Skynet Skynet - Router Firewall & Security Enhancements

[Lord Lovaduck]

Thanks! Yes, it is the bootloader or BIOS if you fancy. I did update my CFE long ago, hence the question. But it seems 1.02 or close is OK for this router from L&LD's comment. If there's something better I would like to know.

CFE to my understanding is a "BIOS" of our router. I remember when i had RT-N66U upgrading CFE was a way to rise CPU frequency, overclock it.
Not sure about AC68. And since ASUS does not publish CFE release notes we have no idea what changes CFE versions have unless someone does disassembly of code and tells others.
CFE is also related to different HW revisions. Also upgrading CFE is quite dangerous because you can brick your router permanently. ASUS does not support it officialy. Here on forums you can find upgrade instructions though.
CFE should not affect workings of the scripts. Maybe i am wrong...

 

[Ubimo]

I wantet to reset the ban malwarelist, but I get this:

[1-5]: 3

[$] /jffs/scripts/firewall banmalware reset


=============================================================================================================


[i] Filter URL Reset
[i] Downloading filter.list         | [19s]
[i] Refreshing Whitelists           | [36s]
[i] Consolidating Blacklist         | curl: no URL specified!
curl: try 'curl --help' for more information
[11s]
[*] List Content Error Detected - Stopping Banmalware


=============================================================================================================


[#] 333395 IPs (+0) -- 2260 Ranges Banned (+0) || 15 Inbound -- 0 Outbound Connections Blocked! [banmalware] [73s]



[i] Press Enter To Continue...

Edit:
I uninstalled and reinstalled Skynet. Seems to work again.

 

[ShagBark]

Even with AiProtection enabled, your router may not block all outbound traffic to known bad guys. Skynet will do this. If you open external ports on your router for any purpose (gaming, remote access, openVPN), you are creating opportunities for hackers to pound away at those open ports. Skynet will block these attempt from known bad people.

In addition, just seeing the pie and bar charts is an eye opener. It will make you more security aware.

 

[L&LD]

@Lord Lovaduck no, there are no pre-requisites required as far as I know. I was simply confirming that the CFE was factory installed as the models I have seen were much lower, numerically.

 

[L&LD]

@Adamm is this a potentially useful near future change that may help with your compiler script?

WSL1 is being upgraded to WSL2 and seems to be bringing some nice changes if I'm reading it right.

https://docs.microsoft.com/en-us/windows/wsl/wsl2-about


This will be available with Windows 10 2004 (should be April/May release date).

 

[Wisiwyg]

Looking through the Skynet statistics tab, clicking on some blocked Outbound IPs to RU. Details indicate it is a Russian Bot-Net: 194.190.124.17.

How would I use this to identify the local IP of the source machine trying to reach this external IP? I think I have some housecleaning to do.

Or, am I concerned about nothing?

TIA

edit: Watching debug output per Post 2 for the last 20 minutes and only seeing Inbound blocks, no outbound yet.

edit2: Finally got a bunch of blocked Outbound links where the SRC is my Comcast WAN IP and DST is the IP above and others. All of the blocked outgoing links have SRC as my WAN IP address. Modem is an Arris SurfBoard. Compromised modem? How would the Router, behind the modem, record and block this? Curiouser ...

Anyone seen something like this before?

 

[EmeraldDeer]

Looking through the Skynet statistics tab, clicking on some blocked Outbound IPs to RU. Details indicate it is a Russian Bot-Net: 194.190.124.17.

How would I use this to identify the local IP of the source machine trying to reach this external IP? I think I have some housecleaning to do.

Or, am I concerned about nothing?

TIA

edit: Watching debug output per Post 2 for the last 20 minutes and only seeing Inbound blocks, no outbound yet.

edit2: Finally got a bunch of blocked Outbound links where the SRC is my Comcast WAN IP and DST is the IP above and others. All of the blocked outgoing links have SRC as my WAN IP address. Modem is an Arris SurfBoard. Compromised modem? How would the Router, behind the modem, record and block this? Curiouser ...

