Skynet - Router Firewall & Security Enhancements


After installing Skynet, my AC86U RAM used increased from [some small %] to 87%. Is that expected?
 
Yes, these routers dynamically manage their resources. The larger the lists you use, the more memory they consume. There is nothing wrong with it running at a high %. That does not mean a thing other than that the router is managing to do its job.
 
I experience Skynet crashes of the SSH menu when attempting to use [6] Deport IP List --> Blacklist. I entered several IP bans from Suricata manually and wanted to deport them into a file called black-list.txt. When executing the command I get the following error:
404 error detected - stopping import
then Skynet quits.
The events.log doesn't show any further errors and nothing in the system log either. I don't know if there is a problem on my end?
 
Do Skynet services overlap with those provided by Quad9 DNS servers?
 
Code:
Hits | IP Address    | AlienVault                                            | Ban Reason                        | Associated Domains
---- | ------------- | ----------------------------------------------------- | --------------------------------- | ------------------
86x  | 52.149.246.39 | https://otx.alienvault.com/indicator/ip/52.149.246.39 | BanMalware: firehol_level3.netset | duckduckgo.com
firehol_level3.netset is blocking duckduckgo? What the deuce?
 
It isn't as of 12:10PM Eastern time.
Code:
[i] Logging Data Detected in /tmp/mnt/bluestar/skynet/skynet.log - 7.6M
[i] Monitoring From Jul 28 02:00:05 To Aug 1 12:08:42
[i] 28407 Block Events Detected
[i] 3186 Unique IPs
[i] 0 Manual Bans Issued

52.149.246.39 is NOT in set Skynet-Whitelist.
52.149.246.39 is NOT in set Skynet-Blacklist.
52.149.246.39 is NOT in set Skynet-BlockedRanges.


Associated Domain(s);
duckduckgo.com


[i] IP Location - United States (MICROSOFT-CORP-MSN-AS-BLOCK / AS8075)
 
Can someone explain this message from within Skynet...

IPTables Rules | [Failed]

This happened before and I had to restart Skynet to clear this.

Is there something else I should do?
 
Skynet is blocking access to forum.keyboardmaestro.com.

Apparently due to observed malicious activity? https://otx.alienvault.com/indicator/ip/192.241.223.247

However, firewall stats search malware 192.241.223.247 does not show a hit.

What does block it then?

(I have whitelisted it for now)
It's in Skynet's blocked ranges.
Use this to search instead.
Code:
firewall stats search ip 192.241.223.247
Logging Data Detected in /tmp/mnt/bluestar/skynet/skynet.log - 9.6M
Monitoring From Jul 28 02:00:05 To Aug 2 15:52:21
35903 Block Events Detected
3625 Unique IPs
0 Manual Bans Issued

192.241.223.247 is NOT in set Skynet-Whitelist.
192.241.223.247 is NOT in set Skynet-Blacklist.
192.241.223.247 is in set Skynet-BlockedRanges.

BlockedRanges Reason;
--*
Associated Domain(s);
forum.keyboardmaestro.com


IP Location - United States (DIGITALOCEAN-ASN / AS14061)
 
Code:
# firewall banmalware exclude firehol_level3.netset

# grep BanMalware skynet.ipset | cut -d'"' -f2 | sort -u
BanMalware: alienvault_reputation.ipset
BanMalware: bds_atif.ipset
BanMalware: bi_any_2_30d.ipset
BanMalware: cybercrime.ipset
BanMalware: dyndns_ponmocup.ipset
BanMalware: et_block.netset
BanMalware: et_compromised.ipset
BanMalware: firehol_level2.netset
BanMalware: normshield_high_attack.ipset
BanMalware: normshield_high_bruteforce.ipset
BanMalware: spamhaus_edrop.netset
BanMalware: urlvir.ipset
 
Hi Adam, how would you see adding an option to create a copy of Skynet's log file before it gets purged? Maybe going back to the last 5 files or so before the oldest one gets purged. As far as I know I can't handle it with logrotate, as it would interfere with how Skynet deals with the file, but maybe you could from within the script?

Earlier I've been looking into a big bunch of "TCP: time wait bucket table overflow" errors that my router logged two days ago and I wanted to check if there were any hits on the Skynet log at the same time but it doesn't go back far enough as it was purged yesterday.

It could be a worthwhile addition if it's not too much effort.

I'll keep it in mind for the future, but right now, as we store around a week's worth of logs, I'm not too worried.

> I experience Skynet crashes of the SSH menu when attempting to use [6] Deport IP List --> Blacklist. I entered several IP bans from Suricata manually and wanted to deport them into a file called black-list.txt. When executing the command I get the following error:
> 404 error detected - stopping import
> then Skynet quits.
> The events.log doesn't show any further errors and nothing in the system log either. I don't know if there is a problem on my end?

The only reason I can see this function failing is if you had the path value wrong. Skynet only attempts a curl download if the file doesn't exist;

Bash:
echo "[i] This Function Extracts All IPs And Removes Them ALL From Blacklist"
if [ -f "$3" ]; then
    echo "[i] Local Custom List Detected: $3"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' "$3" > /tmp/skynet/iplist-unfiltered.txt
elif [ -n "$3" ]; then
    echo "[i] Remote Custom List Detected: $3"
    curl -fsL --retry 3 --connect-timeout 3 "$3" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' > /tmp/skynet/iplist-unfiltered.txt || { echo "[*] 404 Error Detected - Stopping Import"; rm -rf /tmp/skynet/iplist-unfiltered.txt; echo; exit 1; }
else
    echo "[*] URL/File Field Can't Be Empty - Please Try Again"
    echo; exit 2
fi
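An added example, not Skynet's own code, that mirrors the local-versus-remote branch of the snippet above and the IP filter it applies, so you can check what a given path or list does before handing it to the menu. The function names `list_source` and `filter_iplist` and the sample list are constructed here; the octet and prefix range check goes beyond the snippet's regex.

```sh
#!/bin/sh
# Added example, not Skynet's own code: mirrors the local-vs-remote branch of the
# snippet above and the IP filter it applies, with a stricter range check added.

IP_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'   # same pattern as the snippet

# Classify the menu field the same way the snippet does: an existing regular file
# is "local"; any other non-empty value (including a mistyped path) is "remote",
# which is the branch that ends in the "404 Error Detected" message.
list_source() {
    if [ -f "$1" ]; then echo local
    elif [ -n "$1" ]; then echo remote
    else echo empty
    fi
}

# Keep only IPv4 addresses / CIDR blocks whose octets are <= 255 and whose prefix
# is <= 32 (the regex alone also accepts 300.1.1.1 or /99). Returns 1 when nothing
# passes: in the snippet's "curl | grep > file || { ... }" the status checked is
# grep's, so an empty result reaches the stop-import branch just as a failed
# download does.
filter_iplist() {
    grep -E "$IP_RE" | awk -F'[./]' '
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && (NF == 4 || $5 <= 32) { print; n++ }
        END { exit (n > 0) ? 0 : 1 }'
}

# Usage: sh deport_check.sh <path-or-url>
if [ -n "${1:-}" ]; then
    case "$(list_source "$1")" in
        local)  filter_iplist < "$1" || echo "[*] No valid IPv4 entries in $1" ;;
        remote) echo "[i] $1 is not a local file, Skynet would try curl on it" ;;
        empty)  echo "[*] URL/File field is empty" ;;
    esac
fi
```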

> Can someone explain this message from within Skynet...
>
> IPTables Rules | [Failed]
>
> This happened before and I had to restart Skynet to clear this.
>
> Is there something else I should do?

I would need the output of;

Code:
firewall debug info

> Skynet is blocking access to forum.keyboardmaestro.com.
>
> Apparently due to observed malicious activity? https://otx.alienvault.com/indicator/ip/192.241.223.247
>
> However, firewall stats search malware 192.241.223.247 does not show a hit.
>
> What does block it then?
>
> (I have whitelisted it for now)

The entry is, I assume, part of a much larger IP range; being limited to native bash tools, our lookup of the ban reason and its existence on your individual lists has some limitations.
 
> I'll keep it in mind for the future but right now as we store around a weeks worth of logs I'm not too worried
Thanks Adam, and yes, one week of logs would probably be enough; the only problem is the file purge cutoff time, which can shorten the logs to a few hours' worth, and then Sod's law will do the rest. Likely just one saved file would be enough to counter it. Thanks for keeping it in mind for a future release.
 
Finally took the plunge to install Skynet and Diversion but I'm running into issues. I followed the step by step instructions here. Diversion works but Skynet does not. Not sure what I did wrong. Here's what I see when I select Skynet:

Router Model; RT-AC1750_B1
Skynet Version; (16/07/2020) (fa93f252b6c6a67b78fe2a66c334ff22)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
IP Address; (24.187.60.18)
FW Version; 384.18_0 (Jun 28 2020) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/SanDisk/skynet (12.4G / 14.1G Space Available)

SWAP | [Failed]
Cron Jobs | [Failed]
IPSets | [Failed]
IPTables Rules | [Failed]
 
@maelstromm did you try any of the appropriate steps from the link below?

I didn't see this before, but it looks like I tried most of this when trying to troubleshoot. Switching USB from 2.0 to 3.0 alleviated the Swap Locks I was getting before, but I've already tried two different USB drives (both SanDisk) and formatted multiple times, uninstalled and reinstalled Skynet, and still no dice. I'm all out of ideas now.
 
A full uninstall/reinstall of any amtm scripts should include formatting the USB drive in question to NTFS on a PC along with checking the 'Format the JFFS partition on next boot..' option and hitting 'Apply' before rebooting the router 3 times in the next 15 minutes, waiting 5 to 10 minutes between each reboot.

Now, insert the NTFS formatted USB drive back into the router and repeat the amtm Step-by-Step guide, ignoring the part about installing amtm (not needed after 384.15_0), of course.

The above should get you going. But curious if you did a full reset (M&M Config in the same link above) after flashing RMerlin firmware too?
 
Is there a quick way to find out the port used for blocked outbound traffic?

I have a linux (ubuntu) vm which is used for bittorrent traffic, including p2p search engines. As such I expect a certain amount of questionable traffic and Skynet does a very good job of blocking this.

If I use the GUI I can see which machine is sending traffic, and using the stats functions I can get a list of IPs. What I would like is an easy way of identifying the outbound port, which will tell me if I am looking at transmission (to be expected) or something else, in which case I would want to investigate further.

Currently I am running Wireshark on the VM to get the port from the outbound IP, which feels like overkill, and I can then run lsof to find the process and then investigate in depth.

What I would prefer is to be able to see both the outbound IP and port, which would simplify matters greatly. Is there a way to do this, or if not, could it be added to a future version?

----------------------------------------

Edit - I can see that if I search through the log and find the outbound entry I can then see the source and destination ports, but I would still like a way to see outbound IP and port in list form.
 
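An added example, not from the original post or from Skynet, that produces the "outbound IP and port in list form" asked for above straight from the log. It assumes skynet.log holds standard kernel iptables LOG records (SRC=, DST=, PROTO=, DPT= fields) and that outbound blocks carry the prefix "[BLOCKED - OUTBOUND]"; both are assumptions to check against your own log, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not Skynet's own code: lists outbound IP:port pairs from Skynet's
# log. Assumes the log holds kernel iptables LOG lines and that outbound blocks are
# tagged "[BLOCKED - OUTBOUND]" (assumption; check the prefix in your own log).

# Constructed sample lines standing in for /tmp/mnt/<device>/skynet/skynet.log.
sample_log() {
    cat <<'EOF'
Aug  2 15:52:21 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.2.50 DST=192.241.223.247 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Aug  2 15:52:25 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.2.50 DST=192.241.223.247 LEN=60 PROTO=TCP SPT=51236 DPT=443 SYN
Aug  2 15:53:02 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.2.50 DST=203.0.113.9 LEN=120 PROTO=UDP SPT=51413 DPT=51413
Aug  2 15:53:10 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=24.187.60.18 LEN=40 PROTO=TCP SPT=40000 DPT=22
EOF
}

# Reads log lines on stdin, keeps outbound blocks only, and prints
# "<hits> <lan source> <destination> <proto> <dest port>", most frequent first.
# A DPT such as 51413 points at the torrent client; something like 22, 445 or
# 3389 from the same VM would warrant a closer look with lsof.
outbound_ports() {
    awk '/\[BLOCKED - OUTBOUND\]/ {
        src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (dst != "" && dpt != "") hits[src " " dst " " proto " " dpt]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

# Stand-alone run over the constructed sample; on the router use:
#   outbound_ports < /tmp/mnt/<device>/skynet/skynet.log
sample_log | outbound_ports
```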
