Skynet Skynet - Router Firewall & Security Enhancements

[Skeptical.me]

No it does not block AiProtection on the contrary it blacklists all the ips that AI-P finds. Yes IoT blocking can be used to block WAN access to devices.

Thanks for your reply. Thanks for clearing that up.

I'm trying to learn everything about Skynet. Loving it so far.

 

[Zonkd]

This wiki page has me wondering if there is an easy way to block tor nodes using Skynet? Has anybody been successful doing this?

 

[Adamm]

Banmalware is just Skynet's IP address lists rather than Diversion's hostname lists.

I changed the cron time of Skynet banmalware from 2:25 AM to 3:25 AM and duration went from 171 seconds to 43 seconds.

Are there enough Eastern USA Skynet users all firing off at 2:25 AM EDT to slow the downloads? Who knows.

Jan 28 02:27:51 router Skynet: [#] 151871 IPs (+1568) -- 1490 Ranges Banned (-131) || 94 Inbound -- 0 Outbound Connections Blocked! [banmalware] [171s]
Jan 28 10:16:17 router Skynet: [#] 154012 IPs (+2141) -- 1657 Ranges Banned (+167) || 1101 Inbound -- 0 Outbound Connections Blocked! [banmalware] [14s]
Jan 28 13:51:25 router Skynet: [#] 153138 IPs (-874) -- 1667 Ranges Banned (+10) || 1495 Inbound -- 0 Outbound Connections Blocked! [banmalware] [20s]
Jan 29 03:25:43 router Skynet: [#] 155142 IPs (+2004) -- 1686 Ranges Banned (+19) || 3005 Inbound -- 0 Outbound Connections Blocked! [banmalware] [43s]

Thats... interesting. I'll look at adding a random hour value for the cronjob in a future update

This wiki page has me wondering if there is an easy way to block tor nodes using Skynet? Has anybody been successful doing this?

IIRC people in the past who wanted to block TOR exit nodes used this list. Most of the scripts on the wiki are no longer maintained.

 

[Adamm]

ok, thanks for teaching me new tricks - just posting this in case it's not fast enough

For a non HND device that time looks accurate

 

[Zonkd]

IIRC people in the past who wanted to block TOR exit nodes used this list. Most of the scripts on the wiki are no longer maintained.

Thanks for answering.

 

[Skeptical.me]

This wiki page has me wondering if there is an easy way to block tor nodes using Skynet? Has anybody been successful doing this?

It would be great to be able to block TOR nodes.


Sent from my iPhone using Tapatalk Pro

 

[martinr]

In another thread, https://www.snbforums.com/threads/dnsmasq.54783/
a new forum member, who doesn’t use Skynet, is trying to do the following:


“I am trying to set this:
address=/www.bing.com/204.79.197.220
to force www.bing.com to restricted mode.”

I doubt it but I wonder, is there, in Skynet, a very simple way to achieve this ie point a domain either to a different domain or to an IP address?

 

[dazedv3]

I've pushed v6.7.0

This version focuses on IOT security. Recently I acquired an Annke DW81KE CCTV System (support SNBForums and use their Amazon link ) which gave me a great opportunity to test and implement IOT rules to prevent devices from calling home and not having to rely on the built in remote access features. As it stands, the current implementation will prevent devices from accessing WAN with two exceptions;

1) Most IOT devices directly connect to NTP servers to set the clock, so NTP traffic is allowed.
2) Remote access via the routers OpenVPN server.

What this means is you can lock down any IOT device that you don't want accessing WAN, but still have the ability to access it via LAN devices or remotely via VPN. This should significantly enhance security of more... obscure devices such as DVR systems, cameras, printers and anything else IOT related without losing any functionality.

To configure your "IOT Blacklist" you can use the following commands (or the respective menu options);

( sh /jffs/scripts/firewall settings iot unban|ban 8.8.8.8 ) Unban|Ban Single IOT Device (or CIDR) From Accessing WAN
( sh /jffs/scripts/firewall settings iot unban|ban 8.8.8.8,9.9.9.9 ) Unban|Ban Multiple IOT Device(s) (or CIDR) (Use Comma As Separator)
( sh /jffs/scripts/firewall settings iot list ) List Currently Banned IOT Devices

Stats for blocked packets will also show up in the appropriate section.