Anyone seen something like this before?

That IP is not marked as bad by my Skynet

firewall stats search ip 194.190.124.17

I rarely have OUTBOUND blocks and when I do the SRC is an IP on my LAN.

 

[Wisiwyg]

That IP is not marked as bad by my Skynet

firewall stats search ip 194.190.124.17

I rarely have OUTBOUND blocks and when I do the SRC is an IP on my LAN.

Checking ip at AlienVault... https://otx.alienvault.com/indicator/ip/194.190.124.17

Agreed, scratching my head how the SRC could be my Comcast WAN IP.

I do have RU and CN and others blacklisted by country. My primary question is why there's an Outbound attempt to connect to that IP. And why my WAN IP is the source.

 

[Adamm]

@Adamm is this a potentially useful near future change that may help with your compiler script?

WSL1 is being upgraded to WSL2 and seems to be bringing some nice changes if I'm reading it right.

https://docs.microsoft.com/en-us/windows/wsl/wsl2-about


This will be available with Windows 10 2004 (should be April/May release date).

I wouldn't get your hopes up, there are still a lot of limitations with WSL compared to a regular Linux distro.

Checking ip at AlienVault... https://otx.alienvault.com/indicator/ip/194.190.124.17

Agreed, scratching my head how the SRC could be my Comcast WAN IP.

I do have RU and CN and others blacklisted by country. My primary question is why there's an Outbound attempt to connect to that IP. And why my WAN IP is the source.

The logs work like this, if its an inbound block, your IP will be the dst. If its an outbound block, your IP is the src.

 

[glehel]

this ip address 194.26.69.100 has been harassing me for 2 weeks now. I don't know what's causing it. Anyone have an idea?

 

[kernol]

this ip address 194.26.69.100 has been harassing me for 2 weeks now. I don't know what's causing it. Anyone have an idea?
https://ibb.co/XFFLQH3

https://otx.alienvault.com/indicator/ip/194.26.69.100

 

[dave14305]

Finally got a bunch of blocked Outbound links where the SRC is my Comcast WAN IP and DST is the IP above and others. All of the blocked outgoing links have SRC as my WAN IP address. Modem is an Arris SurfBoard. Compromised modem? How would the Router, behind the modem, record and block this? Curiouser ...

When your WAN IP is the source of an Outbound block, that means it comes from the router itself and not a LAN client. Do you use Unbound as a DNS server?

 

[Ubimo]

What does this mean? Private IP Detected - Please Put Your Modem In Bridge Mode / Disable CG-NAT?
How can I resolve this?

Apr  4 14:18:15 Skynet: [*] Private IP Detected - Please Put Your Modem In Bridge Mode / Disable CG-NAT
Apr  4 14:18:18 nat: apply redirect rules error!
Apr  4 14:18:23 WAN_Connection: Ethernet link up.
Apr  4 14:18:23 nat: apply redirect rules error!
Apr  4 14:18:23 rc_service: wanduck 171:notify_rc restart_wan_if 0
Apr  4 14:18:23 custom_script: Running /jffs/scripts/service-event (args: restart wan_if)
Apr  4 14:18:24 pppd[3538]: Unable to complete PPPoE Discovery
Apr  4 14:18:24 wsdd2[1660]: error: wsdd-mcast-v4: wsd_send_soap_msg: send
Apr  4 14:18:27 pppd[3840]: pppd 2.4.7 started by admin, uid 0
Apr  4 14:18:27 pppd[3840]: Connected to xx:xx:xx:xx:xx:xx via interface eth0
Apr  4 14:18:27 pppd[3840]: Connect: ppp0 <--> eth0
Apr  4 14:18:28 nat: apply redirect rules error!
Apr  4 14:18:30 pppd[3840]: PAP authentication succeeded
Apr  4 14:18:30 pppd[3840]: peer from calling number xx:xx:xx:xx:xx:xx authorized
Apr  4 14:18:30 pppd[3840]: local  IP address xxx.xxx.x.xx
Apr  4 14:18:30 pppd[3840]: remote IP address xxx.xxx.x.xxx
Apr  4 14:18:30 wsdd2[1660]: error: wsdd-mcast-v4: wsd_send_soap_msg: send
Apr  4 14:18:30 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
Apr  4 14:18:30 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Apr  4 14:18:31 wan: finish adding multi routes
Apr  4 14:18:32 WAN_Connection: WAN was restored.

