Skynet - Router Firewall & Security Enhancements

I've been running Skynet for about three weeks now and I have yet to get any blocked inbound connection attempts. Outbound, yes, but inbound is completely clean ["No Data To Display"] which I find hard to believe. Any suggestions on how to investigate this?
 
Based on what metric?

top command. 300m. Am I misreading?

 
I've been running Skynet for about three weeks now and I have yet to get any blocked inbound connection attempts. Outbound, yes, but inbound is completely clean ["No Data To Display"] which I find hard to believe. Any suggestions on how to investigate this?

What's the output of:

Code:
sh /jffs/scripts/firewall debug info
 
top command. 300m. Am I misreading?

There is something seriously wrong there, although I ain't smart enough to know what. Pixelserv certainly shouldn't be 222mb either.
Code:
Mem: 86188K used, 169248K free, 800K shrd, 1756K buff, 22920K cached
CPU: 54.1% usr 41.0% sys  0.0% nic  2.5% idle  0.6% io  0.0% irq  1.4% sirq
Load average: 2.48 2.54 2.45 3/112 11799
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
23168 23167 lionroot S    15556  6.0   1  0.0 syslog-ng
23167     1 lionroot S     8600  3.3   0  0.0 {syslog-ng} supervising syslog-ng
  274     1 lionroot S     6124  2.3   0  0.0 httpd -i br0
 1910     1 lionroot S     6084  2.3   1  0.0 /usr/sbin/smbd -D -s /etc/smb.conf
  295     1 lionroot S     5912  2.3   0  0.0 networkmap --bootwait
 1889     1 lionroot S     5880  2.3   1  0.0 nmbd -D -s /etc/smb.conf
 
Mine is similar for syslog; however, I don't see that for pixelserv.

 
My AC86U went Tango Uniform last Sunday, so I'm using my old AC3200, but still, it shouldn't be THAT big of a difference between platforms. Can someone with a (working) AC86U chime in with their syslog-ng memory usage?
 
I wonder if whoever is compiling them for Entware left some switches set wrong for the HND platform? Last version there was a problem with the non-HND reporting a bogus error. Not throwing stones at the Entware team, if the documentation for compiling syslog-ng is as poorly written as the "administration guide" I'm sure it took a lot of effort to figure out how to get it to work at all.
 
Quick question - is there a way that I can add an exception for a particular device on my network from the country blocks?

I have Unbound running on a Raspberry Pi and when it is trying to connect to any TLD servers located in China, Skynet steps in & blocks the connection. I'd like to keep the China country block, as I have a few devices on my network that try to 'phone home'.
 
No, not with how the rules are currently designed.
 
There is something seriously wrong there, although I ain't smart enough to know what. Pixelserv certainly shouldn't be 222mb either.
Code:
Mem: 86188K used, 169248K free, 800K shrd, 1756K buff, 22920K cached
CPU: 54.1% usr 41.0% sys  0.0% nic  2.5% idle  0.6% io  0.0% irq  1.4% sirq
Load average: 2.48 2.54 2.45 3/112 11799
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
23168 23167 lionroot S    15556  6.0   1  0.0 syslog-ng
23167     1 lionroot S     8600  3.3   0  0.0 {syslog-ng} supervising syslog-ng
  274     1 lionroot S     6124  2.3   0  0.0 httpd -i br0
 1910     1 lionroot S     6084  2.3   1  0.0 /usr/sbin/smbd -D -s /etc/smb.conf
  295     1 lionroot S     5912  2.3   0  0.0 networkmap --bootwait
 1889     1 lionroot S     5880  2.3   1  0.0 nmbd -D -s /etc/smb.conf

I am pretty sure pixelserv is because of my google home devices. I have whole home using DNS Filtering to redirect to my router, and they generate waves of traffic... I see the memory of pixelserv go up and down, and when up I see like 120 threads running inside the servstats page. They do track to call home a lot... this generates large dnsmasq files as well.
 
A quote from the first post of the pixelserv-tls thread -
pixelserv-tls is a tiny bespoke HTTP/1.1 webserver with HTTPS and SNI support. It acts on behalf of hundreds of thousands of advert/tracker servers and responds to all requests with nothing to speed up web browsing.
I really do not believe your IoT devices are calling home to a web page full of ads. They are likely retrieving data from a server, and leaving some data as well. It is the members of your house accessing web pages on their browsers.

Run a tcpdump on the router or follow the dnsmasq log in Diversion to see the astonishing number of calls that browser makes on each page.
 
A quote from the first post of the pixelserv-tls thread -

I really do not believe your IoT devices are not calling home to a web page full of ads. They are more like retrieving data from a server, and leaving some data as well. It is the members of your house accessing web pages on their browsers.

Ok, good point, the google homes generate a ton of DNS traffic but you are right they are not being redirected to https ad pages. It is odd that pixelserv is seeing huge spikes in blocked usage when it goes up to 12 threads and the memory increases. This happens as well late when many in the family are asleep.

Now I need to investigate more.

That being said, how much memory should syslog ng be using?
 
Guys, let's keep it Skynet related to not drift off-topic and confuse people ;)
 
Ok, good point, the google homes generate a ton of DNS traffic but you are right they are not being redirected to https ad pages. It is odd that pixelserv is seeing huge spikes in blocked usage when it goes up to 12 threads and the memory increases. This happens as well late when many in the family are asleep.

Now I need to investigate more.

That being said, how much memory should syslog ng be using?
I just revised the post above as you typed. :)

Do this when your family is busy using the 'Net. Run a tcpdump on the router (port 53 or port 853 depending on if you are using DoT or not) or follow the dnsmasq log in Diversion to see the astonishing number of calls that browser makes on each page.
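
The per-client tally that the post above suggests reading off the dnsmasq log, as an added example that is not part of the original thread. It assumes dnsmasq is logging queries in its standard `query[TYPE] name from client` form; the function names, addresses and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally dnsmasq query-log lines per client and per name.
# Assumes dnsmasq runs with log-queries and writes lines of the form
#   <timestamp> dnsmasq[pid]: query[TYPE] <name> from <client-ip>

# Constructed sample log (not taken from any real network).
sample_log() {
cat <<'EOF'
Mar  3 02:14:07 dnsmasq[1234]: query[A] device.example.com from 192.168.1.23
Mar  3 02:14:07 dnsmasq[1234]: forwarded device.example.com to 9.9.9.9
Mar  3 02:14:08 dnsmasq[1234]: query[AAAA] device.example.com from 192.168.1.23
Mar  3 02:14:09 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.40
Mar  3 02:14:09 dnsmasq[1234]: config ads.example.net is 192.168.1.2
Mar  3 02:14:10 dnsmasq[1234]: query[A] time.example.org from 192.168.1.40
Mar  3 02:14:11 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.40
Mar  3 02:14:12 dnsmasq[1234]: query[A] tracker.example.com from 192.168.1.40
Mar  3 02:14:13 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.51
EOF
}

# Print "<count> <client>" for every client, busiest first.
# Only "query[...] name from client" lines count; forwarded/config/reply
# lines are skipped so each lookup is counted once.
queries_per_client() {
    awk '{ for (i = 1; i + 3 <= NF; i++)
             if ($i ~ /^query\[/ && $(i + 2) == "from") n[$(i + 3)]++ }
         END { for (c in n) print n[c], c }' | sort -k1,1nr -k2,2
}

# Print "<count> <name>" for the names one client asked for, most frequent first.
names_for_client() {
    awk -v client="$1" '{ for (i = 1; i + 3 <= NF; i++)
             if ($i ~ /^query\[/ && $(i + 2) == "from" && $(i + 3) == client)
                 n[$(i + 1)]++ }
         END { for (d in n) print n[d], d }' | sort -k1,1nr -k2,2
}

# On a router, feed the real log instead: queries_per_client < /path/to/dnsmasq.log
sample_log | queries_per_client
sample_log | names_for_client 192.168.1.40
```

Running the first function over the live log shows which device is behind a burst of lookups, and the second shows what that device was asking for.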
 
Guys, let's keep it Skynet related to not drift off-topic and confuse people ;)
Sorry, above is my last post - let's take this to Diversion or a new thread.
 
We are well within their 30k per month limit, I actually implemented the update frequency around this value. I assume the changes made on their end were unintended.
Thanks, but I think this is not working anymore. Skynet takes again several minutes to start.
Was good until now.
 
Can't reproduce on my end, make sure you are running the latest version, then run:

Code:
sh /jffs/scripts/firewall debug genstats

Post the time log here.
 

Nothing is happening:
Code:
[i] Generating Stats For WebUI


=============================================================================================================


[#] 305982 IPs (+0) -- 2052 Ranges Banned (+0) || 5 Inbound -- 0 Outbound Connections Blocked! [debug] [75s]

admin@myrouter-CD47:/tmp/home/root#
I don't use WebUI.
 
