Skynet Skynet - Router Firewall & Security Enhancements

[MacG32]

What's the standard filter list? URL?

https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list

 

[andywee]

I am getting 404 Not Found error for the web UI.
CLI seems to be working fine.
currently on RT-AC3100.
any idea how to troubleshoot?

2gb swap file is fine. no file lock problems.

that said, i am installing this router from within china. and I am not able to use amtm to install skynet.
i could only install if with the help of my nas
/usr/sbin/curl -s "http://192.168.10.20/firewall.sh"
-o "/jffs/scripts/firewall" && chmod 755 /jffs/scripts/firewall && sh /jffs/scripts/firewall install


lately internet clamping down in china has gotten worst during this pandemic period..

and I am also unable to update the blacklist as it is banned from china.


when I tried to disable and enable Display WebUI i got this.

Mounting Skynet Web Page As user1.asp
cp: can't stat '/tmp/mnt/16GB/skynet/webui/skynet.asp': No such file or directory
WebUI Enabled
Generating Stats

and then in webui folder. there is only stats folder with 4 txt files and stats.js

 

[PC Pilot]

I am a relative newcomer to the more advanced aspects of the Asus Router/Merlin Firmware and so rather finding my way by degrees, including currently attempting to install Skynet (V7.1.6) using installation code provided in the 1st post.

The inserted USB already contains scripts currently in use and when the install process begins it asks to "which Partition Number the install is to use". The available options offered are as set out below:

[1] --> /tmp/mnt/ASUS_ROUTER - (/dev/sda1)
[2] --> /tmp/home - (/dev/sda1)
[3] --> /tmp/mnt/ASUS_ROUTER/debian/mnt - (/dev/sda1)

As I would like to run Skynet alongside the existing scripts I am keen not to commit any actions which might (as part of the install process) erase or disable the existing files & directory structure. I would be extremely grateful if any of the users familiar with Skynet and the install actions could advise how best to proceed so as to preserve the current functions provided by the USB whilst also installing and enabling Skynet alongside.

Many thanks

PC Pilot

 

[Jayshere]

I am getting 404 Not Found error for the web UI.
CLI seems to be working fine.
currently on RT-AC3100.
any idea how to troubleshoot?

2gb swap file is fine. no file lock problems.

that said, i am installing this router from within china. and I am not able to use amtm to install skynet.
i could only install if with the help of my nas
/usr/sbin/curl -s "http://192.168.10.20/firewall.sh"
-o "/jffs/scripts/firewall" && chmod 755 /jffs/scripts/firewall && sh /jffs/scripts/firewall install


lately internet clamping down in china has gotten worst during this pandemic period..

and I am also unable to update the blacklist as it is banned from china.


when I tried to disable and enable Display WebUI i got this.

Mounting Skynet Web Page As user1.asp
cp: can't stat '/tmp/mnt/16GB/skynet/webui/skynet.asp': No such file or directory
WebUI Enabled
Generating Stats

and then in webui folder. there is only stats folder with 4 txt files and stats.js

since u r posting here i suppose u r already over the fence but how do u deal with dns poisoning? maybe u need to look into that department...

 

[andywee]

since u r posting here i suppose u r already over the fence but how do u deal with dns poisoning? maybe u need to look into that department...

sad to say I havent found a way to deal with it unless I build a localized dns. ping to 8.8.8.8 or to 8.8.4.4 would get 50% dropped packets. attempting to use a non china DNS would result in 1/2 the local china websites unable to load. not to mention glitchy sub-district DNS.
skynet has helped me blocking several huawei websites and almost all of baidu servers. and many other sties like 360.cn and stuff, to prevent my staff from downloading those junk applications.

china websites have reach the level of annoying to irritant. i used to be able to block mmstat.com and their subdomains. ( those data collection stuff) but now if you were to block it, most china sites after you login, you get thrown back to the login screen. sites like taobao.com and alipay and many others. so the china sites, if you dont allow them to data mine you they dont let you use their services.

recently my VPN has been glitchy also. I have a few private built VPN servers that i threw in my a few of my consenting friends house outside of china. all on dynamic IP.
even then, in the past 3 months. after using VPN for 30mins or less. the data would just stop. meaning all ping would no longer work, all packets dropped. almost as if the china cant see that you are communating they would just terminate that connection. using open VPN XOR helps once awhile .but I mainly use AES256

 

[Quenlinlom]

EDIT: Disregard this post. The AiProtectionMonitor.db file isn't actually the AiProtection rule set, it's the log of past blocks by AiProtection. AiProtection's rule set lies elsewhere (I don't know where... does anyone?)

