Xbox and it's most likely the Xbox trying to reach Microsoft services in Brazil, which I am country blocking.
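As an added example (not code from Skynet or from this post), the POSIX shell/awk filter below reads kernel log lines in the format shown above and summarises the outbound drops for one LAN host, such as the NAS at 192.168.1.219; the sample log lines are constructed, modelled on the format in the post.

```shell
#!/bin/sh
# Added example, not part of Skynet: summarise [BLOCKED - OUTBOUND] entries
# for a single source host from Skynet's iptables log lines.

# Constructed sample lines in the format shown in the post. Two drops come
# from the NAS address used in this thread, one from another LAN host, and
# one inbound drop that must be ignored.
SAMPLE_LOG='Oct 16 18:11:57 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.248 DST=191.239.66.254 LEN=128 TOS=0x00 PREC=0x00 TTL=128 ID=17144 PROTO=UDP SPT=62294 DPT=3075 LEN=108
Oct 16 18:12:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.219 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=101 PROTO=TCP SPT=51000 DPT=443
Oct 16 18:12:04 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.219 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=102 PROTO=TCP SPT=51001 DPT=443
Oct 16 18:12:05 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=TCP SPT=4444 DPT=22'

# outbound_blocks_for HOST  (log lines on stdin)
# Prints "count proto dst dport", most frequent destination first, for every
# outbound drop whose SRC= field equals HOST. Source ports are deliberately
# not part of the key: they change per connection and would hide repeats.
outbound_blocks_for() {
    host=$1
    awk -v host="$host" '
        /\[BLOCKED - OUTBOUND\]/ {
            src = dst = proto = dport = ""
            # Walk the KEY=VALUE tokens instead of relying on fixed columns,
            # because the field order differs between TCP, UDP and ICMP lines.
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")        src = kv[2]
                else if (kv[1] == "DST")   dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dport = kv[2]
            }
            if (src == host) count[proto " " dst " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Example run against the constructed lines; on a router you would instead
# feed the real log, e.g.  outbound_blocks_for 192.168.1.219 < /path/to/skynet.log
printf '%s\n' "$SAMPLE_LOG" | outbound_blocks_for 192.168.1.219
```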
 

I'll definitely take a look through the logs for that.

However, something odd is occurring in my Skynet.

I just had a look at the Stats and I won't post the mountain of data here but this is the last line:

Code:
Last 10 Unique Connections Blocked (Outbound);
/jffs/scripts/firewall: line 3847: can't fork

Notice how it's not IP addresses or URLs. Plus there is a mountain of URLs being blocked, but they're all services I use like Apple and Amazon, my VPN's address from the VPN profile ... it looks like this ...

Code:
https://otx.alienvault.com/indicator/ip/176.119.7.34 - [dns.msftncsi.com e15361.b.akamaiedge.net .... and on and on it goes

Strange.
 
I'll take a look through the logs from around the time I posted the IPs being blocked from the NAS IP. Now I'm off to sleep; 24 hours without sleep is always fun lol

Thank you very much for your help.


Sent from my iPhone using Tapatalk Pro
 
Have you tried disabling all country blocking?

RapidGator broke for me when I banned Russia.

Sent from my SM-G965F using Tapatalk
 
On another related topic derived from Merlin's threads - constantly reading/writing to the jffs partition - your view please.

Your router has a better chance of other hardware failure than burning through the write cycles on the flash memory. These chips are designed to be tortured.

I've encountered an issue that I'm not sure what to do about. In Skynet stats I don't just see URLs and IP addresses:

I'm going to take a wild guess and say your router can't allocate memory :p. This indicates something's up with your swap file; I suggest checking and/or reinstalling it.

Just to followup after a day of blocking and updates. Back to 20 seconds!

Got to love issues that magically resolve themselves with no indication what initially caused it :rolleyes:
 
Torson says 'thank you' for your input on hardware component failure probability
 
I'm going to take a wild guess and say your router can't allocate memory :p. This indicates something's up with your swap file; I suggest checking and/or reinstalling it.

Yes! I thought it may have been related. I created a swap file on a USB drive named RT-AC68U (it previously had Diversion and Skynet on it) ... my new USB drive is named RT-AC86U. When I attempt to delete the old swap file the output returns 'No file Exists', so I'm stuck. In Diversion, where the swap file section is, the old path is there and colored red. I can't get rid of the damn thing.

24 hours without sleep I get 1 hour and I'm back on SNB. Living the dream ;-)


Sent from my iPhone using Tapatalk Pro
 


Try using the swap utilities built into Skynet, it _should_ be smart enough to figure it out. If not report back here with the output.
 
I'm having USB stick related issues and am about to reformat my drive. I made a backup of my settings (I see I have a skynet-backup.tar.gz file in the skynet folder, which I made a local backup of). How do I import these settings back after I reinstall skynet?
 

After formatting, reinstall Skynet as per the usual command. After installing Skynet, run the restore command; Skynet will first look for the backup in its install directory and, if it is not found, ask you to manually specify the path.
 
@Adamm , If we also have Diversion installed, and they are "linked" by sharing the whitelists, I presume this Skynet restore feature will also restore all the previous whitelist entries into Diversion as well, right?

Edit: Or, is it better to use the backup function in Diversion to do this? I ask because I know that Diversion also backs up the Ca.crt and Ca.key files, but the restore process is more "manual", not automated the way Skynet does this.
 

Any domain whitelisted using Skynet will be "regenerated" into the shared whitelist file "/jffs/shared-Skynet2-whitelist" upon restoring your old backup. Then Diversion will eventually pick up these changes like normal and whitelist them also.

Short answer, yes.
 
Why are these malware blocklists in /jffs/shared-Skynet-whitelist?
Code:
https://iplists.firehol.org/files/firehol_level1.netset
https://iplists.firehol.org/files/firehol_level2.netset
https://iplists.firehol.org/files/firehol_level3.netset
https://iplists.firehol.org/files/feodo.ipset
https://iplists.firehol.org/files/bambenek_c2.ipset
https://iplists.firehol.org/files/spamhaus_drop.netset
https://iplists.firehol.org/files/spamhaus_edrop.netset
https://iplists.firehol.org/files/malwaredomainlist.ipset
https://iplists.firehol.org/files/maxmind_proxy_fraud.ipset
https://iplists.firehol.org/files/cybercrime.ipset
https://iplists.firehol.org/files/dyndns_ponmocup.ipset
https://iplists.firehol.org/files/ransomware_online.ipset
https://iplists.firehol.org/files/ransomware_rw.ipset
https://iplists.firehol.org/files/et_block.netset
https://iplists.firehol.org/files/et_compromised.ipset
https://iplists.firehol.org/files/et_botcc.ipset
https://iplists.firehol.org/files/blocklist_de_bots.ipset
https://iplists.firehol.org/files/blocklist_de_ssh.ipset
https://iplists.firehol.org/files/blocklist_de_strongips.ipset
https://iplists.firehol.org/files/alienvault_reputation.ipset
https://iplists.firehol.org/files/uscert_hidden_cobra.ipset
https://iplists.firehol.org/files/bds_atif.ipset
https://iplists.firehol.org/files/taichung.ipset
https://iplists.firehol.org/files/urandomusto_telnet.ipset
https://iplists.firehol.org/files/urandomusto_ssh.ipset
https://iplists.firehol.org/files/normshield_high_attack.ipset
https://iplists.firehol.org/files/normshield_high_bruteforce.ipset
https://iplists.firehol.org/files/coinbl_ips.ipset
https://iplists.firehol.org/files/coinbl_hosts_browser.ipset
Shouldn't they be in a black/blocklist?
As far as I know a whitelist is excluding IPs, isn't it?
 


That is a copy of your current filter file, which is also used for whitelisting the list sources so you have no connectivity issues during banmalware updates etc. During processing, this file (and all other shared-*-whitelist files) is stripped down to bare host names; in this case the result would be "iplists.firehol.org".


Code:
Strip_Domain () {
        # Reduce each URL on stdin to its bare host name:
        #   drop the scheme (http:// or https://),
        #   drop everything from the first "/" onward (path and query),
        #   drop any "www." prefix.
        sed 's~http[s]*://~~;s~/.*~~;s~www\.~~g'
}
 