 

[Adamm]

What does this mean? Private IP Detected - Please Put Your Modem In Bridge Mode / Disable CG-NAT?
How can I resolve this?

Apr  4 14:18:15 Skynet: [*] Private IP Detected - Please Put Your Modem In Bridge Mode / Disable CG-NAT
Apr  4 14:18:18 nat: apply redirect rules error!
Apr  4 14:18:23 WAN_Connection: Ethernet link up.
Apr  4 14:18:23 nat: apply redirect rules error!
Apr  4 14:18:23 rc_service: wanduck 171:notify_rc restart_wan_if 0
Apr  4 14:18:23 custom_script: Running /jffs/scripts/service-event (args: restart wan_if)
Apr  4 14:18:24 pppd[3538]: Unable to complete PPPoE Discovery
Apr  4 14:18:24 wsdd2[1660]: error: wsdd-mcast-v4: wsd_send_soap_msg: send
Apr  4 14:18:27 pppd[3840]: pppd 2.4.7 started by admin, uid 0
Apr  4 14:18:27 pppd[3840]: Connected to xx:xx:xx:xx:xx:xx via interface eth0
Apr  4 14:18:27 pppd[3840]: Connect: ppp0 <--> eth0
Apr  4 14:18:28 nat: apply redirect rules error!
Apr  4 14:18:30 pppd[3840]: PAP authentication succeeded
Apr  4 14:18:30 pppd[3840]: peer from calling number xx:xx:xx:xx:xx:xx authorized
Apr  4 14:18:30 pppd[3840]: local  IP address xxx.xxx.x.xx
Apr  4 14:18:30 pppd[3840]: remote IP address xxx.xxx.x.xxx
Apr  4 14:18:30 wsdd2[1660]: error: wsdd-mcast-v4: wsd_send_soap_msg: send
Apr  4 14:18:30 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
Apr  4 14:18:30 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Apr  4 14:18:31 wan: finish adding multi routes
Apr  4 14:18:32 WAN_Connection: WAN was restored.

It means your router isn't being assigned a public IP and instead you are in a double-nat situation with your modem not being in bridge mode or your ISP has provided you an IP via CG-NAT.

What is the output of;

sh /jffs/scripts/firewall debug info

 

[Ubimo]

Thanks for the fast reply!
My router is behind an Ubiquiti PowerBeam(which is in bridge mode)
My router is logging into my ISP via PPPoE.
I'm using 1.1.1.1 with DoT.
I have internet access.
I cannot understand what you said above... :-( I'm too noob.

Skynet Version; v7.1.5 (03/04/2020) (71b77bbf4497c97c282b9586d6334f1e)
iptables v1.4.15 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (185.202.7.xxx)
FW Version; 384.15_0 (Feb 11 2020) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/USB/skynet (1.3G / 3.7G Space Available)
SWAP File; /tmp/mnt/USB/myswap.swp (2.0G)
Uptime; 0 days, 0 hours, 16 minutes.
Ram Available; (82M / 249M)




--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
SWAP File                           | [Passed]
Cron Jobs                           | [Passed]
NTP Sync                            | [Passed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Passed]
IPTables Rules                      | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Disabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Disabled]
Import AiProtect Data               | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Default]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Enabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Disabled]