----------------------------------------------

I want to ask a bit about the AiProtection import feature of Skynet. I've searched the thread and so far it doesn't seem to have been explained.

Reading from Skynet's source code at https://github.com/Adamm00/IPSet_ASUS/blob/master/firewall.sh it seems the Refresh_AiProtect() function basically reads the /jffs/.sys/AiProtectionMonitor/AiProtectionMonitor.db file and imports all the rules from the "monitor" table into IPSet. And since the AiProtectionMonitor.db is basically just a single "monitor" table, AiProtection and Skynet are practically filtering the same IPs. (It's quite a small list as well, just 1554 rows as of writing.)

So, the questions:
1. Is there a point then to enable both AiProtection and Skynet? Skynet's filtering seems to be a superset of AiProtection's.
2. How is the AiProtectionMonitor.db file updated? Per firmware updates (won't that make the db extremely outdated)? Or does the bwdpi module somehow fetch new versions? Do you have to enable AiProtection for it to be updated? I'm trying to find the logic from the Merlin source code but if anyone has any pointers that'll be great.
3. If the AiProtectionMonitor.db is fetched periodically from a certain URL, won't it be possible to write a cron job and fetch that manually instead of whatever mechanism that AiProtection currently uses? If Skynet could basically do all of AiProtection's does, it'll save a lot of kernel RAM usage especially with the Broadcom models where the bwdpi module sucks up loads.

 

[Jayshere]

sad to say I havent found a way to deal with it unless I build a localized dns. ping to 8.8.8.8 or to 8.8.4.4 would get 50% dropped packets. attempting to use a non china DNS would result in 1/2 the local china websites unable to load. not to mention glitchy sub-district DNS.
skynet has helped me blocking several huawei websites and almost all of baidu servers. and many other sties like 360.cn and stuff, to prevent my staff from downloading those junk applications.

china websites have reach the level of annoying to irritant. i used to be able to block mmstat.com and their subdomains. ( those data collection stuff) but now if you were to block it, most china sites after you login, you get thrown back to the login screen. sites like taobao.com and alipay and many others. so the china sites, if you dont allow them to data mine you they dont let you use their services.

recently my VPN has been glitchy also. I have a few private built VPN servers that i threw in my a few of my consenting friends house outside of china. all on dynamic IP.
even then, in the past 3 months. after using VPN for 30mins or less. the data would just stop. meaning all ping would no longer work, all packets dropped. almost as if the china cant see that you are communating they would just terminate that connection. using open VPN XOR helps once awhile .but I mainly use AES256

Andy, i sense u neck deep...most of the things u experienced i'm afraid don't have anything to do with skynet. first of all, i think u might want to try the dot stuff in merlin fw. to alleviate lengthy pings to the your dot servers try to setup different routings btw "walled" traffic and others...using dot will be definitely slower but this setup will make sure its negative impacts manageable.

if data mining and other shadowy practices are a real concern for u nuke all ur devices and start over again from the very beginning to set them up...never use anything of a mandarin locale, and properly set up ur router with merlin/skynet/diversion/dot. u may have ur devices compromised already if ur statements above are true, as a counter data point, u can still use tb and alipay even with all of MMSTAT.COM BLOCKED!

VPN traffic is easily finger-printed and readily recognized by the big brother. circumvention tools work better in terms of service availability, of course VPN is more secure...ur choice.

 

[Adamm]

I am getting 404 Not Found error for the web UI.
CLI seems to be working fine.
currently on RT-AC3100.
any idea how to troubleshoot?

2gb swap file is fine. no file lock problems.

that said, i am installing this router from within china. and I am not able to use amtm to install skynet.
i could only install if with the help of my nas
/usr/sbin/curl -s "http://192.168.10.20/firewall.sh"
-o "/jffs/scripts/firewall" && chmod 755 /jffs/scripts/firewall && sh /jffs/scripts/firewall install


lately internet clamping down in china has gotten worst during this pandemic period..

and I am also unable to update the blacklist as it is banned from china.


when I tried to disable and enable Display WebUI i got this.

