Skynet - Router Firewall & Security Enhancements

Thanks Adam. So no-one would have any valid reason to disable it?

I can't think of any. But for the sake of user configurability it's there anyway.
 
Hi Adamm - I'm trying to enable Ban AiProtect, but I get this message:

This Feature Requires Entware - Exiting

But Entware is there at location:

/mnt/entware

What do I need to do for Skynet to recognize that location?
 
Sounds like something is wrong or non standard with your entware install. Skynet checks for the opkg binary located at /opt/bin/opkg
 
Can I set an alias so that Skynet looks in the right location?
 
You're free to do whatever you like to get it working, but I only support standard installations officially. I highly suggest converting your Entware installation to prevent any other further issues.
 
OK, I just reran the Entware install per the instructions at
https://github.com/RMerl/asuswrt-merlin/wiki/Entware

After completion, I reran your Ban AiProtect option, and this time it worked. I have no idea why the Entware installation was not right from when I initially installed it.
 
I am looking to block all traffic from inbound OpenVPN clients terminating on my Asus router, except traffic to one internal IP/port. Is this something I can do w/ Skynet? If so, how?

If there is a better way to accomplish this, let me know.
 
I currently use Skynet to block outbound connections to many countries. Is it possible to also block incoming connections to specific ports? I ask because I want to open a few ports on my router. It would be great if I could explicitly allow incoming connections from IP ranges inside my own country and block all other countries. How might I do this with Skynet or iptables?
 
Skynet blocks either inbound/outbound/all your traffic; it's not based on a per-port basis.
 
I've been using Skynet for a while without issue, but the last week or so I'd say about 1 in every 5 sites I try to visit is blocked. It's enough that it's becoming tedious figuring out which IP it is and whitelisting it. I've had to do it to about 9 sites in the last 3 days. Did Skynet start using a new source of IPs or something? I'm gonna have to disable it altogether, but I really don't want to.
 
What blocking lists are you using? Try standard it works very well. Whoops wrong thread...LOL
 
The only IP addresses that I have had to whitelist in Skynet are for ext-cust.squarespace.com
Code:
[1]  --> Autoupdate            | [Enabled]
[2]  --> Banmalware            | [daily]
[3]  --> Debug Mode            | [Enabled]
[4]  --> Filter Traffic        | [all]
[5]  --> Unban PrivateIP       | [Enabled]
[6]  --> Log Invalid Packets   | [Enabled]
[7]  --> Ban AiProtect         | [Enabled]
[8]  --> Secure Mode           | [Enabled]
[9]  --> Fast Switch           | [Disabled]
[10] --> Syslog Location       | [Default]
[11] --> IOT Blocking          | [Disabled]
[12] --> Stats Country Lookup  | [Enabled]
 
This appears to be the "banmalwareupdate" list:
Code:
https://iplists.firehol.org/files/alienvault_reputation.ipset
https://iplists.firehol.org/files/bambenek_c2.ipset
https://iplists.firehol.org/files/bds_atif.ipset
https://iplists.firehol.org/files/bi_sshd_2_30d.ipset
https://iplists.firehol.org/files/blocklist_net_ua.ipset
https://iplists.firehol.org/files/coinbl_hosts_browser.ipset
https://iplists.firehol.org/files/coinbl_ips.ipset
https://iplists.firehol.org/files/cybercrime.ipset
https://iplists.firehol.org/files/dyndns_ponmocup.ipset
https://iplists.firehol.org/files/et_block.netset
https://iplists.firehol.org/files/et_compromised.ipset
https://iplists.firehol.org/files/firehol_level2.netset
https://iplists.firehol.org/files/firehol_level3.netset
https://iplists.firehol.org/files/normshield_high_attack.ipset
https://iplists.firehol.org/files/normshield_high_bruteforce.ipset
https://iplists.firehol.org/files/ransomware_online.ipset
https://iplists.firehol.org/files/ransomware_rw.ipset
https://iplists.firehol.org/files/spamhaus_edrop.netset
https://iplists.firehol.org/files/taichung.ipset
https://iplists.firehol.org/files/urandomusto_ssh.ipset
https://iplists.firehol.org/files/urandomusto_telnet.ipset
https://iplists.firehol.org/files/urlvir.ipset
https://iplists.firehol.org/files/uscert_hidden_cobra.ipset
The Skynet menu has a provision under Banmalware to exclude from this list
 
I'm using whatever is default. I have never changed anything. How do I determine which list is the source of the IP I'm currently having trouble with? Today's irritation is hosted on Squarespace's 198.185.159.0/24 block.
 
I don't see where post #2 shows me how to locate the list containing a specific IP. Did I miss it?

NM - Found it
 
Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Debug Mode
Code:
sh /jffs/scripts/firewall settings debugmode enable
2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch
Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST="; it should look something like this:
Code:
DST=175.115.37.52
4.) Double check the IP is not actually something that should be banned; use a search tool like alienvault. If it's related to a domain, additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
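
The "look for a flood from the same IP" step above, as an added example that is not part of the original post or of Skynet: it tallies the `DST=` address of every `[BLOCKED - OUTBOUND]` line read on stdin and lists the addresses blocked most often. The function names and the sample lines are constructed for illustration (iptables LOG-style fields, placeholder addresses apart from the post's own example IP).

```shell
# Added example, not Skynet code: rank blocked outbound destinations by hit count.

top_blocked_dst() {
    # stdin = saved debug/log lines, $1 = minimum hits to report (default 3)
    awk -v min="${1:-3}" '
        /\[BLOCKED - OUTBOUND\]/ {
            # Find the DST= field wherever it sits on the line
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DST=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    count[substr($i, 5)]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }' | sort -rn
}

sample_log() {
    # Constructed sample lines; the INBOUND tag and all field values are assumptions
    cat <<'EOF'
kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 PROTO=TCP SPT=50122 DPT=443
kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.1 PROTO=TCP SPT=4431 DPT=23
kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 PROTO=TCP SPT=50123 DPT=443
kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.9 PROTO=UDP SPT=5353 DPT=53
kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 PROTO=TCP SPT=50124 DPT=443
kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.1 PROTO=TCP SPT=4432 DPT=23
kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 PROTO=TCP SPT=50125 DPT=443
EOF
}

# Only destinations blocked at least 3 times are listed, busiest first
sample_log | top_blocked_dst 3
```

An address that tops this list should still go through the step 4 check before it is whitelisted.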
 
I'm using whatever is default. I have never changed anything. How do I determine which list is the source of the IP I'm currently having trouble with? Today's irritation is hosted on Squarespace's 198.185.159.0/24 block.
Unfortunately (or fortunately) Skynet does not leave its downloads for us to grep. So you would either download in your browser and search each one or write a wget loop script through the list and grep from there.

In the case of squarespace, I found it easier to give Skynet the DNS name ext-cust.squarespace.com and it would whitelist all four of the IP addresses.

What I could gather from pi-hole tickets was that Squarespace hosts dozens or perhaps hundreds of customers on these IP addresses. One bad actor caused the lot to be banned. At least two local businesses which are not hacked or hosting malware use ext-cust.squarespace.com.
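
The "wget loop and grep" idea from this post, as an added example that is not part of the original post or of Skynet. It goes one step past a plain grep: the lists hold CIDR ranges as well as single addresses, so the check tests range membership. All function names are hypothetical and the sample list files are constructed, not real feed contents.

```shell
# Added example, not Skynet code: find which downloaded blocklists cover an IPv4
# address. Entries may be CIDR ranges, so a plain grep for the IP can miss them.

fetch_lists() {
    # $1 = file with one list URL per line, $2 = download directory (needs network)
    mkdir -p "$2"
    while read -r url; do
        [ -z "$url" ] || wget -q -O "$2/${url##*/}" "$url" || echo "fetch failed: $url" >&2
    done < "$1"
}

list_covers_ip() {
    # $1 = IPv4 address, $2 = list file; prints the covering entry, exit 0 on a hit
    awk -v ip="$1" '
        function toint(a,   o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        BEGIN { target = toint(ip) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            n = split($1, part, "/")
            bits = (n == 2) ? part[2] : 32   # bare address counts as a /32
            size = 2 ^ (32 - bits)           # number of addresses in the range
            if (int(target / size) == int(toint(part[1]) / size)) {
                print $1; found = 1; exit
            }
        }
        END { exit !found }' "$2"
}

find_lists_for_ip() {
    # $1 = IPv4 address, $2 = directory of lists; prints "file: entry" for each hit
    for f in "$2"/*set; do
        [ -f "$f" ] || continue
        hit=$(list_covers_ip "$1" "$f") && echo "${f##*/}: $hit"
    done
    return 0
}

make_sample_lists() {
    # Constructed sample data standing in for downloaded feeds (not real list contents)
    mkdir -p "$1"
    printf '# constructed\n203.0.113.0/24\n198.185.159.0/24\n' > "$1/sample_a.netset"
    printf '# constructed\n198.51.100.7\n192.0.2.44\n' > "$1/sample_b.ipset"
}

demo="${TMPDIR:-/tmp}/list_demo.$$"
make_sample_lists "$demo"
find_lists_for_ip 198.185.159.10 "$demo"
rm -rf "$demo"
```

For a real lookup, save the list URLs one per line, run `fetch_lists` on that file, then call `find_lists_for_ip` with the blocked address and the download directory.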
 
