Skynet - Router Firewall & Security Enhancements

@Adamm, I apologize in advance for the really noob question... how/where can I find instructions on how to use OpenVPN to access my home network remotely? I currently have an RT-AC86U. Thanks!
Better late than never

https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/

Some of the fields on the screen have changed since I wrote the instructions. I promise to get it updated when I return from my road trip in approximately two weeks. But you should be able to work thru the differences.
 
Noob questions

I just disabled the built-in AI protection on my Asus router in favour of installing and using Skynet.
Skynet installed without any issues via AMTM. (I used all the default recommendations during the install)
How do I know that it is actually working? Is there anything else I need to set/tweak?
I should also add that I had Diversion and Stubby installed prior to Skynet. Are there any needed adjustments to any of those services now that Skynet is installed?

Thanks in advance.

No tweaks necessary, I use Skynet defaults. I did ban some countries but that is optional.

I don’t use AiProtect either for same reasons and Skynet still does a great job all on its own.
 
What is the purpose of blocking countries manually? Would not any harm coming from those countries be blocked by Skynet already? I'm not being critical of the feature, I'm just trying to understand it.

thanks, Bj

If you’re happy letting your devices connect to any country then the feature is useless to you. It’s a personal choice. There’s nothing much else to say.
 
Do you have any suggestions for banning Google smart speakers from calling home? I have been messing around with Ban devices, however all I end up with is an unusable blocked device.

thanks, Bj

For what purpose do you wish to block internet access for a smart speaker? Do you not use internet features? Music streaming? Google search? Without internet the device would be unusable for its primary functions... you may as well have purchased a dumber speaker. I know some Sonos models can be kept offline and still usable for playback from LAN UPnP media servers. After a while they demand internet back for reactivation.
 
What is the purpose of blocking countries manually? Would not any harm coming from those countries be blocked by Skynet already? I'm not being critical of the feature, I'm just trying to understand it.
I block the "big four": China, Iran, Russia, North Korea. All pretty renowned for their hacking. Of course any skilled hacker worth their salt will VPN somewhere else, but no sense in making it easier for them. Plus a lot of my IoT things use AWS for C2, but still "call back" to China for reasons unbeknownst to me... blocking China solves THAT problem. Of course, I have to un-block it whenever my in-laws come over because they use WeChat for everything. :rolleyes:

The reason I disabled it is because I just read that it sends all sort of info from your network (i.e. email, web browsing, etc) to TrendMicro which I find terribly invasive :( This is even included in the agreement they make you consent to upon activating that feature.
TrendMicro uses participating routers as "sensors" on the internet, so they can see what traffic is going on. DDoS, intrusion techniques, & etc. I'm sure the "email" part is scanning for malicious attachments or "call back" activity. I'm also sure they use this data to provide more customized services to paying customers, but I'm not particularly worried about them trying to exploit my personal information by being inside my encryption like VPNFilter or something.
 
I block the "big four": China, Iran, Russia, North Korea. All pretty renowned for their hacking. Of course any skilled hacker worth their salt will VPN somewhere else, but no sense in making it easier for them. Plus a lot of my IoT things use AWS for C2, but still "call back" to China for reasons unbeknownst to me... blocking China solves THAT problem. Of course, I have to un-block it whenever my in-laws come over because they use WeChat for everything. :rolleyes:

TrendMicro uses participating routers as "sensors" on the internet, so they can see what traffic is going on. DDoS, intrusion techniques, & etc. I'm sure the "email" part is scanning for malicious attachments or "call back" activity. I'm also sure they use this data to provide more customized services to paying customers, but I'm not particularly worried about them trying to exploit my personal information by being inside my encryption like VPNFilter or something.
It's a bit of a catch-22, everyone wants up to date threat information, but no-one wants to send the data to the people who are playing whack-a-mole with the black hats. All of the personal routers sending threat information back to the white hats help them identify new attacks quickly, and maybe even have a better idea of where they're coming from. If everyone kept their routers from sending data back to Trend, then Trend's ability to fight new attacks would be severely hampered.
 
