Skynet - Router Firewall & Security Enhancements

You are using the command wrong, as per the readme:

Code:
( sh /jffs/scripts/firewall unban comment "Apples" ) This Unbans Entries With The Comment Apples

I know I'm using it wrong...that's kind of the point :)
What I am showing there is that if you are using the menu system (not command-line) and you hit enter to leave a blank comment then the whole script dies. I don't think this is your intended behavior. I would expect you to just go back to the previous menu option to try again?

These stats are stored on your USB; we keep 10 MB worth of logs, which ends up being around a week.
Is that configurable? If not and I wanted to hack the script to make it so would there be ill effects?


Every command line option has a menu equivalent, and whenever you run a menu option it will generate the equivalent command for future reference.
I see that...nice touch. And my eye glossed over the "search" inside stats. Sorry!


Invalid packet logging logs entries deemed invalid by the router's SPI firewall.

I'm afraid I don't understand the details on this. Could you maybe provide an example of why this would be useful/necessary?



This blacklists entries flagged by AiProtect
So does this mean you will import entries from AiProtect's lists into Skynet so they are blocked at the raw level?


This setting prevents users (and malicious parties) from exposing SSH/HTTPS to WAN, which is highly insecure; it also checks for and disables backdoor access from a known exploit that targeted Asus routers a few months ago.
I see. It looks like this is enabled by default with no option during install.
This disabled my SSH (which I do want open). It changed the setting in the GUI to "LAN only"
When I disabled it in skynet it did not change my setting back to "LAN + WAN" and I needed to manually change and apply this.
While I think the intention of security is good, not giving the user the option on install and failing to revert back to the actual settings when disabled is a little....eh...


This is for users who have a non-default syslog location (i.e. Scribe users)
Thanks...that's my next project :)
 
I know I'm using it wrong...that's kind of the point :)
What I am showing there is that if you are using the menu system (not command-line) and you hit enter to leave a blank comment then the whole script dies. I don't think this is your intended behavior. I would expect you to just go back to the previous menu option to try again?

Ah gotcha, fixed this inconsistency in a hotfix.

Is that configurable? If not and I wanted to hack the script to make it so would there be ill effects?

No, anything over 10 MB is unnecessary imo and will slow down certain functions.

I'm afraid I don't understand the details on this. Could you maybe provide an example of why this would be useful/necessary?

https://en.wikipedia.org/wiki/Stateful_firewall

So does this mean you will import entries from AiProtect's lists into Skynet so they are blocked at the raw level?

Correct

I see. It looks like this enabled by default with no option during install.
This disabled my SSH (which I do want open). It changed the setting in the GUI to "LAN only"
When I disabled it in skynet it did not change my setting back to "LAN + WAN" and I needed to manually change and apply this.
While I think the intention of security is good, not giving the user the option on install and failing to revert back to the actual settings when disabled is a little....eh...

This is intended functionality. Exposing HTTP / SSH to WAN is the quickest way to get your home network compromised. There's no good reason not to use OpenVPN.
 
No, anything over 10 MB is unnecessary imo and will slow down certain functions.
a) Is there a way to at least roll-over the logs to keep them for posterity or
b) Will implementing scribe help keep more (archival) data?

Yes, I do know what a Stateful firewall is ;), I'm trying to understand how Skynet involves itself in it.
Doing some digging, it appears that as soon as Skynet is installed it is modifying the SPI "Logged Packets Type (UI)" to drop (fw_log_x = drop). It also appears that it interferes with being able to change this back to any other setting (Accepted/Both) while Skynet is installed. This is true even with the default of "Log Invalid Packets" disabled. When I enable "Log Invalid Packets" I still don't see in IPTABLES any of the invalid packets being sent to "logdrop."
Can you explain why it is necessary to change the router's normal configuration selection of SPI logging and how you are integrating to actually enhance the logging from the default?

This is intended functionality. Exposing HTTP / SSH to WAN is the quickest way to get your home network compromised. There's no good reason not to use OpenVPN.
Well we can agree to disagree there. I use publickey auth only on my SSH. A strong key with a strong password protection is every bit as secure as a VPN connection can be. Regardless of whether it is more secure or less, that decision should be left up to the user. Not providing a dialog during install to ask on this (you can always suggest your recommendation there) and just turning it off seems a bit intrusive to me. Just my view on it...take it or leave it.

thanks
 
a) Is there a way to at least roll-over the logs to keep them for posterity or
b) Will implementing scribe help keep more (archival) data?

No and not that I know of.

Yes, I do know what a Stateful firewall is ;), I'm trying to understand how Skynet involves itself in it.
Doing some digging, it appears that as soon as Skynet is installed it is modifying the SPI "Logged Packets Type (UI)" to drop (fw_log_x = drop). It also appears that it interferes with being able to change this back to any other setting (Accepted/Both) while Skynet is installed. This is true even with the default of "Log Invalid Packets" disabled. When I enable "Log Invalid Packets" I still don't see in IPTABLES any of the invalid packets being sent to "logdrop."
Can you explain why it is necessary to change the router's normal configuration selection of SPI logging and how you are integrating to actually enhance the logging from the default?

We keep this setting (logged packets type) set to drop or both, as it changes the order of IPTables rules; instead, Skynet internally will handle whether dropped packets are logged or not. As for the "log invalid packets" setting in Skynet, it does exactly as the name suggests: it toggles logging of packets dropped by the SPI firewall.

Well we can agree to disagree there. I use publickey auth only on my SSH. A strong key with a strong password protection is every bit as secure as a VPN connection can be. Regardless of whether it is more secure or less, that decision should be left up to the user.

Sure, but even when you use a publickey you are still exposing dropbear to WAN giving malicious parties another potential attack surface, the same can be said for HTTP access. Your password or key is not always the weakest link ;)
 
Noob here, is there any way for Skynet to ban a device wirelessly connected to the router from calling out or receiving connections? If so, are there some examples?

Thanks
 
Noob here, is there any way for Skynet to ban a device wirelessly connected to the router from calling out or receiving connections? If so, are there some examples?
Go into Skynet / Settings / IOT Blocking / Ban to block a LAN IP from accessing the Internet.

Code:
( sh /jffs/scripts/firewall settings iot unban|ban 8.8.8.8,9.9.9.9 ) Unban|Ban IOT Device(s) (or CIDR) From Accessing WAN (Allow NTP / Remote Access Via OpenVPN Only) (Use Comma As Separator)
 
Go into Skynet / Settings / IOT Blocking / Ban to block a LAN IP from accessing the Internet.

Code:
( sh /jffs/scripts/firewall settings iot unban|ban 8.8.8.8,9.9.9.9 ) Unban|Ban IOT Device(s) (or CIDR) From Accessing WAN (Allow NTP / Remote Access Via OpenVPN Only) (Use Comma As Separator)

Thanks, so let's say I have a camera on my network, and its IP is 192.168.1.212. I would run:

sh /jffs/scripts/firewall settings iot ban 192.168.1.212

and when I wanted to unban it

sh /jffs/scripts/firewall settings iot unban 192.168.1.212

Is that correct? And I could run those commands from another script?

Thanks
 
Thanks, so let's say I have a camera on my network, and its IP is 192.168.1.212. I would run:

sh /jffs/scripts/firewall settings iot ban 192.168.1.212

and when I wanted to unban it

sh /jffs/scripts/firewall settings iot unban 192.168.1.212

Is that correct? And I could run those commands from another script?

Thanks

Correct
 

Thanks, after I entered the command to ban, how would I check that it took? What would happen if I entered the command to ban and the ban was in effect, would that mess anything up, or would there be two bans and the unban would have to be issued twice?

Thanks
 
Thanks, after I entered the command to ban, how would I check that it took?

Code:
sh /jffs/scripts/firewall settings iot view

What would happen if I entered the command to ban and the ban was in effect, would that mess anything up, or would there be two bans and the unban would have to be issued twice?

Skynet will alert you that the entry already exists and no further action will be taken.
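Pulling the commands from the exchange above into a script, as an added example that is not part of Skynet or of any post in this thread: a POSIX sh wrapper around `settings iot ban|unban|view` that validates the address list before handing it to Skynet, so a typo in a cron job or automation script cannot turn into a ban of the wrong host. The only path it relies on is /jffs/scripts/firewall, as shown in the thread; SKYNET_DRY_RUN is a switch constructed for this example (it defaults to printing the command, so the script can be tried off-router, and is set to 0 on the router to apply the change).

```shell
#!/bin/sh
# Added example, not part of Skynet or of any post in this thread: a POSIX sh
# wrapper around "sh /jffs/scripts/firewall settings iot ban|unban|view" so
# another script can cut a LAN device off from WAN and restore it later.
# Assumptions: Skynet is installed at /jffs/scripts/firewall (the path shown in
# the thread); SKYNET_DRY_RUN is constructed for this example and defaults to 1
# (print the command only). Run with SKYNET_DRY_RUN=0 on the router to apply.

SKYNET="${SKYNET:-/jffs/scripts/firewall}"
SKYNET_DRY_RUN="${SKYNET_DRY_RUN:-1}"

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4_cidr() {
    addr=${1%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac      # prefix: digits only
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*) return 1 ;; esac      # no empty octets
    oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1                             # exactly four octets
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 only if every comma-separated element (Skynet's list separator)
# is a valid IPv4 address or CIDR block.
valid_ip_list() {
    case "$1" in ''|,*|*,|*,,*) return 1 ;; esac
    oldifs=$IFS; IFS=,; set -f; set -- $1; set +f; IFS=$oldifs
    for entry in "$@"; do
        valid_ipv4_cidr "$entry" || return 1
    done
    return 0
}

# Build the exact command line Skynet expects for ban, unban or view.
skynet_iot_cmd() {
    action=$1; list=$2
    case "$action" in
        view)
            echo "sh $SKYNET settings iot view" ;;
        ban|unban)
            valid_ip_list "$list" || { echo "refusing: bad IP list '$list'" >&2; return 1; }
            echo "sh $SKYNET settings iot $action $list" ;;
        *)
            echo "unknown action '$action'" >&2; return 1 ;;
    esac
}

# Run the command, or print it when SKYNET_DRY_RUN is not 0.
skynet_iot() {
    cmd=$(skynet_iot_cmd "$@") || return 1
    if [ "$SKYNET_DRY_RUN" = 0 ]; then
        [ -f "$SKYNET" ] || { echo "Skynet not found at $SKYNET" >&2; return 1; }
        $cmd
    else
        echo "DRY RUN: $cmd"
    fi
}

# The thread's example: block the camera at 192.168.1.212, confirm, restore.
skynet_iot ban 192.168.1.212
skynet_iot view
skynet_iot unban 192.168.1.212
```

Skynet itself refuses a duplicate ban (as noted above), so the wrapper only checks the address format and leaves the existence check to Skynet; `settings iot view` remains the way to confirm what is currently banned.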
 
Hello. After install I get this:
[screenshot: upload_2020-2-3_17-25-50.png]


Router AC68U, firmware 384.15.b1
 
I got some strange outbound block on my router. Not sure if I should post in this thread or the merlin thread.

It looked like the router was trying to connect to a malicious IP address (TOR exit node). I don't have any TOR-related stuff set up on the router. A restart seemed to have stopped the behaviour, but it's worrisome why the router was trying to connect to that IP.

I use a strong random password on the router and the router access is restricted to LAN.
 

[attachment: Screen Shot 2020-02-03 at 10.54.27 PM.png]
@mafiaboy01, is this a used, open box or refurbished router?

Was a full M&M Config recently performed?
 
I got some strange outbound block on my router. Not sure if I should post in this thread or the merlin thread.

It looked like the router was trying to connect to a malicious IP address (TOR exit node). I don't have any TOR-related stuff set up on the router. A restart seemed to have stopped the behaviour, but it's worrisome why the router was trying to connect to that IP.

I use a strong random password on the router and the router access is restricted to LAN.
It's also known as an NTP server if you visited the otx link that Skynet provides.
[screenshot: upload_2020-2-3_23-21-13.png]
 
@mafiaboy01, I would do that M&M Config plus a Nuclear Reset pronto. ;)

Everything only seemed to be working great. You found a crack in the matrix today. :)
 
@mafiaboy01, I would do that M&M Config plus a Nuclear Reset pronto. ;)

Everything only seemed to be working great. You found a crack in the matrix today. :)
I think before anyone goes nuclear, @mafiaboy01 needs to see if these connections are on port 123 (ntp). If so, there's likely nothing to worry about other than a dual-purpose NTP pool server (time and crime).
Code:
firewall stats search ip 158.69.35.227
 
[screenshot: Screen Shot 2020-02-03 at 11.35.29 PM.png]
I think before anyone goes nuclear, @mafiaboy01 needs to see if these connections are on port 123 (ntp). If so, there's likely nothing to worry about other than a dual-purpose NTP pool server (time and crime).
Code:
firewall stats search ip 158.69.35.227

Ignore the latest few blocks. Those were me trying to load the address via my computer.

Seems like it was trying to connect via port 123
 

[attachment: Screen Shot 2020-02-03 at 11.31.29 PM.png]
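The check suggested above (are the blocked outbound connections to that address all on port 123?) can be done with `firewall stats search ip` as shown; when you want the same answer from raw syslog, broken down by destination, protocol and port, the following does it. This is an added example, not Skynet's code and not from any post in the thread. The log lines are constructed here in the shape of netfilter LOG output; the "[BLOCKED - OUTBOUND]" prefix is an assumption, so set SKYNET_PREFIX to whatever prefix your own syslog shows. 158.69.35.227 is the address from the thread; the other addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not part of Skynet or of any post in this thread: triage
# blocked OUTBOUND syslog entries by destination IP, protocol and port, so an
# NTP pool server that also sits on a blocklist (UDP/123, the "time and crime"
# case above) can be told apart from a LAN host reaching out on an unexpected
# port. The log format is assumed to be netfilter LOG output with the prefix
# "[BLOCKED - OUTBOUND]"; override SKYNET_PREFIX if yours differs.

SKYNET_PREFIX="${SKYNET_PREFIX:-[BLOCKED - OUTBOUND]}"

# Constructed sample syslog lines (not a real capture). The TCP/443 line to
# 158.69.35.227 stands for the poster loading the address from a computer.
sample_log() {
cat <<'EOF'
Feb  3 22:50:01 router kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.1 DST=158.69.35.227 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123 LEN=56
Feb  3 22:50:17 router kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.1 DST=158.69.35.227 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123 LEN=56
Feb  3 23:31:02 router kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.55 DST=158.69.35.227 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=443 WINDOW=65535
Feb  3 23:31:05 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 LEN=40 TTL=52 PROTO=TCP SPT=44321 DPT=22
Feb  3 23:40:44 router kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=9001
Feb  3 23:41:10 router kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.1 DST=203.0.113.50 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123 LEN=56
EOF
}

# Read syslog on stdin; print "DST PROTO DPT count" for each blocked outbound
# flow, most frequent first.
summarise_outbound() {
    grep -F "$SKYNET_PREFIX" | awk '{
        dst = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (dst != "") count[dst " " proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort -k4,4nr -k1,1
}

# Read syslog on stdin; return 0 if every blocked outbound hit to $1 was NTP
# (UDP to port 123) and there was at least one hit, 1 otherwise.
ntp_only() {
    ip=$1
    hits=$(grep -F "$SKYNET_PREFIX" | grep -F "DST=$ip " || true)
    total=$(printf '%s\n' "$hits" | grep -c "DST=" || true)
    ntp=$(printf '%s\n' "$hits" | grep -Ec "PROTO=UDP .*DPT=123( |$)" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$ntp" ]
}

# Demo on the constructed sample; on a router, feed the real syslog instead,
# e.g.  summarise_outbound < /tmp/syslog.log
sample_log | summarise_outbound
if sample_log | ntp_only 158.69.35.227; then
    echo "158.69.35.227: NTP (UDP/123) only"
else
    echo "158.69.35.227: non-NTP traffic present, look at the other ports"
fi
```

On the sample, the top line is `158.69.35.227 UDP 123 2`, and the address fails the NTP-only test solely because of the manual TCP/443 attempt; the 198.51.100.7 TCP/9001 entry from a LAN host is the kind of line that deserves a closer look.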