Mounting Skynet Web Page As user1.asp
cp: can't stat '/tmp/mnt/16GB/skynet/webui/skynet.asp': No such file or directory
WebUI Enabled
Generating Stats

and then in webui folder. there is only stats folder with 4 txt files and stats.js

You need the WebUI files locally;

https://github.com/Adamm00/IPSet_ASUS/tree/master/webui

 

[Jayshere]

hi Adam...i recently encountered an issue when updating skynet. At the step of pulling off the new script when update is available, if the connection to github somehow gets interrupted and the curl fails that leaves the script downloaded unfinished, which causes the whole skynet to fail. Only way to remedy is to start over with a new install. Is there a way to get a check in place so that when the curl fails it just drops the unfinished downloads and reverts back to using the current scripts, so i can update at a later time instead of having to start a new installation of skynet. love your script and it's keeping getting better...

 

[randomName]

Was getting a syntax error on line 40, arithmetic, when trying to open the menu through putty. Reformatted the USB drive, reformatted the JFFS partition. Went through the install and the USB was never partitioned. Everthing keeps failing:

SWAP - Failed
Cron Jobs - Failed
IPSets - Failed
IPTabled Rules - Failed

 

[bengalih]

Just want to confirm that the statistics section titled "Top 10 Source Ports (Inbound)" is referring to what the external IP's (i.e. potential attacker's) originating source port is. So if I see that my highest hit "Targeted Port" is 55555 and the highest shows "Source Port" is 22222 that likely means that I am getting a lot of hits coming from their 22222 to my 55555.

Hey...I was just revisiting understanding the source/target port inbound to see if I could understand why I have so many hits to/from a specific port combination? For example looking at the stats page right now I see ~5,600 inbound hits to target port 49734 and ~4,000 attempts inbound from source port 50025. Both of these are 4-5x higher than the next targeted/source ports.

AFAIK both of these ports are meaningless dynamic ports, but I'm curious if they have any relation to my specific network or for instance 49734 happens to be a popular port for malware scans or something? I can't find anything online about 49734 specifically, so I have to think it is somehow related to my network. I thought perhaps that it may be related to my torrent client setup, but I have one server set to a different port (which is forwarded on the router) and the other server is configured using a SOCKS5 proxy (also on a different port). So I don't believe it is this.

It is hard to subjectively tell how much traffic this actually is. For instance if I look for this port in my syslog I find no hits on it, whereas I can find 83 hits against the next highest hit port 59320 (which Skynet has logged for only ~1700 hits). So it is possible that there was just one machine in China that banged away on this port for 5 minutes and that was enough to put these numbers so high. Then again, why did this port get targeted if it isn't a known malware port (or known anything).

What would cause so many attempts against a seemingly random port and is this a cause of any concern?
Even if they are being blocked, I'm curious if there is something that is attracting this level of traffic on these specific ports, or this is likely just scanners and there is nothing more I can do other than continue to drop/block them.

 

[mamakap]

Hi,
I'm new here, quick question, I have 2 router, main router connected from LAN to second router via WAN, main router is installed with Diversion and SkyNet. Does Diversion and SkyNet works on my second router? Thanks advance.

 

[immi803]

Whenever i restart firewall, it restarts my qos as well, actually I'm using freshjr, is it necessary for qos to reapply with firewall?

 

[dave14305]

Whenever i restart firewall, it restarts my qos as well, actually I'm using freshjr, is it necessary for qos to reapply with firewall?

It’s restarting the FreshJR script, but the stock Adaptive QoS should not be restarting. FreshJR built-in and custom iptables rules get erased when the firewall restarts, so they must be reapplied every firewall restart. In most cases, the tc rules remain intact, unless QoS actually restarts also.

Why is your firewall restarting so often (if it is)? Does this even have anything to do with Skynet?

 

[immi803]

It’s restarting the FreshJR script, but the stock Adaptive QoS should not be restarting. FreshJR built-in and custom iptables rules get erased when the firewall restarts, so they must be reapplied every firewall restart. In most cases, the tc rules remain intact, unless QoS actually restarts also.

Why is your firewall restarting so often (if it is)? Does this even have anything to do with Skynet?

