Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

As of v4.5.8 Skynet now supports Manual Ban logging/statistics.

I figured this was a pretty obvious missing functionality, now every time you manually ban an ip/range/domain the event will be logged and Skynet will be able to process this when using the stat commands.

This information will appear in the regular "firewall stats" command, and more in-depth detail provided in the new "firewall stats search manualbans" command;

sh /jffs/scripts/firewall stats search manualbans

Debug Data Detected in /jffs/skynet.log - 874.7K
Monitoring From May 29 20:33:47 To May 31 16:54:07
3292 Total Events Detected
1087 Unique IP Connections
103 Autobans Issued
6 Manual Bans Issued

First Manual Ban Issued On May 31 16:35:40
Last Manual Ban Issued On May 31 16:54:07

First Manual Ban Issued;
May 31 16:35:40 Skynet: [Manual Ban] TYPE=Domain SRC=77.104.158.168 Host=adzeba.in

10 Most Recent Manual Bans;
May 31 16:35:40 Skynet: [Manual Ban] TYPE=Domain SRC=77.104.158.168 Host=adzeba.in
May 31 16:35:45 Skynet: [Manual Ban] TYPE=Domain SRC=37.60.243.149 Host=scan-av.in
May 31 16:35:51 Skynet: [Manual Ban] TYPE=Domain SRC=212.224.124.112 Host=undbnu.pro
May 31 16:36:10 Skynet: [Manual Ban] TYPE=Domain SRC=199.101.135.115 Host=daily-chance.info
May 31 16:53:48 Skynet: [Manual Ban] TYPE=Single SRC=192.166.3.2
May 31 16:54:07 Skynet: [Manual Ban] TYPE=Range SRC=192.166.5.2/24

 

[HardCat]

@Adamm it looks as though the latest commit for "Use aggregated country lists" was not picked up by last night's auto update. Suspect that is because the version number did not change. Or, am I getting ahead of myself here?

 

[Adamm]

@Adamm it looks as though the latest commit for "Use aggregated country lists" was not picked up by last night's auto update. Suspect that is because the version number did not change. Or, am I getting ahead of myself here?

Correct, only updates with a version number change are picked up (unless you manually use the "update -f" command). Most updates I change the version, but for smaller changes or when I'm planning on pushing multiple in a short period I hold off.

 

[drg]

Hello @Adamm

There is a way to transform this script to make it compatible with ipset 4 ? I recently bought an AC66U with ipset 4.
I found your script the most complete, including manually adding new malicious IPs into the list.

Thank you

 

[Adamm]

Hello @Adamm

There is a way to transform this script to make it compatible with ipset 4 ? I recently bought an AC66U with ipset 4.
I found your script the most complete, including manually adding new malicious IPs into the list.

Thank you

Technically yes, but I don't plan to support IPSet v4 in the near future. Unfortunately older versions of IPSet don't support the "maxelems" argument, meaning each "IPSet" is limited to 65535 entries. To get this to work it would require me to continuously calculate and distribute entries throughout the script and have dynamically generated IPTables rules. Given that only the N66U and AC66U are the only two routers using this version due to an ancient kernel, I just don't think its worth the effort and added complexity. Sorry about that.

 

[drg]

Technically yes, but I don't plan to support IPSet v4 in the near future. Unfortunately older versions of IPSet don't support the "maxelems" argument, meaning each "IPSet" is limited to 65535 entries. To get this to work it would require me to continuously calculate and distribute entries throughout the script and have dynamically generated IPTables rules. Given that only the N66U and AC66U are the only two routers using this version due to an ancient kernel, I just don't think its worth the effort and added complexity. Sorry about that.

Thank you for the reply. It's no problem, I didn't knew about the V4 limitation, I thought there was a much simple solution.

Actually I wanted a script with which I could manually ban malicious IPs seen in syslog, with just a simple command argument + as a bonus, to have an already big list of already suspicious IPs to spare my manual entry.

I will check other firewall filter scripts over the forum.

