Skynet Skynet - Router Firewall & Security Enhancements

[dave14305]

@Adamm @RMerlin

Duh...staring us in the face...

if (nvram_get_int("sshd_enable") == 1)

With the tristate change, this should be '== 2'

Isn’t brute force protection only for WAN access (1)?

 

[john9527]

Isn’t brute force protection only for WAN access (1)?

Double duh on my part....I assumed is was Off, LAN, LAN+WAN (0,1,2)....not Off, LAN+WAN,LAN....

Bit I did see that a closed source module does something with sshd_enable
release/src/router/cfg_mnt/prebuild/RT-AC68U/cfg_server matches

@rromeroa
Did you ever actually double check the nvram values?

 

[rromeroa]

Did you ever actually double check the nvram values?

yes, both values were 1

sshd_bfp=1
sshd_pass=0
sshd_forwarding=0
sshd_port=22
sshd_enable=1

 

[john9527]

@rromeroa
Let's try this logged into the router

service restart_firewall
iptables -S

post the output of the iptables command

 

[RMerlin]

Bit I did see that a closed source module does something with sshd_enable
release/src/router/cfg_mnt/prebuild/RT-AC68U/cfg_server matches

That module is responsible for config sharing between AiMesh nodes.

 

[RMerlin]

Double duh on my part....I assumed is was Off, LAN, LAN+WAN (0,1,2)....not Off, LAN+WAN,LAN....

Actually, it probably would be a good idea to enable it for both WAN and LAN, in case of a hostile client trying to brute force into your router (like a compromised IoT device).

 

[rromeroa]

service restart_firewall
iptables -S
post the output of the iptables command

thanks @john9527, here is the outputs

from nvram show | grep "sshd_":

sshd_bfp=1
sshd_pass=0
sshd_forwarding=0
sshd_port=22
sshd_enable=1

from iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ACCESS_RESTRICTION
-N FUPNP
-N INPUT_ICMP
-N OVPN
-N PControls
-N PTCSRVLAN
-N PTCSRVWAN
-N SECURITY
-N default_block
-N logaccept
-N logdrop
-N other2wan
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -i vlan2 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -i vlan3 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -d 224.0.0.0/4 -p igmp -j ACCEPT
-A INPUT -d 224.0.0.0/4 -p udp -m udp ! --dport 1900 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
-A INPUT -s 172.16.0.0/255.255.15.0 -i ppp0 -j DROP
-A INPUT -s 172.16.0.0/255.255.15.0 -i vlan2 -j ACCEPT
-A INPUT -s X.X.X.X/32 -i vlan3 -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j logdrop
-A FORWARD -d 224.0.0.0/4 -p udp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o vlan6 -j other2wan
-A FORWARD ! -i br0 -o vlan2 -j other2wan
-A FORWARD ! -i br0 -o vlan3 -j other2wan
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i ppp0 -j SECURITY
-A FORWARD -i vlan2 -j SECURITY
-A FORWARD -i vlan3 -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FUPNP -d 192.168.1.4/32 -p udp -m udp --dport 9308 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A OVPN -i tun21 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A other2wan -i tun+ -j RETURN
-A other2wan -j logdrop

 

[john9527]

@rromeroa
I may be on to something.....are you using the option to restrict router access to certain IPs? If you are, give it a try with that turned off.

 

[rromeroa]

@rromeroa
I may be on to something.....are you using the option to restrict router access to certain IPs? If you are, give it a try with that turned off.

As far as I know, the only restriction I have comes from skynet...

 

[john9527]

@rromeroa

OK....my next try....

Do you have either Dual Wan in load balance mode or IPTV Movistar enabled? Both of these do not support BFP

 

[rromeroa]

Bravo @john9527, I have IPTV Movistar enabled, didn't know that limitation...

 

[john9527]

Bravo @john9527, I have IPTV Movistar enabled, didn't know that limitation...

That makes two of us
I didn't know of either of the two I listed until I went through the code. Learn something new every day.

Now, I don't know what @Adamm will need to do with this info.

