Skynet - Router Firewall & Security Enhancements

hi
this might be a long shot but i would like to ask for your advice.

i have a 24/7 windows server with access to a router running asus merlin and skynet. what would be a good way to visualize the skynet logs from skynet on my server in real time but with the ability to filter per ip, dates, ports? like a gui that could take the data from skynet and show it in a friendlier way

thanks so much
 
hi guys. another help request
I'm having trouble trying to ban a specific IP (104.28.26.45). After banning it, I'm still able to access the IP from any of my devices.

what am i doing wrong?

Code:
Router Model; RT-AC3100
Skynet Version; v6.8.6 (11/08/2019) (aaf3a1434f6d9cb904e466942b2647e5)
iptables v1.4.15 - (eth0 @ 10.0.0.1)
ipset v6.32, protocol version: 6
IP Address; (181.50.201.119)
FW Version; 384.13_0 (Jul 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/sda1/skynet (11.6G / 14.7G Space Available)
SWAP File; /tmp/mnt/sda1/myswap.swp (2.0G)
Banned Countries; in cn kp kr th ir iq my

86617 IPs (+0) -- 13624 Ranges Banned (+0) || 13 Inbound -- 9 Outbound Connections Blocked!

Select Menu Option:
[1]  --> Unban
[2]  --> Ban

[1-15]: 2

What Type Of Input Would You Like To Ban:
[1]  --> IP

[1-4]: 1

Input IP To Ban:

[IP]: 104.28.26.45

Input Comment For Ban:

[Comment]: torrent

[$] /jffs/scripts/firewall ban ip 104.28.26.45 torrent


=============================================================================================================


[i] Banning 104.28.26.45
[i] Saving Changes


=============================================================================================================

Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# ping 104.28.26.45
PING 104.28.26.45 (104.28.26.45): 56 data bytes
64 bytes from 104.28.26.45: seq=0 ttl=54 time=79.117 ms
64 bytes from 104.28.26.45: seq=1 ttl=54 time=79.594 ms
^C
--- 104.28.26.45 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 79.117/79.355/79.594 ms
Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# firewall stats search ip 104.28.26.45
#############################################################################################################
#                                _____ _                     _             __                               #
#                               / ____| |                   | |           / /                               #
#                              | (___ | | ___   _ _ __   ___| |_  __   __/ /_                               #
#                               \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                              #
#                               ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                             #
#                              |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                              #
#                                            __/ |                                                          #
#                                           |___/                                                           #
#                                                                                                           #
## - 11/08/2019 -                  Asus Firewall Addition By Adamm v6.8.6                                   #
##                                 https://github.com/Adamm00/IPSet_ASUS                                    #
#############################################################################################################


=============================================================================================================


[i] Debug Data Detected in /tmp/mnt/sda1/skynet/skynet.log - 9.8M
[i] Monitoring From Aug 27 13:00:03 To Sep 1 18:14:45
[i] 37755 Block Events Detected
[i] 7417 Unique IPs
[i] 1 Manual Bans Issued

104.28.26.45 is in set Skynet-Whitelist.
104.28.26.45 is in set Skynet-Blacklist.
104.28.26.45 is NOT in set Skynet-BlockedRanges.

Whitelist Reason;
--*
Blacklist Reason;
 "ManualBan: torrent"


Associated Domain(s);
tracker.bt4g.com
bt4g.com

--*
[i] IP Location - Canada (Cloudflare, Inc. / AS13335)

[i] 104.28.26.45 First Tracked On
[i] 104.28.26.45 Last Tracked On
[i] 0 Blocks Total

Event Log Entries From 104.28.26.45;

First Block Tracked From 104.28.26.45;
--*
10 Most Recent Blocks From 104.28.26.45;
-*-
--*
Top 10 Targeted Ports From 104.28.26.45 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------

--*

Top 10 Sourced Ports From 104.28.26.45 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------

*--


=============================================================================================================


[#] 86642 IPs (+0) -- 13624 Ranges Banned (+0) || 84 Inbound -- 19 Outbound Connections Blocked! [stats] [55s]
 
It shows it is in both the whitelist and the blacklist.
 
this is what i get when trying to remove it from whitelist

Code:
=============================================================================================================


Router Model; RT-AC3100
Skynet Version; v6.8.6 (11/08/2019) (aaf3a1434f6d9cb904e466942b2647e5)
iptables v1.4.15 - (eth0 @ 10.0.0.1)
ipset v6.32, protocol version: 6
IP Address; (181.50.201.119)
FW Version; 384.13_0 (Jul 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/sda1/skynet (11.6G / 14.7G Space Available)
SWAP File; /tmp/mnt/sda1/myswap.swp (2.0G)
Banned Countries; in cn kp kr th ir iq my

86642 IPs (+0) -- 13624 Ranges Banned (+0) || 31 Inbound -- 7 Outbound Connections Blocked!

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Banmalware
[4]  --> Whitelist
[1-15]: 4

Select Whitelist Option:
[1]  --> IP/Range
[2]  --> Domain
[3]  --> Refresh VPN Whitelist
[4]  --> Remove Entries

[1-7]: 4

Remove From Whitelist:
[1]  --> All Non-Default Entries
[2]  --> IP/Range
[3]  --> Entries Matching Comment

[1-3]: 2

Input IP Or Range To Remove:

[IP/Range]: 104.28.26.45

[$] /opt/bin/firewall whitelist remove entry 104.28.26.45


=============================================================================================================


[i] Removing 104.28.26.45 From Whitelist
ipset v6.32: Element cannot be deleted from the set: it's not added
[i] Saving Changes


=============================================================================================================


[#] 86672 IPs (+30) -- 13624 Ranges Banned (+0) || 31 Inbound -- 7 Outbound Connections Blocked! [whitelist] [6s]



[i] Press Enter To Continue...
 
This is the CDN whitelist for Cloudflare.
Code:
104.16.0.0/12 comment "CDN-Whitelist: CloudFlare "
 
@dave14305 Thanks for clarifying that.
In this case, shouldn’t the blacklist have higher priority than the whitelist since I’m trying to block a specific IP?
 
i have a 24/7 windows server with access to a router running asus merlin and skynet. what would be a good way to visualize the skynet logs from skynet on my server in real time but with the ability to filter per ip, dates, ports? like a gui that could take the data from skynet and show it in a friendlier way

Use the various stat commands and menu options to organize the data.

In Skynet's case the Whitelist always takes priority over the blacklist to prevent the user locking themselves out or any other mishaps.
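
Why the manual ban above had no effect, as an added example that is not part of any post and not Skynet's own code: the banned IP sits inside the whitelisted Cloudflare range, the whitelist is consulted first, and a remove-by-IP finds no exact entry to delete. The set contents are constructed from the values quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed set contents, taken from the values quoted in the thread.
WHITELIST='104.16.0.0/12'    # CDN-Whitelist: CloudFlare (range entry)
BLACKLIST='104.28.26.45'     # ManualBan: torrent (single-IP entry)

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if IP $1 falls inside entry $2 (a.b.c.d or a.b.c.d/len).
covers() {
    case $2 in
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2; len=32 ;;
    esac
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print the first entry of list $2 that covers IP $1; fail if none does.
matching_entry() {
    for entry in $2; do
        if covers "$1" "$entry"; then echo "$entry"; return 0; fi
    done
    return 1
}

# Whitelist is checked before the blacklist, as stated in the thread.
verdict() {
    if w=$(matching_entry "$1" "$WHITELIST"); then echo "whitelisted by $w"
    elif b=$(matching_entry "$1" "$BLACKLIST"); then echo "blocked by $b"
    else echo "no match"
    fi
}

# Removal by value only works when that exact entry is stored in the list.
can_remove() {
    for entry in $2; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

ip=104.28.26.45
echo "$ip: $(verdict "$ip")"
if can_remove "$ip" "$WHITELIST"; then
    echo "whitelist holds an exact entry for $ip"
else
    echo "no exact whitelist entry for $ip; it is covered by $(matching_entry "$ip" "$WHITELIST")"
fi
```

This mirrors the output in the thread: the IP tests as a member of both sets, yet removing it from the whitelist by address fails because the stored element is the /12 range.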
 
How come you added the AS20446 Highwinds Network Group to CDN whitelist? Or why was this blocked in the first place?
 
Their other ranges were already previously whitelisted, this one I missed the first time around because it was listed under the StackPath name (they bought out HighWinds a few years ago).
 
Adamm, is Skynet compatible with dual WAN? I ask as I'm running a dual WAN setup and I've noticed something strange. When I'm on my primary WAN, everything is great, Skynet works as expected. But the moment I switch to secondary, it seems that Skynet doesn't switch over to the new interface and sticks to the primary WAN and its now 0.0.0.0 IP address. I've attached the (boot? Login? Startup?) screen below.

Code:
Router Model; RT-AC86U
Skynet Version; v6.8.6 (13/09/2019) (ee28cdb7c394bea16b2e215ed9f11d51)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (0.0.0.0)
FW Version; 384.13_0 (Jul 31 2019) (4.1.27)
Install Dir; /tmp/mnt/ASUSTHUMB/skynet (12.6G / 14.0G Space Available)
SWAP File; /tmp/mnt/ASUSTHUMB/myswap.swp (512.0M)
Uptime; 0 days, 0 hours, 29 minutes.
Ram Available; (66M / 430M)

I've found this to be repeatable; primary WAN, Skynet is fine. Switch over to secondary WAN, the primary WAN's IP changes to 0.0.0.0 and Skynet is the same IP at 0.0.0.0. Turn primary WAN back on, Skynet acquires that same IP and kicks butt.

Is this by design?
 
Skynet ignores the WAN interface name passed to the firewall-start script and instead takes the interface name from wan0_ifname in nvram. Probably a good reason for it at the time, but it sounds like that's why it won't work on the secondary WAN interface.

If you look in the syslog for the firewall-start lines (e.g. custom_script: Running /jffs/scripts/firewall-start (args: eth0)), do you see the args change as you fail over from primary to secondary?
 
I do see the args change;

Code:
Sep 26 04:20:20 WAN(1)_Connection: WAN was restored.
Sep 26 04:20:20 nat: apply nat rules (/tmp/nat_rules_eth4_eth4)
Sep 26 04:20:20 custom_script: Running /jffs/scripts/firewall-start (args: eth4)
Sep 26 04:20:21 Skynet: [*] Lock File Detected (start skynetloc=/tmp/mnt/ASUSTHUMB/skynet) (pid=4692) - Exiting (cpid=5937)

It was previously args: eth0. Not sure what that means, result is Skynet is still bound to the primary and showing 0.0.0.0.
 
Skynet currently creates rules based on the wan0_ifname value (or ppp0 for PPPoE). Unfortunately I have no way to test dual WAN and add support.
 
Ouch. Well at least I know now and that explains some of the behaviour I’ve been seeing. An excellent script regardless and thank you for the great work!
 
Is there a reason you can't accept the WAN interface name passed to the firewall-start script? Without knowing the gotchas of PPPoE, it seems like an easier way to always know the proper WAN interface name.
 
Getting spammed messages in my log "[BLOCKED - INBOUND] ..... "
You can disable logging by disabling 'debug mode' in Skynet:
Settings (11) -> Debug Mode (3) -> Disable (2)
 
The nvram is more reliable to get values, by doing so we won't depend on a script outside Skynet's control for functionality. The main problem with adding dual WAN support is I have no way of testing the changes it makes.

I've pushed v6.8.7 and renamed "debug mode" to simply "logging". Hopefully this stands out more to new users on what the setting does (and more accurately describes the setting's current functionality).
 
Having an issue with the new version not starting after a firewall restart. Seems maybe a leftover debugmode reference. This is the output of running
Code:
sh -x /jffs/scripts/firewall start skynetloc=/tmp/mnt/apps/skynet
+ export PATH=/sbin:/bin:/usr/sbin:/usr/bin/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/rtradmin:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin
+ printf \033[?7l
+ clear
+ sed -n 2,14p /jffs/scripts/firewall
#############################################################################################################
# _____ _ _ __ #
# / ____| | | | / / #
# | (___ | | ___ _ _ __ ___| |_ __ __/ /_ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \ #
# ____) | <| |_| | | | | __/ |_ \ V /| (_) | #
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ \___/ #
# __/ | #
# |___/ #
# #
## - 01/10/2019 - Asus Firewall Addition By Adamm v6.8.7 #
## https://github.com/Adamm00/IPSet_ASUS #
#############################################################################################################
+ export LC_ALL=C
+ mkdir -p /tmp/skynet/lists
+ ntptimer=0
+ nvram get ntp_ready
+ [ 1 = 0 ]
+ [ 0 -ge 300 ]
+ date +%s
+ stime=1570031120
+ grep -ow skynetloc=.* # Skynet /jffs/scripts/firewall-start
+ awk {print $1}
+ grep -vE ^#
+ cut -c 11-
+ skynetloc=/tmp/mnt/apps/skynet
+ skynetcfg=/tmp/mnt/apps/skynet/skynet.cfg
+ skynetlog=/tmp/mnt/apps/skynet/skynet.log
+ skynetevents=/tmp/mnt/apps/skynet/events.log
+ skynetipset=/tmp/mnt/apps/skynet/skynet.ipset
+ [ -z /tmp/mnt/apps/skynet ]
+ [ ! -d /tmp/mnt/apps/skynet ]
+ nvram get wan0_proto
+ [ dhcp = pppoe ]
+ nvram get wan0_proto
+ [ dhcp = pptp ]
+ nvram get wan0_proto
+ [ dhcp = l2tp ]
+ nvram get wan0_ifname
+ iface=eth0
+ [ -z start ]
+ [ -n ]
+ trap Spinner_End EXIT
+ [ -f /tmp/mnt/apps/skynet/skynet.cfg ]
+ . /tmp/mnt/apps/skynet/skynet.cfg
+ model=RT-AC68U
+ localver=v6.8.6
+ autoupdate=enabled
+ banmalwareupdate=daily
+ forcebanmalwareupdate=
+ logmode=
+ filtertraffic=outbound
+ swaplocation=/tmp/mnt/apps/myswap.swp
+ swappartition=
+ blacklist1count=141530
+ blacklist2count=1669
+ customlisturl=
+ customlist2url=
+ countrylist=
+ excludelists=
+ unbanprivateip=enabled
+ loginvalid=disabled
+ banaiprotect=enabled
+ securemode=enabled
+ extendedstats=enabled
+ fastswitch=disabled
+ syslogloc=/tmp/syslog.log
+ syslog1loc=/tmp/syslog.log-1
+ iotblocked=disabled
+ iotports=
+ iotproto=udp
+ lookupcountry=enabled
+ cdnwhitelist=enabled
+ Display_Header 9
+ printf \n\n=============================================================================================================\n\n\n


=============================================================================================================


+ Check_Lock start skynetloc=/tmp/mnt/apps/skynet
+ [ -f /tmp/skynet.lock ]
+ echo start skynetloc=/tmp/mnt/apps/skynet
+ echo 18528
+ date +%s
+ lockskynet=true
+ echo start skynetloc=/tmp/mnt/apps/skynet
+ sed s~start ~~g
+ logger -st Skynet [%] Startup Initiated... ( skynetloc=/tmp/mnt/apps/skynet )
Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/apps/skynet )
+ Unload_Cron all
+ [ -z all ]
+ cru d Skynet_save
+ cru d Skynet_banmalware
+ cru d Skynet_autoupdate
+ cru d Skynet_checkupdate
+ Check_Settings
+ [ ! -f /tmp/mnt/apps/skynet/skynet.cfg ]
+ [ -z /tmp/syslog.log ]
+ [ -z /tmp/syslog.log-1 ]
+ [ -z disabled ]
+ [ -z udp ]
+ [ -z enabled ]
+ [ -z enabled ]
+ [ -z ]
/jffs/scripts/firewall: line 5143: debugmode: parameter not set or null
+ Spinner_End
+ [ -f /tmp/skynet/spinstart ]
 
