Skynet Skynet - Router Firewall & Security Enhancements

[dandle]

Hi

I seem to have an issue with this script running on my AC68U. It has been fine these past few weeks but for some reason now it shows

sed: /tmp/mnt/sda1/skynet/scripts/ipset.txt: No such file or directory
Downloading filter.list
Whitelisting Shared Domains
sed: /tmp/mnt/sda1/skynet/scripts/ipset.txt: No such file or directory
ipset v6.32: Error in line 1: The set with the given name does not exist
Compiling Blacklist
Filtering IPv4 Addresses
Filtering IPv4 Ranges
Applying Blacklists
ipset v6.32: Error in line 1: The set with the given name does not exist

I have done a full uninstall of the script and reinstall but I still get this message. The skynet directory is automatically created in the location set but there doesn't appear to be an ipset.txt to go along with it.

Any ideas?

 

[Adamm]

However while looking at the Whitelist I have noticed the comments for all "Shared-Whitelist:" entries are there, but nothing else appears such as what I would expect generated by these lines: (The IP's are in the Whitelist but the comments are not.)

Did you flush the Whitelist after updating?

Try;

sh /jffs/scripts/firewall whitelist remove

 

[Adamm]

I have done a full uninstall of the script and reinstall but I still get this message. The skynet directory is automatically created in the location set but there doesn't appear to be an ipset.txt to go along with it.

Can you please upload a copy of the file to pastebin if it does exist. Also run;

sh /jffs/scripts/firewall debug info

 

[MarCoMLXXV]

@Adamm, quick question (I´ve looked in the first posts but can't seem to find an answer): I just noticed outbound connections from local systems to Dropbox are being blocked. Is there any way I can find out why these connections are being blocked? Alienvault reports the IP as safe, being a legit Dropbox IP. I thought I´ve read in somewhere (I think), as I know it has been asked before, but I can't seem to find it. And I would like to double check before I whitelist it.

Btw I'm running the latest release of Skynet on .68 alpha2 (I had never thought before that I would even consider installing alpha builds, but I did, just because I couldn't wait to give Skynet v5.1.x a try . And it runs smooth like butter )

Thanks in advance!

 

[Adamm]

Is there any way I can find out why these connections are being blocked?

My guess would be people were hosting some sort of malware on dropbox and it got flagged on a specific list. You can check which lists the IP is present on via;

sh /jffs/scripts/firewall stats search malware IPHERE

Then just whitelist it accordingly.

And it runs smooth like butter

Good to know, thanks!

 

[MarCoMLXXV]

Thanks for the quick reply @Adamm.

I wasn't able to find any more info on it running

sh /jffs/scripts/firewall stats search malware 162.125.18.133

(..)

Debug Data Detected in /tmp/mnt/usb/skynet/skynet.log - 908.0K
Monitoring From Aug 7 23:27:04 To Aug 9 15:51:46
2975 Total Events Detected
25 Unique IPs
46 Autobans Issued
0 Manual Bans Issued

Skynet: [Complete] 45 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 81 Inbound / 544 Outbound Connections Blocked! [10s]

yet, when I run

sh /jffs/scripts/firewall stats show

the IP does appear in the stats as # 1 of the outgoing IP's blocked as shown in the output below:

Top 10 HTTP(s) Blocks (Outbound);
2675x https://otx.alienvault.com/indicator/ip/162.125.18.133

which is strange (to me at least), as Alienvault shows no reason why it should be considered a risk.