I'd also like to give Annke a shout out as their support team was a pleasure to work with and I can happily report in the last week on monitoring my devices traffic, there was not a single rogue packet. If you are in the market for an affordable CCTV system they have some great hardware.


Note; While this feature has been extensively tested, I only had a limited number of devices to test with (thanks @ItsJarrett for being a beta tester). I am sure there will be devices with other requirements (SMTP etc) and I will look at adding more features down the road based on user feedback.

I would also like to add VLAN support in the future but as it currently stands this is completely undocumented and uncharted territory on HND devices due to the lack of the robocfg utility. So if anyone makes some headway there, feel free to reach out to me.

This is a great addition, I was linked to this via another thread and it is almost exactly what I need however I was wondering if the ability to allow gmail smtp could be added as I would like my NVR to be able to email me with alerts.

Thanks.

 

[Adamm]

This is a great addition, I was linked to this via another thread and it is almost exactly what I need however I was wondering if the ability to allow gmail smtp could be added as I would like my NVR to be able to email me with alerts.

Thanks.

I’ll be looking into specifying custom allowed ports in the very near future, was Australia Day long weekend here so I didn’t have time to implement it yet.

 

[dazedv3]

I’ll be looking into specifying custom allowed ports in the very near future, was Australia Day long weekend here so I didn’t have time to implement it yet.

Oh cool, I'm in AUS too happy 'Straya day mate

 

[consorts]

minor question; is there any way to stop or limit such skynet notices from being system/general logged;

Jan 30 04:35:31 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=* SRC=* DST=* LEN=* TOS=* PREC=* TTL=* ID=* DF PROTO=* SPT=* DPT=* LEN=*

i really don't want to have to reduce my log levels from "notice" to "warning" just to avoid seeing this in gui.

under 11.settings, 6.log invalid packets is disabled, so i don't know what else i can do to get rid of these.

 

[Adamm]

minor question; is there any way to stop or limit such skynet notices from being system/general logged;

Jan 30 04:35:31 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=* SRC=* DST=* LEN=* TOS=* PREC=* TTL=* ID=* DF PROTO=* SPT=* DPT=* LEN=*

i really don't want to have to reduce my log levels from "notice" to "warning" just to avoid seeing this in gui.

under 11.settings, 6.log invalid packets is disabled, so i don't know what else i can do to get rid of these.

Disable debug mode. In doing so you will also disable stat reporting, so make your decision accordingly.

 

[Adamm]

This is a great addition, I was linked to this via another thread and it is almost exactly what I need however I was wondering if the ability to allow gmail smtp could be added as I would like my NVR to be able to email me with alerts.

Thanks.

This feature is now live with v6.7.1

( sh /jffs/scripts/firewall settings iot ports 123,124,125 ) Allow Port(s) To Access WAN (Use Comma As Separator)
( sh /jffs/scripts/firewall settings iot ports reset ) Reset Allowed Port List To Default

 

[Jack Yaz]

This feature is now live with v6.7.1

( sh /jffs/scripts/firewall settings iot ports 123,124,125 ) Allow Port(s) To Access WAN (Use Comma As Separator)
( sh /jffs/scripts/firewall settings iot ports reset ) Reset Allowed Port List To Default

UDP only?

 

[Twiglets]

In another thread, https://www.snbforums.com/threads/dnsmasq.54783/
a new forum member, who doesn’t use Skynet, is trying to do the following:


“I am trying to set this:
address=/www.bing.com/204.79.197.220
to force www.bing.com to restricted mode.”

I doubt it but I wonder, is there, in Skynet, a very simple way to achieve this ie point a domain either to a different domain or to an IP address?

