Skynet - Router Firewall & Security Enhancements


Ok, the servers I use are time.cloudflare.com and time.nist.com, nothing from pool.ntp.org. So are you saying the NTP intercept feature is not working or that my two chosen time servers are not working? That particular pool.ntp.org IP being hit 48x does not seem too random to me.

Not sure that those use multicast to pool.ntp.org. I've read extensively on the NTP system linked off the Admin - System page where time servers options are set.

My Cambridge Audio CXNv2 has attempted to connect to 23.129.64.159 via cambridge-audio.pool.ntp.org three times in the last three months and been blocked by my router.

Might be worth checking nvram getall | grep ntp
because of this https://github.com/RMerl/asuswrt-me...875ab18b/release/src/router/shared/defaults.c

Am I interpreting this correctly that 198,000 URLs are or have been hosted on this one IP?
https://otx.alienvault.com/indicator/ip/213.186.33.19
I do not have any hits for this IP in my logs.
 
Ok, the servers I use are time.cloudflare.com and time.nist.com, nothing from pool.ntp.org. So are you saying the NTP intercept feature is not working or that my two chosen time servers are not working? That particular pool.ntp.org IP being hit 48x does not seem too random to me.

Not sure that those use multicast to pool.ntp.org. I've read extensively on the NTP system linked off the Admin - System page where time servers options are set.

As I understand it, the Associated Domain in Skynet stats is not necessarily 100% accurate, meaning it isn't guaranteed that was the domain that led to the blocking of the IP. Skynet is harvesting all the queries from your Diversion dnsmasq logging (IP and domain name pairs). When it encounters a blocked IP, it's searching for a match against all the previous week's DNS queries that Diversion logged. It may not be picking the correct one if multiple domains map to the same IP, as mentioned above. You'd have to correlate the Skynet logs with dnsmasq logs to be 99% certain of the cause and source.
 
I take it that grep OUTBOUND of skynet.log does not answer this either because you are not logging or that it happened too long ago.

I forward all of my syslogd traffic to a Cygwin syslogd on my Windows computer where I keep months of history.
Bingo! WiFi IoT lights!
Code:
Jan  2 03:34:48 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:fb:28:87:08:00 SRC=192.168.1.xyz DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3248 PROTO
Jan  2 03:34:50 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:5e:65:39:08:00 SRC=192.168.1.xxy DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=9865 PROTO
Jan  2 03:34:51 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:fb:28:87:08:00 SRC=192.168.1.xyz DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3249 PROTO
Jan  2 03:34:53 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:5e:65:39:08:00 SRC=192.168.1.xxy DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=9866 PROTO
Jan  2 03:34:54 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:fb:28:87:08:00 SRC=192.168.1.xyz DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3250 PROTO
Jan  2 03:34:56 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:5e:65:39:08:00 SRC=192.168.1.xxy DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=9867 PROTO
Stats header showed this, so I did the grep OUTBOUND on that log
Code:
[i] Logging Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 8.3M
[i] Monitoring From Dec 31 12:00:25 To Jan 7 13:49:41
[i] 29711 Block Events Detected
[i] 5633 Unique IPs
So the NTP server intercept does not work; I got about 30 lines of all three lights hitting that same pool.ntp.org IP every 4 hours.

I use scribe (syslog-ng / logrotate) and can save logs as long as my USB has room, but the way Skynet purges logs to an hourly report means no need for this function. I just forgot that Skynet keeps its own logs. Thanks!
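The two manual steps in the posts above, grepping OUTBOUND out of skynet.log and then matching a blocked IP against the previous week's dnsmasq queries to find the domain behind it, can be scripted. What follows is an added example, not Skynet's own code and not the poster's. The log lines inside it are constructed in the two formats quoted in this thread (kernel `[BLOCKED - OUTBOUND]` lines and dnsmasq `query[A]`/`reply` lines); the MACs, LAN hosts, PIDs and the `tracker.example.invalid` name are made up. The 15-minute correlation window and the preference for names the blocked client itself queried are choices of the example, not Skynet behaviour.

```python
"""Triage Skynet '[BLOCKED - OUTBOUND]' kernel log lines and correlate them with
dnsmasq query logging. Added example; not Skynet's code. The sample log lines are
constructed in the formats shown in the thread (hosts, MACs and PIDs made up)."""
import re
from collections import Counter
from datetime import datetime

BLOCKED = "[BLOCKED - OUTBOUND]"
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
DNS_QUERY = re.compile(r"dnsmasq\[\d+\]: query\[A\] (\S+) from (\S+)$")
DNS_REPLY = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\d+\.\d+\.\d+\.\d+)$")

# Constructed sample: two IoT devices polling a blacklisted pool member about every
# four hours, plus one unrelated HTTPS block. Field order follows the thread's lines.
SKYNET_LOG = """\
Jan  2 03:34:48 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:fb:28:87:08:00 SRC=192.168.1.50 DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3248 PROTO=UDP SPT=123 DPT=123 LEN=56
Jan  2 03:34:50 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:5e:65:39:08:00 SRC=192.168.1.51 DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=9865 PROTO=UDP SPT=123 DPT=123 LEN=56
Jan  2 07:34:49 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:fb:28:87:08:00 SRC=192.168.1.50 DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3301 PROTO=UDP SPT=123 DPT=123 LEN=56
Jan  2 08:12:03 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:aa:bb:cc:08:00 SRC=192.168.1.77 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4001 PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""
DNSMASQ_LOG = """\
Jan  2 03:34:45 RT-AC86U-4608 dnsmasq[1234]: query[A] 0.pool.ntp.org from 192.168.1.51
Jan  2 03:34:45 RT-AC86U-4608 dnsmasq[1234]: reply 0.pool.ntp.org is 23.129.64.159
Jan  2 03:34:47 RT-AC86U-4608 dnsmasq[1234]: query[A] us.pool.ntp.org from 192.168.1.50
Jan  2 03:34:47 RT-AC86U-4608 dnsmasq[1234]: reply us.pool.ntp.org is 23.129.64.159
Jan  2 08:11:59 RT-AC86U-4608 dnsmasq[1234]: query[A] tracker.example.invalid from 192.168.1.77
Jan  2 08:11:59 RT-AC86U-4608 dnsmasq[1234]: reply tracker.example.invalid is 203.0.113.9
"""


def parse_ts(line):
    """Syslog timestamps carry no year; this assumes all lines are from one year."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def parse_blocked(text):
    """Turn each Skynet kernel line into a dict of its KEY=VALUE fields plus 'ts'."""
    events = []
    for line in text.splitlines():
        if BLOCKED not in line:
            continue
        fields = {"ts": parse_ts(line)}
        for tok in line.split(BLOCKED, 1)[1].split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                fields.setdefault(k, v)  # LEN= appears twice; keep the IP total length
        events.append(fields)
    return events


def summarize(events):
    """Count blocks per (SRC, DST, PROTO, DPT): the 'who talks to what, on which port' view."""
    return Counter((e["SRC"], e["DST"], e.get("PROTO"), e.get("DPT")) for e in events)


def intervals(events, src, dst):
    """Seconds between consecutive blocks of one flow; a steady gap points at a scheduler such as an NTP poll."""
    ts = sorted(e["ts"] for e in events if e["SRC"] == src and e["DST"] == dst)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def parse_dnsmasq(text):
    """Return (queries, replies) as (ts, name, client) and (ts, name, ip) tuples."""
    queries, replies = [], []
    for line in text.splitlines():
        ts, q, r = parse_ts(line), DNS_QUERY.search(line), DNS_REPLY.search(line)
        if q:
            queries.append((ts, q.group(1), q.group(2)))
        elif r:
            replies.append((ts, r.group(1), r.group(2)))
    return queries, replies


def likely_domain(event, queries, replies, window=900):
    """Newest reply that mapped DST to a name within `window` seconds before the block,
    preferring names the blocked client itself asked for. None when nothing is recent
    enough, which is the ambiguity described in the thread when several names share an IP."""
    t0 = event["ts"]
    cands = [(ts, name) for ts, name, ip in replies
             if ip == event["DST"] and 0 <= (t0 - ts).total_seconds() <= window]
    if not cands:
        return None
    asked = {name for ts, name, client in queries
             if client == event["SRC"] and 0 <= (t0 - ts).total_seconds() <= window}
    own = [c for c in cands if c[1] in asked]
    return max(own or cands)[1]


if __name__ == "__main__":
    ev = parse_blocked(SKYNET_LOG)
    q, r = parse_dnsmasq(DNSMASQ_LOG)
    for key, n in summarize(ev).most_common():
        print(n, key)
    for e in ev:
        print(e["ts"].strftime("%b %d %H:%M:%S"), e["SRC"], "->", e["DST"], likely_domain(e, q, r))
```

On a router you would feed it the real files (`grep OUTBOUND skynet.log` and the Diversion dnsmasq log) instead of the embedded samples. The third sample event shows the failure mode from the post above: four hours after the last DNS reply for that IP, nothing inside the window matches and the result is None rather than a guess.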
My Cambridge Audio CXNv2 has attempted to connect to 23.129.64.159 via cambridge-audio.pool.ntp.org three times in the last three months and been blocked by my router.

Might be worth checking nvram getall | grep ntp
because of this https://github.com/RMerl/asuswrt-me...875ab18b/release/src/router/shared/defaults.c

Am I interpreting this correctly that 198,000 URLs are or have been hosted on this one IP?
https://otx.alienvault.com/indicator/ip/213.186.33.19
I do not have any hits for this IP in my logs.
That nvram grep returns nothing here. I scanned that link, but I never had any code or script experience until the last couple of years on SNB.

It does not seem possible to have 198K URLs, but I guess many are subdomains (?)
https://whois.domaintools.com/213.186.33.19
 
As I understand it, the Associated Domain in Skynet stats is not necessarily 100% accurate, meaning it isn't guaranteed that was the domain that led to the blocking of the IP. Skynet is harvesting all the queries from your Diversion dnsmasq logging (IP and domain name pairs). When it encounters a blocked IP, it's searching for a match against all the previous week's DNS queries that Diversion logged. It may not be picking the correct one if multiple domains map to the same IP, as mentioned above.
Thanks, that makes sense, I think, given my limited networking understanding.
You'd have to correlate the Skynet logs with dnsmasq logs to be 99% certain of the cause and source.
Way above my pay grade and biological sciences background. o_O
 
Following up, nvram getall without grep ntp returns nothing.
This does. The ntp_server_tried= line is new to me from my reading on ntp.
Code:
@RT-AC86U-4608:/tmp/home/root# nvram show | grep ntp
ntp_ready=1
size: 67092 bytes (63980 left)
ntp_server0=time.cloudflare.com
ntp_server1=time.nist.gov
ntp_server_tried=us.pool.ntp.org
ntpd_enable=1
ntpd_server_redir=1
 
Bingo! WiFi IoT lights!
Code:
Jan  2 03:34:48 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:fb:28:87:08:00 SRC=192.168.1.xyz DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3248 PROTO
Jan  2 03:34:50 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:5e:65:39:08:00 SRC=192.168.1.xxy DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=9865 PROTO
Jan  2 03:34:51 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:fb:28:87:08:00 SRC=192.168.1.xyz DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3249 PROTO
Jan  2 03:34:53 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:5e:65:39:08:00 SRC=192.168.1.xxy DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=9866 PROTO
Jan  2 03:34:54 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:fb:28:87:08:00 SRC=192.168.1.xyz DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3250 PROTO
Jan  2 03:34:56 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=88:d7:f6:1d:46:08:50:c7:bf:5e:65:39:08:00 SRC=192.168.1.xxy DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=9867 PROTO
You have omitted the destination port (DPT) in your log, which is important to determine if the outbound request is a true NTP request; if it is, the dest port will show port 123. What is it and what protocol?
 
You have omitted the destination port (DPT) in your log, which is important to determine if the outbound request is a true NTP request; if it is, the dest port will show port 123. What is it and what protocol?
Yes, 123. I forgot to go full screen with my terminal and it was cut off. From 31 Dec. through today I see 46 lines, all PROTO=UDP.
Code:
Dec 31 19:29:31 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] ... DST=23.129.64.159 ... DPT=123 LEN=56
Dec 31 19:29:34 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] ... DST=23.129.64.159 ... DPT=123 LEN=56
Dec 31 19:29:37 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] ... DST=23.129.64.159 ... DPT=123 LEN=56
Dec 31 22:32:05 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] ... DST=23.129.64.159 ... DPT=123 LEN=56
Dec 31 22:32:08 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] ... DST=23.129.64.159 ... DPT=123 LEN=56
 
Yes, 123. I forgot to go full screen with my terminal and it was cut off. From 31 Dec. through today I see 46 lines, all PROTO=UDP.
Code:
Dec 31 19:29:31 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] ... DST=23.129.64.159 ... DPT=123 LEN=56
Dec 31 19:29:34 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] ... DST=23.129.64.159 ... DPT=123 LEN=56
Dec 31 19:29:37 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] ... DST=23.129.64.159 ... DPT=123 LEN=56
Dec 31 22:32:05 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] ... DST=23.129.64.159 ... DPT=123 LEN=56
Dec 31 22:32:08 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] ... DST=23.129.64.159 ... DPT=123 LEN=56
Okay, it was an NTP request but the IP has a bad reputation, therefore, it's blocked. It looks like the firewall takes precedence over the NTP intercept so it wasn't intercepted. I tried a traceroute of the IP through network tools and it was blocked also.
Code:
traceroute to 23.129.64.159 (23.129.64.159), 30 hops max, 60 byte packets
send: Operation not permitted
 
Okay, it was an NTP request but the IP has a bad reputation, therefore, it's blocked. It looks like the firewall takes precedence over the NTP intercept so it wasn't intercepted. I tried a traceroute of the IP through network tools and it was blocked also.
Code:
traceroute to 23.129.64.159 (23.129.64.159), 30 hops max, 60 byte packets
send: Operation not permitted
Good point that the iptables raw table (where Skynet lives) is processed before the nat table (where ntpfilter and DNSFilter live).
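The ordering point made here explains the whole thread: at the PREROUTING hook netfilter runs the raw table before mangle and nat, so a DROP in raw means the REDIRECT that implements the NTP intercept in nat never sees the packet. The model below is an added example, not Skynet's or the firmware's code; its iptables-save style ruleset and the ipset membership are constructed stand-ins for "Skynet blocks a blacklisted destination in raw" and "the router redirects LAN UDP/123 in nat", not the rules either one actually installs.

```python
"""Why a raw-table DROP pre-empts a nat-table REDIRECT: a small model of netfilter's
PREROUTING traversal. Added example, not Skynet's or the firmware's code; RULESET and
IPSETS are constructed stand-ins, not the real rules."""
import ipaddress
import shlex
from dataclasses import dataclass

# At a single hook the tables run in priority order: raw (-300), mangle (-150), nat (-100).
HOOK_ORDER = ("raw", "mangle", "nat")
TERMINATING = {"DROP", "REJECT", "REDIRECT", "DNAT"}

# Constructed ruleset modelled on the thread's description (not the real rule text).
RULESET = """\
*raw
-A PREROUTING -i br0 -m set --match-set Skynet-Blacklist dst -j DROP
COMMIT
*nat
-A PREROUTING -i br0 -p udp --dport 123 -j REDIRECT --to-ports 123
COMMIT
"""
IPSETS = {"Skynet-Blacklist": {"23.129.64.159"}}  # constructed membership


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_if: str = "br0"


def parse_iptables_save(text):
    """Parse the subset of iptables-save syntax used above into {table: {chain: [(match, target)]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith("-A"):
            toks = shlex.split(line)
            chain, match, target, i = toks[1], {}, None, 2
            while i < len(toks):
                t = toks[i]
                if t in ("-i", "-s", "-d", "-p"):
                    match[t] = toks[i + 1]
                    i += 2
                elif t == "--dport":
                    match[t] = int(toks[i + 1])
                    i += 2
                elif t == "-m" and toks[i + 1] == "set":  # -m set --match-set NAME src|dst
                    match["set"] = (toks[i + 3], toks[i + 4])
                    i += 5
                elif t == "-j":
                    target = toks[i + 1]
                    i += 2
                else:
                    i += 1  # target options such as --to-ports do not affect matching
            tables[table].setdefault(chain, []).append((match, target))
    return tables


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(match, pkt, ipsets):
    if "-i" in match and match["-i"] != pkt.in_if:
        return False
    if "-s" in match and not in_net(pkt.src, match["-s"]):
        return False
    if "-d" in match and not in_net(pkt.dst, match["-d"]):
        return False
    if "-p" in match and match["-p"] != pkt.proto:
        return False
    if "--dport" in match and match["--dport"] != pkt.dport:
        return False
    if "set" in match:
        name, direction = match["set"]
        addr = pkt.dst if direction == "dst" else pkt.src
        if addr not in ipsets.get(name, set()):
            return False
    return True


def prerouting(pkt, tables, ipsets):
    """Return (table, verdict) for a packet entering PREROUTING. A terminating target in an
    earlier table ends traversal, so later tables never see the packet; ACCEPT only ends
    the current table and the packet continues to the next one."""
    for table in HOOK_ORDER:
        for match, target in tables.get(table, {}).get("PREROUTING", []):
            if not matches(match, pkt, ipsets):
                continue
            if target in TERMINATING:
                return table, target
            if target == "ACCEPT":
                break
    return None, "ACCEPT"


if __name__ == "__main__":
    tables = parse_iptables_save(RULESET)
    for pkt in (Packet("192.168.1.50", "23.129.64.159", "udp", 123),   # blacklisted pool member
                Packet("192.168.1.50", "198.51.100.7", "udp", 123),    # any other NTP server
                Packet("192.168.1.50", "198.51.100.7", "tcp", 443)):   # not NTP at all
        print(pkt.dst, pkt.proto, pkt.dport, "->", prerouting(pkt, tables, IPSETS))
```

The first packet is dropped in raw and the nat REDIRECT is never consulted, which matches the blocked UDP/123 lines in this thread; the second is redirected to the router's own ntpd. The model deliberately omits conntrack (the nat table only sees the first packet of a connection) and the filter table, which runs at the later FORWARD hook, so it only answers the ordering question, not the full forwarding decision.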
 
I'm a newbie at Skynet. When Skynet is on, web pages load 5-10 times slower than without it. I have an Asus RT-AX88U with Skynet installed on a USB3 stick. What should I check?
 
Following up, nvram getall without grep ntp returns nothing.
This does. The ntp_server_tried= line is new to me from my reading on ntp.
Code:
@RT-AC86U-4608:/tmp/home/root# nvram show | grep ntp
ntp_ready=1
size: 67092 bytes (63980 left)
ntp_server0=time.cloudflare.com
ntp_server1=time.nist.gov
ntp_server_tried=us.pool.ntp.org
ntpd_enable=1
ntpd_server_redir=1
Wow, even nvram is different between router models. It must be a real pain to support firmware and add-on software across router models! ;)
Code:
======== NVRAM CMDS ========
[set]                   : set name with value
[setflag]               : set bit value
[unset]                 : remove nvram entry
[get]                   : get nvram value with name
[getflag]               : get bit value
[show:dump:getall]      : show all nvrams
[loadfile]              : populate nvram value from files
[savefile]              : save all nvram value to file
[commit]                : save nvram [optional] to restart wlan when following restart
[restart]               : restart wlan
[save]                  : save all nvram value to file
[restore]               : restore all nvram value from file
[erase]                 : erase nvram partition
[fb_save]               : save the romfile for feedback
[dump_prev_oops]        : dump previous oops log
============================
I am using ntpMerlin but I think the firmware integrated NTP client is used before the NTP server is started. I have two GPS disciplined NTP servers on my LAN. This is what I get in nvram:
Code:
# nvram show | grep ntp_ | sort
size: 66347 bytes (64725 left)
ntp_ready=1
ntp_server0=192.168.50.230
ntp_server1=192.168.50.200
ntp_server_tried=192.168.50.230
I wonder whether, as the router boots, the NTP client attempts to connect before DNS is ready, resulting in your NTP client dropping down to the firmware's last-ditch effort, pool.ntp.org. Since I have an IP address in the configuration, this does not happen, leaving ntp_server_tried on 192.169.50.230.
 
I'm a newbie at Skynet. When Skynet is on, web pages load 5-10 times slower than without it. I have an Asus RT-AX88U with Skynet installed on a USB3 stick. What should I check?

What are you using to measure this? Skynet's impact on the system is negligible, nor would it have any effect on the loading of web pages.
 
What are you using to measure this? Skynet's impact on the system is negligible, nor would it have any effect on the loading of web pages.
Just checking on a watch. When Skynet is enabled, I see in the browser (Chrome) the steps: secure connection establishment, waiting for server for 5-10 sec. If I turn it off, the page loads in 1-2 sec. I also checked the router over ssh and see that the processor is only at 1-2%. So I don't understand what is happening; maybe my settings are wrong. When restarting Skynet the processor is at 25-75% for 1-2 minutes. I also tested ping and it stays stable (2-3 msec) with and without Skynet. So I guess I need to change some settings, but I have no idea what.
 
Just checking on a watch. When Skynet is enabled, I see in the browser (Chrome) the steps: secure connection establishment, waiting for server for 5-10 sec. If I turn it off, the page loads in 1-2 sec. I also checked the router over ssh and see that the processor is only at 1-2%. So I don't understand what is happening; maybe my settings are wrong. When restarting Skynet the processor is at 25-75% for 1-2 minutes. I also tested ping and it stays stable (2-3 msec) with and without Skynet. So I guess I need to change some settings, but I have no idea what.
Do you see this delay on all web sites or only on some?
 
Do you see this delay on all web sites or only on some?
All websites. Not exactly the same slowness, but all of them are noticeably slower with Skynet. I also tried on a cable connection and on wifi, and different operating systems (Windows 10, Android) - same experience. I'm clueless. I also use Diversion, but only Skynet has an effect on browsing.
 
All websites. Not exactly the same slowness, but all of them are noticeably slower with Skynet. I also tried on a cable connection and on wifi, and different operating systems (Windows 10, Android) - same experience. I'm clueless. I also use Diversion, but only Skynet has an effect on browsing.
The Pixelserv component of Diversion is more likely than Skynet to cause the slowness you describe. Be sure to import the Pixelserv CA into your devices (at least as a test), assuming you are using Diversion Standard and not Diversion Lite. Post follow-up questions in those threads if necessary.

https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices
 
All websites. Not exactly the same slowness, but all of them are noticeably slower with Skynet. I also tried on a cable connection and on wifi, and different operating systems (Windows 10, Android) - same experience. I'm clueless. I also use Diversion, but only Skynet has an effect on browsing.

Easy test - temporarily disable Skynet and see if pages are still "slow";

Code:
sh /jffs/scripts/firewall disable
 
Just checking on a watch. When Skynet is enabled, I see in the browser (Chrome) the steps: secure connection establishment, waiting for server for 5-10 sec. If I turn it off, the page loads in 1-2 sec. I also checked the router over ssh and see that the processor is only at 1-2%. So I don't understand what is happening; maybe my settings are wrong. When restarting Skynet the processor is at 25-75% for 1-2 minutes. I also tested ping and it stays stable (2-3 msec) with and without Skynet. So I guess I need to change some settings, but I have no idea what.
You can install the "page load time" extension to the Chrome browser. Unlikely to be Skynet. For me, with Skynet/Diversion/pixelserv enabled, loading the NYTimes website takes about 2 seconds. Without pixelserv, about 57 seconds. So your problem is elsewhere, methinks.
 
You can install the "page load time" extension to the Chrome browser. Unlikely to be Skynet. For me, with Skynet/Diversion/pixelserv enabled, loading the NYTimes website takes about 2 seconds. Without pixelserv, about 57 seconds. So your problem is elsewhere, methinks.

I can confirm what "elorimer" said :)
 
Easy test - temporarily disable Skynet and see if pages are still "slow";

Code:
sh /jffs/scripts/firewall disable
I made some tests, same web pages with and without Skynet (temporarily disabled).
1. 11,5 v 1,61 sec
2. 11,4 v 0,43 sec
3. 7,37 v 1,85 sec
4. 42,3 v 1,64

Data from the page load time extension. Thanks to elorimer.

4th web page (speedtest.net)
Skynet is running: [speedtest.net result screenshot]

Skynet is disabled: [speedtest.net result screenshot]


Dave14305: Pixelserv CA is already imported. When Skynet is disabled the times are significantly lower.
 