Have a nice day and really appreciate the support

 

[yk101]

Hmm... What am I doing wrong here?

admin@RT-AC88U:/jffs/scripts# ./firewall ban country "cn br ir ua ar iq tw th lv ru ro"

#!/bin/sh

#############################################################################################################
#                  _____ _                     _           _  _                       #
#                  / ____| |                   | |         | || |                    #
#                | (___ | | ___   _ _ __   ___| |_  __   _| || |_                    #
#                  \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /__   _|                    #
#                  ____) |   <| |_| | | | |  __/ |_   \ V /   | |                    #
#                |_____/|_|\_\\__, |_| |_|\___|\__|   \_(_)  |_|                     #
#                              __/ |                                                 #
#                               |___/                                                   #
#                                                        #
## - 02/06/2017 -          Asus Firewall Addition By Adamm v4.6.2                    #
##                  https://github.com/Adamm00/IPSet_ASUS                    #
#############################################################################################################


##############################
###      Commands      ###
##############################
#      "unban"        # <-- Remove Entry From Blacklist (IP/Range/Domain/Port/Country/Malware/All/Nomanual)
#      "save"        # <-- Save Blacklists To /jffs/scripts/ipset.txt
#      "ban"            # <-- Adds Entry To Blacklist (IP/Range/Domain/Port/Country)
#      "banmalware"        # <-- Bans Various Malware Domains
#      "whitelist"        # <-- Add Entry To Whitelist (IP/Range/Domain/Port/Remove)
#      "import"        # <-- Import And Merge IPSet Save To Firewall
#      "deport"        # <-- Remove All IPs From IPSet Save From Firewall
#      "disable"        # <-- Disable Firewall
#      "debug"        # <-- Specific Debug Features (Restart/Disable/Watch/Info)
#      "update"        # <-- Update Script To Latest Version (check github for changes)
#      "start"        # <-- Initiate Firewall
#      "stats"        # <-- Print/Search Stats Of Recently Banned IPs (Requires debugging enabled)
#      "install"          # <-- Install Script (Or Change Boot Args)
#      "uninstall"        # <-- Uninstall All Traces Of Scent
##############################

Banning country
ipset v6.29: Syntax error: cannot parse country: resolving to IPv4 address failed
Saving Changes
Skynet: [Complete] 125340 IPs / 5303 Ranges banned. 0 New IPs / 0 New Ranges Banned. 130 IP / 156 Range Connections Blocked! [4s]
admin@RT-AC88U:/jffs/scripts#

I see the code in the script to do country bans, but for some reason my call is not getting there!

 

[Adamm]

I see the code in the script to do country bans, but for some reason my call is not getting there!

This was my mistake, when I added the "Is_IP ()" function I had a small typo in the regex which caused all input to be recognised as an IP address, I noticed this earlier by coincidence and pushed a fix. Sorry about that, two extra characters make all the difference

 

[yk101]

As always, thanks @Adamm!
New update works!

Removing Previous Country Bans
Banning Known IP Ranges For cn br ir ua ar iq tw th lv ru ro cl
Downloading Lists
Filtering IPv4 Ranges
Applying Blacklists
Saving Changes
Skynet: [Complete] 125343 IPs / 5303 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 2 Range Connections Blocked! [11s]
admin@RT-AC88U:/jffs/scripts#

 

[Adamm]

As always, thanks @Adamm!
New update works!

Removing Previous Country Bans
Banning Known IP Ranges For cn br ir ua ar iq tw th lv ru ro cl
Downloading Lists
Filtering IPv4 Ranges
Applying Blacklists
Saving Changes
Skynet: [Complete] 125343 IPs / 5303 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 2 Range Connections Blocked! [11s]
admin@RT-AC88U:/jffs/scripts#

I noticed your counter didn't change, that list of countries should be 22600 entries long. Maybe it was a counter error or there could be a bug specific to your setup, mind running the same command again to see if it changes?

Banning Known IP Ranges For cn br ir ua ar iq tw th lv ru ro
Downloading Lists
Filtering IPv4 Ranges
Applying Blacklists
Saving Changes
Skynet: [Complete] 118518 IPs / 27704 Ranges banned. 0 New IPs / 22600 New Ranges Banned. 121 IP / 64 Range Connections Blocked! [21s]

 

[yk101]

I noticed your counter didn't change, that list of countries should be 22600 entries long. Maybe it was a counter error or there could be a bug specific to your setup, mind running the same command again to see if it changes?

There is nothing special about my setup at the moment.

admin@RT-AC88U:/jffs/scripts# ./firewall ban country "cn br ir ua ar iq tw th lv ru ro cl"
#!/bin/sh
#############################################################################################################
#                  _____ _                     _           _  _                       #
#                  / ____| |                   | |         | || |                    #
#                | (___ | | ___   _ _ __   ___| |_  __   _| || |_                    #
#                  \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /__   _|                    #
#                  ____) |   <| |_| | | | |  __/ |_   \ V /   | |                    #
#                |_____/|_|\_\\__, |_| |_|\___|\__|   \_(_)  |_|                     #
#                              __/ |                                                 #
#                               |___/                                                   #
#                                                        #
## - 03/06/2017 -          Asus Firewall Addition By Adamm v4.6.3                    #
##                  https://github.com/Adamm00/IPSet_ASUS                    #
#############################################################################################################