Not really often, just noticed it , so asked
Thanks for clarifying

 

[andywee]

Andy, i sense u neck deep...most of the things u experienced i'm afraid don't have anything to do with skynet. first of all, i think u might want to try the dot stuff in merlin fw. to alleviate lengthy pings to the your dot servers try to setup different routings btw "walled" traffic and others...using dot will be definitely slower but this setup will make sure its negative impacts manageable.

if data mining and other shadowy practices are a real concern for u nuke all ur devices and start over again from the very beginning to set them up...never use anything of a mandarin locale, and properly set up ur router with merlin/skynet/diversion/dot. u may have ur devices compromised already if ur statements above are true, as a counter data point, u can still use tb and alipay even with all of MMSTAT.COM BLOCKED!

VPN traffic is easily finger-printed and readily recognized by the big brother. circumvention tools work better in terms of service availability, of course VPN is more secure...ur choice.

yeah I know most of my issues I mentioned arent related to skynet. i was just saying it's hard to update list from this other planet. I managed to update the list eventually, at 4am of the local time. so i am concluding that the dropped packets and stuff is due to traffic congest leading to the outside world. the irony is I am using skynet to control my office internet traffic from the issues that are mainly found within china. one of the problems is I have to rely on the locals to help me translate as i myself am not able read chinese. and am not able to figure out what their applications do. most of them install from the crappiest sites but luckily for me (so it seems) most of their software are online installers. so if I can block it off I can nib it at the bud.

btw, I am going to take you at your word. gonna try blocking mmstat again and see what happens. from what I tried back in 2019, if you access these sites within china and from outside of china it's different. it would seem china tb would need mmstat but not global TaoBao, i might be wrong.

btw, when you mention dot. do you mean IoT? or something else?
i am no expert in this field. i consider myself amateur at best. so you have to spare me the abbreviations so that I can search google for it. ;-)

 

[andywee]

You need the WebUI files locally;

https://github.com/Adamm00/IPSet_ASUS/tree/master/webui

i copied the 4 files to my webui folder. but launching webUI i get directed to a github page. did i miss some step?

 

[Jayshere]

yeah I know most of my issues I mentioned arent related to skynet. i was just saying it's hard to update list from this other planet. I managed to update the list eventually, at 4am of the local time. so i am concluding that the dropped packets and stuff is due to traffic congest leading to the outside world. the irony is I am using skynet to control my office internet traffic from the issues that are mainly found within china. one of the problems is I have to rely on the locals to help me translate as i myself am not able read chinese. and am not able to figure out what their applications do. most of them install from the crappiest sites but luckily for me (so it seems) most of their software are online installers. so if I can block it off I can nib it at the bud.

btw, I am going to take you at your word. gonna try blocking mmstat again and see what happens. from what I tried back in 2019, if you access these sites within china and from outside of china it's different. it would seem china tb would need mmstat but not global TaoBao, i might be wrong.

btw, when you mention dot. do you mean IoT? or something else?
i am no expert in this field. i consider myself amateur at best. so you have to spare me the abbreviations so that I can search google for it. ;-)

i'm not expert either, just a heavy user i guess. by dot i meant dns-over-tls(DoT), whose setting is in the Wan DNS Setting section of the Internet Connection tab on WAN page of your asus router's management. Mine is 86u so if yours ain't it could be in a bit diff place but u got the idea...dns poisoning can't interfere with dot

also on the mmstat i think u got to block everything of it's tracking nature completely to trick it for u to be able to use tb etc free of worries. start from skynet and i put mmstat.com in my wildcard blacklist in diversion, everything still works smoothly...

 

[dave14305]

i copied the 4 files to my webui folder. but launching webUI i get directed to a github page. did i miss some step?

Click the Raw button for each file before downloading.

 

[andywee]

i'm not expert either, just a heavy user i guess. by dot i meant dns-over-tls(DoT), whose setting is in the Wan DNS Setting section of the Internet Connection tab on WAN page of your asus router's management. Mine is 86u so if yours ain't it could be in a bit diff place but u got the idea...dns poisoning can't interfere with dot

also on the mmstat i think u got to block everything of it's tracking nature completely to trick it for u to be able to use tb etc free of worries. start from skynet and i put mmstat.com in my wildcard blacklist in diversion, everything still works smoothly...

oh, so the norm is the use diversion for stuff like mmstat and just let skynet run on auto with it's own auto updated blacklist? is that what most people are doing? I was just about to say. how to do you wildcard in skynet with all it's subdomain.