If you use dnscrypt-proxy* you can do this via the cloaking rules file. (Sample file copied below)

################################
#        Cloaking rules        #
################################

# The following example rules force "safe" (without adult content) search
# results from Google, Bing and YouTube.
#
# This has to be enabled with the `cloaking_rules` parameter in the main
# configuration file


www.google.*             forcesafesearch.google.com

www.bing.com             strict.bing.com

www.youtube.com          restrictmoderate.youtube.com
m.youtube.com            restrictmoderate.youtube.com
youtubei.googleapis.com  restrictmoderate.youtube.com
youtube.googleapis.com   restrictmoderate.youtube.com
www.youtube-nocookie.com restrictmoderate.youtube.com

localhost                127.0.0.1

* See https://github.com/jedisct1/dnscrypt-proxy

 

[QuikSilver]

minor question; is there any way to stop or limit such skynet notices from being system/general logged;

Jan 30 04:35:31 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=* SRC=* DST=* LEN=* TOS=* PREC=* TTL=* ID=* DF PROTO=* SPT=* DPT=* LEN=*

i really don't want to have to reduce my log levels from "notice" to "warning" just to avoid seeing this in gui.

under 11.settings, 6.log invalid packets is disabled, so i don't know what else i can do to get rid of these.

Thinking of doing the same thing. Seeing a lot of blocked traffic with one being a RDP honeypot. Annoying as all get out!

 

[QuikSilver]

Disable debug mode. In doing so you will also disable stat reporting, so make your decision accordingly.

Am I overlooking that option? I assume its option 1?

Edit...Its not option 1.

Select Debug Option:
[1]  --> Show Debug Entries As They Appear
[2]  --> Print Debug Info
[3]  --> Cleanup Syslog Entries
[4]  --> SWAP File Management
[5]  --> Backup Skynet Files
[6]  --> Restore Skynet Files

 

[dave14305]

Am I overlooking that option? I assume its option 1?

Select Debug Option:
[1]  --> Show Debug Entries As They Appear
[2]  --> Print Debug Info
[3]  --> Cleanup Syslog Entries
[4]  --> SWAP File Management
[5]  --> Backup Skynet Files
[6]  --> Restore Skynet Files

It's in Settings instead of Debug.
or

sh /jffs/scripts/firewall settings debugmode disable

I made a pitch to only enable outbound debug logging, but it wasn't widely accepted.

 

[consorts]

adam,
whatever skynet is doing hourly,
can i set it to do it daily instead?
and what is that setting called.

Jan 30 21:00:06 Skynet: [#] 156138 IPs (+0) -- 1671 Ranges Banned (+0) || 46955 Inbound -- 18 Outbound Connections Blocked! [save] [6s]
Jan 30 22:00:07 Skynet: [#] 156138 IPs (+0) -- 1671 Ranges Banned (+0) || 47061 Inbound -- 18 Outbound Connections Blocked! [save] [7s]
Jan 30 23:00:06 Skynet: [#] 156138 IPs (+0) -- 1671 Ranges Banned (+0) || 47167 Inbound -- 18 Outbound Connections Blocked! [save] [6s]

 

[Adamm]

adam,
whatever skynet is doing hourly,
can i set it to do it daily instead?
and what is that setting called.

Jan 30 21:00:06 Skynet: [#] 156138 IPs (+0) -- 1671 Ranges Banned (+0) || 46955 Inbound -- 18 Outbound Connections Blocked! [save] [6s]
Jan 30 22:00:07 Skynet: [#] 156138 IPs (+0) -- 1671 Ranges Banned (+0) || 47061 Inbound -- 18 Outbound Connections Blocked! [save] [7s]
Jan 30 23:00:06 Skynet: [#] 156138 IPs (+0) -- 1671 Ranges Banned (+0) || 47167 Inbound -- 18 Outbound Connections Blocked! [save] [6s]

The save command dumps the IPSets from the ram to a hard copy in your installation directory, it also purges the logs of all the BLOCKED messages. Assuming securemode is enabled it will also run various security checks to ensure your device is as safe as possible.