Skynet Skynet - Router Firewall & Security Enhancements

[Jack Yaz]

ahh, I load it with amtm, I'm not even sure what to do with above. I guess I'll have to wait.

it's not available anywhere publicly yet, don't worry

 

[Adamm]

ahh, I load it with amtm, I'm not even sure what to do with above. I guess I'll have to wait.

Not ready for public consumption just yet. This is going to be a big update (which seems to get bigger every day new features are added ), along with adding support for an upcoming firmware addon API/guidelines. Lots of moving parts to worry about so I want to make sure everything is perfect and thoroughly tested before release.

 

[XIII]

May I suggest you not turn on SSH from WAN, and instead VPN in first

Of course, but from what I learned here remote SSH via Dropbear is already a lot safer than remote web GUI (and maybe a bit extra because I use keys instead of passwords for SSH).

 

[XIII]

If they can setup a DDNS name for their WAN IP, you can add that name to your whitelist.

They no longer use an ASUS router, but the one from their ISP instead.

I’m not sure whether it would help, because I believe SkyNet uses the IP address instead of the DNS name when whitelisting.

 

[XIII]

I’m not sure whether it would help, because I believe SkyNet uses the IP address instead of the DNS name when whitelisting.

Worse: I added their current IP to the whitelist, and while it did not change, I got banned again today, when trying to log in remotely from their location.

@Adamm Why does an IP still get banned if it's in the whitelist?

(I'm experimenting with SSH keys, so I'm doing a lot of consecutive logins in a short amount of time)

 

[Adamm]

Worse: I added their current IP to the whitelist, and while it did not change

Must have changed or you unbanned it rather then whitelisted. Its impossible for the blacklist to take priority over the whitelist.

(I'm experimenting with SSH keys, so I'm doing a lot of consecutive logins in a short amount of time)

Are you using a VPN or do you have SSH exposed to WAN? If the latter, Skynet hijacks the SSH BFD (brute force detection) and will blacklist you if you hit 5 failed attempts in 60 seconds.

 

[Adamm]

I’m not sure whether it would help, because I believe SkyNet uses the IP address instead of the DNS name when whitelisting.

Correct but Skynet updates these entries every time the Refresh_MWhitelist() function is called (during startup/malware list updates/manual running).

 

[Adamm]

Here's another 2020 spoiler


Happy New Year!

 

[thelonelycoder]

Here's another 2020 spoiler
Happy New Year!

You're ahead of all of us. Hope the bush fires don't bother you too much and rain is coming your way soon.

 

[dave14305]

You're ahead of all of us. Hope the bush fires don't bother you too much and rain is coming your way soon.

Yes, may a different kind of firewall protect all our friends down under!

 

[randomName]

Here's another 2020 spoiler


Happy New Year!

Can't Wait!

Ty!

 

[XIII]

Are you using a VPN or do you have SSH exposed to WAN? If the latter, Skynet hijacks the SSH BFD (brute force detection) and will blacklist you if you hit 5 failed attempts in 60 seconds.

SSH exposed to WAN, but I did not have 5 failed attempts.

 

[Adamm]

SSH exposed to WAN, but I did not have 5 failed attempts.

In any case, maybe you accidentally unbanned the IP the first time rather then whitelist it, or they did infact have a dynamic IP. Those are the only two explanations.

 

[SomeWhereOverTheRainBow]

any objections if i dabble with a uiSkynet similar to the diversion stats, when 384.15 lands?

i fully support this idea.

 

[Jack Yaz]

i fully support this idea.

I know nothing about the mystery tab that has been shown in a couple of screenshots

 

[Jo Sidarta]

Hi @Adamm thanks for creating such an awesome script! Just sent a donation to your account.

With the country ban, is there a way to block inbound connection only (from the countries selected)? and not both connections.
Last time I applied a couple of countries, and I was not able to access some websites (most likely because their server is located on the countries I banned).

 

[Adamm]

Hi @Adamm thanks for creating such an awesome script! Just sent a donation to your account.

Appreciate the generosity.

With the country ban, is there a way to block inbound connection only (from the countries selected)? and not both connections.
Last time I applied a couple of countries, and I was not able to access some websites (most likely because their server is located on the countries I banned).

We do support selective filtering (either inbound/outbound), the issue is to establish a connection both parties must make a "handshake" meaning communication is required from both sides. So with the current IPTables setup it's just not possible to have the best of both worlds.

 

[XIII]

Today I started using NextDNS.io as my DNS over TLS server. This worked fine for a couple of hours, until suddenly domain name resolving completely stopped. It started working again when I temporarily disabled SkyNet and immediately broke again when I re-enabled SkyNet. The strange thing is that there are no SkyNet (debug) logs whatsoever when domain name resolving fails.

Yesterday when I was still using Cloudflare (and Quad9) I also had a lot of domain name resolving issues, but I did not think of disabling SkyNet. Maybe that was related, maybe not.

When there are no debug logs, what can I do to investigate/fix this?

I would like to use both NextDNS and SkyNet at the same time...

 

[Adamm]

Today I started using NextDNS.io as my DNS over TLS server. This worked fine for a couple of hours, until suddenly domain name resolving completely stopped. It started working again when I temporarily disabled SkyNet and immediately broke again when I re-enabled SkyNet. The strange thing is that there are no SkyNet (debug) logs whatsoever when domain name resolving fails.

Yesterday when I was still using Cloudflare (and Quad9) I also had a lot of domain name resolving issues, but I did not think of disabling SkyNet. Maybe that was related, maybe not.

When there are no debug logs, what can I do to investigate/fix this?

I would like to use both NextDNS and SkyNet at the same time...

With logging enabled, Skynet will always log every block event. There is never an exception to this rule (and for good reason! ). So if Skynet was the cause, there will be logs.

 

[XIII]

That's what I thought.

Still, so far it only reproduces with SkyNet active - and almost immediately. After disabling SkyNet I also have to restart the dnsmasq service to get DNS working again.

I'm afraid I'll have to run without SkyNet for a while to see that the problem also reproduces without SkyNet.