Skynet Skynet - Router Firewall & Security Enhancements

[dugaduga]

With skynet enabled, opennic.org wont load, but www.opennic.org will load. With skynet disabled, it loads as expected. I suspect this may be the source of many other connectivity issues I've been experiencing on my network for quite some time, with websites failing to load on pcs and mobile devices. Is there anything you recommend I do to fix this?

 

[dugaduga]

Video available of the bug here, will be up shortly

 

[Adamm]

I don't understand this unless the RT-86 is phoning home.

When I country-banned CN, I immediated started seeing a lot of these as OUTBOUND banned.
There's only 2 devices...my computer and the router AC86. Skynet says the top blocked device with 2545 hits is the RT-86U.

619x | 47.99.165.31 (CN) | https://otx.alienvault.com/indicator/ip/47.99.165.31 |
504x | 118.24.208.197 (CN) | https://otx.alienvault.com/indicator/ip/118.24.208.197 |
452x | 47.101.136.37 (CN) | https://otx.alienvault.com/indicator/ip/47.101.136.37 |
428x | 114.115.240.175 (CN) | https://otx.alienvault.com/indicator/ip/114.115.240.175 |
384x | 119.29.107.85 (CN) | https://otx.alienvault.com/indicator/ip/119.29.107.85 |
158x | 115.159.154.226 (CN) | https://otx.alienvault.com/indicator/ip/115.159.154.226 |
143x | 106.48.13.103 (CN) | https://otx.alienvault.com/indicator/ip/106.48.13.103 | may.day-p.nlb.e.chinacache.com.cn
126x | 106.48.15.24 (CN) | https://otx.alienvault.com/indicator/ip/106.48.15.24 | may.day-p.nlb.e.chinacache.com.cn
122x | 203.205.191.21 (CN) | https://otx.alienvault.com/indicator/ip/203.205.191.21 | tencentintlcdn.cedexis-test.com.jstoversea.sched.apcdns
119x | 106.48.13.102 (CN) | https://otx.alienvault.com/indicator/ip/106.48.13.102 | may.day-p.nlb.e.chinacache.com.cn

Comments? Thanks!

Thats just an overview of your stats, you can look up information for individual IP's via;

( sh /jffs/scripts/firewall stats search ip 8.8.8.8 ) Search All Debug Data For Entries On 8.8.8.8
( sh /jffs/scripts/firewall stats search ip 8.8.8.8 20 ) Search All Debug Data For Entries On 8.8.8.8 With Customizable Top20 Output
( sh /jffs/scripts/firewall stats search malware 8.8.8.8 ) Search Malwarelists For Specified IP

 

[dugaduga]

OK so I just found that opennic.org is on a different ip than www.opennic.org, and one of the ips is on a blocklist, im not sure how that got there; does Skynet have an intrusion detection system that auto-bans things like round-robin? or is it a blacklist / whitelist only model?

EDIT i notice skynet has banned multiple opennic.org ips, i whitelisted one and yet it still was blocked at another IP; what are the odds? why is this happening?

EDIT:
167.99.4.63 & 104.198.14.52

EDIT: make that 3 so far: 142.93.122.177

 

[gattaca]

Thats just an overview of your stats, you can look up information for individual IP's via;

( sh /jffs/scripts/firewall stats search ip 8.8.8.8 ) Search All Debug Data For Entries On 8.8.8.8
( sh /jffs/scripts/firewall stats search ip 8.8.8.8 20 ) Search All Debug Data For Entries On 8.8.8.8 With Customizable Top20 Output
( sh /jffs/scripts/firewall stats search malware 8.8.8.8 ) Search Malwarelists For Specified IP

Thanks. I guess I was not on the ball in my ?. What I am wondering is WTH is the RT-AC86U router backdooring something in CN? For instance, I looked up the first IP in the banned CN listing. I also ran last night with JUST the router online, no other connections and traffic, and I reset the stats and everything in the listing was pegged to the router this AM.

So what and why is the RT-AC86 + Merlin + all the utilities diversion, skynet, dnssec reaching out to some DNS in CHINA? --> uw-dns.rubyfish.cn
plus all those other CN IPs? I'm very glad I turned on skynet b/c I had no idea this was happening.
So is this expected router behavior?

Personally, I don't want anything backdooring to CN, let alone a DNS.

So my gut says ASUS has something hardcoded in the firmware which is beyond the reach of Merlin's code to detect and fix... This sure feels like the Samsung phone home TVs people have been ranting about... These guys are hardcoding IPs into the code and without something like skynet to detect and block it, we are hozed..

Am I the only one a bit freaked out about this? Thanks!

