Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

It happened to me as well.

I removed the USB Drive, put it back and Skynet came back.

That error only happens if your install directory goes missing (perhaps it was remounted as a different device) or you change the device label.

Why is a USB drive required? I have not found an answer to this. I am sure the answer is quite simple as there is not enough storage on the router in the JFFS area but I have not seen this question asked or an explanation provided.

To cater for the swap file. While Skynet doesn't use a large amount of ram, a recent broadcom SDK update led to some devices spitting fork() errors when running additional processes. The only way to fix this error was to use a swap file

 

[TripleRipple]

Thanks for the reply Adamm

 

[alexandro]

Adamm, why info about Astrill removed from Readme.md? Astrill not compatible with the Skynet or it's another reason?
PIA hasn't router plugin like Astrill.
PIA acquired by London Trust Media, and CTO of London Trust Media is former CEO of Mt. Gox. PIA is USA-based. Sounds bad...

 

[Adamm]

Adamm, why info about Astrill removed from Readme.md? Astrill not compatible with the Skynet or it's another reason?
PIA hasn't router plugin like Astrill.
PIA acquired by London Trust Media, and CTO of London Trust Media is former CEO of Mt. Gox. PIA is USA-based. Sounds bad...

Astrill have no intent to update their OpenVPN implementation going forward and want to switch completely to Wireguard. PIA on the other hand are focused on OpenVPN and have a much more updated implementation.

 

[EmeraldDeer]

Hardware or Software Instability? Actually no, Internet port scan denial of service
There have been a handful of instances with my new router where I lose connectivity and then what appears to me to be a hardware reset of the LAN switch and syslog messages about a WAN outage.

Feb  8 23:05:54 WAN_Connection: WAN was exceptionally disconnected.
Feb  8 23:05:54 DualWAN: skip single wan wan_led_control - WANRED off
Feb  8 23:06:06 WAN_Connection: WAN was restored.

When connectivity comes back I seem to have lost the syslog entries before and perhaps during the event except for WAN.

I am now using Skynet. Optionally I have chosen to log INVALID blocked connections in addition to INBOUND blocked connections. Other users have not been fans of the Skynet syslog entries.

I am also using Cygwin 64 syslog-ng on a Windows computer as a central, remote syslog for three network devices including the router. I am OK with all of the Skynet entries that do not get cleaned up hourly as they do on the router.

The connectivity outage has happened again, but this time I have the logs on my remote syslog server to know what it is caused by. Over the course of a few minutes, I receive at least a thousand INVALID SYN packets to various TCP ports. The time gaps in the log suggest a lot more packets are involved.

I submitted an abuse web form to the ISP of the source IP in Germany.

Without the logs I would have been suspecting problems with the hardware or the firmware. I do have DoS protection enabled even though this situation is beyond the help of rate limiting.

Top 10 Blocks (Invalid);


--------   | --------------   | --------------                                          | ----------------------
| Hits |   | | IP Address |   | | AlienVault |                                          | | Associated Domains |
--------   | --------------   | --------------                                          | ----------------------

1628x      | 88.99.37.190     | https://otx.alienvault.com/indicator/ip/88.99.37.190    |

Update: I was poking around in the Fing app. There is a feature which you cannot disable called Network Vulnerability Test. Apparently it performs a port scan from the Internet from time to time. Since I had recently enabled incoming IPSEC VPN, I was curious whether Fing could tell. The history showed nothing. So I decided to run it ad hoc.

Guess what, the Fing network vulnerability test has been the cause of the outages from IP address 88.99.37.190. It blasts your router with so many SYN packets in a couple of minutes that it takes you offline. And the history coincided with the outage from Friday night.

I am f***ing done with Fing. I had been on the fence with regard to the overall value of Fing compared to the breadth of data they were extracting and storing in the cloud. I deleted the networks from the app, deactivated and disconnected the Fing device on my network and deleted the Fing apps. Wow.

