azdeltawye
Occasional Visitor
Try reinstall Scribe (not uiScribe), like I said it sounds like a configuration issue as Scribe usually changes the syslog location setting in Skynet.
Ha, that did it!
Thank You!!
There is no valid explanation for it to be in the Whitelist. Get it out of there immediately.
Hello
Can you explain me
122.228.19.79 is in set Skynet-Whitelist.
122.228.19.79 is in set Skynet-Blacklist.
122.228.19.79 is in set Skynet-BlockedRanges.
Whitelist Reason;
122.228.19.79 "Private IP"
Blacklist Reason;
"BanMalware: normshield_high_attack.ipset"
BlockedRanges Reason;
122.228.19.0/24 "BanMalware: firehol_level3.netset"
?
I do not understand why that IP is in Whitelist ??? A bit surprised to see an IP white/black listed at the same time.
I will ban it manually because it tried to connect my @home VPN server.
Thanks
It somehow picked it up as a private IP in the Unban_PrivateIP function. You should review your block logs to understand how that happened, or post them if you want.
https://github.com/Adamm00/IPSet_ASUS/blob/master/firewall.sh#L779
I have never added something manually.
Is your router’s WAN IP private or public? Any double-NAT? Just guessing...
public. Connected to an ISP box in its DMZ.
Can you please post the output of;
sh /jffs/scripts/firewall stats search ip 122.228.19.79
Not quite sure how it ended up on the Private IP list as it doesn't match the regex so I will need to see the log entries.
DST=192.168.0.1
That’s not a public IP.
Yes sorry, that's the DMZ of my ISP box.
Logging Data Detected in /tmp/mnt/cleusb/skynet/skynet.log - 412.0K
Monitoring From Mar 5 05:00:08 To Mar 5 12:08:09
1400 Block Events Detected
516 Unique IPs
0 Manual Bans Issued
122.228.19.79 is NOT in set Skynet-Whitelist.
122.228.19.79 is in set Skynet-Blacklist.
122.228.19.79 is in set Skynet-BlockedRanges.
Blacklist Reason;
"BanMalware: normshield_high_attack.ipset"
BlockedRanges Reason;
122.228.19.0/24 "BanMalware: firehol_level3.netset"
IP Location - China (WENZHOU, ZHEJIANG Province, P.R.China. / AS134771)
122.228.19.79 First Tracked On Mar 5 05:19:41
122.228.19.79 Last Tracked On Mar 5 11:54:27
7 Blocks Total
Event Log Entries From 122.228.19.79;
First Block Tracked From 122.228.19.79;
Mar 5 05:19:41 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=13466 PROTO=TCP SPT=42816
10 Most Recent Blocks From 122.228.19.79;
Mar 5 05:19:41 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=13466 PROTO=TCP SPT=42816
Mar 5 05:40:50 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=4563 PROTO=TCP SPT=56476
Mar 5 06:42:43 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=114 ID=14977 PROTO=UDP SPT=7266
Mar 5 08:38:02 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=89 TOS=0x00 PREC=0x00 TTL=114 ID=10329 PROTO=UDP SPT=61332
Mar 5 09:17:01 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=13652 PROTO=TCP SPT=55631
Mar 5 10:54:44 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=25696 PROTO=TCP SPT=50282
Mar 5 11:54:27 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=17013 PROTO=TCP SPT=13930
Top 10 Targeted Ports From 122.228.19.79 (Inbound);
Hits | Port | SpeedGuide
---- | ---- | ----------
1x | 7779 | https://www.speedguide.net/port.php?port=7779
1x | 7474 | https://www.speedguide.net/port.php?port=7474
1x | 5432 | https://www.speedguide.net/port.php?port=5432
1x | 502 | https://www.speedguide.net/port.php?port=502
1x | 4500 | https://www.speedguide.net/port.php?port=4500
1x | 2638 | https://www.speedguide.net/port.php?port=2638
1x | 1911 | https://www.speedguide.net/port.php?port=1911
Top 10 Sourced Ports From 122.228.19.79 (Inbound);
Hits | Port | SpeedGuide
---- | ---- | ----------
1x | 7266 | https://www.speedguide.net/port.php?port=7266
1x | 61332 | https://www.speedguide.net/port.php?port=61332
1x | 56476 | https://www.speedguide.net/port.php?port=56476
1x | 55631 | https://www.speedguide.net/port.php?port=55631
1x | 50282 | https://www.speedguide.net/port.php?port=50282
1x | 42816 | https://www.speedguide.net/port.php?port=42816
1x | 13930 | https://www.speedguide.net/port.php?port=13930
=============================================================================================================
[#] 154517 IPs (+0) -- 1907 Ranges Banned (+0) || 1401 Inbound -- 0 Outbound Connections Blocked! [stats] [3s]
Unfortunately it looks like your logs were purged 7 hours prior to your most recent post so we won't be able to identify the exact entry which caused the automatic whitelisting. In any case I double checked the function to make sure it works correctly and everything seems copacetic on my end, so if it happens again let me know and we can work from there.
Look into installing scribe and uiScribe, both of which are available within amtm.
I've got Skynet running for a couple weeks now. Currently I have it configured to only block incoming traffic from china.
In trying to troubleshoot (a hopefully unrelated) issue this morning, I took a look at my syslog.log.
My log file was just under 1100 lines long but only went back less than 10 minutes prior to the time I looked at it.
I haven't researched yet what is normal for Merlin in terms of length/size of syslog, but clearly I had hoped to see more than 10 minutes of logs.
99.9% of the entries are "kernel: [BLOCKED - INBOUND]" entries, many from the same IPs. For instance I have within 2 minutes of each other, 34 entries like:
SRC=221.215.211.119 DST=68.13.250.141 LEN=129 TOS=0x00 PREC=0x00 TTL=115 ID=30482 PROTO=UDP SPT=11553 DPT=54321 LEN=109
Only thing that differs is the ID field between them.
Is there some better way to handle these log entries? I assume they are required for reporting (?), which I do want, but they seem to be taking up my entire syslog forcing out other data which may be useful.
thanks
Just found another tentative
Logging Data Detected in /tmp/mnt/cleusb/skynet/skynet.log - 592.0K
Monitoring From Mar 5 05:00:08 To Mar 5 15:37:41
2018 Block Events Detected
673 Unique IPs
0 Manual Bans Issued
223.71.167.164 is in set Skynet-Whitelist.
223.71.167.164 is in set Skynet-Blacklist.
223.71.167.164 is in set Skynet-BlockedRanges.
Whitelist Reason;
223.71.167.164 "PrivateIP"
Blacklist Reason;
"BanMalware: bds_atif.ipset"
BlockedRanges Reason;
223.71.167.0/24 "BanMalware: firehol_level3.netset"
!!!
EDIT: I checked my whitelist. I have two with comment "PrivateIP"
223.71.167.164 comment "PrivateIP"
196.62.84.56 comment "PrivateIP"
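As an added example (not Skynet's own code, and not the regex at firewall.sh#L779), this is the audit a router admin can run against whitelist entries whose comment claims "PrivateIP": each address is checked against the RFC1918, loopback and link-local ranges (my assumption of what "private" should mean), entries that fail the check are reported, and a small helper pulls SRC/DST out of a [BLOCKED - INBOUND] line to show why a source such as 122.228.19.79 should never qualify for a private-IP unban. The whitelist lines and log line are constructed from the values posted in this thread.

```shell
#!/bin/sh
# Added example: audit "PrivateIP" whitelist entries. Not Skynet's own code.

# Constructed sample in the member-line shape of `ipset list`: the two entries
# from the post above plus one address that genuinely is private.
SAMPLE_WHITELIST='223.71.167.164 comment "PrivateIP"
196.62.84.56 comment "PrivateIP"
192.168.0.1 comment "PrivateIP"'

# Exit 0 when $1 is RFC1918 (10/8, 172.16/12, 192.168/16), loopback (127/8)
# or link-local (169.254/16). These ranges are this example's assumption.
is_private_ip() {
    printf '%s\n' "$1" | grep -Eq \
        '^(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|169\.254\.[0-9]{1,3}\.[0-9]{1,3})$'
}

# Read whitelist member lines on stdin; print every address whose comment says
# PrivateIP / "Private IP" but which is not actually in a private range.
find_bogus_private_entries() {
    while read -r addr rest; do
        case "$rest" in
            *'"PrivateIP"'*|*'"Private IP"'*) ;;
            *) continue ;;
        esac
        if ! is_private_ip "$addr"; then
            printf '%s\n' "$addr"
        fi
    done
}

# Extract SRC= and DST= from a kernel [BLOCKED - INBOUND] line and report
# whether the source address would legitimately qualify as private.
classify_block_line() {
    src=$(printf '%s\n' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p')
    dst=$(printf '%s\n' "$1" | sed -n 's/.*DST=\([0-9.]*\).*/\1/p')
    if is_private_ip "$src"; then
        printf '%s src-private dst=%s\n' "$src" "$dst"
    else
        printf '%s src-public dst=%s\n' "$src" "$dst"
    fi
}

# Constructed log line following the shape of the stats output in the thread.
SAMPLE_LOG='Mar 5 05:19:41 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=122.228.19.79 DST=192.168.0.1 LEN=44 PROTO=TCP SPT=42816'

printf '%s\n' "$SAMPLE_WHITELIST" | find_bogus_private_entries
classify_block_line "$SAMPLE_LOG"
```

On the router itself the whitelist would be fed from `ipset list Skynet-Whitelist` instead of the constructed sample; a DST of 192.168.0.1 only tells you the router sits behind the ISP box's DMZ, it says nothing about whether the SRC is private.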
Every time a Skynet command is run (or at the start of every hour) the syslog is purged to its own log file. These logs are then kept until the file reaches 10MB. You can use the various stat commands to navigate these logs or manually view the skynet.log in Skynets install directory.
Can you clarify what you mean by the "syslog is purged to its own log file"? Do you mean the contents of syslog.log get purged into skynet.log or some other location? Is the reason for this obtuse behavior because skynet requires logs of a smaller size in order to run statistics?
Is there a way to run skynet but not have it alter the standard behavior of syslog? I'm curious if the contents of syslog are being copied to another file, which presumably is then being parsed by skynet (?). What is the purpose of purging the syslog instead of allowing it to operate under normal behavior? I suppose it is easier to do a copy and delete of syslog rather than intelligently parsing out all data since the last time stamp recorded into skynet's logs?