Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Also separating UDP and TCP bans would help!

This change is now live as of 4.3.2, by default all bans (TCP/UDP/ICMP) will be shown, but it can be specified in the command by doing so;

sh /jffs/scripts/firewall stats tcp

OR

sh /jffs/scripts/firewall stats 20 tcp

But it would be clearer if you see what was blocked every hour with the corresponding dns if available

This may take a little longer for me to think of a good solution, I would add it to stat reporting but it would require a very long (ugly) line of code. I'll see what I can do.

 

[yk101]

Thanks for your immediate reaction!

 

[Adamm]

But it would be clearer if you see what was blocked every hour with the corresponding dns if available

This change is now live as of 4.3.3. To use it do the following;

sh /jffs/scripts/firewall stats search autobans

OR

sh /jffs/scripts/firewall stats search autobans 20

 

[TheUntouchable]

Thanks a lot, will test it when I am back from work

 

[yk101]

Hi @Adamm, one more request - can you please add range option to whitelist operation? This would make it consistent with ban/unban.

Help shows:

Add Entry To Whitelist (IP/Range/Domain/Remove)

But then looking at the code:

        whitelist)
                Purge_Logs
                if [ -z "$2" ]; then
                        echo "For Automated IP Whitelisting Use; \"sh $0 whitelist IP\""
                        echo "For Automated Domain Whitelisting Use; \"sh $0 whitelist domain URL\""
                        echo "Input IP To Whitelist"
                        read whitelistip
                        logger -st Skynet "[Adding $whitelistip To Whitelist] ... ... ..."
                        ipset -A Whitelist $whitelistip
                        ipset -D Blacklist $whitelistip
                        sed -i /$whitelistip/d /jffs/skynet.log
                elif [ -n "$2" ] && [ "$2" != "domain" ] && [ "$2" != "port" ] && [ "$2" != "remove" ]; then
                        logger -st Skynet "[Adding $2 To Whitelist] ... ... ..."
                        ipset -A Whitelist $2
                        ipset -D Blacklist $2
                        sed -i /$2/d /jffs/skynet.log
                elif [ "$2" = "domain" ] && [ -z "$3" ];then
                        echo "Input Domain To Whitelist"
                        read whitelistdomain
                        logger -st Skynet "[Adding $whitelistdomain To Whitelist] ... ... ..."
                        for ip in $(Domain_Lookup $whitelistdomain)
                                do
                                ipset -A Whitelist $ip
                                ipset -D Blacklist $ip
                                sed -i /$ip/d /jffs/skynet.log
                        done
                elif [ "$2" = "domain" ] && [ -n "$3" ]; then
                logger -st Skynet "[Adding $3 To Whitelist] ... ... ..."
                for ip in $(Domain_Lookup $3)
                        do
                        ipset -A Whitelist $ip
                        ipset -D Blacklist $ip
                        sed -i /$ip/d /jffs/skynet.log
                done
                elif [ "$2" = "port" ] && [ -n "$3" ]; then
                logger -st Skynet "[Adding $3 To Whitelist] ... ... ..."
                for ip in $(Domain_Lookup $3)
                        do
                        ipset -A Whitelist $ip
                        ipset -D Blacklist $ip
                        sed -i /$ip/d /jffs/skynet.log
                done
                elif [ "$2" = "port" ] && [ -n "$3" ]; then
                        logger -st Skynet "[Whitelisting Autobans Issued On Traffic From Port $3] ... ... ..."
                        for ip in $(grep NEW /jffs/skynet.log | grep "DPT=$3 " | grep -oE 'SRC=[0-9,\.]* ' | cut -c 5- )
                                do
                                echo "Whitelisting $ip"
                                ipset -A Whitelist $ip
                                ipset -D Blacklist $ip
                                sed -i /$ip/d /jffs/skynet.log
                        done
                elif [ "$2" = "remove" ]; then
                        echo "Removing All Non-Default Whitelist Entries"
                        ipset --flush Whitelist
                        ipset --save > /jffs/scripts/ipset.txt
                        echo "Restarting Firewall"
                        service restart_firewall
                        exit
                else
                        echo "Command Not Recognised, Please Try Again"
                        exit
                fi
                ipset --save > /jffs/scripts/ipset.txt
                ;;

Obviously Range was in the plans, but fell off the table at some time?

 

[Adamm]

Obviously Range was in the plans, but fell off the table at some time?

This can already be done using;

sh /jffs/scripts/firewall whitelist 8.8.8.8/32

Although you did help me realise a bug just now in how I remove related logs during the process as the sed command doesn't like slashes. I'll put out a fix for that shortly but for the most part the functionality still works

 

[TheUntouchable]

This change is now live as of 4.3.3. To use it do the following;

sh /jffs/scripts/firewall stats search autobans

OR

sh /jffs/scripts/firewall stats search autobans 20

Thats really cool, thank you!

