
Skynet - Router Firewall & Security Enhancements


Mind elaborating a little further? I can both expand and contract the charts with scrolling, what is your desired functionality here?
When scrolling down or up the page with the mouse wheel and the pointer is over the charts, the charts expand.
Also the charts only expand when scrolling over it, no matter what computer mouse I use and what direction I scroll.
This is in Firefox, does not happen in Opera.
 
Upgraded to 7.1.7 but when I add countries to block it adds 0 ranges
 
Can someone please help? Now that I have Skynet running, I can see from the web pages that I have some machines with blocked outbound traffic and a list of the outbound addresses. What I want to do is match one with the other. I can see that the details of the blocks are in /mnt/Router/skynet/skynet.log, and if I run grep against OUTBOUND I get every line. What I would like to do is filter that output so that, for each line with OUTBOUND, what I see is the date, time, IP address of the sending machine and the blocked IP. I would appreciate some help in how I can do this.

Also I note that the contents of the logs relate to ipv4 addresses, does Skynet also act on ipv6 traffic?
 
Just added SkyNet 7.1.7 to my RT-AC68P router that's run Diversion for some time. While SkyNet installed as expected (with default values, as far as I know), it doesn't report any blocked ranges. Each startup looks like this.

0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked!

My first thought was to check the Malware Blacklist. When I choose "Update" or "Reset Filter List" from that list of options, I see this.

Filter URL Reset
Downloading filter.list | [2s]
Refreshing Whitelists | [81s]
Consolidating Blacklist | [27s]
[*] List Content Error Detected - Stopping Banmalware


Since the blacklists seem to fail loading, not surprised it hasn't blocked anything. Your common errors section mentions "List Content Error Detected" and says "Skynet will validate content during processing to make sure it is correctly formatted. Use the default lists for reference."

How should I be sure the default lists are active? Not sure what to check next.
 
Upgraded to 7.1.7 but when I add countries to block it adds 0 ranges

IPDeny (where we source the country data) seems to have an expired SSL cert. I've added a temporary hotfix to bypass the issue until things are resolved on their end.

Code:
skynet@RT-AX88U-DC28:/tmp/skynet# curl -L --retry 3 --connect-timeout 3 https://ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
 
What I would like to do is filter that output so that, for each line with OUTBOUND, what I see is the date, time, IP address of the sending machine and the blocked IP. I would appreciate some help in how I can do this.

As per the readme;

Code:
( firewall stats search device 192.168.1.134 ) Search For All Outbound Entries From Local Device 192.168.1.134

Also I note that the contents of the logs relate to ipv4 addresses, does Skynet also act on ipv6 traffic?

We don't support IPv6 at this time, for the simple reason that IPv6 blacklisting is essentially useless. To put this into perspective, a standard residential allocation is /56, that equates to 4,722,366,482,869,645,213,696 addresses.
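
For the log-filtering question in this thread, a standalone filter written as an added example (not part of any post, and not Skynet's own code). It assumes the log holds kernel netfilter LOG lines with `SRC=` and `DST=` fields; the sample lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise blocked outbound connections from a Skynet-style log.
# Assumption: entries are kernel netfilter LOG lines carrying SRC= and DST= fields.

# Constructed sample input (not taken from a real router).
sample_log() {
cat <<'EOF'
Jun  3 10:15:42 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.134 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51514 DPT=443
Jun  3 10:15:43 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4444 DPT=23
Jun  3 10:16:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.150 DST=198.51.100.23 LEN=60 PROTO=UDP SPT=40000 DPT=53
Jun  3 10:17:10 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.134 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51520 DPT=443
Jun  3 10:17:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.134
EOF
}

# Print "Mon Day Time SRC DST" for every OUTBOUND line; reads files or stdin.
outbound_summary() {
  awk '/OUTBOUND/ {
    src = ""; dst = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/) src = substr($i, 5)
      else if ($i ~ /^DST=/) dst = substr($i, 5)
    }
    # Skip truncated lines that lack either address.
    if (src != "" && dst != "") print $1, $2, $3, src, dst
  }' "$@"
}

# Count blocks per (local device, blocked address) pair, busiest first.
outbound_pairs() {
  outbound_summary "$@" |
    awk '{ n[$4 " " $5]++ } END { for (k in n) print n[k], k }' |
    sort -rn
}

# Usage on the router, with the log path given in the question:
#   outbound_summary /mnt/Router/skynet/skynet.log
#   outbound_pairs   /mnt/Router/skynet/skynet.log
```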
 
Just added SkyNet 7.1.7 to my RT-AC68P router that's run Diversion for some time. While SkyNet installed as expected (with default values, as far as I know), it doesn't report any blocked ranges. Each startup looks like this.

0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked!

My first thought was to check the Malware Blacklist. When I choose "Update" or "Reset Filter List" from that list of options, I see this.

Filter URL Reset
Downloading filter.list | [2s]
Refreshing Whitelists | [81s]
Consolidating Blacklist | [27s]
[*] List Content Error Detected - Stopping Banmalware


Since the blacklists seem to fail loading, not surprised it hasn't blocked anything. Your common errors section mentions "List Content Error Detected" and says "Skynet will validate content during processing to make sure it is correctly formatted. Use the default lists for reference."

How should I be sure the default lists are active? Not sure what to check next.

Strange, what is the output of;

Code:
firewall debug info
 
Strange, what is the output of;

Code:
firewall debug info

[$] /jffs/scripts/firewall debug info

=============================================================================================================

Router Model; RT-AC68P
Skynet Version; v7.1.7 (03/06/2020) (1f97797bb5e5792518399baf32208c4c)
iptables v1.4.15 - (vlan2 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (24.61.10.28)
FW Version; 384.17_0 (Apr 25 2020) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/UTILS/skynet (5.6G / 7.1G Space Available)
SWAP File; /tmp/mnt/UTILS/myswap.swp (1.0G)
Banned Countries; cn
Uptime; 0 days, 8 hours, 43 minutes.
Ram Available; (26M / 249M)

(then a list of my 20+ IP devices)

-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
Service-Event Entry | [Passed]
Profile.add Entry | [Passed]
SWAP File | [Passed]
Cron Jobs | [Passed]
NTP Sync | [Passed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
IPSets | [Passed]
IPTables Rules | [Passed]
Local WebUI Files | [Passed]
Mounted WebUI Files | [Passed]
MenuTree.js Entry | [Passed]

----------- | ----------
| Setting | | | Status |
---------- | ----------

Skynet Auto-Updates | [Enabled]
Malware List Auto-Updates | [Enabled]
Logging | [Enabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid Packets | [Disabled]
Import AiProtect Data | [Enabled]
Secure Mode | [Enabled]
Fast Switch List | [Disabled]
Syslog Location | [Default]
IOT Blocking | [Disabled]
Country Lookup For Stats | [Enabled]
CDN Whitelisting | [Enabled]
Display WebUI | [Enabled]

17/17 Tests Sucessful

=============================================================================================================

[#] 0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [debug] [70s]
 
a standard residential allocation is /56, that equates to 4,722,366,482,869,645,213,696 addresses.

Say what? Are you saying that every standard residential ISP customer receives 4 gazillion fixed IPv6 addresses? In what scenario is this not insane?
 
Not insane. Forward-thinking. :)

There's lots for everyone, glad they're sharing it fairly.
 
How do I get rid of the two Skynet tabs? Not sure when this happened, I just noticed it today.

 
Bad DHCP behavior led me to factory reset my RT-AC68P and make fresh Diversion 4.1.12 and SkyNet 7.1.7 installs. After router setup, Diversion Standard installed as expected via amtm. So far, SkyNet 7.1.7 install hangs forever at the start, without visible output of what could be wrong. I first tried installing via amtm, which shows me its welcome banner.

#############################################################################################################
# #
# ███████╗██╗ ██╗██╗ ██╗███╗ ██╗███████╗████████╗ ██╗ ██╗███████╗ #
# ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗ ██║██╔════╝╚══██╔══╝ ██║ ██║╚════██║ #
# ███████╗█████╔╝ ╚████╔╝ ██╔██╗ ██║█████╗ ██║ ██║ ██║ ██╔╝ #
# ╚════██║██╔═██╗ ╚██╔╝ ██║╚██╗██║██╔══╝ ██║ ╚██╗ ██╔╝ ██╔╝ #
# ███████║██║ ██╗ ██║ ██║ ╚████║███████╗ ██║ ╚████╔╝ ██║ #
# ╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═══╝╚══════╝ ╚═╝ ╚═══╝ ╚═╝ #
# #
# Router Firewall And Security Enhancements #
# By Adamm - https://github.com/Adamm00/IPSet_ASUS #
# 03/06/2020 - v7.1.7 #
#############################################################################################################

=============================================================================================================

The cursor sits at this point without any further output for 20+ minutes, about as long as I cared to wait, so I canceled this install attempt and tried from shell.

/usr/sbin/curl -s "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh" -o "/jffs/scripts/firewall" && chmod 755 /jffs/scripts/firewall && sh /jffs/scripts/firewall install

This gets me the same welcome banner, followed by a similar wait with no activity. It feels like I'm missing something basic that would allow it to move forward. Will a particular log help to figure out what's up? Thanks for any help.
 
This gets me the same welcome banner, followed by a similar wait with no activity. It feels like I'm missing something basic that would allow it to move forward. Will a particular log help to figure out what's up? Thanks for any help.
Try running with:
Code:
sh -x /jffs/scripts/firewall install
it will give a lot of output but when it hangs, what’s near the bottom should tell us what’s up. I’m guessing it’s hung up searching any attached drives for old incompatible scripts.
 
Did you check your USB drive for errors?
 
Try running with:
Code:
sh -x /jffs/scripts/firewall install
it will give a lot of output but when it hangs, what’s near the bottom should tell us what’s up. I’m guessing it’s hung up searching any attached drives for old incompatible scripts.

Thanks, here's section of that output after the header and before the hang.

+ Check_Lock install
+ [ -f /tmp/skynet.lock ]
+ sed -n 2p /tmp/skynet.lock
+ [ -d /proc/23125 ]
+ echo install
+ echo 23205
+ date +%s
+ lockskynet=true
+ + ipsetgrep -qE v6|v7
-v
+ uname -r
+ [ ! -f /lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/ipset/ip_set_hash_ipmac.ko ]
+ nvram get jffs2_scripts
+ [ 1 != 1 ]
+ nvram get fw_enable_x
+ [ 1 != 1 ]
+ nvram get fw_log_x
+ [ drop != drop ]
+ conflicting_scripts=(IPSet_Block.sh|malware-filter|privacy-filter|ipBLOCKer.sh|ya-malware-block.sh|iblocklist-loader.sh|firewall-reinstate.sh)$
+ grep -qE (IPSet_Block.sh|malware-filter|privacy-filter|ipBLOCKer.sh|ya-malware-block.sh|iblocklist-loader.sh|firewall-reinstate.sh)$
+ find /jffs /tmp/mnt

Running these last commands on their own, it appears the "find /tmp/mnt" hit my second mounted USB drive, which contains perhaps millions of files, and enumerating all of them will take quite a while. Going to remove that drive and retry install.
 
+ find /jffs /tmp/mnt
+ grep -qE (IPSet_Block.sh|malware-filter|privacy-filter|ipBLOCKer.sh|ya-malware-block.sh|iblocklist-loader.sh|firewall-rei
Don't know the purpose of that grep well enough to know why it would hang there. Do you see one of the scripts you suspected?
It’s the find that is hanging. Check your drive health and jffs utilization.
 
Has anyone got the URL blocking feature found within this script working? For some reason when I try to block a URL via the Ban command and then entering the domain, it never sticks. I can see the output read 'banning [IP Address]' but I'm still able to access the URL?
 
It’s the find that is hanging. Check your drive health and jffs utilization.

Thanks, updated my previous note. Discovered it was enumerating millions of files on the second USB drive. Removed that one and install no longer took forever.

Perhaps you can help with secondary issue? At startup, SkyNet says it's not blocking anything. I read that as the default domains not loading as expected, so tried to update the Malware Blacklist with visible logging.

sh -x /jffs/scripts/firewall banmalware

That failed with "List Content Error Detected" and this last section of output.

+ dos2unix /tmp/mnt/UTILS/skynet/lists/*
+ printf \033[1;32m%s\033[0m\b\b\b --*
+ grep -qF * /tmp/skynet/skynet.manifest
+ usleep 250000
+ rm -rf *
+ grep -qE ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ /tmp/mnt/UTILS/skynet/lists/*
+ date +%s
+ Red [27s]
+ printf -- \033[1;31m%s\033[0m\n [27s]
+ result=[27s]
+ printf %-8s\n [27s]
+ printf \b\b\b
[27s]
+ printf %-35s\n [*] List Content Error Detected - Stopping Banmalware
[*] List Content Error Detected - Stopping Banmalware
+ nocfg=1
+ result=1
+ [ 1 != 1 ]
+ [ -f /tmp/skynet/spinstart ]
+ Clean_Temp
+ rm -rf /tmp/skynet/lists /tmp/skynet/skynet.manifest /tmp/skynet/spinstart
+ mkdir -p /tmp/skynet/lists
+ Spinner_End

Here's shell output without logging.

Downloading filter.list | [3s]
Refreshing Whitelists | [100s]
Consolidating Blacklist | [37s]
[*] List Content Error Detected - Stopping Banmalware


[#] 0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [banmalware] [156s]

Is that bolded grep line what triggers the content error? I checked /tmp/mnt/UTILS/skynet/lists/ and the folder's empty on my system, so if it's looking for contents there, I can see why it failed.
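
On the question above, an added example (not Skynet's code and not part of any post): in the trace, grep receives the path as a literal `lists/*`, which is how an unmatched glob appears. Assuming the error follows from that grep finding nothing, the sketch below separates "no list files" from "files with no usable entries"; the function names, return codes and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell apart "no list files" from "files with no usable entries".
# Return codes are choices made for this example: 0 ok, 2 no files, 3 no valid entry.

# Regex copied from the grep line in the trace above.
PATTERN='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'

# Count lines that match PATTERN and are also in range
# (the regex alone accepts 999.1.1.1 and 10.0.0.0/40).
count_valid() {
  grep -hE "$PATTERN" "$@" 2>/dev/null |
    awk -F'[./]' '{
      ok = 1
      for (i = 1; i <= 4; i++) if ($i + 0 > 255) ok = 0
      if (NF == 5 && $5 + 0 > 32) ok = 0
      if (ok) n++
    } END { print n + 0 }'
}

check_lists() {
  dir=$1
  set -- "$dir"/*
  # An unmatched glob stays literal ("$dir/*"), so test that the first
  # expansion really exists before handing it to grep.
  [ -e "$1" ] || return 2
  [ "$(count_valid "$@")" -gt 0 ] || return 3
  return 0
}

# Write constructed sample lists into directory $1.
make_bad_list() {
  printf '%s\n' 'not-an-ip' '999.1.1.1' '10.0.0.0/40' > "$1/bad.list"
}
make_good_list() {
  printf '%s\n' '203.0.113.0/24' '198.51.100.7' '# comment' > "$1/good.list"
}
```

Running `check_lists /tmp/mnt/UTILS/skynet/lists; echo $?` against the directory from the post would print 2 while it is empty.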
 
