Skynet Skynet - Router Firewall & Security Enhancements

[Mutzli]

There is a minor update available now. What are the changes?

Changes are always posted here

 

[MarQ]

Hi Guys,
can anybody help a newb, i installed several scripts, but have problems with installing/uninstalling skynet. everytime i want to start skynet i get this screen. diversion and other scripts are working flawlessly.

 

[L&LD]

@MarQ what router? What firmware are you running? Has a reboot and waiting for at least 10 to 15 minutes helped?

 

[MarQ]

Asus RT-AC5300 with latest merlin 384.15, yes i rebooted and waited a lot.
i can not get into the menu for skynet like diversion and others. no error nothing.

 

[L&LD]

@MarQ what other scripts have you installed? What order? What other features are you using on the router itself?

And of course, when was the last time an M&M Config was performed on this router?

 

[MarQ]

Diversion, connmon, uiDivStats (in that order). No other features.

 

[L&LD]

Try uninstalling all of those and start like so:

https://www.snbforums.com/threads/order-of-installing-popular-scripts.61854/#post-551865

 

[dev_null]

Your log file was probably purged recently (we purge this at 10MB) and you haven't had any outbound blocks since. Compare the stats webpage to the CLI version, only then if there is a difference you should investigate further;

sh /jffs/scripts/firewall stats

I updated to 384.15 on Friday and in the UI tab I'm getting "no data to display" for both "Last 10 Unique Connections Blocked (Outbound)" and "Top 10 Blocks (Outbound)".

I have 18+ hours of data:

Logging Data Detected in /tmp/mnt/120G/skynet/skynet.log - 7.5M
Monitoring From Feb 15 11:43:14 To Feb 16 18:48:37
26244 Block Events Detected
1272 Unique IPs
0 Manual Bans Issued

Setup looks okay (custom log message has been around since 384.13).

Spoiler: Debug

Router Model; RT-AC66U_B1
Skynet Version; v7.1.1 (17/02/2020) (851a52ce3484e6f95c7d04e06bf876bb)
iptables v1.4.15 - (eth0 @ 10.1.1.1)
ipset v6.32, protocol version: 6
IP Address; (xxx.xxx.xxx.xxx)
FW Version; 384.15_0 (Feb 11 2020) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/120G/skynet (103.1G / 110.0G Space Available)
SWAP File; /tmp/mnt/120G/myswap.swp (1.0G)
Syslog Location; (/opt/var/log/skynet-0.log) (/tmp/syslog.log-1)
Banned Countries; ru cn ir iq ua by al af ba az bg cz kp kz kg ly md ng pk rs ro sk ye dz bn bo hr ly ne
Uptime; 2 days, 8 hours, 27 minutes.
Ram Available; (50M / 249M)

-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
Service-Event Entry | [Passed]
SWAP File | [Passed]
Cron Jobs | [Passed]
NTP Sync | [Passed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
IPSets | [Passed]
IPTables Rules | [Passed]
Local WebUI Files | [Passed]
Mounted WebUI Files | [Passed]
MenuTree.js Entry | [Passed]
Diversion Plus Content | [Passed]


----------- | ----------
| Setting | | | Status |
---------- | ----------

Skynet Auto-Updates | [Disabled]
Malware List Auto-Updates | [Enabled]
Logging | [Enabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid Packets | [Disabled]
Ban AiProtect | [Enabled]
Secure Mode | [Enabled]
Fast Switch List | [Disabled]
Syslog Location | [Custom]
IOT Blocking | [Disabled]
Country Lookup For Stats | [Enabled]
CDN Whitelisting | [Enabled]
Display WebUI | [Enabled]

17/17 Tests Sucessful

Same is true of the SSH report for 'Unique' (no results show up in the report, despite there being many blocked IPs in the log):

Spoiler: Unique

Last 10 Unique Connections Blocked (Outbound);

-------------- | -------------- | --------------
| IP Address | | | AlienVault | | | Ban Reason |
-------------- | -------------- | --------------

-*-

AND for the SSH report for "Top 10 (Outbound)" - nothing in the summary:

Spoiler: Top-10 SSH

Top 10 Blocks (Outbound);

-------- | -------------- | -------------- | -----------
| Hits | | | IP Address | | | AlienVault | | | Ban Reason |
-------- | -------------- | -------------- | -----------

*--

All the other stats seem to be working. I've reinstalled, restarted, rebooted, etc., without success. Any help appreciated.

 

[Makaveli]

I don't see an uninstall then reinstall listed?

Did you try that?