 

[Adamm]

Thanks. I guess I was not on the ball in my ?. What I am wondering is WTH is the RT-AC86U router backdooring something in CN? For instance, I looked up the first IP in the banned CN listing. I also ran last night with JUST the router online, no other connections and traffic, and I reset the stats and everything in the listing was pegged to the router this AM.

So what and why is the RT-AC86 + Merlin + all the utilities diversion, skynet, dnssec reaching out to some DNS in CHINA? --> uw-dns.rubyfish.cn
plus all those other CN IPs? I'm very glad I turned on skynet b/c I had no idea this was happening.
So is this expected router behavior?

Personally, I don't want anything backdooring to CN, let alone a DNS.

So my gut says ASUS has something hardcoded in the firmware which is beyond the reach of Merlin's code to detect and fix... This sure feels like the Samsung phone home TVs people have been ranting about... These guys are hardcoding IPs into the code and without something like skynet to detect and block it, we are hozed..

Am I the only one a bit freaked out about this? Thanks!

Hard to tell you whats going on without a snippet of the logs.

 

[ScottW]

Using Skynet v6.7.8, I'm seeing a formatting problem in the "Top 10 Blocked Devices (Outbound)" list, apparently caused by this line:

localname="$(grep -F "$ipaddr" /var/lib/misc/dnsmasq.leases | awk '{print $4}')"​

When (for example) IP 192.168.1.2 is blocked outbound, the above grep returns a list of all leases whose IP contains 192.168.1.2 -- including, for example, .21, .22, .201, .202, and so forth. That results in an output like this (the correct device for .2 is "pc-asusz170"; all others have .2x or .2xx addresses):

Top 10 Blocked Devices (Outbound);

--------   | ------------     | ---------------                                            
| Hits |   | | Local IP |     | | Device Name |                                            
--------   | ------------     | ---------------                                            

6x         | 192.168.1.2        | C3-KITCHEN-IP3M
HS210
C2-SOUTH-IP3M
C1-EAST-IP3M
C4-WEST-IP3M
Net-AC88U-AP
C5-NORTH-IP3M
C6-OFFICE-IP3M
PC-AsusZ170
DELL-I17-5770
airport1
C7-GARAGE-IP3M


=============================================================================================================

Not sure if this is the best fix, but changing "$ipaddr" to "$ipaddr " (with trailing space) fixed it for me.

 

[gattaca]

Hard to tell you whats going on without a snippet of the logs.

These logs?

Mar 3 12:45:18 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.100.6 DST=47.99.165.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35421 DF PROTO=TCP SPT=58115 DPT=443 SEQ=2892933742 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A036722FB0000000001030306)
Mar 3 12:45:18 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.100.6 DST=47.99.165.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18409 DF PROTO=TCP SPT=58109 DPT=443 SEQ=614426568 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A036722FE0000000001030306)

 

[Butterfly Bones]

These logs?

Mar 3 12:45:18 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.100.6 DST=47.99.165.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35421 DF PROTO=TCP SPT=58115 DPT=443 SEQ=2892933742 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A036722FB0000000001030306)
Mar 3 12:45:18 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.100.6 DST=47.99.165.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18409 DF PROTO=TCP SPT=58109 DPT=443 SEQ=614426568 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A036722FE0000000001030306)

This device on your networks, with IP SRC=192.168.100.6 is trying to contact this IP 47.99.165.31 which is (according to Alien Vault) AS37963 Hangzhou Alibaba Advertising Co.,Ltd. in China.
https://otx.alienvault.com/indicator/ip/47.99.165.31

It is using port 443, which is https
https://www.grc.com/port_443.htm

What device on your network is assigned the IP of 192.168.100.6 ?

I have a few Google devices on my network, phones, smart speakers, trying to contact Google in China, but I block the entire CN country code in Skynet, so they continually fail. I see no problems on those devices and they do all the things I want.

 

[gattaca]

This device on your networks, with IP SRC=192.168.100.6 is trying to contact this IP 47.99.165.31 which is (according to Alien Vault) AS37963 Hangzhou Alibaba Advertising Co.,Ltd. in China.
https://otx.alienvault.com/indicator/ip/47.99.165.31

It is using port 443, which is https
https://www.grc.com/port_443.htm

What device on your network is assigned the IP of 192.168.100.6 ?

I have a few Google devices on my network, phones, smart speakers, trying to contact Google in China, but I block the entire CN country code in Skynet, so they continually fail. I see no problems on those devices and they do all the things I want.

Hi, That's what troubling - there is no device assigned to -> 192.168.100.6 on THIS router.
This RT-AC86U's IP is --> 192.168.111.7
The starting ip range is --> 192.168.111.3 - 192.168.111.254 (to allow for pixelserv @ 192.168.111.2)
Pixelserv is working on 192.168.111.2/servstats
The system-log/leases shows just 1 address 192.168.111.54 which happens to be my laptop watching this router.