Tried to find an FQDN so I could check AB-Solution:

admin@RT-AC68U:/tmp/home/root# nslookup 162.125.18.133
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      162.125.18.133
Address 1: 162.125.18.133

No FQDN found, however when I followed the AB-Solution log, I noticed several dnsmasq entries for the IP with a FQDN within seconds, but it wasn´t blocked for incoming traffic:

 What do you want to do?   f
____________________________________________________

 Select log verbosity to follow:

 1. unfiltered log
 2. filtered by blocked domains (192.168.1.2)
 3. filtered by term
    (e.g by IP address or parts thereof, google.com)
 4. trace by domain and IP, experimental function
    (more info given when selecting option)

 Select log verbosity [1-4 e=Exit] 3

 Enter term to filter by:  162.125.18.133
 Dnsmasq entry detected,
 redirecting hosts to 127.0.0.1
 Be aware that log file entries with '127.0.0.1'
 are from another script, not AB-Solution

 Hit [Enter] to acknowledge


 Hit CTRL-C to show options while following log file

 --> following the logfile now (tail -F | grep 162.125.18.133):

Aug  9 16:29:18 dnsmasq[10258]: reply bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:29:18 dnsmasq[10258]: reply bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:29:46 dnsmasq[10258]: cached bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:29:46 dnsmasq[10258]: cached bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:30:01 dnsmasq[10258]: reply bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:30:01 dnsmasq[10258]: reply bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:30:23 dnsmasq[10258]: reply bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:30:23 dnsmasq[10258]: reply bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:30:56 dnsmasq[10258]: cached bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:30:56 dnsmasq[10258]: cached bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:31:25 dnsmasq[10258]: reply bolt.v.dropbox.com is 162.125.18.133
Aug  9 16:31:25 dnsmasq[10258]: reply bolt.v.dropbox.com is 162.125.18.133

Tried to whitelist it anyway, to see if there where any near matches in AB's blocking lists (I'm using AB Maximum), but no hits.

 no exact match found in blocking file for
 bolt.v.dropbox.com
 no need to add it to the whitelist

 no near matches found either

So TL;DR: I don't have a clue why (some) outgoing traffic to a specific IP-address that belongs to Dropbox is blocked, yet incoming traffic is allowed? My Dropbox daemon keeps trying to phone home, shows no 'Sync complete' badge on the notification icon on the panel (Linux Mint 18.2 Xfce) Any clue? I can simply whitelist it, but I'm curious why it's being blocked for outgoing traffic in the first place.

Thanks in advance!

 

[Xentrk]

My guess would be people were hosting some sort of malware on dropbox and it got flagged on a specific list. You can check which lists the IP is present on via;

sh /jffs/scripts/firewall stats search malware IPHERE

Then just whitelist it accordingly.

Good to know, thanks!

I use dropbox. So I did an nslookup to get the ip address. I then issued the command above and it does not appear dropbox is being blocked:

Monitoring From Aug 9 10:20:24 To Aug 9 21:36:28
763 Total Events Detected
347 Unique IPs
5 Autobans Issued
0 Manual Bans Issued

Skynet: [Complete] 134425 IPs / 2700 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 35 Inbound / 0 Outbound Connections Blocked! [62s]

I also did the MatchIP command in the ipset wiki and did not get a match.

MatchIP 162.125.248.1
162.125.248.1 not found in Whitelist
162.125.248.1 not found in Skynet
162.125.248.1 not found in Skynet
162.125.248.1 not found in Whitelist
162.125.248.1 not found in Skynet
162.125.248.1 not found in Skynet
162.125.248.1 not found in BlockedRanges
162.125.248.1 not found in Blacklist
162.125.248.1 not found in Whitelist

Strange that the same name of ipset lists appears more than once when using MatchIP command. I don't have duplicates ipset lists though:

ipset -L | grep Name:
Name: Whitelist
Name: Blacklist
Name: BlockedRanges
Name: Skynet

 

[Adamm]

the IP does appear in the stats as # 1 of the outgoing IP's blocked as shown in the output below:

Just because its shown in the logs doesn't mean the IP is still banned, you can varify if an IP is banned still using;

sh /jffs/scripts/firewall stats search ip 162.125.18.133

Which at the time of this post will return the following result indicating the IP is currently not banned (it may have been part of a previous malware list then removed but the old logs still exist);

Debug Data Detected in /tmp/mnt/Main/skynet/skynet.log - 5.1M
Monitoring From Jul 22 23:32:49 To Aug 10 00:50:09
20393 Total Events Detected
6428 Unique IPs
195 Autobans Issued
10 Manual Bans Issued

162.125.18.133 is NOT in set Whitelist.
162.125.18.133 is NOT in set Blacklist.
162.125.18.133 is NOT in set BlockedRanges.

