Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

None manually

Okay please run the unban all command now we have debug mode enabled so we can properly track this from the beginning.

sh /jffs/scripts/firewall unban all

 

[darkony]

Here new log after unban

Watching Logs For Debug Entries (ctrl +c) To Stop

Jun  3 19:51:16 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=2043 DF PROTO=TCP SPT=33869 DPT=49208 SEQ=709643035 ACK=1080016831 WINDOW=65535 RES=0x00 ACK SYN URGP=0 OPT (020405B40103030001010402)
Jun  3 19:51:18 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=61 TOS=0x00 PREC=0x00 TTL=51 ID=2339 PROTO=UDP SPT=64225 DPT=25871 LEN=41
Jun  3 19:51:19 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=2461 DF PROTO=TCP SPT=33869 DPT=49208 SEQ=709643035 ACK=1080016831 WINDOW=65535 RES=0x00 ACK SYN URGP=0 OPT (020405B40103030001010402)
Jun  3 19:51:19 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=2463 DF PROTO=TCP SPT=33869 DPT=49208 SEQ=709643036 ACK=1080016831 WINDOW=65535 RES=0x00 ACK URGP=0
Jun  3 19:51:19 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=2464 PROTO=UDP SPT=64225 DPT=25871 LEN=28 MARK=0x81850003
Jun  3 19:51:19 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=58 TOS=0x00 PREC=0x00 TTL=51 ID=2530 PROTO=UDP SPT=64225 DPT=25871 LEN=38
Jun  3 19:51:25 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=3038 DF PROTO=TCP SPT=33869 DPT=49208 SEQ=709643035 ACK=1080016831 WINDOW=65535 RES=0x00 ACK SYN URGP=0 OPT (020405B40103030001010402)
Jun  3 19:51:25 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=3063 DF PROTO=TCP SPT=33869 DPT=49208 SEQ=709643036 ACK=1080016831 WINDOW=65535 RES=0x00 ACK URGP=0
Jun  3 19:51:25 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=3084 PROTO=UDP SPT=64225 DPT=25871 LEN=28
Jun  3 19:51:25 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=58 TOS=0x00 PREC=0x00 TTL=51 ID=3155 PROTO=UDP SPT=64225 DPT=25871 LEN=38 MARK=0x4193005e
^C

 

[darkony]

None of them are asuswebstorage all are my provider IPs, but app not working.

 

[yk101]

If you have been running asustore when you captured the log above, the I would try un-banning 210.65.113.218. It does come from Taiwan, which is the proper country for asus, and it looks [to me] as if it is responding to the port 443 request. Don't whitelist it just yet - just un-ban it and try connecting again.

 

[Adamm]

None of them are asuswebstorage all are my provader IPs, but app not working.

You're going to have to run the script in "noauto" mode from the installer for the time being if you wish to use asuswebstorage (then run unban all again). I'll have to investigate when I have some free time as clearly it doesn't play nice with the SPI firewall.

 

[returntrip]

Does this script block ms telemetry, shodan, etc, in a s similar way to https://www.snbforums.com/threads/yet-another-malware-block-script-using-ipset-v4-and-v6.38935/?

 

[darkony]

Thanks all for helping, but will use noauto mode. Also it should't block my ISP provider.

 

[Adamm]

Does this script block ms telemetry, shodan, etc, in a s similar way to https://www.snbforums.com/threads/yet-another-malware-block-script-using-ipset-v4-and-v6.38935/?

It doesn't specifically block the list he compiled but this can be done fairly easily (I'll improve the import command tomorrow to make it even easier but for the time being use this).

Make a script with the following contents and execute it;

/usr/sbin/wget https://raw.githubusercontent.com/shounak-de/misc-scripts/master/telemetry_and_scanners.txt -qO- | grep -E '^[0-9,\.]*$' | while IFS= read -r ip
    do
    ipset -q -A Blacklist $ip
done

 

[Adamm]

The import/deport commands have now been simplified. They will now extract all IP's from a URL specified and ban/unban them accordingly.

sh /jffs/scripts/firewall import URL

sh /jffs/scripts/firewall deport URL

This should work with most third party lists.

 

[faria]

Hi guys, Thanks Adamm for all your work, long time user here of your old one,
im having anissue with the update script, all my new bans are populated with 0.0.0.0 ip as the source, as such:
Jun 4 16:26:37 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:7f:f3:f3:c6:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=144 TOS=0x00 PREC=0x00 TTL=255 ID=24208 PROTO=UDP SPT=514 DPT=4944 LEN=124

Anyone knows whats going on?
thanks.

rt-ac87u
merlin 380.66_4

 

[Adamm]

Hi guys, Thanks Adamm for all your work, long time user here of your old one,
im having anissue with the update script, all my new bans are populated with 0.0.0.0 ip as the source, as such:
Jun 4 16:26:37 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:7f:f3:f3:c6:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=144 TOS=0x00 PREC=0x00 TTL=255 ID=24208 PROTO=UDP SPT=514 DPT=4944 LEN=124

Anyone knows whats going on?
thanks.

rt-ac87u
merlin 380.66_4

Thanks. Hard to say exactly whats causing it without further debugging, but with an IP like that you should be safe to whitelist 0.0.0.0

sh /jffs/scripts/firewall whitelist 0.0.0.0

 

[dandle]

Hi Adamm.