However, it just hit me, 192.168.100.6 is this RT-AC86U's WAN IP address that it's using on it's WAN port. That port is connected to the 192.168.100.x main router. I'm using it this way to test the setups before swapping it in or the family would kill me.

I'm slightly more confused now.

 

[Butterfly Bones]

Hi, That's what troubling - there is no device assigned to -> 192.168.100.6!!
The router IP is --> 192.168.111.7
The starting ip range is --> 192.168.111.3 - 192.168.111.254 (to allow for pixelserv @ 192.168.111.2)
Pixelserv is 192.168.111.2/servstats (yes it works)
The system-log/leases shows just 1 address 192.168.111.54 which happens to be my laptop watching this router.
IDK what is using 192.168.100.6... but it sure has me wondering..

One last thought, did you look at the DHCP leases tab on the System Log page? Other than that, it is really odd, I have no idea at this point.

 

[cmkelley]

As a data point, I have "bg br cn ir kp ro rs ru tr ua" banned in Skynet on my AC86U, and I don't have any blocked outbound connections from the router itself.

 

[gattaca]

One last thought, did you look at the DHCP leases tab on the System Log page? Other than that, it is really odd, I have no idea at this point.

^^ Thanks for confirming... you are not seeing blocks. This is indeed odd and I'm at a loss to explain why skynet is reporting what it is reporting.

Yes.. 192.168.111.54 is the IP of the laptop..

192.168.100.6 is the WAN IP on the RT-AC86U.

 

[gattaca]

Thanks for all the help! I understand that skynet is reporting the IP traffic on the RT-AC86U's WAN IP (192.168.100.6) as foreign events. So now, I've got to dig on the main setup to see what's talking to CN! Growl..some of my kids stuff I'm sure. Again, TY!

 

[Adamm]

Using Skynet v6.7.8, I'm seeing a formatting problem in the "Top 10 Blocked Devices (Outbound)" list, apparently caused by this line:

localname="$(grep -F "$ipaddr" /var/lib/misc/dnsmasq.leases | awk '{print $4}')"​

When (for example) IP 192.168.1.2 is blocked outbound, the above grep returns a list of all leases whose IP contains 192.168.1.2 -- including, for example, .21, .22, .201, .202, and so forth. That results in an output like this (the correct device for .2 is "pc-asusz170"; all others have .2x or .2xx addresses):

Top 10 Blocked Devices (Outbound);

--------   | ------------     | ---------------                                           
| Hits |   | | Local IP |     | | Device Name |                                           
--------   | ------------     | ---------------                                           

6x         | 192.168.1.2        | C3-KITCHEN-IP3M
HS210
C2-SOUTH-IP3M
C1-EAST-IP3M
C4-WEST-IP3M
Net-AC88U-AP
C5-NORTH-IP3M
C6-OFFICE-IP3M
PC-AsusZ170
DELL-I17-5770
airport1
C7-GARAGE-IP3M


=============================================================================================================

Not sure if this is the best fix, but changing "$ipaddr" to "$ipaddr " (with trailing space) fixed it for me.

Thanks, pushed a hotfix

 

[ScottW]

Thanks, pushed a hotfix

Outstanding... Keeps getting better, love the new country lookups in stats - saves me looking them all up myself. Appreciate all the hard work, continued expansion / refinement, and attention to detail. THANK YOU!

 

[gattaca]

Outstanding... Keeps getting better, love the new country lookups in stats - saves me looking them all up myself. Appreciate all the hard work, continued expansion / refinement, and attention to detail. THANK YOU!

Ditto!!!!
What would help more people is if there is a really good FAQ (in laymen's terms) for recommendations to use with skynet? For instance, if you are in the US, then say these 3 block lists by country are recommended in increasing order? Or we recommend using option A but not B option? Thanks! This is an awesome tool!

 

[vdemarco]

i just installed this and it seems to be working great.

a question should i just turn of the aiprotect stuff from trend micro?

the trend micro code really has never blocked anything interesting

 

[visortgw]

i just installed this and it seems to be working great.

a question should i just turn of the aiprotect stuff from trend micro?

the trend micro code really has never blocked anything interesting

Not necessarily since they peacefully coexist! There is actually a setting that you can enable in Skynet to automatically block anything flagged by AIProrect.

 

[martinr]

Leave the AIProtection stuff on, I do. They complement each other, and there’s a setting you’ll find in Skynet called Ban AIProtect which takes cognisance of any nasties AIProtect discovers and adds it to the blacklist. Definitely, keep AIProtection’s security layer no matter how thin it might appear. It used to give me quite a few alerts, but now, with Skynet and Diversion, I get far fewer, but I still get the odd one or 2. Keep it.