 

[cmkelley]

If you're bothered by the large number of iptables log entries (i.e. "kernel: [BLOCKED - " messages), and you're adventurous enough to try syslog-ng, please head on over to: Configuring syslog-ng with merlin firmware and give it a test to see if it works for you. No guarantees, looking for feedback.

 

[cmkelley]

@Adamm, does Skynet use any messages besides the "[BLOCKED - ..." messages for statistics? Syslog-ng is doing some weird things, but if the BLOCKED messages are all it uses, I can ignore it and simplify my filter a bit.

 

[Adamm]

@Adamm, does Skynet use any messages besides the "[BLOCKED - ..." messages for statistics? Syslog-ng is doing some weird things, but if the BLOCKED messages are all it uses, I can ignore it and simplify my filter a bit.

Theres also the log messages (which Skynet also purges).

Feb 10 15:30:31 Skynet: [#] 147242 IPs (+0) -- 1670 Ranges Banned (+0) || 173 Inbound -- 30 Outbound Connections Blocked! [stats] [4s]

 

[cmkelley]

Theres also the log messages (which Skynet also purges).

Feb 10 15:30:31 Skynet: [#] 147242 IPs (+0) -- 1670 Ranges Banned (+0) || 173 Inbound -- 30 Outbound Connections Blocked! [stats] [4s]

Okay, thanks. I'll make sure those are going into the file Skynet is scraping.

 

[Adamm]

I've pushed v6.7.3

This version now generates the CDN whitelist dynamically rather then pull a static file from the Git repo.

 

[skeal]

I've pushed v6.7.3

This version now generates the CDN whitelist dynamically rather then pull a static file from the Git repo.

Excellent work @Adamm !! Thank you!

 

[DonnyJohnny]

I've pushed v6.7.3

This version now generates the CDN whitelist dynamically rather then pull a static file from the Git repo.

Don’t know which list is blocking ipinfo.io, causing banmalware update to hang during refreshing whitelist.
Lol.
Whitelist it already....

 

[Adamm]

Don’t know which list is blocking ipinfo.io, causing banmalware update to hang during refreshing whitelist.
Lol.
Whitelist it already....

sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx

 

[elorimer]

I'm curious about the two logs that are in the skynetloc directory: skynet.log and event.log. What are they used for? Also, they seem to be purged periodically. Do they have a use separate from the syslog logging?

 

[Adamm]

I'm curious about the two logs that are in the skynetloc directory: skynet.log and event.log. What are they used for? Also, they seem to be purged periodically. Do they have a use separate from the syslog logging?

Thats where Skynet moves the pruned entries from the syslog for stat collection.

 

[Adamm]

I've pushed v6.7.4

• Various whitelist optimizations
• Show custom syslog location in debug info

 

[Milan]

i just installed Skynet on my AC3200 and it seems that your install script is not aware of the usage of the swap partition. can you add the option to use a swap partition instead of creating of additional swap file?

 

[duceyaj]

i just installed Skynet on my AC3200 and it seems that your install script is not aware of the usage of the swap partition. can you add the option to use a swap partition instead of creating of additional swap file?

I created my swap partition with AMTM and skynet was able to see it during install.

Sent from my SM-G965U1 using Tapatalk

 

[jsbeddow]

I created my swap partition with AMTM and skynet was able to see it during install.

Sent from my SM-G965U1 using Tapatalk

AMTM creates a swap file, not a swap partition. This has been discussed before in the forums, and the conclusion was that a swap file is what is needed, NOT a swap partition.

 

[consorts]

just reporting in case others with diversion+skynet see similar;
i woke up this morning with my ac3100 cpu with one thread at 100% while everyone was still sleeping, soft reboot didn't work, so i power cycled and that got my cpu util% back to normal. i noticed this seems to happen when one of you push out an update and seems to fall out of list sync i donno, that's just my primitive diagnosis.