TrendMicro uses participating routers as "sensors" on the internet, so they can see what traffic is going on. DDoS, intrusion techniques, & etc. I'm sure the "email" part is scanning for malicious attachments or "call back" activity. I'm also sure they use this data to provide more customized services to paying customers, but I'm not particularly worried about them trying to exploit my personal information by being inside my encryption like VPNFilter or something.
It's a bit of a catch-22, everyone wants up to date threat information, but no-one wants to send the data to the people who are playing whack-a-mole with the black hats. All of the personal routers sending threat information back to the white hats help them identify new attacks quickly, and maybe even have a better idea of where they're coming from. If everyone kept their routers from sending data back to Trend, then Trend's ability to fight new attacks would be severely hampered.
+1 ;):)
 
You might want to block the US as well, since it's the country from which the largest amount of DDoS traffic is coming:

https://www.statista.com/statistics/440582/ddos-attack-traffic-by-originating-country/

Just saying...
+1
The country block thing may have been a security strategy 20 years ago but we have way more granular control now, such broad spectrum blocking is no longer necessary. We have solutions like Skynet that allow the option of blocking IPs and IP ranges. Way more control than a country block.
Just saying...
 
You might want to block the US as well, since it's the country from which the largest amount of DDoS traffic is coming:
https://www.statista.com/statistics/440582/ddos-attack-traffic-by-originating-country/
Just saying...
Agree entirely, but the cost-benefit isn't there for websites-I-use-regularly-vs-inconvenience. ;)
+1
The country block thing may have been a security strategy 20 years ago but we have way more granular control now, such broad spectrum blocking is no longer necessary. We have solutions like Skynet that allow the option of blocking IPs and IP ranges. Way more control than a country block.
Just saying...
Sure! But for a Chinese or Russian or Country service, it's probably easier to just whitelist a few IPs/domains; you still have to figure out what those are. For example, I'd be glad to whitelist *.wechat IPs, but then the in-laws do a lot of internet browsing through the WeChat app, so then I have to figure out what sites they're looking at... easier to just block China when they're not around and unblock when they come back.

Edit: this is getting away from the main topic of this thread. Point being, different people might have different reasons for country bans. ;)
 
JamieZX

Did you say something about blocking in-laws at your home?

Bj

He will have to set a donate button if he gets that piece of code working reliably! :D
 
Can someone help me out with this question please. I had BOTH Skynet and Diversion installed but I decided to uninstall Diversion and I'm not sure which one made you change the IP POOL STARTING ADDRESS under LAN- DHCP Server settings in Asus (was it Skynet or Diversion).

Thanks in advance.
 
Can someone help me out with this question please. I had BOTH Skynet and Diversion installed but I decided to uninstall Diversion and I'm not sure which one made you change the IP POOL STARTING ADDRESS under LAN- DHCP Server settings in Asus (was it Skynet or Diversion).

Thanks in advance.

You are referring to Diversion which reserves an IP for pixelserv
 
You are referring to Diversion which reserves an IP for pixelserv

Great. Thank you! I changed the IP Pool Starting Address back to default then since I removed Diversion.

Another thing...with Skynet installed + AiProtection enabled, is it necessary/recommended to have "DoS Protection" enabled under Firewall settings or is it best to disable it?
 
Great. Thank you! I changed the IP Pool Starting Address back to default then since I removed Diversion.

Another thing...with Skynet installed + AiProtection enabled, is it necessary/recommended to have "DoS Protection" enabled under Firewall settings or is it best to disable it?

DoS protection is just a fancy term for rate limiting with iptables. I don't have a use for it, but there is probably some specific use case where people would actually need to use it.
 
Can someone help me out with this question please. I had BOTH Skynet and Diversion installed but I decided to uninstall Diversion and I'm not sure which one made you change the IP POOL STARTING ADDRESS under LAN- DHCP Server settings in Asus (was it Skynet or Diversion).

Thanks in advance.
Possibly better for the Diversion thread, but why did you uninstall that script?
 
I thought it might have been overkill since I was using a browser adblocker extension.

I ended up re-installing Diversion again to go along w/ Skynet. Premature decision to remove it on my part I guess.
Heh, I still use Adblock Plus on my browser, even with Skynet and Diversion installed. A few still manage to sneak their way through and get caught by ABP.
 
I was a big fan of browser extensions for blocking ads and trackers until I met Diversion. In my experience so far, it's a much cleaner and more efficient approach to addressing the problem. Working with Diversion is very easy and I am no Terminal guru by any stretch :D

A huge thank you to the fascinating brains behind such art :)
 
