Skynet Skynet - Router Firewall & Security Enhancements

[nakti]

Yes.

If you don't want to see them, run Skynet, select 11 (settings), then 3 (debug mode). This will stop the blocked messages, at the expense of Skynet not being able to collect statistics.

Or, install scribe ... (https://www.snbforums.com/threads/scribe-syslog-ng-and-logrotate-installer.55853/) which will shuffle them off to their own file for Skynet to use for statistics.

Wow nice thank you

 

[YGator]

I am getting the following error when doing iot list: grep: /var/lib/misc/dnsmasq.leases: No such file or directory
It seems to be doing this to lookup the name from the ip. I do not use dhcp on the router as my NAS does this. Looking at firewall.sh I see it does this in 5 different places.

I would still like the functionality. Would I be able to create this file myself or would it break something on the router?

Thanls

 

[Jumpstarter]

what does this securemode do inside skynet?

 

[Butterfly Bones]

what does this securemode do inside skynet?

Here is the explanation when it was added.
https://www.snbforums.com/threads/r...urity-enhancements.16798/page-135#post-408577

 

[Jumpstarter]

Here is the explanation when it was added.
https://www.snbforums.com/threads/r...urity-enhancements.16798/page-135#post-408577

Thanks --- much appreciated.

 

[Adamm]

I would still like the functionality. Would I be able to create this file myself or would it break something on the router?

I guess you could as we only read it to identify devices, keep in mind you would have to generate the file after every reboot and format it correctly.

 

[CaptainSTX]

While I am waiting for my AC86 to go through the RMA process I had to put my trusty old N66 back on duty. It runs the 380.70 version of Merlin's firmware.

Is there a version of Skynet that will run on this router? I have AMTM running, Entware is also running but using AMTM to install Skynet generates this error message. Not a big deal but after having the added protection of Skynet on a router that's firware is outdated would be reassuring.

Skynet install failed,
IPSet version on router not supported:

ipset v4.5, protocol version 4.
Kernel module protocol version 4.

 

[Adamm]

While I am waiting for my AC86 to go through the RMA process I had to put my trusty old N66 back on duty. It runs the 380.70 version of Merlin's firmware.

Is there a version of Skynet that will run on this router? I have AMTM running, Entware is also running but using AMTM to install Skynet generates this error message. Not a big deal but after having the added protection of Skynet on a router that's firware is outdated would be reassuring.

Skynet install failed,
IPSet version on router not supported:

ipset v4.5, protocol version 4.
Kernel module protocol version 4.

Unfortunately the kernel is too old on the N66U to support the required version of IPSet (not to mention comment support which was added around July 2017).

 

[CaptainSTX]

Unfortunately the kernel is too old on the N66U to support the required version of IPSet (not to mention comment support which was added around July 2017).

Thanks for confirming this. Will await the return of my AC86.

 

[Timmons]

What iblocklists does skynet have included? I have this newly installed and its complaining about the iblocklist-loader script i have too. https://github.com/RMerl/asuswrt-me...t-installation-instructions#iblocklist-loader.

 

[Adamm]

What iblocklists does skynet have included? I have this newly installed and its complaining about the iblocklist-loader script i have too. https://github.com/RMerl/asuswrt-me...t-installation-instructions#iblocklist-loader.

No, Skynet sources much more updated / better maintained lists from a range of reputable providers.

I also suggest against using iBlocklist lists as they are quite outdated, not to mention listing stolen paid content from other providers without permission.

 

[InkyRag]

Can anyone please help me. I installed on my AC3200 last firmware with diversion, skynet and stubby and keep getting :
[BLOCKED - OUTBOUND] IN=br0 OUT and [BLOCKED - INBOUND] IN=eth0 OUT
Is my router hacked? but how as i did not connected any device yet and did not visited any websites other than my router and speedtest, is like skynet is trying to connect SSH and is blocking by itself as I have no other explanation why I get these.
Re-formated USB again, flashed firmware and re-installed skynet but as soon it starts these messages pop in ever few seconds in my General Log from my router:

Apr 26 20:44:09 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=45.227.254.18 DST=80.193.42.71 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=13248 PROTO=TCP SPT=47569 DPT=10940 SEQ=1315582516 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:44:43 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=107.170.201.70 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=45984 DPT=27019 SEQ=266757155 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 26 20:45:41 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=45.227.254.18 DST=80.193.42.71 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=36968 PROTO=TCP SPT=47569 DPT=11324 SEQ=1608881948 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:46:29 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=45.227.254.18 DST=80.193.42.71 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=52608 PROTO=TCP SPT=47569 DPT=6415 SEQ=2185166791 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:46:52 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=198.108.67.59 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=38 ID=2141 PROTO=TCP SPT=34593 DPT=2382 SEQ=1309689697 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:49:38 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=f7:32:e2:a4:cb:20:68:db:ca:03:34:6e:08:00 SRC=192.168.11.181 DST=216.58.204.65 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54565 DPT=443 SEQ=3218075528 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303070101080A13B728720000000004020000)
Apr 26 20:50:04 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=f7:32:e2:a4:cb:20:68:db:ca:03:34:6e:08:00 SRC=192.168.11.181 DST=216.58.204.65 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54625 DPT=443 SEQ=65539496 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303070101080A13B78E170000000004020000)
Apr 26 20:50:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=f7:32:e2:a4:cb:20:68:db:ca:03:34:6e:08:00 SRC=192.168.11.181 DST=216.58.204.65 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54625 DPT=443 SEQ=65539496 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303070101080A13B791FF0000000004020000)
Apr 26 20:50:06 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=f7:32:e2:a4:cb:20:68:db:ca:03:34:6e:08:00 SRC=192.168.11.181 DST=216.58.204.65 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54625 DPT=443 SEQ=65539496 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303070101080A13B795EA0000000004020000)
Apr 26 20:50:08 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=f7:32:e2:a4:cb:20:68:db:ca:03:34:6e:08:00 SRC=192.168.11.181 DST=216.58.204.65 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54625 DPT=443 SEQ=65539496 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303070101080A13B79DBD0000000004020000)
Apr 26 20:52:36 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=46.232.112.20 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=61559 PROTO=TCP SPT=48083 DPT=13944 SEQ=1382935879 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:52:40 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=92.118.37.86 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=19484 PROTO=TCP SPT=41116 DPT=36981 SEQ=3391878945 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:52:43 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=81.22.45.185 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=21379 PROTO=TCP SPT=40466 DPT=2350 SEQ=3612504549 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:53:03 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=139.162.126.103 DST=80.193.42.71 LEN=57 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=UDP SPT=53538 DPT=53 LEN=37
Apr 26 20:53:36 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=45.227.254.18 DST=80.193.42.71 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=24649 PROTO=TCP SPT=47569 DPT=8401 SEQ=671574992 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:53:39 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=139.59.154.219 DST=80.193.42.71 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=49223 PROTO=TCP SPT=34153 DPT=22 SEQ=1739069709 ACK=1615319642 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Apr 26 20:54:15 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=185.176.27.6 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=18739 PROTO=TCP SPT=50797 DPT=1026 SEQ=27223673 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 21:00:08 Skynet: [#] 137219 IPs (+0) -- 1581 Ranges Banned (+0) || 392 Inbound -- 313 Outbound Connections Blocked! [save] [8s]

I've got hundreds of these [BLOCKED - INBOUND] entries one every 20 seconds or so that has been going on for days. Will these clowns eventually give up and go away? Is this normal?

 

[Adamm]

I've got hundreds of these [BLOCKED - OUTBOUND] entries one every 20 seconds or so that has been going on for days. Will these clowns eventually give up and go away? Is this normal?

Outbound indicates one of your local devices are trying to connect to a blocked IP. You can use the various stat commands to get a better indication of what exactly is being blocked.

 

[InkyRag]

Outbound indicates one of your local devices are trying to connect to a blocked IP. You can use the various stat commands to get a better indication of what exactly is being blocked.

Sorry, I cut and pasted the wrong term and have corrected my post above. I meant to say [BLOCKED - INBOUND]. I don't have any outbound blocks.

 

[Adamm]

Sorry, I cut and pasted the wrong term and have corrected my post above. I meant to say [BLOCKED - INBOUND]

Ah makes sense. Those hits are just the reality of the modern internet, bots are constantly scanning for vulnerabilities. I get around 50k hits per week on average.

 

[InkyRag]

Ah makes sense. Those hits are just the reality of the modern internet, bots are constantly scanning for vulnerabilities. I get around 50k hits per week on average.

Thanks for the reply Adamm. The fact that you get around 50k hits per week gives me some comfort that you have a lot of data points for keeping the blacklist up to date.

 

[sbsnb]

There is a standardized method for swap management for the scriptwriters of this community to simplify support requests and interaction between scripts.

swapon "$(grep -E "^swapon " /jffs/scripts/post-mount | awk '{print $2}')" 2>/dev/null

I highly suggest you leave swap management to these scripts as it works flawlessly, otherwise it's up to you to make your own implementation work. As you can see the regex specifically looks for "^swapon" to prevent false positives on incorrect entries.

The issue is that Skynet is taking my swapon out of the loop that makes sure it only executes if Entware is the mounted volume. I can edit Skynet to stop doing that, but I presume every automatic update will override my change.

 

[cmkelley]

The issue is that Skynet is taking my swapon out of the loop that makes sure it only executes if Entware is the mounted volume. I can edit Skynet to stop doing that, but I presume every automatic update will override my change.

if your swapon statement is indented, unindent it.

This will get removed/replaced

if $entware_drive; then
    swapon $myswap
fi

This (should) not get removed/replaced

if $entware_drive; then
swapon $myswap
fi

At least that works for me.

 

[sbsnb]

Thanks. Looks like /jffs/firewall just needs a minor adjustment from grep -E "^swapon" to grep -E "^\W*swapon".

 

[Bogey]

I just found out that Diversion is blocking Google searches
How is that even possible?
When I go through the stats and look up the culprit, I see it’s whitelisted: https://otx.alienvault.com/indicator/ip/172.217.168.228
How can it get blocked by my router? And more important how can I fix this?

Edit: it should be “I just found out that Skynet is blocking Google searches”