But in my mind (please don't get me wrong! ) it looked like this (just an example):

May 23 14:00:00 Skynet: [Complete] 2 IPs / 0 Ranges banned. 2 New IPs / 0 New Ranges Banned. 10 IP /0 Range Connection Blocked! [0s]
May 23 14:00:00 Skynet: New Auto Banned IPs:
May 23 14:00:00 Skynet: 8.8.8.8 (google-public-dns-a.google.com)
May 23 14:00:00 Skynet: 1.1.1.1 (No DNS available)

Perhaps thats possible too?

 

[Adamm]

Perhaps thats possible too?

It's possible yes, but there is two reasons I went against going down this path. First of all I don't want my script to be "spamming" the syslog printing 2+ messages per hour, one is a lot already. Secondly now that HTTP connections are excluded from autobans, it's mostly portscanning bots getting banned, so there would be no cases for DNS lookup.

 

[TheUntouchable]

I completely understand you opinion about that! Anyway, that should have been something optional, not everyone needs that kind of information

I check everytime I see a new ban which DNS and WHOIS is behind that IP to be sure (had a problem with my mailing provider and my bandwidth measuring appliance the last days), so dns resolving would make my life a little easier, but I see that this is also not demanded by everyone

Thanks a lot anyway for that nice little script

 

[Adamm]

Pushed a pretty important update for anyone not using auto-update. The way I was previously detecting the logfile age was inaccurate and means the logfile would never be cleared. This is now based on size of the logfile and will be deleted whenever it reaches 7MB (depending on usage this could be weeks). I suggest everyone update accordingly. Also been working on speed improvements over the past few days trying to speed up some slower functions where-ever possible.

 

[skilledone]

Is there a way to start graphing these blocks via a WebGUI using something like ELK? I see folks do Pfsense and have ELK working w/ it showing IPs blocked by country. I'd love to monitor output that way via GUI vs doing an alias to query my iptables for stats. I'm using an ASUS AC88U. Any insight on how to start graphing this data would be sweet.

 

[Adamm]

Is there a way to start graphing these blocks via a WebGUI using something like ELK? I see folks do Pfsense and have ELK working w/ it showing IPs blocked by country. I'd love to monitor output that way via GUI vs doing an alias to query my iptables for stats. I'm using an ASUS AC88U. Any insight on how to start graphing this data would be sweet.

All data is stored in /jffs/skynet.log in its raw form (until the log reaches a certain size), so technically this is very possible. That being said I haven't personally worked with ELK or similar solutions so I'm not sure if this is something I'd be personally taking on, but being open source if anyone were so commit something of this nature I'd happily include it in the main project.

 

[TheUntouchable]

Just had to reboot my router because of an firmware update and after that, the banning started Can you perhaps add a timeout after a reboot of the router which nothing is added to the banlist?

 

[Adamm]

Just had to reboot my router because of an firmware update and after that, the banning started Can you perhaps add a timeout after a reboot of the router which nothing is added to the banlist?

My thought is we want to implement banning as soon as possible so there is no "window" so to speak of allowing potentially malicious connections. Is there any particular reason for a timeout period upon restart?

 

[Adamm]

For anyone using the "banmalware" feature, when debugging for another user I found myself with no easy way to tell which list in particular an IP was from. So I created the following command to help with this;

sh /jffs/scripts/firewall stats search malware 120.28.42.254

With this new command, it will scan every malwarelist and let you know which it was sourced from, which will give you a further indication of why its blacklisted in the first place given the nature of each list.

For example, the IP above was in hphosts_mmt.ipset, which you can tell by the description is for misleading marketing (fake update popups etc). Pretty minor but handy for when you want to track something down.

 

[TheUntouchable]

My thought is we want to implement banning as soon as possible so there is no "window" so to speak of allowing potentially malicious connections. Is there any particular reason for a timeout period upon restart?

The problem is, if I reboot my router and connections from my devices are opened, the router don't know anything of them after a reboot and is banning all incoming connection afterwarts But youre right, banning as soon as possible would be the securest.

 

[a_lunatic]

Just tried to check for an update and it gone firewall-start is still there but nothing else.

sh: can't open '/jffs/scripts/firewall'

 

[Adamm]

Just tried to check for an update and it gone firewall-start is still there but nothing else.

sh: can't open '/jffs/scripts/firewall'

That's pretty strange, the only code that messes with the core file is the uninstall function. Looks like you will need to redownload it, I'll scan the code for any errors but that's odd.

EDIT; The only situation I can see this happening if the github file 404's, in which case the file would be replaced by a blank file. I'll fix this as a safety measure but beyond that not sure how this occured

 

[Wish]

Just tried to check for an update and it gone firewall-start is still there but nothing else.

sh: can't open '/jffs/scripts/firewall'

I am getting the same error

 

[Adamm]

I am getting the same error

Redownload the file using the following commands;

wget -O /jffs/scripts/firewall https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh
chmod +x /jffs/scripts/firewall

I guess github had some downtime which caused this to happen. Today I added some simple 404/timeout checks on the update function, this should not be a problem in future.