Skynet - Router Firewall & Security Enhancements

Thanks. Ah yes it appears the Unban list was overwritten by my latest entry (ports 5010 & 5060). So you have to retype all ports each time you update the list?


However that doesn't explain why Google DNS was blocked when I put it in the whitelist..??

Your config shows only the ports 5010,5060 are allowed, the blocked packets previously were coming from port 53.
 
Hi Adamm,

Skynet appears to be blocking ‘ravelry.com’.
This is causing protest from the more creative member of the household ;)
I have spent considerable time testing/whitelisting, & appear unable to fix.

Disabling Skynet does the job, but is hardly an ideal solution....
 
Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Debug Mode
Code:
sh /jffs/scripts/firewall settings debugmode enable
2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch
Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;
Code:
DST=175.115.37.52
4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If it's related to a domain, additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52


As per the guide, the IP in question is "151.139.128.10"


Code:
skynet@RT-AX88U-DC28:/tmp/home/root# sh /jffs/scripts/firewall stats search ip 151.139.128.10
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 24/05/2019 -           Asus Firewall Addition By Adamm v6.8.5                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


[i] Debug Data Detected in /tmp/mnt/USB/skynet/skynet.log - 6.7M
[i] Monitoring From Jul 25 17:24:33 To Aug 3 18:01:15
[i] 29538 Block Events Detected
[i] 4015 Unique IPs
[i] 0 Manual Bans Issued

151.139.128.10 is NOT in set Skynet-Whitelist.
151.139.128.10 is in set Skynet-Blacklist.
151.139.128.10 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: firehol_level3.netset"


Associated Domain(s);
w4t7i8d6.stackpathcdn.com
g2s2z8r3.stackpathcdn.com
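
Added example, not part of the original post and not Skynet's own code: a small POSIX shell helper that does steps 2 and 3 of the guide on a saved log excerpt, counting [BLOCKED - OUTBOUND] lines per DST= address so the flooded destination stands out. The log lines are constructed in the usual iptables LOG layout, and `sample_log` and `top_blocked_dst` are hypothetical names.

```shell
#!/bin/sh
# Added example. Log lines below are constructed (iptables LOG layout);
# sample_log and top_blocked_dst are hypothetical helper names.

sample_log() {
cat <<'EOF'
Aug  3 18:00:01 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 TTL=63 PROTO=TCP SPT=51514 DPT=443
Aug  3 18:00:02 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 TTL=63 PROTO=TCP SPT=51515 DPT=443
Aug  3 18:00:02 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TTL=241 PROTO=TCP SPT=40022 DPT=23
Aug  3 18:00:03 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 TTL=63 PROTO=TCP SPT=51516 DPT=80
Aug  3 18:00:04 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.9 LEN=76 TTL=63 PROTO=UDP SPT=40111 DPT=123
Aug  3 18:00:05 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 TTL=63 PROTO=TCP SPT=51517 DPT=443
EOF
}

# top_blocked_dst [MIN_HITS]
# Reads log lines on stdin and prints "hits ip ports" for every destination
# that was blocked outbound at least MIN_HITS times (default 3), busiest first.
top_blocked_dst() {
    min_hits="${1:-3}"
    awk -v min="$min_hits" '
        /\[BLOCKED - OUTBOUND\]/ {
            dst = ""; dpt = "-"
            # Fields are KEY=VALUE tokens; pick out destination IP and port.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dst == "") next
            hits[dst]++
            # Remember each destination port once, in first-seen order.
            if (!seen[dst, dpt]++)
                ports[dst] = (ports[dst] == "" ? dpt : ports[dst] "," dpt)
        }
        END {
            for (d in hits)
                if (hits[d] >= min) print hits[d], d, ports[d]
        }' | sort -k1,1nr
}

# Stand-alone run on the constructed sample.
sample_log | top_blocked_dst 3
```

The address at the top of the output is the candidate to check in step 4 before whitelisting. On a router the function can read the debug log named in the stats output, for example `top_blocked_dst 3 < /tmp/mnt/USB/skynet/skynet.log`, assuming its lines carry the same tag and `DST=` field.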
 
Many many thanks!
Your attention much appreciated.
 
I don't have an internet connection and cannot access the skynet menu due to "Skynet: Waiting for NTP to sync".
Since I have no internet connection, I cannot access the menu. *sigh*

How can I access the menu?
Or how can I uninstall skynet from putty command line?
 
It's not Skynet - NTP hasn't synced. Skynet won't have even started (hence the message)
 
ok, but how can I access the skynet menu?
I think what @Jack Yaz is saying is you need to figure out why your NTP hasn't synced since that's the error it is given. What settings do you have for NTP?
 
I would try turning on Merlin's built-in NTP and leave that running for a min.

Then turn it off and restart skynet.
 
The router doesn't have an internet connection, hence NTP cannot sync, hence I cannot access skynet menu.

@Makaveli
I tried that, skynet still says "Skynet: Waiting for NTP to sync"...

@Adamm
Is there no possibility to access skynet menu, when the router has no internet connection?
 
Skynet relies on accurate logging so it won't start up or work unless NTP has sync'd. The issue is with your NTP configuration.
 
What I think you're saying is, the router is physically not connected to the internet, perhaps you don't have a cable plugged into the WAN port, and you want to remove skynet? *IF* that is what you mean then;
  1. Use the 'date' command to set the router date and time to something reasonably close (within a minute or so) to prevent other issues (see https://linux.die.net/man/1/date for format)
  2. Tell the router that ntp has synced.
So, when logged into the router via ssh, type something like;
Code:
date 0805140019
nvram set ntp_ready=1
nvram commit
would set the system time to August 5th, 2019 at 14:00. This will allow you to get into Skynet to uninstall it. Using this to trick the router into believing it has NTP access though will almost certainly leave your router in an unstable state, so you should reboot your router after removing Skynet.

If your router is physically connected to the internet and you just don't have connectivity, please solve that problem first. Skynet is definitely not the problem, it doesn't start until NTP is synced, which in turn requires connectivity, so Skynet cannot possibly be the problem. :)
 
What is the proper way to block an IP that is in the default whitelist? I can manually remove the IP from the whitelist, but will it come back when Skynet updates itself?

Maybe I'm going about it the wrong way and the proper question is, "How do I stop built-in default whitelists from overriding manual bans?"
 
The default whitelist consists of a few major CDNs (Apple AS714 | Akamai AS12222 AS16625 | HighWinds AS33438 | Fastly AS54113), this list is regenerated every time banmalware is run.

There's currently no way to disable this due to the fact websites etc. using these services will have rotating IPs, therefore I didn't see a need at the time. I could probably add a toggle for it if the demand is there.
 
I'm sure the demand to be able to block IPs inside CDN space is very small. I encounter the need occasionally. Sometimes an AWS host is doing malicious stuff before Amazon boots them. In this case I am trying to ban the entire Cloudflare IP space (I know it will block my access to this site).

EDIT - I did confirm that manually removing 104.16.0.0/12 from the whitelist blocks this site and updating skynet returns it to operation. Unless other people want it too I wouldn't waste your time customizing for my needs. I can set up a cron to de-whitelist the Cloudflare IP space after Skynet updates.
 
Having just updated my RT-AC68U with firmware 384.13 I thought I would install Skynet having installed amtm. I seem to be getting an issue with Skynet (v6.8.5) if I run sh /jffs/scripts/firewall I get the below error:
Router Model;
Skynet Version; (05/07/2019) (1b0d481af8d2da574015a3de5548ed51)
iptables v1.4.15 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (xx.xx.xx.xx)
FW Version; 384.13_0 (Jul 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/usb1/skynet (28.1G / 30.8G Space Available)

/jffs/scripts/firewall: line 39: arithmetic syntax error

Having looked through some of the earlier posts I saw someone was advised to run with the restart command. Having done this, the menu starts up with the following comment in it:

[*] Lock File Detected (start skynetloc=/tmp/mnt/usb1/skynet) (pid=6316)
[*] Locked Processes Generally Take 1-2 Minutes To Complete And May Result In Temporarily "Failed" Tests

IPTables Rules | [Failed]

If I exit the application again and run the firewall script I get ./firewall: line 1: arithmetic syntax error

Any ideas?

thanks
 
Mine started doing that as well. I reinstalled it using the first page command.
 
Thinking about installing Skynet. I'm on an RT-86U 384.13 using FreshJR Adaptive QoS, Trend Micro AiProtection is turned OFF. Will it work with how I have my router set up?
 
It will work based on what you’ve told us.
 