##############################
###      Commands      ###
##############################

#      "unban"        # <-- Remove Entry From Blacklist (IP/Range/Domain/Port/Country/Malware/All/Nomanual)
#      "save"        # <-- Save Blacklists To /jffs/scripts/ipset.txt
#      "ban"            # <-- Adds Entry To Blacklist (IP/Range/Domain/Port/Country)
#      "banmalware"        # <-- Bans Various Malware Domains
#      "whitelist"        # <-- Add Entry To Whitelist (IP/Range/Domain/Port/Remove)
#      "import"        # <-- Import And Merge IPSet Save To Firewall
#      "deport"        # <-- Remove All IPs From IPSet Save From Firewall
#      "disable"        # <-- Disable Firewall
#      "debug"        # <-- Specific Debug Features (Restart/Disable/Watch/Info)
#      "update"        # <-- Update Script To Latest Version (check github for changes)
#      "start"        # <-- Initiate Firewall
#      "stats"        # <-- Print/Search Stats Of Recently Banned IPs (Requires debugging enabled)
#      "install"          # <-- Install Script (Or Change Boot Args)
#      "uninstall"        # <-- Uninstall All Traces Of Skynet
##############################

Removing Previous Country Bans
Banning Known IP Ranges For cn br ir ua ar iq tw th lv ru ro cl
Downloading Lists
Filtering IPv4 Ranges
Applying Blacklists
Saving Changes
Skynet: [Complete] 125343 IPs / 5303 Ranges banned. 0 New IPs / 0 New Ranges Banned. 166 IP / 29 Range Connections Blocked! [13s]
admin@RT-AC88U:/jffs/scripts#

 

[Adamm]

There is nothing special about my setup at the moment.

I'm sure its something silly causing this, I'm thinking wget

Can you please update to v4.6.4 which I just pushed and post the output of the following command;

sh -x /jffs/scripts/firewall ban country "cn br ir ua ar iq tw th lv ru ro cl"

 

[yk101]

+ date +%s
+ start_time=1496499850
+ export LC_ALL=C
+ Purge_Logs
+ du /jffs/skynet.log
+ awk {print $1}
+ [ 6550 -ge 7000 ]
+ sed -i /Aug  1 1/d /tmp/syslog.log-1
+ sed -i /Aug  1 1/d /tmp/syslog.log
+ sed /BLOCKED -/!d /tmp/syslog.log-1
+ sed -i /BLOCKED -/d /tmp/syslog.log-1
+ sed /BLOCKED -/!d /tmp/syslog.log
+ sed -i /BLOCKED -/d /tmp/syslog.log
+ [ -z country ]
+ echo country
+ Is_IP
+ grep -qE ^[0-9,\.]*$
+ [ country = range ]
+ [ country = domain ]
+ [ country = domain ]
+ [ country = country ]
+ [ -n cn br ir ua ar iq tw th lv ru ro cl ]
+ [ -f /jffs/scripts/countrylist.txt ]
+ echo Removing Previous Country Bans
Removing Previous Country Bans
+ sed s/add/del/g /jffs/scripts/countrylist.txt
+ ipset -q -R -!
+ echo Banning Known IP Ranges For cn br ir ua ar iq tw th lv ru ro cl
Banning Known IP Ranges For cn br ir ua ar iq tw th lv ru ro cl
+ echo Downloading Lists
Downloading Lists
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/br-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/ir-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/ua-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/ar-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/iq-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/tw-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/th-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/lv-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/ro-aggregated.zone -qO-
+ /usr/sbin/wget http://ipdeny.com/ipblocks/data/aggregated/cl-aggregated.zone -qO-
+ wc -l /tmp/countrylist.txt
+ awk {print $1}
+ echo 23091 Entries Collected
23091 Entries Collected
+ echo Filtering IPv4 Ranges
Filtering IPv4 Ranges
+ sed -n s/\r//;/^$/d;/^[0-9,\.,\/]*$/s/^/add BlockedRanges /p /tmp/countrylist.txt
+ grep -F /
+ awk !x[$0]++
+ echo Applying Blacklists
Applying Blacklists
+ ipset -q -R -!
+ rm -rf /tmp/countrylist.txt
+ echo Saving Changes
Saving Changes
+ ipset --save
+ Logging
+ nvram get Blacklist
+ OLDIPS=125343
+ nvram get BlockedRanges
+ OLDRANGES=5303
+ grep -Foc d Black /jffs/scripts/ipset.txt
+ nvram set Blacklist=125343
+ grep -Foc d Block /jffs/scripts/ipset.txt
+ nvram set BlockedRanges=5303
+ nvram get Blacklist
+ NEWIPS=125343
+ nvram get BlockedRanges
+ NEWRANGES=5303
+ nvram commit
+ iptables -vL -nt raw
+ grep -F Blacklist src
+ grep -Fv LOG
+ awk {print $1}
+ HITS1=1
+ iptables -vL -nt raw
+ grep -F BlockedRanges src
+ awk {print $1}
+ grep -Fv LOG
+ HITS2=0
+ date +%s
+ start_time=11
+ logger -st Skynet [Complete] 125343 IPs / 5303 Ranges banned. 0 New IPs / 0 New Ranges Banned. 1 IP / 0 Range Connections Blocked! [11s]
Skynet: [Complete] 125343 IPs / 5303 Ranges banned. 0 New IPs / 0 New Ranges Banned. 1 IP / 0 Range Connections Blocked! [11s]
admin@RT-AC88U:/jffs/scripts#

