Skynet - Router Firewall & Security Enhancements


I whitelisted these 4
Code:
discordapp.com
gateway.discord.gg
status.discordapp.com
sydney95.discord.gg

I'm assuming this fixed your issue?
 
It did, but it seems that the gateway domain's IP changes; after restarting Discord a few times it was blocked again.

That's very odd, seeing I can't get Discord to ban me at all. Can you post me a snippet of where it's being blocked in the syslog?
 
I installed the script. Now comes the following output in syslog:
Code:
Skynet: [IP Banning Started] ... ... ...
/jffs/scripts/firewall: line 685: can't open /jffs/scripts/ipset.txt: no such file
cat: can't open '/tmp/syslog.log-1': No such file or directory
Skynet: [Complete] 0 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [1s]
Help would be nice! :)
 
You can ignore both errors, I forgot to silence them and will update the script shortly. It just means those files didn't exist when it tried to edit them (which they shouldn't on a new install). Thanks for pointing that out. Beyond that it looks like your install worked perfectly :p (EDIT; Fix is out)

Also for everyone else, I just updated the installer to include support for automated weekly malwarelist updating. If you're using this feature, it's probably a good idea to enable this.
 
Just got my new RT-AC88U and the second thing I installed (sorry, latest merlin was the first one :p ) was your script!

Sadly it seems that it won't survive a reboot:
Code:
May 17 22:35:47 rc_service: waitting "start_firewall" via  ...
May 17 22:35:47 kernel: DROP IN=eth0 OUT= MAC=34:97:f6:23:dd:f0:00:14:f1:e5:8d:31:08:00 SRC=158.85.224.180 DST=XXX.XXX.XXX.XXX LEN=93 TOS=0x00 PREC=0x00 TTL=50 ID=1962 DF PROTO=TCP SPT=443 DPT=64181 SEQ=1670933539 ACK=1401438864 WINDOW=5 RES=0x00 ACK PSH URGP=0
May 17 22:35:47 custom script: Running /jffs/scripts/firewall-start (args: eth0)
May 17 22:35:48 iTunes: daemon is stopped
May 17 22:35:48 FTP Server: daemon is stopped
May 17 22:35:49 kernel: DROP IN=eth0 OUT= MAC=34:97:f6:23:dd:f0:00:14:f1:e5:8d:31:08:00 SRC=31.13.81.13 DST=XXX.XXX.XXX.XXX LEN=104 TOS=0x00 PREC=0x00 TTL=87 ID=8531 DF PROTO=TCP SPT=443 DPT=64213 SEQ=601451224 ACK=1332006562 WINDOW=144 RES=0x00 ACK URGP=0
May 17 22:35:49 kernel: scsi 1:0:0:0: CD-ROM            HUAWEI   Mass Storage     2.31 PQ: 0 ANSI: 2
May 17 22:35:49 kernel: scsi 2:0:0:0: Direct-Access     HUAWEI   TF CARD Storage  2.31 PQ: 0 ANSI: 2
May 17 22:35:49 kernel: scsi 1:0:0:0: Attached scsi generic sg0 type 5
May 17 22:35:49 kernel: sd 2:0:0:0: Attached scsi generic sg1 type 0
May 17 22:35:49 kernel: sd 2:0:0:0: [sda] Attached SCSI removable disk
May 17 22:35:51 kernel: DROP IN=eth0 OUT= MAC=34:97:f6:23:dd:f0:00:14:f1:e5:8d:31:08:00 SRC=162.125.18.133 DST=XXX.XXX.XXX.XXX LEN=104 TOS=0x00 PREC=0x00 TTL=50 ID=18086 DF PROTO=TCP SPT=443 DPT=63932 SEQ=373692672 ACK=4119266003 WINDOW=125 RES=0x00 ACK URGP=0
May 17 22:35:51 Samba Server: smb daemon is stopped
May 17 22:35:51 kernel: gro disabled
May 17 22:35:51 Timemachine: daemon is stopped
May 17 22:35:51 kernel: gro enabled with interval 2
May 17 22:35:52 Samba Server: daemon is started
May 17 22:35:53 kernel: DROP IN=eth0 OUT= MAC=34:97:f6:23:dd:f0:00:14:f1:e5:8d:31:08:00 SRC=176.9.52.115 DST=XXX.XXX.XXX.XXX LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=53910 DF PROTO=TCP SPT=443 DPT=56736 SEQ=3485426528 ACK=962249559 WINDOW=6720 RES=0x00 ACK URGP=0 OPT (0101080A31F02600045CE42F)

Code:
cat firewall-start

Code:
sh /jffs/scripts/firewall start # Skynet Firewall Addition

I never get the status message that Skynet is running :(

Code:
 sh firewall debug info


Code:
Router Model: RT-AC88U-DDF0
Skynet Version: v4.1.2 (18/05/2017)
iptables v1.4.14
ipset v6.29, protocol version: 6
FW Version: 380.66_2
Startup Entry Detected
Cronjob Not Detected
Autobanning Disabled
Whitelist IPTable Not Detected
BlockedRanges IPTable Not Detected
Blacklist IPTable Not Detected
Whitelist IPSet Not Detected
BlockedRanges IPSet Not Detected
Blacklist IPSet Not Detected
ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist
Skynet: [Complete] -7 IPs / -7 Ranges banned. -7 New IPs / -7 New Ranges Banned.  IP /  Range Connections Blocked! [1s]


Installed it like that:

Code:
wget -O /jffs/scripts/firewall https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh
chmod +x /jffs/scripts/firewall
sh /jffs/scripts/firewall install
1
Vanilla Selected
sed: /jffs/scripts/firewall-start: No such file or directory
Restarting Firewall To Apply Changes

Done.

After running
Code:
sh /jffs/scripts/firewall start

Code:
Skynet: [IP Banning Started] ... ... ...
firewall: line 704: can't open /jffs/scripts/ipset.txt: no such file
cat: can't open '/tmp/syslog.log-1': No such file or directory
ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist
Skynet: [Complete] 0 IPs / 0 Ranges banned. 7 New IPs / 7 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [2s]

Code:
 sh firewall debug info

Code:
Router Model: RT-AC88U-DDF0
Skynet Version: v4.1.2 (18/05/2017)
iptables v1.4.14
ipset v6.29, protocol version: 6
FW Version: 380.66_2
Startup Entry Detected
Cronjob Detected
Autobanning Enabled
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 1 IPs / 0 Ranges banned. 1 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [1s]

After a reboot it starts all over again :)


EDIT:

By the way, I just uninstalled everything and tried to install the latest version again; there is still one output that should be hidden :D

Code:
Installing Skynet v4.1.3
This Will Remove Any Old Install Arguements And Can Be Run Multiple Times
Please Select Installation Mode (Number)
1. Vanilla -           Default Installation
2. NoAuto -            Default Installation Without Autobanning
3. Debug -             Default Installation With Debug Print For Extended Stat Reporting
4. NoAuto & Debug -    Default Installation With No Autobanning And Debug Print

1
Vanilla Selected

Would You Like To Enable Weekly Malwarelist Updating
1. Yes
2. No
Please Select Option (Number)
2
Malware List Updating Disabled
sed: /jffs/scripts/firewall-start: No such file or directory

Restarting Firewall To Apply Changes

Done.

After that installation it looks like that:

Code:
Router Model: RT-AC88U-DDF0
Skynet Version: v4.1.3 (18/05/2017)
iptables v1.4.14
ipset v6.29, protocol version: 6
FW Version: 380.66_2
Startup Entry Detected
Cronjob Not Detected
Autobanning Disabled
Whitelist IPTable Not Detected
BlockedRanges IPTable Not Detected
Blacklist IPTable Not Detected
Whitelist IPSet Not Detected
BlockedRanges IPSet Not Detected
Blacklist IPSet Not Detected
ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist
Skynet: [Complete] -7 IPs / -7 Ranges banned. -7 New IPs / -7 New Ranges Banned.  IP /  Range Connections Blocked! [1s]
 
Just got my new RT-AC88U and the second thing I installed (sorry, latest merlin was the first one :p ) was your script!
Thanks, really appreciate it!

Back to business, I found the bug: the firewall-start doesn't have correct permissions when it's generated by the install script (oops). I've pushed a fix for this, thanks for pointing it out.

Please run the following;
Code:
sh /jffs/scripts/firewall update
sh /jffs/scripts/firewall install

Edit;

Found another part of the issue, I need to detect and insert a shebang, give me a minute to write up a fix. :p
 
Thanks for the really fast fix! Sadly the script seems to still not work as desired after the update:

Code:
--> sh /jffs/scripts/firewall update

Skynet: [New Version Detected - Updating To v4.1.4]... ... ...
Skynet: [Skynet Sucessfully Updated - Restarting Firewall]

Done.

Code:
--> sh /jffs/scripts/firewall install

Installing Skynet v4.1.4
This Will Remove Any Old Install Arguements And Can Be Run Multiple Times
Please Select Installation Mode (Number)
1. Vanilla -           Default Installation
2. NoAuto -            Default Installation Without Autobanning
3. Debug -             Default Installation With Debug Print For Extended Stat Reporting
4. NoAuto & Debug -    Default Installation With No Autobanning And Debug Print

1
Vanilla Selected

Would You Like To Enable Weekly Malwarelist Updating
1. Yes
2. No
Please Select Option (Number)
2
Malware List Updating Disabled

Restarting Firewall To Apply Changes

Done.

Code:
--> sh /jffs/scripts/firewall debug info

Router Model: RT-AC88U-DDF0
Skynet Version: v4.1.4 (18/05/2017)
iptables v1.4.14
ipset v6.29, protocol version: 6
FW Version: 380.66_2
Startup Entry Detected
Cronjob Not Detected
Autobanning Disabled
Whitelist IPTable Not Detected
BlockedRanges IPTable Not Detected
Blacklist IPTable Not Detected
Whitelist IPSet Not Detected
BlockedRanges IPSet Not Detected
Blacklist IPSet Not Detected
ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist
Skynet: [Complete] -7 IPs / -7 Ranges banned. 0 New IPs / 0 New Ranges Banned.  IP /  Range Connections Blocked! [1s]

EDIT: Okay, sorry, I was too fast :D
 
I forgot to insert a shebang in the newly generated firewall-start file for new installs. I've also fixed this with a quick patch.

Code:
rm -rf /jffs/scripts/firewall-start
sh /jffs/scripts/firewall update
sh /jffs/scripts/firewall install

Thanks again for pointing this out, about the only scenario I didn't test :p
 
@Adamm, you probably don't want to delete firewall-start - it may have other stuff in it...
 
Just for this user to get a clean start, as the installer won't insert the shebang if the file exists; I don't delete this file in the installer (his firewall-start was incorrectly generated by me).
 
Seems to work now, will test the reboot! Thanks a lot :D

EDIT: I can confirm that everything is starting now like it should, thank you again for the great work!
 
Does the script work properly? Apparently, little is blocked ..?
Code:
May 17 23:09:33 Skynet: [Skynet Up To Date - v4.1.3]
May 17 23:09:34 kernel: xt_set: Unknown symbol ip_set_test (err 0)
May 17 23:09:34 kernel: xt_set: Unknown symbol ip_set_del (err 0)
May 17 23:09:34 kernel: xt_set: Unknown symbol ip_set_nfnl_put (err 0)
May 17 23:09:34 kernel: xt_set: Unknown symbol ip_set_nfnl_get_byindex (err 0)
May 17 23:09:39 kernel: * Make sure sizeof(struct sw_struct)=160 is consistent
May 17 23:09:40 kernel: sizeof forward param = 160
May 17 23:09:40 Skynet: [Complete] 0 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned.  IP /  Range Connections Blocked! [15s]
May 17 23:11:25 Skynet: [Skynet Up To Date - v4.1.3]
May 17 23:11:26 Skynet: [Complete] 0 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [3s]
May 17 23:18:05 Skynet: [New Version Detected - Updating To ]... ... ...
May 17 23:18:05 Skynet: [Skynet Sucessfully Updated - Restarting Firewall]
May 17 23:18:09 Skynet: [Skynet Up To Date - v4.1.5]
May 17 23:18:30 Skynet: [Skynet Up To Date - v4.1.5]
May 17 23:18:31 Skynet: [Complete] 6 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [2s]
May 17 23:20:05 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=14:dd:a9:cb:0d:f0:04:02:1f:f7:b5:16:08:00 SRC=17.252.44.83 DST=192.168.2.100 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=44837 DF PROTO=TCP SPT=443 DPT=57750 SEQ=2341401344 ACK=50450437 WINDOW=293 RES=0x00 ACK FIN URGP=0 OPT (0101080A6C169377276449BA)
 
Output looks fine, but please run the installer again as I pushed a third fix to insert a shebang for pre-existing files that don't have one without having to wipe the file completely.

Code:
sh /jffs/scripts/firewall update
sh /jffs/scripts/firewall install
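The firewall-start problems discussed above come down to three states of one file: it does not exist yet, it exists without a shebang on its first line, or it exists but is not executable. The function below is an added example (not Skynet's installer or any of its code) of an idempotent check-and-repair for that hook file that keeps other users' lines intact; the function names and the `hook_status` output format are assumptions.

```shell
#!/bin/sh
# Added example, not Skynet's installer: register a startup hook in a
# firewall-start style file so that it (1) starts with a shebang, (2) contains
# the hook line exactly once and (3) is executable. Existing content written
# by other scripts is preserved. Function names are assumptions.

HOOK_LINE='sh /jffs/scripts/firewall start # Skynet Firewall Addition'

# has_shebang FILE -> true if the first line begins with "#!"
has_shebang() {
    case "$(head -n 1 "$1")" in
        '#!'*) return 0 ;;
        *)     return 1 ;;
    esac
}

# ensure_startup_hook FILE [LINE]: safe to run repeatedly
ensure_startup_hook() {
    f=$1; line=${2:-$HOOK_LINE}
    if [ ! -f "$f" ]; then
        printf '#!/bin/sh\n\n' > "$f"               # fresh file with shebang
    elif ! has_shebang "$f"; then
        # prepend a shebang without discarding what is already in the file
        { printf '#!/bin/sh\n'; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    if ! grep -qxF "$line" "$f"; then              # whole-line, literal match
        printf '%s\n' "$line" >> "$f"
    fi
    chmod +x "$f"
}

# hook_status FILE [LINE] -> "ok", "missing", or a space-separated problem list
hook_status() {
    f=$1; line=${2:-$HOOK_LINE}; problems=""
    if [ ! -f "$f" ]; then echo missing; return 0; fi
    if ! has_shebang "$f"; then problems="$problems no-shebang"; fi
    if [ ! -x "$f" ]; then problems="$problems not-executable"; fi
    n=$(grep -cxF "$line" "$f" || true)            # grep -c prints 0 on no match
    if [ "$n" -ne 1 ]; then problems="$problems hook-count=$n"; fi
    if [ -n "$problems" ]; then echo "${problems# }"; else echo ok; fi
}
```

Run `hook_status /jffs/scripts/firewall-start` first to see which of the three conditions is failing; `ensure_startup_hook` on the same path repairs all of them without touching other lines, so it can be re-run after every update.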
 
Did some work on tracking down some slower code today; most functions run about twice as fast now. If anyone has feature requests let me know, ideas are starting to run low :p
 
Ehm... auto-update as optional feature? I'm suffering from repetitive strain injuries because of your pace of updating this project ;):D
 
How does your program decide if something should be banned? I have to keep disabling it because too many things are being caught and are false positives and I can't wait an hour for it to double check them. Today it is causing reddit.com and i.redd.it to be unable to be viewed. I did whitelist it and the issue went away, but I'd rather not have to whitelist everything I use by hand. So I was hoping you might have a discussion on the logic the program uses?
 
Ehm... auto-update as optional feature? I'm suffering from repetitive strain injuries because of your pace of updating this project

As per request, auto updating can now be enabled during install. I'll slow down eventually :p

How does your program decide if something should be banned

Every time Unban_HTTP() is called, a scan will initiate. This function is called at the end of the hour during the save cronjob. It's also called when you run the commands (start/disable/save/stats/debug disable/debug filter).

Now what exactly does this function do? It will scan /jffs/skynet.log for any new bans based on traffic from ports 80 and 443 (HTTP and HTTPS). It then unbans anything meeting this criteria and marks it in the log. If the IP is ever banned a second time the same way during the next 2 weeks, on the following scan it will whitelist the IP automatically.

So in a sense the script "learns"; after a day or two you will most likely never run into any accidental blockage again, as the whitelist is never wiped (unless forced by the user of course). I've just now added a new IPTables rule which should still handle invalid packets but only DROP (not ban) ones sent on TCP ports 80,443. So let's see if this works how we want it to; I've kept the old functionality for the time being as a fail-over. So as usual an update will be required to v4.2.1 :p
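The unban pass described in this post, modelled as an added example (not Skynet's own code): it picks NEW BAN lines whose source port is 80 or 443 out of a constructed log excerpt in the same format as the kernel log lines earlier in the thread, lifts a first ban of that kind, and whitelists an IP that gets banned the same way again within two weeks. The state file, its "IP EPOCH" line format, the function names and the two-week constant's placement are assumptions; a ban from an unsolicited SSH probe is included to show that it is left alone.

```shell
#!/bin/sh
# Added example, not Skynet's code: a model of the "learning" unban pass.
#   unban     - first ban triggered by a reply from TCP port 80/443
#   whitelist - the same IP was already unbanned this way within 14 days
# State file format ("IP EPOCH" per line) and function names are assumptions.

GRACE_SECS=$((14 * 24 * 3600))   # two weeks, per the explanation above

# write_sample_log FILE: constructed excerpt using documentation IPs/dummy MACs
write_sample_log() {
    cat > "$1" <<'EOF'
May 17 23:20:05 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.2.100 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=443 DPT=57750 WINDOW=293 RES=0x00 ACK FIN URGP=0
May 17 23:21:10 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1002 DF PROTO=TCP SPT=22 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 17 23:22:00 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.2.100 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=1003 DF PROTO=TCP SPT=80 DPT=51000 WINDOW=293 RES=0x00 ACK URGP=0
EOF
}

# http_bans LOGFILE -> unique SRC IPs of NEW BAN lines whose SPT is 80 or 443,
# i.e. bans caused by replies from web servers a LAN client itself contacted
http_bans() {
    grep '\[BLOCKED - NEW BAN\]' "$1" \
      | grep -E 'SPT=(80|443)( |$)' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort -u
}

# decide STATEFILE NOW_EPOCH IP -> "unban" or "whitelist"
decide() {
    state=$1; now=$2; ip=$3
    prev=$(awk -v ip="$ip" '$1 == ip { t = $2 } END { print t }' "$state" 2>/dev/null)
    if [ -n "$prev" ] && [ $((now - prev)) -le "$GRACE_SECS" ]; then
        echo whitelist
    else
        echo unban
    fi
}

# unban_http LOGFILE STATEFILE NOW_EPOCH -> prints "IP decision" per IP and
# records first-time unbans in STATEFILE (the "mark in the log" step)
unban_http() {
    log=$1; state=$2; now=$3
    touch "$state"
    for ip in $(http_bans "$log"); do
        d=$(decide "$state" "$now" "$ip")
        echo "$ip $d"
        if [ "$d" = unban ]; then echo "$ip $now" >> "$state"; fi
    done
    return 0
}

# Stand-alone demo on the constructed excerpt; real use would read /jffs/skynet.log
demo() {
    d=$(mktemp -d)
    write_sample_log "$d/skynet.log"
    unban_http "$d/skynet.log" "$d/unbanned.state" "$(date +%s)"
    rm -rf "$d"
}
demo
```

The point to take from the sample: 203.0.113.10 is handled by the learning logic because both of its bans carry SPT=443 or SPT=80, while 198.51.100.7 (an inbound SYN to port 22) never reaches `decide` and stays banned.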
 
As per request, auto updating can now be enabled during install. I'll slow down eventually :p

'Eventually'... Yeah, right :p You're unstoppable apparently :eek:. But thanks for implementing it so fast!

A suggestion and a question:

It might be useful to update the first post, so it reflects the current status and the new parameters.

And as for the question:

Do I need to keep running...

Code:
sh /jffs/scripts/firewall update
sh /jffs/scripts/firewall install

... every time I (manually) would like to update, or would...

Code:
sh /jffs/scripts/firewall update

... suffice, once both commands were run once to clean up firewall-start?
 
