Skynet - Router Firewall & Security Enhancements


Here are the unban commands from the first post:
Code:
Here Are Some Example Unban Commands;
"sh /jffs/scripts/firewall unban" This Requires Manual Input (Only IPs accepted)
"sh /jffs/scripts/firewall unban 8.8.8.8" This Unbans The IP Specified
"sh /jffs/scripts/firewall unban range 8.8.8.8/24" This Unbans the CIDR Block Specified
"sh /jffs/scripts/firewall unban domain" This Requires Manual Input (Only Domains Accepted)
"sh /jffs/scripts/firewall unban domain google.com" This Unbans the URL Specified
"sh /jffs/scripts/firewall unban port 23" This Unbans All Autobans Based On Traffic From Port 23
"sh /jffs/scripts/firewall unban country" This Unbans Entries Added By The "Ban Country" Feature
"sh /jffs/scripts/firewall unban malware" This Unbans Entries Added By The "Ban Malware" Feature
"sh /jffs/scripts/firewall unban autobans" This Unbans All Autobans
"sh /jffs/scripts/firewall unban nomanual" This Unbans Everything But Manual Bans
"sh /jffs/scripts/firewall unban all" This Unbans All Entries From Both Blacklists


Noticed that when using Facebook on the phone, I've got many log entries with SRC being the phone IP and DST being the Facebook server IP. In this case, is it the right procedure to whitelist Facebook with:

Code:
 ...firewall whitelist "DST ip"
 
Thanks, but maybe I haven't explained myself properly! What I get in the log are "BLOCKED" entries, not "BAN"... do I still need to use the "unban" command?

EDIT: It seems like I'm having a lot of blocks when uTorrent is running! I already whitelisted the uTorrent port; however, it looks like it doesn't help much... Is there something I can do to mitigate this?
 
Thanks, but maybe I haven't explained myself properly! What I get in the log are "BLOCKED" entries, not "BAN"... do I still need to use the "unban" command?

Unbanning an IP is temporary in the sense it has the potential to be banned again (for example if banmalware updates its lists). Whitelisting means that IP is unbanned and will never be blocked again.

EDIT: It seems like I'm having a lot of blocks when uTorrent is running! I already whitelisted the uTorrent port; however, it looks like it doesn't help much... Is there something I can do to mitigate this?

There is no way to avoid this. If using a large list like banmalware provides, when connecting to a swarm of IPs when torrenting you are bound to find "dirty" IPs that are linked to malicious activity. For example some of these IPs that are seeding the content may also be (inadvertently) hosting malicious content so they were marked in various databases for distribution etc.

That being said, I don't think this is anything to worry about, it will just make your logs a little harder to sort through.
 
Thanks @Adamm ;)
Understood! In your opinion then, do you think my seeding capability (peer connections) is not vastly affected by these "BLOCKS"? Not particularly concerned about downloading speeds tbh as it seems to be "normal"...

Regarding my stats, do you see anything abnormal or to be worried about:

Code:
Debug Data Detected in /tmp/mnt/oczrally2/skynet/skynet.log - 1.0M
Monitoring From Jul 7 17:40:13 To Jul 8 19:41:02
3967 Total Events Detected
668 Unique IPs
7 Autobans Issued
0 Manual Bans Issued

Top 10 Targeted Ports (Inbound); (Torrent Clients May Cause Excess Hits In Debug Mode)
338x https://www.speedguide.net/port.php?port=65030
206x https://www.speedguide.net/port.php?port=62500
192x https://www.speedguide.net/port.php?port=23
126x https://www.speedguide.net/port.php?port=22
119x https://www.speedguide.net/port.php?port=1433
69x https://www.speedguide.net/port.php?port=31054
66x https://www.speedguide.net/port.php?port=21367
59x https://www.speedguide.net/port.php?port=5060
29x https://www.speedguide.net/port.php?port=1900
27x https://www.speedguide.net/port.php?port=27737

Top 10 Source Ports (Inbound);
339x https://www.speedguide.net/port.php?port=1024
65x https://www.speedguide.net/port.php?port=50324
34x https://www.speedguide.net/port.php?port=36839
31x https://www.speedguide.net/port.php?port=26249
17x https://www.speedguide.net/port.php?port=10000
14x https://www.speedguide.net/port.php?port=5340
11x https://www.speedguide.net/port.php?port=55404
11x https://www.speedguide.net/port.php?port=41859
10x https://www.speedguide.net/port.php?port=6000
10x https://www.speedguide.net/port.php?port=23934

Last 10 Unique Connections Blocked (Inbound);
https://otx.alienvault.com/indicator/ip/59.45.175.56
https://otx.alienvault.com/indicator/ip/59.45.175.62
https://otx.alienvault.com/indicator/ip/59.45.175.86
https://otx.alienvault.com/indicator/ip/66.240.219.146
https://otx.alienvault.com/indicator/ip/117.158.114.130
https://otx.alienvault.com/indicator/ip/218.6.52.135
https://otx.alienvault.com/indicator/ip/162.243.130.127
https://otx.alienvault.com/indicator/ip/188.18.111.239
https://otx.alienvault.com/indicator/ip/5.255.94.100
https://otx.alienvault.com/indicator/ip/200.52.151.135

Last 10 Unique Connections Blocked (Outbound);
https://otx.alienvault.com/indicator/ip/123.142.250.42
https://otx.alienvault.com/indicator/ip/91.108.183.43
https://otx.alienvault.com/indicator/ip/112.169.87.246
https://otx.alienvault.com/indicator/ip/217.132.120.246
https://otx.alienvault.com/indicator/ip/5.196.140.37
https://otx.alienvault.com/indicator/ip/38.229.70.22
https://otx.alienvault.com/indicator/ip/122.34.241.94
https://otx.alienvault.com/indicator/ip/211.105.36.192
https://otx.alienvault.com/indicator/ip/104.160.21.10
https://otx.alienvault.com/indicator/ip/118.35.57.105

Last 10 Autobans;
https://otx.alienvault.com/indicator/ip/103.207.38.203
https://otx.alienvault.com/indicator/ip/103.207.38.203
https://otx.alienvault.com/indicator/ip/217.132.120.246
https://otx.alienvault.com/indicator/ip/5.196.140.37
https://otx.alienvault.com/indicator/ip/136.243.78.27
https://otx.alienvault.com/indicator/ip/107.154.117.109
https://otx.alienvault.com/indicator/ip/188.165.206.61

Last 10 Manual Bans;

Last 10 Unique HTTP(s) Blocks (Outbound);
https://otx.alienvault.com/indicator/ip/204.11.56.48
https://otx.alienvault.com/indicator/ip/192.30.252.154
https://otx.alienvault.com/indicator/ip/192.30.252.153
https://otx.alienvault.com/indicator/ip/203.124.118.1
https://otx.alienvault.com/indicator/ip/216.58.213.115
https://otx.alienvault.com/indicator/ip/216.58.213.97
https://otx.alienvault.com/indicator/ip/31.13.64.35

Top 10 HTTP(s) Blocks (Outbound);
359x https://otx.alienvault.com/indicator/ip/31.13.64.35
211x https://otx.alienvault.com/indicator/ip/216.58.213.97
60x https://otx.alienvault.com/indicator/ip/204.11.56.48
15x https://otx.alienvault.com/indicator/ip/203.124.118.1
9x https://otx.alienvault.com/indicator/ip/192.30.252.154
9x https://otx.alienvault.com/indicator/ip/192.30.252.153
6x https://otx.alienvault.com/indicator/ip/216.58.213.115

Top 10 Blocks (Inbound);
338x https://otx.alienvault.com/indicator/ip/217.132.120.246
96x https://otx.alienvault.com/indicator/ip/5.196.140.37
76x https://otx.alienvault.com/indicator/ip/118.35.57.105
65x https://otx.alienvault.com/indicator/ip/163.172.4.70
39x https://otx.alienvault.com/indicator/ip/211.105.36.192
37x https://otx.alienvault.com/indicator/ip/219.128.76.112
34x https://otx.alienvault.com/indicator/ip/42.54.21.172
32x https://otx.alienvault.com/indicator/ip/42.53.116.49
27x https://otx.alienvault.com/indicator/ip/42.55.237.143
24x https://otx.alienvault.com/indicator/ip/101.248.136.15

Top 10 Blocks (Outbound);
420x https://otx.alienvault.com/indicator/ip/217.132.120.246
217x https://otx.alienvault.com/indicator/ip/118.35.57.105
196x https://otx.alienvault.com/indicator/ip/5.157.7.51
191x https://otx.alienvault.com/indicator/ip/211.105.36.192
190x https://otx.alienvault.com/indicator/ip/122.34.241.94
165x https://otx.alienvault.com/indicator/ip/5.196.140.37
51x https://otx.alienvault.com/indicator/ip/104.160.21.10
18x https://otx.alienvault.com/indicator/ip/112.169.87.246
6x https://otx.alienvault.com/indicator/ip/91.108.183.43
6x https://otx.alienvault.com/indicator/ip/123.142.250.42

Skynet: [Complete] 180119 IPs / 5679 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 39 Inbound / 0 Outbound Connections Blocked! [3s]
 
In your opinion then, do you think my seeding capability (peer connections) is not vastly affected by these "BLOCKS"? Not particularly concerned about downloading speeds tbh as it seems to be "normal"...

I doubt it would have any noticeable effect on uploading or downloading. With swarms of hundreds/thousands of IPs there's always going to be a few.

Regarding my stats, do you see anything abnormal or to be worried about:

I would first of all whitelist 216.58.213.97 and 31.13.64.35. They are false positives from Google and Facebook respectively. The Google one is for misleading marketing, and the Facebook one is listed on the bbcan177_ms1 database but it's clearly a false positive.


It could be worth further looking into 204.11.56.48 by doing;

Code:
sh /jffs/scripts/firewall stats search ip 204.11.56.48

To see if there is any pattern to when it was detected (you have made x60 outbound HTTP connections to it). The IP is linked in an IOC (Indicator of Compromise) for various malware strains, but it's also linked to several spam domains, so it could merely have been a popup from another domain, which would be nothing to worry about.

Beyond that, everything looks normal for someone torrenting.
 
You're a star @Adamm thanks once again.

Code:
Debug Data Detected in /tmp/mnt/oczrally2/skynet/skynet.log - 960.0K
Monitoring From Jul 7 17:40:13 To Jul 8 20:24:56
3662 Total Events Detected
697 Unique IPs
7 Autobans Issued
0 Manual Bans Issued

204.11.56.48 is NOT in set Whitelist.
204.11.56.48 is in set Blacklist.
204.11.56.48 is NOT in set BlockedRanges.

204.11.56.48 First Tracked On Jul 8 15:40:23
204.11.56.48 Last Tracked On Jul 8 15:54:42
60 Attempts Total

First Block Tracked From 204.11.56.48;
Jul  8 15:40:23 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=47072 DF PROTO=TCP SPT=53411 DPT=443 SEQ=1605710203 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303040101080A3FB337AE0000000004020000) MARK=0x40cd00a0

10 Most Recent Blocks From 204.11.56.48;
Jul  8 15:54:07 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=11316 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A3FBF688E0000000004020000) MARK=0x40cd00ea
Jul  8 15:54:08 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=10820 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A3FBF6C770000000004020000) MARK=0x409400bd
Jul  8 15:54:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=38843 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A3FBF70600000000004020000)
Jul  8 15:54:10 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=38520 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A3FBF74490000000004020000)
Jul  8 15:54:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40056 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A3FBF78320000000004020000)
Jul  8 15:54:12 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40237 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A3FBF7C1B0000000004020000)
Jul  8 15:54:14 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=42549 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A3FBF83EC0000000004020000)
Jul  8 15:54:18 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=2493 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A3FBF938D0000000004020000) MARK=0x40cd00ea
Jul  8 15:54:26 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=9670 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A3FBFB2CE0000000004020000) MARK=0x409400bd
Jul  8 15:54:42 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:95:ed:60:28:6a:ba:ad:23:c5:08:00 SRC=192.168.1.230 DST=204.11.56.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=27277 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A3FBFF14F0000000004020000) MARK=0x40cd00ea

This was one of my iPads trying to make a connection to that IP; the iPad at that time wasn't being used, however I'm not sure if I should whitelist it or not! The https://otx.alienvault.com/indicator/ip/204.11.56.48 page says it is "Actively Malicious" though...
 
This was one of my iPads trying to make a connection to that IP

Probably nothing to worry about then, but I'd still keep it blocked. It was all during a 14 minute timespan so I assume it was a website of some sort causing it.
 
Strange... When I installed Skynet, it also seems to block pictures from Facebook (not that big a deal for me) and, more importantly, from www.swedroid.se. For the last one I thought I'd do a "skynet deport www.swedroid.se", just to get a 404 error in return and deport stopped. Am I doing something wrong here?

Oh and by the way, when I do a stats, I get this funny list:
Code:
Top 10 Targeted Ports (Inbound); (Torrent Clients May Cause Excess Hits In Debug Mode)
197x https://www.speedguide.net/port.php?port=23
52x https://www.speedguide.net/port.php?port=1433
33x https://www.speedguide.net/port.php?port=445
31x https://www.speedguide.net/port.php?port=22
29x https://www.speedguide.net/port.php?port=5060
12x https://www.speedguide.net/port.php?port=3389
12x https://www.speedguide.net/port.php?port=2323
11x https://www.speedguide.net/port.php?port=21
6x https://www.speedguide.net/port.php?port=443
6x https://www.speedguide.net/port.php?port=2222

Top 10 Source Ports (Inbound);
18x https://www.speedguide.net/port.php?port=10000
15x https://www.speedguide.net/port.php?port=9106
8x https://www.speedguide.net/port.php?port=80
7x https://www.speedguide.net/port.php?port=47392
5x https://www.speedguide.net/port.php?port=7719
5x https://www.speedguide.net/port.php?port=6000
4x https://www.speedguide.net/port.php?port=58470
4x https://www.speedguide.net/port.php?port=56095
4x https://www.speedguide.net/port.php?port=51229
4x https://www.speedguide.net/port.php?port=45079

Last 10 Unique Connections Blocked (Inbound);
https://otx.alienvault.com/indicator/ip/61.160.195.38
https://otx.alienvault.com/indicator/ip/83.110.214.93
https://otx.alienvault.com/indicator/ip/104.31.70.179
https://otx.alienvault.com/indicator/ip/104.31.71.179
https://otx.alienvault.com/indicator/ip/217.77.221.133
https://otx.alienvault.com/indicator/ip/219.140.59.10
https://otx.alienvault.com/indicator/ip/218.60.145.19
https://otx.alienvault.com/indicator/ip/164.52.0.139
https://otx.alienvault.com/indicator/ip/27.151.136.159
https://otx.alienvault.com/indicator/ip/31.163.148.216

Last 10 Unique Connections Blocked (Outbound);
https://otx.alienvault.com/indicator/ip/212.92.16.193
https://otx.alienvault.com/indicator/ip/195.161.115.4
https://otx.alienvault.com/indicator/ip/217.26.163.51
https://otx.alienvault.com/indicator/ip/5.1.56.123
https://otx.alienvault.com/indicator/ip/193.225.190.6
https://otx.alienvault.com/indicator/ip/5.20.0.20
https://otx.alienvault.com/indicator/ip/202.22.158.30

Last 10 Autobans;

Last 10 Manual Bans;

Last 10 Unique HTTP(s) Blocks (Outbound);
https://otx.alienvault.com/indicator/ip/104.31.70.179
https://otx.alienvault.com/indicator/ip/104.31.71.179
https://otx.alienvault.com/indicator/ip/104.27.176.146
https://otx.alienvault.com/indicator/ip/104.27.177.146
https://otx.alienvault.com/indicator/ip/118.102.1.123
https://otx.alienvault.com/indicator/ip/183.111.182.198
https://otx.alienvault.com/indicator/ip/185.66.120.42
https://otx.alienvault.com/indicator/ip/191.232.139.2
https://otx.alienvault.com/indicator/ip/65.55.138.111
https://otx.alienvault.com/indicator/ip/191.232.80.53

Top 10 HTTP(s) Blocks (Outbound);
854x https://otx.alienvault.com/indicator/ip/101.99.2.17
484x https://otx.alienvault.com/indicator/ip/101.99.2.18
125x https://otx.alienvault.com/indicator/ip/191.232.80.53
36x https://otx.alienvault.com/indicator/ip/191.232.139.2
33x https://otx.alienvault.com/indicator/ip/65.55.138.111
12x https://otx.alienvault.com/indicator/ip/104.31.71.179
12x https://otx.alienvault.com/indicator/ip/104.31.70.179
7x https://otx.alienvault.com/indicator/ip/118.102.1.123
6x https://otx.alienvault.com/indicator/ip/104.27.177.146
4x https://otx.alienvault.com/indicator/ip/104.27.176.146

Top 10 Blocks (Inbound);
12x https://otx.alienvault.com/indicator/ip/49.205.82.101
7x https://otx.alienvault.com/indicator/ip/91.223.133.13
7x https://otx.alienvault.com/indicator/ip/51.15.13.55
5x https://otx.alienvault.com/indicator/ip/96.8.209.11
5x https://otx.alienvault.com/indicator/ip/5.188.203.15
5x https://otx.alienvault.com/indicator/ip/212.129.1.60
4x https://otx.alienvault.com/indicator/ip/5.188.10.242
4x https://otx.alienvault.com/indicator/ip/5.101.2.205
4x https://otx.alienvault.com/indicator/ip/36.151.90.221
4x https://otx.alienvault.com/indicator/ip/36.151.5.228

Top 10 Blocks (Outbound);
4x https://otx.alienvault.com/indicator/ip/5.20.0.20
4x https://otx.alienvault.com/indicator/ip/5.1.56.123
4x https://otx.alienvault.com/indicator/ip/217.26.163.51
4x https://otx.alienvault.com/indicator/ip/212.92.16.193
4x https://otx.alienvault.com/indicator/ip/202.22.158.30
4x https://otx.alienvault.com/indicator/ip/195.161.115.4
4x https://otx.alienvault.com/indicator/ip/193.225.190.6
 
Strange... When I installed Skynet, it also seems to block pictures from Facebook (not that big a deal for me) and, more importantly, from www.swedroid.se. For the last one I thought I'd do a "skynet deport www.swedroid.se", just to get a 404 error in return and deport stopped

The deport function is used to process a list at a provided URL, to unban the IP addresses in that list. If you want to unban the domain www.swedroid.se you should run:

Code:
sh /jffs/scripts/firewall unban domain www.swedroid.se

or, if you want to permanently whitelist www.swedroid.se, you should issue the following command:

Code:
sh /jffs/scripts/firewall whitelist domain www.swedroid.se

See the first post for a detailed explanation of the extensive possibilities of Skynet, lots of usage examples included as well. Definitely worth your time to read.

As for the 'funny stats', that confused me too at first, but it's actually quite simple. AlienVault is used to verify the IP addresses that connect to your router. So what you're seeing is the number of connections of a certain IP (or port for that matter, see below), and the IP at the end of the AlienVault line is being blocked based on its reputation at AlienVault.

Try for yourself: https://otx.alienvault.com/indicator/ip/[INSERT.YOUR.IP.HERE] without the brackets, to see the reputation of your own IP.

As for the speedguide lines, these are the ports which are most frequently connected to on your router, and Speedguide hosts an extensive database with ports and their uses.

For example: https://www.speedguide.net/port.php?port=443

So basically, look at the numbers at the start of the line and the IP or Port at the end of the line and that'll probably make more sense.

@Adamm, please do correct me if I didn't explain something correctly.
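An added example, not Skynet's own code, that rebuilds the two things explained in this thread from raw kernel log lines: the "count x lookup link" stats lines described just above, and the "stats search ip" summary (first/last tracked, attempts total) shown earlier. The log sample is constructed with RFC 5737 test addresses, made-up MACs and timestamps, in the same [BLOCKED - INBOUND/OUTBOUND] format the router writes.

```shell
#!/bin/sh
# Added example, not part of Skynet. Constructed sample of kernel log lines in the
# format Skynet logs (IPs from the RFC 5737 test ranges, MACs and times made up).
SAMPLE_LOG='Jul  8 15:40:23 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:00:00:01:28:6a:ba:00:00:02:08:00 SRC=192.168.1.230 DST=203.0.113.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=47072 DF PROTO=TCP SPT=53411 DPT=443 SEQ=1605710203 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  8 15:41:02 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.20 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=1024 DPT=23 SEQ=1 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  8 15:43:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4242 PROTO=TCP SPT=36839 DPT=22 SEQ=1 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  8 15:54:07 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:00:00:01:28:6a:ba:00:00:02:08:00 SRC=192.168.1.230 DST=203.0.113.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=11316 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  8 15:54:20 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.20 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54322 PROTO=TCP SPT=1024 DPT=23 SEQ=1 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  8 15:54:42 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:00:00:01:28:6a:ba:00:00:02:08:00 SRC=192.168.1.230 DST=203.0.113.48 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=27277 DF PROTO=TCP SPT=53538 DPT=443 SEQ=4281261769 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  8 15:55:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ac:9e:17:00:00:01:28:6a:ba:00:00:03:08:00 SRC=192.168.1.231 DST=198.51.100.7 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=30001 DF PROTO=TCP SPT=50120 DPT=80 SEQ=99 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  8 15:56:11 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.20 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54323 PROTO=TCP SPT=1024 DPT=1433 SEQ=1 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0'

# Equivalent of "firewall stats search ip <IP>": when the IP first and last appeared
# as SRC or DST of a blocked packet, and how many packets were blocked. Reads the log on stdin.
skynet_search_ip() {
  awk -v ip="$1" '
    index($0, "SRC=" ip " ") || index($0, "DST=" ip " ") {
      ts = $1 " " $2 " " $3   # awk splits on runs of blanks, so "Jul  8 15:40:23" gives Jul, 8, time
      if (n == 0) first = ts
      last = ts
      n++
    }
    END {
      if (n == 0) { print ip " not found in log"; exit }
      print ip " First Tracked On " first
      print ip " Last Tracked On " last
      print n " Attempts Total"
    }'
}

# "Top Targeted Ports" for one direction (INBOUND or OUTBOUND): the leading number is how
# many blocked packets had that DPT; the URL is only a lookup link into Speedguide's port list.
skynet_top_ports() {
  awk -v dir="$1" '
    index($0, "[BLOCKED - " dir "]") {
      for (i = 1; i <= NF; i++) if (index($i, "DPT=") == 1) hits[substr($i, 5)]++
    }
    END { for (p in hits) print hits[p] "x https://www.speedguide.net/port.php?port=" p }' |
    sort -rn
}

# "Top Blocks" for one direction: inbound blocks are keyed on the remote SRC, outbound
# blocks on the remote DST; the URL is only a lookup link into AlienVault OTX.
skynet_top_blocks() {
  if [ "$1" = "OUTBOUND" ]; then key="DST="; else key="SRC="; fi
  awk -v dir="$1" -v key="$key" '
    index($0, "[BLOCKED - " dir "]") {
      for (i = 1; i <= NF; i++) if (index($i, key) == 1) hits[substr($i, 5)]++
    }
    END { for (ip in hits) print hits[ip] "x https://otx.alienvault.com/indicator/ip/" ip }' |
    sort -rn
}

# Stand-alone demo on the constructed sample (the real script reads the router's syslog).
printf '%s\n' "$SAMPLE_LOG" | skynet_search_ip 203.0.113.48
printf '%s\n' "$SAMPLE_LOG" | skynet_top_ports INBOUND
printf '%s\n' "$SAMPLE_LOG" | skynet_top_blocks INBOUND
printf '%s\n' "$SAMPLE_LOG" | skynet_top_blocks OUTBOUND
```

Three outbound SYNs to one address a few seconds apart, all from the same source port, is the retry pattern of a single blocked connection attempt, which is the kind of pattern the "search ip" timestamps let you spot.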
 
I was using an earlier iteration of this script back when the thread was originally posted. I updated my router and broke the script due to the new version of ipset. Imagine my surprise when I started troubleshooting and stumbled upon this gem again, only turbo charged! Wow, thanks so much. It's exactly what I was looking for.

Just out of curiosity does it do any TOR node blocking? Also noob Q: how does the autoban function? How does it figure out what to ban?
 

Thanks. By default I did not include TOR exit nodes as there may be people using it legitimately, but if you look back a page or two you can find a solution for how to do this using the import command.

Code:
sh /jffs/scripts/firewall import https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

The autoban function extends the router's built-in SPI firewall and SSH BFP. Usually the router would only temporarily drop IPs and has no method for permanently banning offenders. Skynet adds onto this functionality and makes these permanent.
 
See the first post for a detailed explanation of the extensive possibilities of Skynet, lots of usage examples included as well. Definitely worth your time to read.

I have to say I misread that part - I put in the domain instead of the sub-command domain - my mistake. Anyway, I got around it by figuring out which IP it was, and did it on the IP address instead. However, I am grateful for your explanation!!


Okay, sorry for asking this, but WHO is sending this against my router? For example, I have NO open ports from the outside (I used to have OpenVPN up, nowadays I have another solution for that) - the only communication is from the inside, and that is also limited to a few ports (like 80, 443 and so on - I think I have 5 ports open from inside in total). For me, nothing of the above tells me anything - so where does this originate? What is the purpose? And, well, why?
 
Just random bots probing the internet for vulnerable devices. They just go through lists of IPs hitting common ports for badly configured devices hoping to get something.
 

Good to hear you figured it out. As for your last questions, which @Adamm already answered, a small addition from my side: just because you lock your home doors securely doesn't mean no one will try to see whether there's a way to get in. Now back to your router: if you enable logging (firewall > logged packet types: dropped > apply) and look at the log lines from Skynet and the built-in firewall in syslog, you'll probably be surprised (if you weren't already) to see how many attempts are made 24/7 to fiddle with your digital 'doorknobs'... Luckily we have iptables, ipset and scripts like Skynet to keep them out, and our routers these days are powerful enough not to be affected performance-wise while keeping the kiddos out, unless someone really gets personal.
 
Is it possible to see a list of which countries I have banned using "ban country xx xx"?
If I need to add another country I have to list all the countries again, because it seems to delete all the old countries I have added.

Otherwise I just need to have a list written down :)
 
Is it possible to see a list of which countries I have banned using "ban country xx xx"

Currently no, but this is something I'll keep in mind for future.

If I need to add another country I have to list all the countries again, because it seems to delete all the old countries I have added.

This is intended functionality, the banmalware command works in the same way. That way only current versions of these lists are being blocked, and so we have a way to specifically remove bans added by this feature.
 
are there any tracking list to block windows and other os sites that are available to use with this? or is it just manually add what you find from logs?
great script by the way!
thanks
 

I'm sure there's some sort of list out there somewhere, then you can use the ban domain command accordingly.
 
Thanks. I by default did not include TOR exit nodes as there may be people using it legitimately, but If you look back a page or two you can find a solution of how to do this using the import command.

Code:
sh /jffs/scripts/firewall import https://www.dan.me.uk/torlist/?exit

The autoban function extends the router's built-in SPI firewall and SSH BFP. Usually the router would only temporarily drop IPs and has no method for permanently banning offenders. Skynet adds onto this functionality and makes these permanent.

Is anyone using this? I get the following error:

Code:
Skynet: [ERROR] 404 Error Detected - Stopping Import
 