Below this output will show you the first time it was blocked and logged, and the last 10 times, but in this case further debugging wouldn't be necessary.


FYI; Skynet will remove old logs in any situation besides when banmalware updates its lists (or when ipset.txt is manually deleted). While this would be possible, the overhead of doing so wouldn't be worthwhile and will be eventually wiped anyway during the logfile purge when it reaches a certain size (7mb for JFFS install, 14mb for USB)

 

[MarCoMLXXV]

Which at the time of this post will return the following result indicating the IP is currently not banned (it may have been part of a previous malware list then removed but the old logs still exist);

My results are different:

admin@RT-AC68U:/tmp/home/root# sh /jffs/scripts/firewall stats search ip 162.125.18.133
#!/bin/sh

Debug Data Detected in /tmp/mnt/usb/skynet/skynet.log - 952.0K
Monitoring From Aug 7 23:27:04 To Aug 9 17:22:49
3117 Total Events Detected
25 Unique IPs
49 Autobans Issued
0 Manual Bans Issued

162.125.18.133 is NOT in set Whitelist.
162.125.18.133 is in set Blacklist.
162.125.18.133 is NOT in set BlockedRanges.

Blacklist Reason;

162.125.18.133 First Tracked On Aug 7 23:27:02
162.125.18.133 Last Tracked On Aug 9 17:22:49
2822 Attempts Total

First Block Tracked From 162.125.18.133;
Aug  7 23:27:02 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC= SRC=162.125.18.133 DST=82.72.XXX.XXX LEN=83 TOS=0x00 PREC=0x00 TTL=52 ID=1566 DF PROTO=TCP SPT=443 DPT=57342 SEQ=1625602120 ACK=3552571522 WINDOW=360 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A61F5BF1FA7BC2656)

10 Most Recent Blocks From 162.125.18.133;
Aug  9 17:16:30 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC= SRC=192.168.1.217 DST=162.125.18.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6080 DF PROTO=TCP SPT=55554 DPT=443 SEQ=1601296855 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AA0DD23FD0000000001030307)
Aug  9 17:16:34 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC= SRC=192.168.1.217 DST=162.125.18.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6081 DF PROTO=TCP SPT=55554 DPT=443 SEQ=1601296855 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AA0DD281D0000000001030307)
Aug  9 17:17:38 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC= SRC=192.168.1.217 DST=162.125.18.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25928 DF PROTO=TCP SPT=55566 DPT=443 SEQ=118716066 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AA0DD66870000000001030307)
Aug  9 17:17:39 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:49:71:30:74:f0:6d:1f:f3:59:08:00 SRC=192.168.1.217 DST=162.125.18.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25929 DF PROTO=TCP SPT=55566 DPT=443 SEQ=118716066 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AA0DD67850000000001030307)
Aug  9 17:17:41 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC= SRC=192.168.1.217 DST=162.125.18.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25930 DF PROTO=TCP SPT=55566 DPT=443 SEQ=118716066 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AA0DD697D0000000001030307)
Aug  9 17:17:45 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC= SRC=192.168.1.217 DST=162.125.18.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25931 DF PROTO=TCP SPT=55566 DPT=443 SEQ=118716066 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AA0DD6D9D0000000001030307)
Aug  9 17:22:41 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC= SRC=192.168.1.217 DST=162.125.18.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8409 DF PROTO=TCP SPT=55652 DPT=443 SEQ=660020460 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AA0DE8ED20000000001030307)
Aug  9 17:22:42 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC= SRC=192.168.1.217 DST=162.125.18.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8410 DF PROTO=TCP SPT=55652 DPT=443 SEQ=660020460 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AA0DE8FCD0000000001030307)
Aug  9 17:22:44 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC= SRC=192.168.1.217 DST=162.125.18.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8411 DF PROTO=TCP SPT=55652 DPT=443 SEQ=660020460 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AA0DE91C50000000001030307)
Aug  9 17:22:49 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC= SRC=192.168.1.217 DST=162.125.18.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8412 DF PROTO=TCP SPT=55652 DPT=443 SEQ=660020460 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AA0DE95DD0000000001030307)

I did a clean install of .68 alpha2 two days ago, so history is limited. Because of the new functionality I decided not to import previous data.

