
Skynet - Router Firewall & Security Enhancements


I like how this supports IPv6 connections.

One issue I see though is that the last two characters of the IPv6 address are truncated.
For example, an address ending with "62b7:552d" in "ip neighbor" shows as "62:b7:55: |"

I can identify my devices with two additional screens:
Another PuTTY session with the output of "ip neighbor" to map IPv6 address to MAC address
Fing to map MAC address back to device

Can you please take a screenshot of the issue so I can get a better idea (my ISP doesn't support IPv6 until later this year).
 
I just looked at my whitelist, and I have 1234 entries of IP ranges. Is that normal?
 
I just looked at my whitelist, and I have 1234 entries of IP ranges. Is that normal?

Yes, Skynet whitelists a few major CDNs by default to cut down on false positives. You can view all manually added entries via the appropriate commands and menu items.
 
Can you please take a screenshot of the issue so I can get a better idea (my ISP doesn't support IPv6 until later this year).
Annotation 2019-01-13 124738.gif

I increased the PuTTY font size to huge, confirmed it was viewable yet it shows up tiny when I attach it here. Perhaps there is a trick to legible screenshot posting.
 

Well, for the time being I have to truncate these down to a generic "IPv6" placeholder (a better alternative than not displaying them at all). With the limited screen real-estate my hands are somewhat tied. No version change
 
Well, for the time being I have to truncate these down to a generic "IPv6" placeholder (a better alternative than not displaying them at all). With the limited screen real-estate my hands are somewhat tied. No version change
300px-Ipv6_address_leading_zeros.svg.png

Perhaps IPv6 addresses could be displayed with colons after four characters rather than two characters.
 
Perhaps IPv6 addresses could be displayed with colons after four characters rather than two characters.

The problem is more based on consistency. The IP fields currently have room for 18 characters, and as you know IPv6 addresses alone can have up to 40 characters. This is still a new feature, I'll see if there are any other formatting alternatives in the future. Thanks for pointing this out.
 
@Adamm

I have syslog-ng running with entware to sort my syslog into different buckets (including one for skynet), with the unsorted messages going to /opt/var/log/messages. As part of that I kill syslogd. To allow those messages to show up in the webui I put a symlink to that file as /tmp/syslog.log. My problem is that that symlink is regularly destroyed and replaced by an actual file, which has a weirdly persistent content.

I think this may be because skynet regularly operates on syslog.log using "sed -i", which I think destroys the symlink and replaces it with this file. Because I have killed syslogd and started syslog-ng, nothing further gets written to that syslog.log, and /opt/var/log/messages continues to get updated. But the webui isn't useful.

Would it be possible to replace the sed -i process with a non-destructive method that followed the symlink? This isn't a big deal and I imagine there are other ways of doing this, but at the moment skynet and syslog-ng are at odds. At least I think so.
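
The symlink behaviour described in the post above can be reproduced in a scratch directory. This is an added example, not part of the original post and not Skynet's code; the sandbox paths, the sample log lines and the function names are constructed for illustration. It contrasts `sed -i` with a write-through edit that uses only `sed`, `cat` and `rm`.

```shell
#!/bin/sh
# Constructed demo: paths and log lines are made up; nothing here is Skynet's code.

# Build a sandbox that mirrors the layout in the post:
# <dir>/messages is the real log, <dir>/syslog.log is a symlink to it.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'Jan 13 12:00:01 kernel: [BLOCKED - INBOUND] IN=eth0 SRC=192.0.2.10' \
        'Jan 13 12:00:02 dnsmasq[312]: query example.com' \
        'Jan 13 12:00:03 kernel: [BLOCKED - OUTBOUND] IN=br0 DST=198.51.100.7' \
        > "$dir/messages"
    ln -s "$dir/messages" "$dir/syslog.log"
    echo "$dir"
}

# sed -i writes a new file and renames it over the path it was given,
# so the symlink itself is replaced by a regular file.
prune_in_place() {
    sed -i '/BLOCKED -/d' "$1"
}

# Write-through alternative: filter into a temp file, then copy the
# bytes back with a redirect. The redirect opens the path, follows the
# symlink and truncates the target, so the link survives.
# Not atomic: lines the logger appends between the sed and the cat are lost.
prune_write_through() {
    tmp="$1.tmp.$$"
    sed '/BLOCKED -/d' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Report what a path is after an edit.
kind_of() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo file
    else echo missing; fi
}

d=$(make_sandbox)
prune_write_through "$d/syslog.log"; echo "write-through: $(kind_of "$d/syslog.log")"
prune_in_place "$d/syslog.log";      echo "sed -i:        $(kind_of "$d/syslog.log")"
rm -rf "$d"
```

After `prune_in_place` the real log behind the link is untouched and keeps growing, while the web UI path now points at a stale regular file, which matches the "weirdly persistent content" reported above.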
 
Question: Does debug mode do anything to warrant leaving it on all the time? Because I get tons of [BLOCKED - INBOUND] entries in syslog if I leave it on and while I appreciate that Skynet is doing its thing, I probably don't need reminders every 30 seconds or so in my log to tell me that. :D
 
Question: Does debug mode do anything to warrant leaving it on all the time? Because I get tons of [BLOCKED - INBOUND] entries in syslog if I leave it on and while I appreciate that Skynet is doing its thing, I probably don't need reminders every 30 seconds or so in my log to tell me that. :D
The log entries have to stay to gather stats. So you can search and display blocked or allowed stuff.
 
No log entries no accumulated stats.
 
Question: Does debug mode do anything to warrant leaving it on all the time? Because I get tons of [BLOCKED - INBOUND] entries in syslog if I leave it on and while I appreciate that Skynet is doing its thing, I probably don't need reminders every 30 seconds or so in my log to tell me that. :D
I made a similar appeal earlier for an outbound-only debug mode, but it went over like a lead balloon. I had taken to commenting out the relevant iptables commands in the script, but recently decided to let it go since Adamm releases frequent updates and was tired of doing it the hard way. o_O
Skynet - Asus Firewall Addition
 
No log entries no accumulated stats.
Hrmmm. Seems like an appropriately clever person could use something like syslog-ng to redirect the debug entries elsewhere, then hack on the script to use that file instead of syslog. Of course this would be much easier if iptables supported logging to somewhere other than syslog. Could be a fun challenge, now that we seem to have sorted my troubles with Stubby. :)
 
@Adamm - just a gee-whiz request. How complicated would it be for Skynet to do a breakdown of the blocked IPs per list?

So where it says:

153763 IPs (+0) -- 18569 Ranges Banned (+0) || 36303 Inbound -- 97257 Outbound Connections Blocked!

Instead something like:
153763 IPs (+0) -- 18569 Ranges Banned (+0) || 36303 Inbound -- 97257 Outbound Connections Blocked!
* Malware list: 24427 IPs
* Country ban: CN: 67018 IPs
* Country ban: IR: 28611 IPs
(etc.)

No biggie, would just be kind of fun to see. :)
 
so let me get this straight. No need to have both enabled, just skynet, right?
AIProtect takes advantage of TrendMicro's installations around the world that gather signatures of malicious software and send them back for analysis and subsequent distro to devices like ours. Skynet can be set to automatically ban IPs ID'd by AIProtect as suspect, but I believe you would need AIProtect running to take advantage of that feature. Skynet on its own is a very robust solution, though. But you are correct - AIProtect does not have to be running to run Skynet.
 
@Adamm

I have syslog-ng running with entware to sort my syslog into different buckets (including one for skynet), with the unsorted messages going to /opt/var/log/messages. As part of that I kill syslogd. To allow those messages to show up in the webui I put a symlink to that file as /tmp/syslog.log. My problem is that that symlink is regularly destroyed and replaced by an actual file, which has a weirdly persistent content.

I think this may be because skynet regularly operates on syslog.log using "sed -i", which I think destroys the symlink and replaces it with this file. Because I have killed syslogd and started syslog-ng, nothing further gets written to that syslog.log, and /opt/var/log/messages continues to get updated. But the webui isn't useful.

Would it be possible to replace the sed -i process with a non-destructive method that followed the symlink? This isn't a big deal and I imagine there are other ways of doing this, but at the moment skynet and syslog-ng are at odds. At least I think so.

As pointed out, unfortunately we are stuck with limited stock binaries so options like "--follow-symlinks" are unavailable for sed, along with additional configuration for syslog. So there is no way for Skynet to avoid this issue.

so let me get this straight. No need to have both enabled, just skynet, right?

Both products work independently of each other. Skynet just taps into AiProtect for additional features if enabled. I highly recommend keeping both enabled.

@Adamm - just a gee-whiz request. How complicated would it be for Skynet to do a breakdown of the blocked IPs per list?

So where it says:

153763 IPs (+0) -- 18569 Ranges Banned (+0) || 36303 Inbound -- 97257 Outbound Connections Blocked!

Instead something like:
153763 IPs (+0) -- 18569 Ranges Banned (+0) || 36303 Inbound -- 97257 Outbound Connections Blocked!
* Malware list: 24427 IPs
* Country ban: CN: 67018 IPs
* Country ban: IR: 28611 IPs
(etc.)

No biggie, would just be kind of fun to see. :)

Seems reasonable enough, I'll see if/where it makes sense to add in the near future.
 
