Skynet - Router Firewall & Security Enhancements


Isn’t brute force protection only for WAN access (1)?
Double duh on my part :oops: ....I assumed it was Off, LAN, LAN+WAN (0,1,2)....not Off, LAN+WAN, LAN....

But I did see that a closed source module does something with sshd_enable
release/src/router/cfg_mnt/prebuild/RT-AC68U/cfg_server matches

@rromeroa
Did you ever actually double check the nvram values?
 
But I did see that a closed source module does something with sshd_enable
release/src/router/cfg_mnt/prebuild/RT-AC68U/cfg_server matches

That module is responsible for config sharing between AiMesh nodes.
 
Double duh on my part :oops: ....I assumed it was Off, LAN, LAN+WAN (0,1,2)....not Off, LAN+WAN, LAN....

Actually, it probably would be a good idea to enable it for both WAN and LAN, in case of a hostile client trying to brute force into your router (like a compromised IoT device).
 
service restart_firewall
iptables -S
post the output of the iptables command

Thanks @john9527, here are the outputs

from nvram show | grep "sshd_":
Code:
sshd_bfp=1
sshd_pass=0
sshd_forwarding=0
sshd_port=22
sshd_enable=1

from iptables -S
Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ACCESS_RESTRICTION
-N FUPNP
-N INPUT_ICMP
-N OVPN
-N PControls
-N PTCSRVLAN
-N PTCSRVWAN
-N SECURITY
-N default_block
-N logaccept
-N logdrop
-N other2wan
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -i vlan2 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -i vlan3 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -d 224.0.0.0/4 -p igmp -j ACCEPT
-A INPUT -d 224.0.0.0/4 -p udp -m udp ! --dport 1900 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
-A INPUT -s 172.16.0.0/255.255.15.0 -i ppp0 -j DROP
-A INPUT -s 172.16.0.0/255.255.15.0 -i vlan2 -j ACCEPT
-A INPUT -s X.X.X.X/32 -i vlan3 -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j logdrop
-A FORWARD -d 224.0.0.0/4 -p udp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o vlan6 -j other2wan
-A FORWARD ! -i br0 -o vlan2 -j other2wan
-A FORWARD ! -i br0 -o vlan3 -j other2wan
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i ppp0 -j SECURITY
-A FORWARD -i vlan2 -j SECURITY
-A FORWARD -i vlan3 -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FUPNP -d 192.168.1.4/32 -p udp -m udp --dport 9308 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A OVPN -i tun21 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A other2wan -i tun+ -j RETURN
-A other2wan -j logdrop
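The dump above accepts TCP 22 with a plain ACCEPT and nothing else, which is what john9527 spots below. The following is an added example, not Skynet or firmware code, of a check a practitioner can run over an `iptables -S INPUT` dump to see whether SSH brute-force protection is really in place for the configured port. It assumes BFP is implemented with the iptables `recent` module (a `--set` rule recording new connections plus an `--update ... --hitcount` rule that drops repeat offenders, both placed above the port's ACCEPT); the exact rule text and the counter name `SSHBFP` in the second sample are this example's assumptions, and both samples are constructed from the posted output rather than captured from a router.

```shell
#!/bin/sh
# Added example, not part of Skynet or the firmware: check an "iptables -S"
# dump for SSH brute-force protection (BFP) on a given port.
# Assumption: BFP uses the iptables "recent" module, i.e. a "--set" rule that
# records new connections and an "--update ... --hitcount" rule that drops
# repeat offenders, both ordered before the plain ACCEPT for the port.
# The counter name SSHBFP below is this example's choice.

# Constructed sample 1: the relevant INPUT rules from the dump posted above.
# Port 22 is accepted with no "recent" rule in sight.
SAMPLE_NO_BFP='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j logdrop'

# Constructed sample 2: the same chain with BFP rules present and ordered correctly.
SAMPLE_BFP='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSHBFP --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSHBFP --rsource -j logdrop
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j logdrop'

# check_bfp PORT DUMP
#   returns 0 = BFP active, 1 = port accepted without working BFP,
#           2 = no ACCEPT for the port at all (firewall not exposing it).
# Only single-port "--dport" rules in INPUT are considered (no multiport).
check_bfp() {
  port=$1
  dump=$2
  # Number the INPUT rules for this port so that ordering can be compared.
  rules=$(printf '%s\n' "$dump" | grep -nE -- "^-A INPUT .*--dport $port( |$)" || :)
  accept_line=$(printf '%s\n' "$rules" | grep -E -- '-j ACCEPT$' | head -n 1 | cut -d: -f1)
  drop_line=$(printf '%s\n' "$rules" | grep -E -- '-m recent --update .* -j (logdrop|DROP)' | head -n 1 | cut -d: -f1)
  if [ -z "$accept_line" ]; then
    echo "port $port: no INPUT ACCEPT rule, the firewall is not exposing it"
    return 2
  fi
  if [ -z "$drop_line" ]; then
    echo "port $port: ACCEPT present but no 'recent' rate-limit rule, BFP inactive"
    return 1
  fi
  if [ "$drop_line" -gt "$accept_line" ]; then
    echo "port $port: rate-limit rule sits below ACCEPT and can never match, BFP inactive"
    return 1
  fi
  echo "port $port: BFP active (limit rule at $drop_line, ACCEPT at $accept_line)"
  return 0
}

# Stand-alone demo on the constructed samples. On the router run instead:
#   check_bfp "$(nvram get sshd_port)" "$(iptables -S INPUT)"
check_bfp 22 "$SAMPLE_NO_BFP" || :
check_bfp 22 "$SAMPLE_BFP" || :
```

The ordering test matters as much as the presence test: iptables evaluates INPUT top to bottom, so a rate-limit rule that lands below the port's ACCEPT is dead code even though `iptables -S` shows it. Run the check again after `service restart_firewall`, since that rebuilds the chain.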
 
@rromeroa
I may be on to something.....are you using the option to restrict router access to certain IPs? If you are, give it a try with that turned off.
 
@rromeroa

OK....my next try....

Do you have either Dual Wan in load balance mode or IPTV Movistar enabled? Both of these do not support BFP
 
Bravo @john9527, I have IPTV Movistar enabled, didn't know that limitation...
That makes two of us :D
I didn't know of either of the two I listed until I went through the code. Learn something new every day.

Now, I don't know what @Adamm will need to do with this info.

EDIT: Thanks for providing all data we asked for....the 'iptables -S' output helped me to track it down.
 
That makes two of us :D
I didn't know of either of the two I listed until I went through the code. Learn something new every day.

Now, I don't know what @Adamm will need to do with this info.

EDIT: Thanks for providing all data we asked for....the 'iptables -S' output helped me to track it down.

Well that would probably have been the only setting I couldn't test :rolleyes:

Nice work tracking it down, is there an nvram value for when it's enabled?
 
OK, I am new to this, gonna update to Merlin to test it out, but can someone point me in the right direction?
As an example:
I have forwarded my port 5000 to my internal LAN, so I can access my Synology system,
but I see in my DSM logs that there are other IPs from other countries blocked after x retries,
so I want to set it up so that access to port 5000 is granted only from a specific country.

How can I do this?
 
OK, I am new to this, gonna update to Merlin to test it out, but can someone point me in the right direction?
As an example:
I have forwarded my port 5000 to my internal LAN, so I can access my Synology system,
but I see in my DSM logs that there are other IPs from other countries blocked after x retries,
so I want to set it up so that access to port 5000 is granted only from a specific country.

How can I do this?
You want iptables. This script does not control port options.
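Since the answer is "plain iptables, not Skynet", here is an added example (not Skynet's code and not from anyone in this thread) of how that restriction is usually built on an Asuswrt-Merlin router: an ipset holding the allowed source ranges and a FORWARD rule that drops forwarded traffic to the NAS port from any source outside it. The set name `allow5000`, the NAS address `192.168.1.10` and the two RFC 5737 documentation ranges are placeholders for this example; a real deployment fills the set from a country IP feed. The one detail taken from this thread is the stock FORWARD chain's `-m conntrack --ctstate DNAT -j ACCEPT` rule (visible in the `iptables -S` output posted earlier), which admits every port-forward and therefore has to be preceded by the drop rule.

```shell
#!/bin/sh
# Added example, not Skynet code: restrict an existing port-forward (TCP 5000
# to a LAN host) to source addresses held in an ipset, as an addition to
# /jffs/scripts/firewall-start. The set name, the NAS address and the
# allow-list ranges are placeholders chosen for this example.

FWD_PORT=5000
FWD_HOST=192.168.1.10         # placeholder LAN address of the NAS
SET_NAME=allow5000            # ipset name chosen for this example
# Constructed allow-list: RFC 5737 documentation ranges stand in for the
# country blocks a real deployment would load from an IP feed.
ALLOW_CIDRS='192.0.2.0/24
198.51.100.0/24'

# build_rules prints the ipset and iptables commands instead of running them,
# so the logic can be inspected on a PC and piped into sh on the router.
build_rules() {
  # "-exist" makes both the create and the adds safe to re-run on every
  # firewall restart, which is when firewall-start is executed.
  echo "ipset create $SET_NAME hash:net -exist"
  echo "ipset flush $SET_NAME"
  printf '%s\n' "$ALLOW_CIDRS" | while read -r cidr; do
    [ -n "$cidr" ] && echo "ipset add $SET_NAME $cidr -exist"
  done
  # The stock FORWARD chain contains "-m conntrack --ctstate DNAT -j ACCEPT",
  # which admits every port-forward, so the drop rule must be inserted (-I)
  # at the top of FORWARD rather than appended (-A) below it.
  # "! -i br0" leaves LAN-side access to the NAS (including NAT loopback)
  # untouched; "--ctstate DNAT" limits the rule to forwarded traffic only;
  # the -C check avoids stacking duplicate rules on repeated runs.
  rule="FORWARD ! -i br0 -p tcp -d $FWD_HOST --dport $FWD_PORT -m conntrack --ctstate DNAT -m set ! --match-set $SET_NAME src -j DROP"
  echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
}

# Stand-alone demo prints the commands; on the router use:  build_rules | sh
build_rules
```

Because `service restart_firewall` rebuilds the filter table, the rule has to live in `firewall-start` (which the firmware runs after each rebuild), not be typed once at the shell. Note also what this does and does not buy: attackers coming through a VPN or hosting provider inside the allowed country still reach port 5000, so the DSM-side lockout stays relevant.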
 
RESOLVED-Re-installed and all is well.
Hey @Adamm I have a new problem I'm not sure how to fix. Skynet fails to start on a reboot. The last two log entries are:
Code:
Nov 26 14:23:03 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/EXT2/skynet )
Nov 26 14:23:15 Skynet: [*] Connection Error Detected - Exiting
The only thing I altered was adding this line to dnsmasq.conf.add:
Code:
server=/pool.ntp.org/1.1.1.1
I can start Skynet by launching:
Code:
/jffs/scripts/firewall-start
If @Adamm is busy anyone with a clue please reply! Thanks in advance you all!
100% Resolved :):)
This issue was likely caused by me not bouncing dnsmasq before the reboot after I made the addition to the dnsmasq.conf.add.
 
RESOLVED-Re-installed and all is well.
Hey @Adamm I have a new problem I'm not sure how to fix. Skynet fails to start on a reboot. The last two log entries are:
Code:
Nov 26 14:23:03 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/EXT2/skynet )
Nov 26 14:23:15 Skynet: [*] Connection Error Detected - Exiting
The only thing I altered was adding this line to dnsmasq.conf.add:
Code:
server=/pool.ntp.org/1.1.1.1
I can start Skynet by launching:
Code:
/jffs/scripts/firewall-start
If @Adamm is busy anyone with a clue please reply! Thanks in advance you all!
100% Resolved :):)
This issue was likely caused by me not bouncing dnsmasq before the reboot after I made the addition to the dnsmasq.conf.add.
Not sure how bouncing before a reboot would help since dnsmasq.conf will be wiped and freshly created on boot, but the error means that skynet could not ping google.com or github.com after 4 tries.
 
Bravo @john9527, I have IPTV Movistar enabled, didn't know that limitation...

I pushed a fix for movistar users (aka you :p)

OK, I am new to this, gonna update to Merlin to test it out, but can someone point me in the right direction?
As an example:
I have forwarded my port 5000 to my internal LAN, so I can access my Synology system,
but I see in my DSM logs that there are other IPs from other countries blocked after x retries,
so I want to set it up so that access to port 5000 is granted only from a specific country.

How can I do this?

Unfortunately Skynet wasn't designed for that particular scenario. But you can read all about the dozens of other features Skynet offers.

Not sure how bouncing before a reboot would help since dnsmasq.conf will be wiped and freshly created on boot, but the error means that skynet could not ping google.com or github.com after 4 tries.

IIRC his issue is Stubby/DNSCrypt related, so an entry for your ntp server is required in a dnsmasq custom config file.
 