Same result. :-(

 

[Adamm]

Same result. :-(

Thanks, I think I found the issue. Please update to v4.6.5 and run;

rm -rf /jffs/scripts/countrylist.txt

Before the normal ban command.

 

[yk101]

OK, this time we got more ranges!

Banning Known IP Ranges For cn br ir ua ar iq tw th lv ru ro cl
Downloading Lists
23091 Entries Collected
Filtering IPv4 Ranges
Applying Blacklists
Saving Changes
Skynet: [Complete] 125343 IPs / 28301 Ranges banned. 0 New IPs / 22998 New Ranges Banned. 0 IP / 1 Range Connections Blocked! [14s]
admin@RT-AC88U:/jffs/scripts#

 

[Adamm]

OK, this time we got more ranges!

Awesome, again one misplaced character caused all the fuss, sorry about that!
It should work as normal in future without any extra commands needed.

Also, I noticed your stat log file is around 6.5Mb. Just out of curiosity how long does the "firewall stats" command take to execute on your AC88U with a log file that size?

 

[yk101]

Awesome, again one misplaced character caused all the fuss, sorry about that!
It should work as normal in future without any extra commands needed.

Also, I noticed your stat log file is around 6.5Mb. Just out of curiosity how long does the "firewall stats" command take to execute on your AC88U with a log file that size?

Not long at all:

Skynet: [Complete] 125343 IPs / 28301 Ranges banned. 0 New IPs / 0 New Ranges Banned. 4 IP / 434 Range Connections Blocked! [5s]

    Command being timed: "firewall stats 3"
    User time (seconds): 3.50
    System time (seconds): 2.13
    Percent of CPU this job got: 117%
    Elapsed (wall clock) time (h:mm:ss or m:ss): 0m 4.79s
    Average shared text size (kbytes): 0
    Average unshared data size (kbytes): 0
    Average stack size (kbytes): 0
    Average total size (kbytes): 0
    Maximum resident set size (kbytes): 6416
    Average resident set size (kbytes): 0
    Major (requiring I/O) page faults: 10
    Minor (reclaiming a frame) page faults: 30304
    Voluntary context switches: 10419
    Involuntary context switches: 10471
    Swaps: 0
    File system inputs: 0
    File system outputs: 0
    Socket messages sent: 0
    Socket messages received: 0
    Signals delivered: 0
    Page size (bytes): 4096
    Exit status: 0
admin@RT-AC88U:/jffs/scripts#

 

[Adamm]

Not long at all:

Good to know, thanks. Definitely an acceptable timer considering all the data its gathering/commands executing.

 

[darkony]

Hi can you help me since I have a problem with aplication "asuswebstorage"not connecting since install this script, I tried to debug while opening and logging in but no ip is shown.Also I get this error when starting debug 1st time the 2nd time I start it it is running but no ip as I said up there.

sed: /tmp/syslog.log: No such file or directory
sed: /tmp/syslog.log: No such file or directory
sed: /tmp/syslog.log: No such file or directory
Watching Logs For Debug Entries (ctrl +c) To Stop

tail: can't open '/tmp/syslog.log': No such file or directory
tail: no files

 

[yk101]

Hi can you help me since I have a problem with aplication "asuswebstorage"not connecting since install this script, I tried to debug while opening and logging in but no ip is shown.Also I get this error when starting debug 1st time the 2nd time I start it it is running but no ip as I said up there.

sed: /tmp/syslog.log: No such file or directory
sed: /tmp/syslog.log: No such file or directory
sed: /tmp/syslog.log: No such file or directory
Watching Logs For Debug Entries (ctrl +c) To Stop

tail: can't open '/tmp/syslog.log': No such file or directory
tail: no files

What do you get if you run ls -la /tmp ?