 

[CaptainSTX]

I updated to 384.15 on Friday and in the UI tab I'm getting "no data to display" for both "Last 10 Unique Connections Blocked (Outbound)" and "Top 10 Blocks (Outbound)".

I have 18+ hours of data:

Probably because there were none. Before the data reset after several days I had 137,000 inbound blocks and no outbound. Of course I try to avoid sketchy sites. Wife on her Ipad sometimes generates a block.

 

[dev_null]

I don't see an uninstall then reinstall listed?

Did you try that?

You bet. Reinstall both after de-install and as an over-write. No joy. De-install, reboot, reinstall too.

Probably because there were none. Before the data reset after several days I had 137,000 inbound blocks and no outbound. Of course I try to avoid sketchy sites. Wife on her Ipad sometimes generates a block.

117424 IPs (+0) -- 28607 Ranges Banned (+0) || 576 Inbound -- 4868 Outbound Connections Blocked!

Tons of blocks. I waited before posting to make sure there was actual data available (lots of outbound because I've got a housefull of teenagers on February break, all using iDevices full of apps).

 

[5stringdeath]

I've got a housefull of teenagers on February break, all using iDevices full of apps).

You're from MA -- shouldn't you be in Florida?

 

[Joshuajackson]

@Joshuajackson, time to upgrade to an @GNUton compatible DSL model then?

i bought it two days ago and the DSL-AC68U is too expensive over 200USD

 

[Adamm]

You bet. Reinstall both after de-install and as an over-write. No joy. De-install, reboot, reinstall too.



117424 IPs (+0) -- 28607 Ranges Banned (+0) || 576 Inbound -- 4868 Outbound Connections Blocked!

Tons of blocks. I waited before posting to make sure there was actual data available (lots of outbound because I've got a housefull of teenagers on February break, all using iDevices full of apps).

Does the output from the SSH version of stats provide different data to the WebUI version?

sh /jffs/scripts/firewall stats

i bought it two days ago and the DSL-AC68U is too expensive over 200USD

Not sure what website you are buying from, they are listed as $150AUD ($100USD) new on eBay and even less second hand.

 

[rgnldo]

A doubt: does Skynet have limitations with IPV6?
I know they are different applications, I noticed that Suricata IDS/IPS has rules with block Bot's, IP blocks, spamhaus, malware etc and still has IPV6 support.

 

[Adamm]

A doubt: does Skynet have limitations with IPV6?
I know they are different applications, I noticed that Suricata IDS/IPS has rules with block Bot's, IP blocks, spamhaus, malware etc and still has IPV6 support.

With IPv6 blacklisting is essentially useless. A standard residential allocation is /56 which equates to 4,722,366,482,869,645,213,696 (not a typo) addresses.

 

[ICDeadPpl]

I had some network shares mounted on my router when I tried to install Skynet.
It tried to find the swap file by searching the network shares, which would have taken a very long time.
I did a CTRL-C and unmounted the network shares. After that, the Skynet installation went as it should.

 

[dev_null]

Does the output from the SSH version of stats provide different data to the WebUI version?

sh /jffs/scripts/firewall stats

No, as I indicated in my "spoiler snips" above - SSH shows nothing for these either.

Same is true of the SSH report for 'Unique' (no results show up in the report, despite there being many blocked IPs in the log):

Spoiler: Unique

Last 10 Unique Connections Blocked (Outbound);

-------------- | -------------- | --------------
| IP Address | | | AlienVault | | | Ban Reason |
-------------- | -------------- | --------------

-*-

AND for the SSH report for "Top 10 (Outbound)" - nothing in the summary:

Spoiler: Top-10 SSH

Top 10 Blocks (Outbound);

-------- | -------------- | -------------- | -----------
| Hits | | | IP Address | | | AlienVault | | | Ban Reason |
-------- | -------------- | -------------- | -----------

*--

 

[rgnldo]

With IPv6 blacklisting is essentially useless. A standard residential allocation is /56 which equates to 4,722,366,482,869,645,213,696 (not a typo) addresses.

Thank you for the information.

 

[Adamm]

I had some network shares mounted on my router when I tried to install Skynet.
It tried to find the swap file by searching the network shares, which would have taken a very long time.
I did a CTRL-C and unmounted the network shares. After that, the Skynet installation went as it should.

Skynet only does this during startup if your post-mount swapon entry is missing, so something must have edited that file.

No, as I indicated in my "spoiler snips" above - SSH shows nothing for these either.

Thats because your logs were purged as they reached 10MB. I previously didn't reset the counter during this situation but now that more people pay attention to it due to the WebUI I've changed this.