First I'd like to say this is an awesome script. Thanks a lot for working on this. Just a small thing, is there a way to change the location of where the ipset.txt and malwarelist.txt are located? They're currently sitting in /jffs/scripts and are taking up 7MB and 3MB respectively of storage. If possible I'd like to move it to a USB location.

 

[Adamm]

Hi Adamm.

First I'd like to say this is an awesome script. Thanks a lot for working on this. Just a small thing, is there a way to change the location of where the ipset.txt and malwarelist.txt are located? They're currently sitting in /jffs/scripts and are taking up 7MB and 3MB respectively of storage. If possible I'd like to move it to a USB location.

At the moment without manual edits you can't, but I'll work on adding USB support tonight.

 

[faria]

Thanks. Hard to say exactly whats causing it without further debugging, but with an IP like that you should be safe to whitelist 0.0.0.0

sh /jffs/scripts/firewall whitelist 0.0.0.0

Hi Adamm, i have tracked down the issue.
It was cause by my Draytek 150 dsl modem, what gave it away was that when i rebooted the modem the log got flooded with above log entries, then after some research i came across this here

"PPPoE and log messages 0.0.0.0 => 255.255.255.255 Port 4944
MARCH 9, 2017 WERNER MAIER COMMENT ON
For some installations, the WatchGuard displays the following log messages (Deny) on the external interface in conjunction with PPPoE modems:

Source: 0.0.0.0
Destination: 255.255.255.255
Port 4944
Protocol: udp

Cause: These are management broadcasts from the modem to the router behind it. If the modem has "too much intelligence" and wants to inform the router (here: WatchGuard) by broadcasting the status of the DSL line, this package will occur.

Last seen in connection with a Draytek Vigor 130 as a PPPoE modem on a VDSL-100/40 line.

Remedy: The management broadcast can often be switched off in the router. The Draytek under:

System Maintenance => Management => Device Management => [] Broadband DSL to LAN in LAN

Many thanks.

 

[Adamm]

Hi Adamm, i have tracked down the issue.
It was cause by my Draytek 150 dsl modem, what gave it away was that when i rebooted the modem the log got flooded with above log entries, then after some research i came across this here



Many thanks.

Nice find, in any case the script now whitelists entries like this upon first detection which should prevent you seeing it in future.

 

[Adamm]

Hi Adamm.

First I'd like to say this is an awesome script. Thanks a lot for working on this. Just a small thing, is there a way to change the location of where the ipset.txt and malwarelist.txt are located? They're currently sitting in /jffs/scripts and are taking up 7MB and 3MB respectively of storage. If possible I'd like to move it to a USB location.

As of v4.7.0 Skynet now supports full USB installation. To switch over, update and run the installer again. This will preserve your current installation (and you can move back to JFFS the same way).

 

[returntrip]

As of v4.7.0 Skynet now supports full USB installation. To switch over, update and run the installer again. This will preserve your current installation (and you can move back to JFFS the same way).

Updated and I can see the "skynet" folder being created in the USB stick. Thanks!

Sent from my Nexus 6P using Tapatalk

 

[dandle]

As of v4.7.0 Skynet now supports full USB installation. To switch over, update and run the installer again. This will preserve your current installation (and you can move back to JFFS the same way).

Hey, thanks alot for this! Small problem. After selecting option 1 for USB install this is the returning message

"USB Installation Selected
USB Mode Selected But sda1 Not Found - Exiting Installation"

Strange as Sda1 is active. It's how I have my absolutions installed.

 

[Adamm]

Hey, thanks alot for this! Small problem. After selecting option 1 for USB install this is the returning message

"USB Installation Selected
USB Mode Selected But sda1 Not Found - Exiting Installation"

Strange as Sda1 is active. It's how I have my absolutions installed.

Please post the output of the following commands;

ls /tmp/mnt

nvram get usb_path_sda1_label

 

[MarCoMLXXV]

Quick question to @Adamm: I had your script uninstalled for two days, as I messed something up and decided to start from scratch. As usually, the script had evolved rapidly and I was pleasantly surprised when during installation the following showed up:

Would You Like To Install Skynet To USB? (sda1)
Skynet By Default Is Installed To JFFS

1. Yes
2. No
Please Select Option (Number)

Unfortunately I had no other option then to select 2 (No), as /dev/sda1 is my swap partition. Any chance you could implement something like AB-Solution, where the installer lists the available devices and asks which one you want to use to install Skynet?