13/13 Tests Sucessful


=============================================================================================================


[#] 180284 IPs (+0) -- 1622 Ranges Banned (+0) || 60 Inbound -- 0 Outbound Connections Blocked! [debug] [5s]

Edit:
I'm currently having internet connectivity issues.
Every time I get this message above, my Internet is working.
But when I reboot my PowerBeam and I get another public IP in my router, the message does not appear. Also my internet connection is not working properly (some website won't load, but I can ping them).
Then, for science sake, I reboot my PowerBeam again, I get another public IP, I get this message, and everything works again. It's some kind of russian rou(ter)lette.

 

[Smokey613]

I get the same message due to CG-NAT even though my ISP cable modem is in bridge mode.

 

[Adamm]

Thanks for the fast reply!
My router is behind an Ubiquiti PowerBeam(which is in bridge mode)
My router is logging into my ISP via PPPoE.
I'm using 1.1.1.1 with DoT.
I have internet access.
I cannot understand what you said above... :-( I'm too noob.

Skynet Version; v7.1.5 (03/04/2020) (71b77bbf4497c97c282b9586d6334f1e)
iptables v1.4.15 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (185.202.7.xxx)
FW Version; 384.15_0 (Feb 11 2020) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/USB/skynet (1.3G / 3.7G Space Available)
SWAP File; /tmp/mnt/USB/myswap.swp (2.0G)
Uptime; 0 days, 0 hours, 16 minutes.
Ram Available; (82M / 249M)




--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
SWAP File                           | [Passed]
Cron Jobs                           | [Passed]
NTP Sync                            | [Passed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Passed]
IPTables Rules                      | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Disabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Disabled]
Import AiProtect Data               | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Default]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Enabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Disabled]

13/13 Tests Sucessful


=============================================================================================================


[#] 180284 IPs (+0) -- 1622 Ranges Banned (+0) || 60 Inbound -- 0 Outbound Connections Blocked! [debug] [5s]

Edit:
I'm currently having internet connectivity issues.
Every time I get this message above, my Internet is working.
But when I reboot my PowerBeam and I get another public IP in my router, the message does not appear. Also my internet connection is not working properly (some website won't load, but I can ping them).
Then, for science sake, I reboot my PowerBeam again, I get another public IP, I get this message, and everything works again. It's some kind of russian rou(ter)lette.

I pushed a hotfix, the error message will now show the IP which is causing the issue at the time. Post back accordingly if you see this message again.

I get the same message due to CG-NAT even though my ISP cable modem is in bridge mode.

Most carriers (as long as its not a mobile connection) should be able to disable this on request.

 

[Wisiwyg]

When your WAN IP is the source of an Outbound block, that means it comes from the router itself and not a LAN client. Do you use Unbound as a DNS server?

Yes, using Unbound script in AMTM with defaults.

 

[dave14305]

Yes, using Unbound script in AMTM with defaults.

So there must have been a name requested by a LAN client and the authoritative name server for the domain was that blocked Russian IP. It’s happened a lot with no practical way to whitelist all authoritative DNS servers around the world.

There’s plenty of risk, but it would be possible to exclude port 53 from the raw OUTPUT chain iptables rule. But not all DNS blocks should be assumed to be false positives.

 

[JT Strickland]

I'm not sure that AiProtection is doing anything after enabling it. It shows 0's in each module except for a 15 in the router assessment. It seems very different than Skynet. I feel good about it after reading past posts about it, though, especially after Adamm said Skynet was designed to run with Aiprotection.

I haven't noticed any appreciable decrease in performance. Ram usage is about 90%, same as before, and I still have both components of hardware acceleration, so far.

RT-AC86U 384.16 B3, RT-AC68U aimesh node w/ 384.15, Diversion, uiDivstats, Skynet, Scribe, uiScribe, Conmon, spdMerlin, scMerlin, Nsrum, and now AiProtection.