Looking at the first ban, it looks like that's incoming traffic, as the IP which is partially masked is my WAN IP. Could it be that Skynet automatically unbanned the IP for incoming traffic, but is still blocking outgoing traffic?

 

[Adamm]

My results are different:

Okay so this was a autoban via the SPI firewall, you can simply just whitelist it.

 

[MarCoMLXXV]

Okay so this was a autoban via the SPI firewall, you can simply just whitelist it.

Still don't get it, but I'll whitelist it. Thanks for your patience.

 

[dandle]

Can you please upload a copy of the file to pastebin if it does exist. Also run;

sh /jffs/scripts/firewall debug info

Hi Adamm

There is no ipset.txt when the directory is created. skynet/scripts directory is empty

The output from the above command is as follows:
Router Model: RT-AC68U
Skynet Version: v5.1.1 (09/08/2017)
ipset v6.32, protocol version: 6
FW Version: 380.67_0 (Jul 16 2017)
Install Dir; /tmp/mnt/sda1/skynet (120.7M Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/sda1
Install Dir Writeable
Startup Entry Detected
Cronjobs Not Detected
IPSet Doesn't Support Comments - Please Update To 380.68_alpha1 / V26E3 Or Newer Firmware
Autobanning Disabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Not Detected
Skynet IPTable Not Detected
Whitelist IPSet Not Detected
BlockedRanges IPSet Not Detected
Blacklist IPSet Not Detected
Skynet IPSet Not Detected

 

[Henrik!]

IPSet Doesn't Support Comments - Please Update To 380.68_alpha1 / V26E3 Or Newer Firmware

You need to update your firmware

 

[dandle]

So I need to update my Router's firmware to a pre-release version just to contuinue using this script?

 

[Henrik!]

So I need to update my Router's firmware to a pre-release version just to contuinue using this script?

Yes, see this link
https://www.snbforums.com/threads/s...-manual-ip-blocking.16798/page-37#post-339137

 

[MarCoMLXXV]

So I need to update my Router's firmware to a pre-release version just to contuinue using this script?

No, you don't have to update to a pre-release (even though it's very stable), it's entirely your choice, You can just stick to your current firmware until 380.68 is final, but that means you can't update Skynet for the time being. The latest release needs functionality from the alpha (or the current LTS fork) to function properly. If the error annoys you, just disable auto update by reconfiguring Skynet. Skynet will function just as well.

 

[Adamm]

So I need to update my Router's firmware to a pre-release version just to contuinue using this script?

You could also downgrade to an older version of Skynet (v5.0.6) which supports older firmware versions, but it obviously won't have the latest changes.

https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/50a75fea503cfc42b8b48376626991489936dd57/firewall.sh

Download that file instead of the one mentioned in the OP, make sure to turn autoupdates off until you are ready to update your firmware also.

 

[dandle]

Great, thanks for the clarification everyone!

 

[johnathonm]

Hi,

With 38 pages of threads I couldn't dig through it all by hand but I was curious as to why skynet is incompatible with ya-malware. The two packages would make an awesome synergy. Just wondering.

J

 

[Adamm]

Hi,

With 38 pages of threads I couldn't dig through it all by hand but I was curious as to why skynet is incompatible with ya-malware. The two packages would make an awesome synergy. Just wondering.

J

Because the banmalware feature of Skynet sources from the same hosts, there is no need to block the same things twice.