EDIT: Thanks for providing all data we asked for....the 'iptables -S' output helped me to track it down.

 

[Adamm]

That makes two of us
I didn't know of either of the two I listed until I went through the code. Learn something new every day.

Now, I don't know what @Adamm will need to do with this info.

EDIT: Thanks for providing all data we asked for....the 'iptables -S' output helped me to track it down.

Well that would probably have been the only setting I couldn't test

Nice work tracking it down, is there a nvram value for when its enabled?

 

[john9527]

Nice work tracking it down, is there a nvram value for when its enabled?

if ((nvram_get_int("switch_stb_x") > 6 &&
    nvram_match("switch_wantag", "movistar")))

 

[Pergola Fabio]

ok, i am new to this, gonna update to merlin to test it out, but can some1 point me to the right direction?
as an example
i have forwarded my port 5000 to my internal lan, so i can assess my synology system
but i see in my DSM logs, that there are other ip from other countries block after x retries
so i want to setup that only access is granted to port 5000 from a specific country

how can i do this?

 

[skeal]

ok, i am new to this, gonna update to merlin to test it out, but can some1 point me to the right direction?
as an example
i have forwarded my port 5000 to my internal lan, so i can assess my synology system
but i see in my DSM logs, that there are other ip from other countries block after x retries
so i want to setup that only access is granted to port 5000 from a specific country

how can i do this?

You want iptables. This script does not control port options.

 

[skeal]

RESOLVED-Re-installed and all is well.
Hey @Adamm I have a new problem I'm not sure how to fix. Skynet fails to start on a reboot. The last two log entries are:

Nov 26 14:23:03 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/EXT2/skynet )
Nov 26 14:23:15 Skynet: [*] Connection Error Detected - Exiting

The only thing I altered was adding this line to dnsmasq.conf.add:

server=/pool.ntp.org/1.1.1.1

I can start Skynet by launching:

/jffs/scripts/firewall-start

If @Adamm is busy anyone with a clue please reply! Thanks in advance you all!
100% Resolved
This issue was likely caused by me not bouncing dnsmasq before the reboot after I made the addition to the dnsmasq.conf.add.

 

[dave14305]

RESOLVED-Re-installed and all is well.
Hey @Adamm I have a new problem I'm not sure how to fix. Skynet fails to start on a reboot. The last two log entries are:

Nov 26 14:23:03 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/EXT2/skynet )
Nov 26 14:23:15 Skynet: [*] Connection Error Detected - Exiting

The only thing I altered was adding this line to dnsmasq.conf.add:

server=/pool.ntp.org/1.1.1.1

I can start Skynet by launching:

/jffs/scripts/firewall-start

If @Adamm is busy anyone with a clue please reply! Thanks in advance you all!
100% Resolved
This issue was likely caused by me not bouncing dnsmasq before the reboot after I made the addition to the dnsmasq.conf.add.

Not sure how bouncing before a reboot would help since dnsmasq.conf will be wiped and freshly created on boot, but the error means that skynet could not ping google.com or github.com after 4 tries.

 

[Adamm]

Bravo @john9527, I have IPTV Movistar enabled, didn't know that limitation...

I pushed a fix for movistar users (aka you )

ok, i am new to this, gonna update to merlin to test it out, but can some1 point me to the right direction?
as an example
i have forwarded my port 5000 to my internal lan, so i can assess my synology system
but i see in my DSM logs, that there are other ip from other countries block after x retries
so i want to setup that only access is granted to port 5000 from a specific country

how can i do this?

Unfortunately Skynet wasn't designed for that particular scenario. But you can read all about the dozens of other features Skynet offers.

Not sure how bouncing before a reboot would help since dnsmasq.conf will be wiped and freshly created on boot, but the error means that skynet could not ping google.com or github.com after 4 tries.

IIRC his issue is Stubby/DNSCrypt related, so an entry for your ntp server is required in a dnsmasq custom config file.

 

[rromeroa]

I pushed a fix for movistar users (aka you )

It's all right, thank you @Adamm... I'm sure there are more spanish users who will appreciate it