Skynet - Router Firewall & Security Enhancements

I noticed that country lookup was failing in a Skynet stats report. Apparently the site is too popular.
Code:
> GET /104.26.9.66/country/ HTTP/1.1
> Host: ipapi.co
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* The requested URL returned error: 429 Too Many Requests
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (22) The requested URL returned error: 429 Too Many Requests
Warning: Transient problem: HTTP error Will retry in 1 seconds. 3 retries
Warning: left.

Thanks. That probably explains the problem and why some of the time it seemed to work.

Saved me from doing a factory reset and trying to set everything up again.

Perhaps the script should be modified to only try once for the lookup as trying three times slows down the execution of a call for stats since the script tries three times for each entry reported.

Another option I guess would be to turn off the option to resolve countries but I always liked looking at the big pie chart with all the colorful slices for the most blocked countries.
 
Hello, a question arises. I have installed Skynet and in the statistics tab these statistics are not generated for me. What can it be? Thanks in advance.

Regards!!!
 
What firmware and version are you running?

If you are on Merlin 384.15 and the latest versions of all the scripts you have installed and are getting some of the information on the Skynet Tab section of the firewall TAB then your problem is similar to mine. Look at possible cause in post 6420.
 
Just want to confirm that the statistics section titled "Top 10 Source Ports (Inbound)" is referring to what the external IP's (i.e. potential attacker's) originating source port is. So if I see that my highest hit "Targeted Port" is 55555 and the highest shows "Source Port" is 22222 that likely means that I am getting a lot of hits coming from their 22222 to my 55555.

I'm also curious as to why this number (the Source Port) is of much importance for anything? Since a client can run an outgoing request of a service on pretty much any port they choose, and because outgoing ports are quite often random within a range, knowing what the source port is doesn't seem to provide much data or actionable info. Whereas we always know what services we have running on our target ports (even if they aren't running on the standards).

Basically, I'm looking at that as mostly useless data now, so would like to be educated where/how/why people are using that info for anything of import.

thanks.

EDIT: I can think of only one possible useful interpretation. For instance if there is a known attack vector that uses a specific port this might provide some insight into the traffic. However, it is most likely the attack vector is using randomized ports to avoid this and, again, it would be more important to simply see what port they are targeting rather than what port the traffic is sourced... so...any other useful interpretations?
 
EDIT: I can think of only one possible useful interpretation. For instance if there is a known attack vector that uses a specific port this might provide some insight into the traffic. However, it is most likely the attack vector is using randomized ports to avoid this and, again, it would be more important to simply see what port they are targeting rather than what port the traffic is sourced... so...any other useful interpretations?
That's exactly what it is, for rare diagnostic purposes; like you said, most of the time these are random higher ports. I do rarely see service port hits, sometimes like port 123, so it's kinda telling that somebody is trying to get time from the router. :) You can click the bar to collapse it if you don't want to see this section, it's up to you.
 
I'm using this custom list.
https://pastebin.com/raw/A4ur1PwW
Skynet takes 11 minutes to start, is that normal?

Edit:
Something is wrong with this list...
I did a filter list reset, now I have only 146.554 banned IPs.
Before, I had ~295.000 banned IPs.
 
I'm using this custom list.
https://pastebin.com/raw/A4ur1PwW
Skynet takes 11 minutes to start, is that normal?

Edit:
Something is wrong with this list...
I did a filter list reset, now I have only 146.554 banned IPs.
Before, I had ~295.000 banned IPs.

Did you see this post

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-322#post-558443

I too have noticed the lockfile message takes a good deal longer to clear. Maybe the displayed message needs to be changed from saying it takes one or 2 minutes to clear, to say instead it takes up to 10 minutes.


And maybe that list simply had a tidy up, removing out-of-date IP addresses?
 
Skynet IOT Blocking preventing ICMP request

Hello, I have added an IOT device to my network and wanted to ban said device from accessing the internet with the exception of the 'Allowed Ports' list. When I add the device to the Ban list it promptly goes offline. I checked the Skynet logs and discovered that this device is periodically trying to ping Google and the ICMP request is dropped by Skynet. Is there any way I can add ICMP requests to the Allowed Port list?

Additionally, is there any way you could add a feature to Skynet to individually configure allowed ports per IOT device? Perhaps make a GUI tab for IOT custom configuration?

I know it's a lot to ask but I think it would be a great feature...

Thx,
 
I'm using this custom list.
https://pastebin.com/raw/A4ur1PwW
Skynet takes 11 minutes to start, is that normal?

Edit:
Something is wrong with this list...
I did a filter list reset, now I have only 146.554 banned IPs.
Before, I had ~295.000 banned IPs.

Code:
https://hosts.ubuntu101.co.za/domains.list
https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list

These are not IP lists, they are domains.
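
The check behind that reply, as an added example (not part of the original post and not Skynet's code): a shell sketch that classifies a downloaded list as IPv4/CIDR entries or something else, such as domains, before it is used as a custom list. The function names and the sample lists are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Skynet's code: classify a blocklist file as IPv4/CIDR or not.

OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IP_RE="^${OCTET}(\.${OCTET}){3}(/(3[0-2]|[12]?[0-9]))?\$"

# Drop comments, whitespace (including CRs from Windows line endings) and blank lines.
clean_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Number of usable entries, and number that are valid IPv4 addresses or CIDR ranges.
count_entries() { clean_list "$1" | grep -c . || true; }
count_ips()     { clean_list "$1" | grep -Ec "$IP_RE" || true; }

# Entries an IP set would not accept (domains, malformed addresses).
rejected_entries() { clean_list "$1" | grep -Ev "$IP_RE" || true; }

# Prints "ip" (every entry valid), "mixed" (some valid), "not-ip" (none) or "empty".
classify_list() {
    total=$(count_entries "$1")
    valid=$(count_ips "$1")
    if [ "$total" -eq 0 ]; then echo "empty"
    elif [ "$valid" -eq "$total" ]; then echo "ip"
    elif [ "$valid" -gt 0 ]; then echo "mixed"
    else echo "not-ip"
    fi
}

# Constructed sample lists (documentation address ranges and reserved TLDs).
SAMPLES=$(mktemp -d)
printf '%s\n' '# constructed IP list' '192.0.2.10' '198.51.100.0/24' '' \
    '203.0.113.7 # trailing comment' > "$SAMPLES/ip.list"
printf '%s\n' '192.0.2.10' '203.0.113.999' 'bad-site.example' > "$SAMPLES/mixed.list"
printf '%s\n' 'bad-site.example' 'malware.test' 'tracker.example.net' \
    > "$SAMPLES/domain.list"

for f in ip mixed domain; do
    printf '%s.list: %s (%s of %s entries are IPv4/CIDR)\n' "$f" \
        "$(classify_list "$SAMPLES/$f.list")" \
        "$(count_ips "$SAMPLES/$f.list")" "$(count_entries "$SAMPLES/$f.list")"
done
```

A list that comes back as `not-ip` or `mixed` can be inspected with `rejected_entries` to see which lines would not load as addresses.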
 
Skynet IOT Blocking preventing ICMP request

Hello, I have added an IOT device to my network and wanted to ban said device from accessing the internet with the exception of the 'Allowed Ports' list. When I add the device to the Ban list it promptly goes offline. I checked the Skynet logs and discovered that this device is periodically trying to ping Google and the ICMP request is dropped by Skynet. Is there any way I can add ICMP requests to the Allowed Port list?

Additionally, is there any way you could add a feature to Skynet to individually configure allowed ports per IOT device? Perhaps make a GUI tab for IOT custom configuration?

I know it's a lot to ask but I think it would be a great feature...

Thx,


I added ICMP support in the latest hotfix, I may refine this in the future with a toggle/selective icmp types but I am very busy moving apartments today/this week so my free time (and sleep! o_O) is limited.

As for the feature request, maybe in the future. I try to keep it as simplistic as possible to reduce the number of IPTables entries.
 
Having an issue with Skynet. It is not looking up the country that the blocked attempt came from anymore. Checked the Skynet settings and this function is enabled. Have flipped it on and off a couple of times.

Have removed and reinstalled Skynet multiple times and sometimes the country resolve works for awhile then stops. Have also reset the data.

Skynet seems to be working fine otherwise and blocking known problem IPs as well as the seventeen countries I told it to ban

Skynet was running perfectly until I installed uiDivStats. So I removed uiDivStats, Diversion and Skynet. Reinstalled Diversion and Skynet and still the same issue. Running Diversion standard with the standard+ list.

Any suggestions on where to look for a solution?

Thanks.

Looks like a weird API issue on their end, when I manually run the commands it fails but Skynet seems to succeed when doing it for stat reports so no idea. I'm sure they will resolve it over the next few days
 
Basically, I'm looking at that as mostly useless data now, so would like to be educated where/how/why people are using that info for anything of import.

thanks.

EDIT: I can think of only one possible useful interpretation. For instance if there is a known attack vector that uses a specific port this might provide some insight into the traffic. However, it is most likely the attack vector is using randomized ports to avoid this and, again, it would be more important to simply see what port they are targeting rather than what port the traffic is sourced... so...any other useful interpretations?


Mostly useless, but in the event something bad does happen it's always best to have on hand all available data to establish a pattern.
 
.... but I am very busy moving apartments today/this week so my free time (and sleep! o_O) is limited.

As for the feature request, maybe in the future. I try to keep it as simplistic as possible to reduce the number of IPTables entries.

Good luck with the move. Hope it goes as smoothly as possible. And best wishes for life in your new place.
 
Good luck with the move, Adamm.

I see a few people have noticed the longer time to free the locked processes. Would this also be the reason why none of the GUI pages load (even for other addons, such as Yazfi) during this interval? Is this actually caused by Skynet?

Not such a problem, as it's only about 10 mins or so. It just had me thinking that my USB was failing or something at first.
 
Good luck with the move, Adamm.

I see a few people have noticed the longer time to free the locked processes. Would this also be the reason why none of the GUI pages load (even for other addons, such as Yazfi) during this interval? Is this actually caused by Skynet?

Not such a problem, as it's only about 10 mins or so. It just had me thinking that my USB was failing or something at first.

There are no recent changes that would have caused such a reaction on my end.
 
I added ICMP support in the latest hotfix, I may refine this in the future with a toggle/selective icmp types but I am very busy moving apartments today/this week so my free time (and sleep! o_O) is limited.

As for the feature request, maybe in the future. I try to keep it as simplistic as possible to reduce the number of IPTables entries.
I feel your pain. I spent ALL of last week moving my father closer to me. He's been in his house 60 years, I really didn't think he had that much stuff, it's not like he had stuff stacked up anywhere. Two 26 ft U-Haul truckloads later, I've decided I'm never moving. :-/
 
I don't do parents' moves anymore because of that lol, I just hire a moving company.

I moved my mom a couple years ago during a rainy day and that was it for me, never again.
 
I'm not sure if this is a Skynet, Diversion, or neither one of those issue. But, I get the attached error every time I click to play a YouTube video. Hitting "reload" plays the video fine, but I always get the error on the first attempt to play the video. Any thoughts?

Anton
 
I'm not sure if this is a Skynet, Diversion, or neither one of those issue. But, I get the attached error every time I click to play a YouTube video. Hitting "reload" plays the video fine, but I always get the error on the first attempt to play the video. Any thoughts?

Anton

I have noticed this recently too but I am certain it’s ad-blocker related.
 
I have noticed this recently too but I am certain it’s ad-blocker related.
Thank you, I'll check into that here.

Anton
 
