Skynet Skynet - Router Firewall & Security Enhancements


nas is required for WPA authentication, wanduck is required to handle the WAN interface, and watchdog will handle various things including DDNS updates. You shouldn't interfere with these services.

Thanks, it appears enabling nas fixed some inconsistency issues I faced connecting to wifi.
 
Merlin noob here with some generic questions… been wanting to try Skynet for some time now. With AMTM on the latest Merlin firmware I gave it a go on my RT-AX88U.

1. I assume it's OK to turn off SSH after it's installed? I see I can do the “LAN Only” setting and even specify a different port number but if I can, I'd rather turn it off until I need to Putty into it again.

2. I used an old 1GB USB drive and during install I noticed I could use a 2GB swap. Any noticeable performance difference with a 2GB swap drive?

3. Would a USB 3.0 drive have any performance benefit?

4. Very generic and possibly off topic. I run PiHole; I suspect there would be no issues....I might abandon my PiHole and check out Diversion. Curious if anyone is running PiHole with Skynet.
 
Merlin noob here with some generic questions… been wanting to try Skynet for some time now. With AMTM on the latest Merlin firmware I gave it a go on my RT-AX88U.

1. I assume it's OK to turn off SSH after it's installed? I see I can do the “LAN Only” setting and even specify a different port number but if I can, I'd rather turn it off until I need to Putty into it again.
Yeah, doesn't hurt anything to turn off SSH. OTOH, if something is inside your network, having SSH open on the LAN side of the router is the least of your worries. If you're lazy (like me) and don't want to type passwords, set up SSH keys and set "Allow Password Login" to 'No'.
2. I used an old 1GB USB drive and during install I noticed I could use a 2GB swap. Any noticeable performance difference with a 2GB swap drive?
IMHO, no. 512MB is fine. Others have differing opinions. You may find having only a 1 GB USB is limiting though depending on what you install. I have a 512MB swap file and I'm using right at a gig total (i.e. including the swap file), but I do have a lot of Entware stuff installed.
3. Would a USB 3.0 drive have any performance benefit?
Doubtful. I have a USB 3.0 SSD in an external enclosure, significantly faster than any USB stick, and I'd be hard pressed to tell you it really has any benefit.
4. Very generic and possibly off topic. I run PiHole; I suspect there would be no issues....I might abandon my PiHole and check out Diversion. Curious if anyone is running PiHole with Skynet.
Someone else will need to answer this one. I use Diversion and Skynet, never have used a PiHole.
 
I upgraded to Merlin 384.15 yesterday and installed Diversion.
But when I installed Skynet in amtm today, it shows Failed in the amtm menu.
Already tried to reinstall, but it's not working. Please help!


Router Model; RT-AX88U
Skynet Version; (10/02/2020) (4a00829efa2ab48e59fd37c5916dadb7)
iptables v1.4.15 - (ppp0 @ 192.168.0.1)
ipset v6.32, protocol version: 6
IP Address; (220.132.17.73) - (2001:b011:300d:30e1::/64)
FW Version; 384.15_0 (Feb 8 2020) (4.1.51)
Install Dir; /tmp/mnt/sda1/skynet (4.8G / 7.2G Space Available)
Cron Jobs | [Failed]
IPSets | [Failed]
IPTables Rules | [Failed]
 
@kidd232, how is your USB drive formatted?
 
8G USB drive, formatted to ext4 with 1 partition, and a 2G swap file set up when I upgraded to 384.15 yesterday.

Now when I get in Skynet through amtm, it shows
"Skynet: [*] Lock File Detected (start skynetloc=/tmp/mnt/sda1/skynet) (pid=1586)"
 
What router are we talking about?

Did you also enable journalling on that Ext4 partition? And also install Disk Checker? If you did, what does the dcl command in amtm show? Is the USB drive 'clean'?

Does rebooting the router fix things? After the reboot, wait at least 10 to 15 minutes, depending on your router for it to fully initialize all functions.
 
RT-AX88U with journalling Ext4 partition.

I got new message now, "Skynet: [*] USB Not Found - Sleeping For 10 Seconds"
But I can see the partition in the webui, Diversion and the swap file are still working, and I can access sda1 through WinSCP.

I just installed the disk checker, but when I use the dcl command,
it shows "No amtm-disk-check.log found"
 
You need to reboot the router for the disk checker to run at least once for 'dcl' to work. :)
 
the log for disk checker:
/dev/sda1: clean, 1221/488640 files, 603043/1952527 blocks
Wed Feb 12 14:08:17 CST 2020 Disk check done on /dev/sda1
 
Does updating Skynet work now?
 
After reboot, it shows this message in amtm:
Skynet: [*] Lock File Detected (start skynetloc=/tmp/mnt/sda1/skynet) (pid=6102)
 
Can you uninstall it now?

If not, either wait for others to help here or, format the USB drive and start over.

You may want to have a look at the amtm Step-by-Step Guide for further suggestions.

Do you have any other scripts running? Are you using DoT? Are you using Manual WAN DNS settings?

As you can guess now, any additional information you can provide will help us help you. Can you post any screenshots of your setup? That would be easiest for everyone. ;)
 
Thank you L&LD, I found my /jffs/scripts/firewall-start script was wrong: it contained a duplicated line. I removed one and it's working now!

sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/sda1/skynet # Skynet Firewall Addition
sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/sda1/skynet # Skynet Firewall Addition
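The duplicated firewall-start line above is easy to miss by eye, so here is an added check (example code written for this page, not part of the thread or of the Skynet project) that counts Skynet entries in a firewall-start script and removes byte-identical repeats while leaving every other line untouched. It assumes Skynet's entry is recognisable by its trailing "# Skynet Firewall Addition" comment, exactly as shown in the post; the sample script it runs against is constructed in a temp file so nothing under /jffs is modified.

```shell
#!/bin/sh
# Added example, not from this thread or from the Skynet project: inspect a
# firewall-start script for the duplicated Skynet line kidd232 found, and
# remove exact duplicates while leaving every other line alone.
# Assumption: Skynet's entry is recognised by its trailing comment
# "# Skynet Firewall Addition", exactly as it appears in the post above.

MARKER='# Skynet Firewall Addition'

# Count how many Skynet entries a script contains (0 if the file is missing).
skynet_entry_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -F "$MARKER" "$1" || true
}

# Report whether the script carries exactly one Skynet entry.
# Returns 0 when it does, 1 otherwise, so it can drive a fix-up step.
check_firewall_start() {
    n=$(skynet_entry_count "$1")
    if [ "$n" -eq 1 ]; then
        echo "$1: one Skynet entry (ok)"
        return 0
    fi
    echo "$1: $n Skynet entries (expected exactly 1)"
    return 1
}

# Drop repeated Skynet lines that are byte-for-byte identical to an earlier
# one; lines with a different skynetloc are kept so nothing is silently changed.
dedupe_skynet_entries() {
    f="$1"
    tmp="$f.tmp.$$"
    awk -v marker="$MARKER" '
        index($0, marker) { if (seen[$0]++) next }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Constructed sample reproducing the broken script from the post, written to
# a temp file so this demo never touches /jffs on a real router.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#!/bin/sh
sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/sda1/skynet # Skynet Firewall Addition
sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/sda1/skynet # Skynet Firewall Addition
EOF

check_firewall_start "$SAMPLE" || dedupe_skynet_entries "$SAMPLE"
check_firewall_start "$SAMPLE"
rm -f "$SAMPLE"
```

On a router you would point the functions at the real file, e.g. `check_firewall_start /jffs/scripts/firewall-start`, and only run the dedupe step after looking at what it reports; a count of 0 means Skynet's hook is missing rather than duplicated, which the check also flags.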
 
I note that some people have used huge lists of country bans, but I would be concerned that this would be restrictive to internet usage. This may be a daft question, but is there a 'sensible' list to use? At the moment, I have set:

cn ir kp ro rs ru ua

I'm not sure how much use this actually is anyway. I do not run any self-hosted services such as a cloud drive or http server (at the moment).
 
FWIW, NextDNS offers to block these TLDs in the Security tab:
  • .ru
  • .cn
  • .ir
As well as the Spamhaus #10 Most Abused TLDs:
  1. .live
  2. .tk
  3. .gq
  4. .ga
  5. .buzz
  6. .cf
  7. .loan
  8. .ml
  9. .fit
  10. .top
 
At the moment, I have set:

cn ir kp ro rs ru ua

Moldova (md) seems to be right up there (2nd position) in “Top 10 Blocks (Inbound)” for me, so I’m thinking that may be a prudent choice as well perhaps?
 
Yeah, doesn't hurt anything to turn off SSH. OTOH, if something is inside your network, having SSH open on the LAN side of the router is the least of your worries. If you're lazy (like me) and don't want to type passwords, set up SSH keys and set "Allow Password Login" to 'No'.

IMHO, no. 512MB is fine. Others have differing opinions. You may find having only a 1 GB USB is limiting though depending on what you install. I have a 512MB swap file and I'm using right at a gig total (i.e. including the swap file), but I do have a lot of Entware stuff installed.

Doubtful. I have a USB 3.0 SSD in an external enclosure, significantly faster than any USB stick, and I'd be hard pressed to tell you it really has any benefit.

Someone else will need to answer this one. I use Diversion and Skynet, never have used a PiHole.

This. I use 512MB; a 2GB swap is just a waste of space on the drive. Even with 512 my router has never touched the swap ever.
 
This. I use 512MB; a 2GB swap is just a waste of space on the drive. Even with 512 my router has never touched the swap ever.
Best recommendation I have seen from those who write scripts we use is to make swap same size as router memory capacity. That covers all scenarios, install, processing, multiple scripts running at once, etc.


My AC86U has 512 MB, that is the size swap file I run. After ~ five days uptime:
Code:
usr_name@RT-AC86U-4608:/tmp/home/root# free

             total       used       free     shared    buffers     cached
Mem:        440420     410228      30192        400      30928      64604
-/+ buffers/cache:     314696     125724
Swap:       524284      16956     507328
 
FWIW, NextDNS offers to block these TLDs in the Security tab:
  • .ru
  • .cn
  • .ir
As well as the Spamhaus #10 Most Abused TLDs:
  1. .live
  2. .tk
<snip>
Keep in mind Skynet is blocking IP ranges *associated with countries* not TLDs. We've already seen examples where a .cn (China Daily News IIRC) domain is accessible because its IP is actually in the UK.

My method for identifying country-level blocks is this: do I have any business of any sort in one of those countries, and if not - especially if they have a sketchy history - then they go on the block list.

Only once was I surprised by blocking a country and later finding out that one of my VOIP providers has a backup server there. I needed to either unblock the country or whitelist the IP, or decide if I wanted to move away from that provider. I ended up whitelisting that server IP.

Ironically some of the top antivirus companies are in countries that I normally wouldn't patronize (e.g., Bitdefender has a primary IP in Romania - 81.161.59.90). Avast has some in the Netherlands (which isn't on my country-level block list).
 