Skynet - Router Firewall & Security Enhancements

@MarCoMLXXV ... thanks for the reply

Even after uninstalling and reinstalling, no change.

(RT-AC87U, 380.67b2, AB-Solution, dnscrypt-Installer and kvic's NTP Daemon)

sh /jffs/scripts/firewall start

Skynet: [INFO] Startup Initiated...
ipset v6.32: Cannot open /jffs/scripts/ipset.txt for reading: No such file or directory
Skynet: [Complete] IPs / Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [3s]
 
Does Skynet provide TOR node blocking? If so - how?

I do not include TOR Nodes in the banmalware filter lists, but these can be easily imported using the "firewall import" command. I figured users would have legitimate use for TOR so I should keep it unblocked.

Any chance to include DNSCrypt into this? Maybe borderline firewall - however a more secure way of name resolution?

I figure it's best to have a separate script for this so other maintainers can give it their full attention.

Will there be any integration to the WEB gui, like the NTP daemon code by kvic: https://www.snbforums.com/threads/ntp-daemon-for-asuswrt-merlin.28041/

I did look into this, and while possible I decided against it for a few reasons. One of those being that every time the router's UI is updated, the whole /www needs to be re-copied and re-mounted (plus any custom edits). I feel like this will just lead to more issues in the future than it's worth.

After (error-free) installation, router restart, the following output in syslog:
And how can this "spam" be turned off, even after uninstallation?

This spam indicates the iptables rules were not applied properly. Can you please run the following commands and post the output:

Code:
sh /jffs/scripts/firewall debug restart

(wait 10 seconds then)

sh /jffs/scripts/firewall debug info
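As an added example that is not part of this thread or of Skynet's own code: the answer earlier in this post says TOR node lists (or any other list) can be fed in with the "firewall import" command, which in the end means loading entries into the ipsets the debug output names (Blacklist for single hosts, BlockedRanges for CIDR ranges). The script below shows how a plain list is validated and turned into `ipset restore` input, splitting hosts and ranges into those two sets. The set names come from the debug output on this page; the input format (one entry per line, `#` comments), the `maxelem` value and the sample list are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Skynet's own code): convert a plain list of IPv4
# addresses and CIDR ranges into `ipset restore` input. Single hosts go to
# the "Blacklist" set and ranges to the "BlockedRanges" set, the two sets
# Skynet's debug output reports. Input format is an assumption: one entry
# per line, '#' starts a comment.

# Octet pattern (0-255) used to validate dotted-quad addresses.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4="$OCTET\\.$OCTET\\.$OCTET\\.$OCTET"

# is_ipv4 ADDR: exit 0 if ADDR is a valid host address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq "^$IPV4$"
}

# is_cidr ADDR/LEN: exit 0 if ADDR is valid and LEN is 0-32.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq "^$IPV4/(3[0-2]|[12]?[0-9])$"
}

# gen_ipset_restore FILE: print `ipset restore` lines for FILE on stdout.
# Invalid entries are reported on stderr and skipped rather than aborting,
# so one bad line in a downloaded feed does not block the whole import.
# maxelem is raised because ipset's default of 65536 is smaller than the
# ~130k entries a malware feed can contain (value chosen for this example).
gen_ipset_restore() {
    printf 'create Blacklist hash:ip family inet maxelem 262144\n'
    printf 'create BlockedRanges hash:net family inet maxelem 262144\n'
    # Strip comments, trailing whitespace and blank lines before validating.
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
    while IFS= read -r entry; do
        if is_ipv4 "$entry"; then
            printf 'add Blacklist %s\n' "$entry"
        elif is_cidr "$entry"; then
            printf 'add BlockedRanges %s\n' "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# Constructed sample list (not a real feed). On the router the output would
# be piped into `ipset -! restore` so that already-present sets and entries
# are tolerated instead of aborting the load.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed sample blocklist
192.0.2.10
198.51.100.0/24
203.0.113.7   # trailing comment
999.1.1.1
203.0.113.0/33
not-an-ip
EOF
gen_ipset_restore "$SAMPLE"
rm -f "$SAMPLE"
```

The three malformed entries are rejected by the regex checks and reported on stderr; the remaining lines are valid `ipset restore` syntax for the two sets, and the iptables rules Skynet already installs (the `match-set` rules visible later in this thread) then act on whatever those sets contain.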
 
Code:
Router Model: RT-AC87U
Skynet Version: v5.0.2 (01/07/2017)
iptables v1.4.14 - (eth0)
ipset v6.32, protocol version: 6
FW Version: 380.67_beta2 (Jun 30 2017)
Install Dir; /jffs (62.8M Space Available)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate
Install Dir Writeable
Startup Entry Detected
Cronjobs Detected
Autobanning Enabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [1s]
 
Skynet appears to be waiting for the USB drive to be mounted, as previously discussed, then starts at a second attempt, to exit immediately after finding a lock file. How can it find a lock file if it wasn't running and I did a clean reboot through the WebUI? Isn't the lock file removed on shutdown/reboot?

During boot the restart_firewall event is called twice (thus Skynet is executed twice). This was the main reason I added lock file support, as there were instances where the two instances would "race" each other and cause issues. So generally, seconds after the first Skynet process is started, there will be a second Skynet process which detects the first and then proceeds to exit.

I'd also like to add that the lock files are smart in the sense that one will not be honoured if the process it was linked to is no longer running.

And last but not least, could you add a line to the startup script to have logger write to syslog which switches are being used? I put it in debug mode and totally forgot about it, so it would be nice to have the switches used when the script is invoked show up in syslog.

I will look into adding this in the "Skynet Initiated" line.
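To illustrate the lock-file behaviour described in the reply above (a lock is only honoured while the process that created it is still alive, so the second boot-time instance backs off but a leftover lock from a dead run does not block the next start), here is a small stale-aware PID lock written for this page. It is an added example, not Skynet's own code, and the lock path is an assumption.

```shell
#!/bin/sh
# Added example (not Skynet's own code): a PID lock file that is only
# honoured while its owning process is still running. LOCK path is an
# assumption for this example.

LOCK="${LOCK:-/tmp/skynet-example.lock}"

# lock_holder_alive LOCKFILE: exit 0 if LOCKFILE names a running PID.
# `kill -0` sends no signal; it only checks that the PID exists (and that
# we may signal it, which is always true for root on the router).
lock_holder_alive() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as stale
    esac
    kill -0 "$pid" 2>/dev/null
}

# acquire_lock LOCKFILE [PID]: take the lock for PID (default: this shell).
# Returns 0 on success, 1 if a live holder already owns it; a stale lock is
# simply overwritten. Caveat: read-check-write is not atomic, so two
# instances starting within the same few milliseconds could both pass the
# check. That window is much smaller than the "seconds" between the two
# boot-time starts described above, but for a strict guarantee use
# mkdir-based or flock-based locking instead.
acquire_lock() {
    if lock_holder_alive "$1"; then
        return 1
    fi
    printf '%s\n' "${2:-$$}" >"$1"
}

# release_lock LOCKFILE: remove the lock on clean exit.
release_lock() {
    rm -f "$1"
}

# Demonstration. First plant a deliberately stale lock: the PID of a child
# that has already exited cannot be running, so the lock must be ignored.
sh -c 'exit 0' &
dead_pid=$!
wait "$dead_pid"
printf '%s\n' "$dead_pid" >"$LOCK"
if acquire_lock "$LOCK"; then
    echo "stale lock from pid $dead_pid ignored; now held by $$"
fi
# A second instance now finds a live holder and backs off, exactly as the
# second Skynet process started by the doubled restart_firewall event does.
if ! acquire_lock "$LOCK" 99999; then
    echo "live lock respected; second instance would exit here"
fi
release_lock "$LOCK"
```

On a reboot the lock lives in RAM-backed storage or is simply left behind, but because the check is "is the recorded PID alive" rather than "does the file exist", the next start is never blocked by a file the previous boot forgot to remove.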
 
It looks like either the restart or reinstall fixed whatever issue you are having. Skynet looks to now be working perfectly.
 
I just looked closer at your issue. First of all, you should never need to run the start command manually (which is why I leave it undocumented). It is best to let the router handle this itself, as there is a good chance the user will forget particular boot args.

Secondly the "DROP IN" print after uninstall was due to the "Logged packets type" setting which I assume you found in the router UI.

Third, the ipset.txt error was due to the save function not having been called yet on a fresh install (it creates the file) and you running a command that the system usually handles (no one would normally ever see this error).

This being said, there was no issue to begin with, you were just running a command you shouldn't have needed to.
 
do you have public logs on ip who downloads the script or wgets? since installing this about 2 hours ago I am getting 20+ attempts to login from all sorts of ips. never had much in attempts to get my ip before.

I don't host any content, nor are logs accessible by anyone. Everything is hosted on GitHub, so they are the only ones with access logs. Bots scanning your IP is very common; I think you are just noticing it for the first time as it's made clear in the syslog with this script.
 
Thank you for your help and feedback. :)

It seems to work well, but why is it still not blocked?

Code:
Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [1s]
 
Please elaborate on "it". What exactly isn't being blocked.
 
Like for example here in your output on page 1.
Or I understand maybe something wrong..?

Code:
Jun 24 15:54:26 Skynet: [INFO] Startup Initiated...
Jun 24 15:54:34 Skynet: [Complete] 130448 IPs / 3020 Ranges Banned. 130448 New IPs / 3020 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [9s]

(I had the "DROP IN" print in the syslog again now, but no longer so many.)
 
That is the output any user should see upon reboot. The reason I have that many IPs blocked is because I use the "banmalware" feature, if that is what you are referring to.

If you are still seeing the DROP IN print, please post the output of the following:

Code:
iptables -L
 
The output is quite large, I hope this is enough?

Code:
...@RT-AC87U:/tmp/home/root# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere          
PTCSRVLAN  all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
INPUT_ICMP  icmp --  anywhere             anywhere          
DROP       all  --  anywhere             anywhere
 
The logdrop chain is the one I am after in particular:

Code:
iptables -L logdrop
 
Code:
ASUSWRT-Merlin RT-AC87U 380.67-beta2 Fri Jun 30 17:02:54 UTC 2017
...@RT-AC87U:/tmp/home/root# iptables -L logdrop
Chain logdrop (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             match-set Whitelist src
DROP       tcp  --  anywhere             anywhere             multiport sports www,https,imap2,imaps,pop3,pop3s,smtp,ssmtp state INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,ACK
ACCEPT     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,ACK
ACCEPT     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/RST
ACCEPT     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/RST,ACK
LOG        all  --  anywhere             anywhere             state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - NEW BAN] "
SET        all  --  anywhere             anywhere             state INVALID add-set Blacklist src
DROP       all  --  anywhere             anywhere           
...@RT-AC87U:/tmp/home/root#
 
There shouldn't be any "DROP IN=" messages in your syslog; the rule doesn't exist (which is intended functionality upon Skynet startup), so there is no possible way these messages can be appearing. Everything again looks fine and should be working as expected.
 
Noticed that when using Facebook on the phone, I've got many log entries with SRC being the phone IP and DST being the Facebook server IP. In this case, is it the right procedure to whitelist Facebook with:

Code:
 ...firewall whitelist "DST ip"
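Both the "20+ attempts to login" in the first post and the SRC/DST entries in the post above are iptables LOG lines in syslog, and reading them correctly is what decides between a ban and a whitelist entry. The script below is added here and is not part of the thread or of Skynet; it parses such lines to answer the two questions raised: which outside hosts keep hitting which ports on the router, and which destinations a given LAN host is being logged against. The log lines are constructed; treating eth0 as the WAN interface (as in the "(eth0)" line of the debug output) and br0 as the LAN bridge, and the plain "DROP" prefix for the "DROP IN=" messages, are assumptions. The "[BLOCKED - NEW BAN]" prefix is the one shown in the logdrop chain earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Skynet): summarise iptables LOG
# lines as they appear in an Asuswrt-Merlin syslog. Interface names are
# assumptions: eth0 is treated as the WAN side and br0 as the LAN bridge.

# One awk program serves both views. Every KEY=VALUE token on a LOG line is
# collected into the array f; tokens without "=" (DF, SYN, "[BLOCKED") are
# ignored. Lines without an IN= field are not LOG lines and are skipped.
IPT_LOG_AWK='
    /IN=/ {
        split("", f)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        dpt = ("DPT" in f) ? f["DPT"] : "-"    # ICMP carries no port
        # inbound: arrived on the WAN interface, addressed to the router
        # itself (empty OUT=), i.e. scans and login attempts
        if (mode == "inbound" && f["IN"] == wan && f["OUT"] == "")
            count[f["SRC"] " " f["PROTO"] " " dpt]++
        # outbound: forwarded from one LAN host and leaving via the WAN
        if (mode == "outbound" && f["SRC"] == src && f["OUT"] == wan)
            count[f["DST"] " " f["PROTO"] " " dpt]++
    }
    END { for (k in count) print count[k], k }
'

# log_top_sources FILE [WAN_IF]: "count SRC PROTO DPT", busiest first.
log_top_sources() {
    awk -v mode=inbound -v wan="${2:-eth0}" "$IPT_LOG_AWK" "$1" | sort -rn
}

# log_outbound_dsts FILE SRC [WAN_IF]: "count DST PROTO DPT" for one LAN host.
log_outbound_dsts() {
    awk -v mode=outbound -v src="$2" -v wan="${3:-eth0}" "$IPT_LOG_AWK" "$1" | sort -rn
}

# Constructed sample syslog excerpt (documentation-range addresses, fake MAC).
SAMPLE_LOG='Jul  1 10:15:22 RT-AC87U kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44213 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 10:15:23 RT-AC87U kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44214 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 10:15:40 RT-AC87U kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=5021 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 10:15:50 RT-AC87U kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=1234 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Jul  1 10:16:02 RT-AC87U kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=61000 DPT=445 WINDOW=1024 RES=0x00 URGP=0
Jul  1 10:16:30 RT-AC87U kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  1 10:16:31 RT-AC87U kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.201 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=778 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  1 10:17:00 RT-AC87U Skynet: [Complete] 4 IPs / 0 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 5 Inbound / 2 Outbound Connections Blocked! [1s]'

SAMPLE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" >"$SAMPLE"
echo "== inbound: count source protocol port =="
log_top_sources "$SAMPLE"
echo "== outbound from 192.168.1.50: count destination protocol port =="
log_outbound_dsts "$SAMPLE" 192.168.1.50
rm -f "$SAMPLE"
```

The inbound view is what the first poster was seeing: repeated SYNs to port 22 from one address are a scanner, not someone who learned the IP from a download log. The outbound view answers the question above: it lists every DST a phone was logged against, so the decision to whitelist is made per destination from evidence rather than by copying one log line.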
 
