Skynet Skynet - Router Firewall & Security Enhancements

[skeal]

Maybe you should uninstall reboot and install again.

 

[eclp]

Thanks for the watch and help.

Router Model: RT-AC87U
Skynet Version: v5.1.5 (24/08/2017)
iptables v1.4.14 - (eth0)
ipset v6.32, protocol version: 6
FW Version: 380.68_0 (Aug 18 2017)
Install Dir; /jffs (62.8M Space Available)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate
Install Dir Writeable
Startup Entry Detected
No Lock File Found
Cronjobs Detected
IPSet Supports Comments
Level 5 Messages Won't Be Logged
Autobanning Enabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 132360 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [2s]

Why two times?

22:48:02 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate )
Aug 24 22:48:46 Skynet: [Complete] 132360 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [44s]
Aug 24 22:51:58 Skynet: [Complete] 132360 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [2s]

 

[skeal]

When the script executes it clears the information I just pointed out the previous post.

 

[Adamm]

Thanks for the watch and help.

Router Model: RT-AC87U
Skynet Version: v5.1.5 (24/08/2017)
iptables v1.4.14 - (eth0)
ipset v6.32, protocol version: 6
FW Version: 380.68_0 (Aug 18 2017)
Install Dir; /jffs (62.8M Space Available)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate
Install Dir Writeable
Startup Entry Detected
No Lock File Found
Cronjobs Detected
IPSet Supports Comments
Level 5 Messages Won't Be Logged
Autobanning Enabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 132360 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [2s]

Okay I have a good idea of what the issue is now. Specifically relating to error "Level 5 Messages Won't Be Logged"

This indicates you changed the default syslog settings so that anything with the default log level won't be logged. Is there any specific reason for this?

Secondly I'm assuming due to this the router modifies the drop rule to account for this so my default rules won't remove it.

Please post the output of;

"iptables-save"

 

[eclp]

Honestly, I have no idea why this is so. There is no reason.

iptables-save, the output is too large to post. which part are you interested in?

 

[Adamm]

Honestly, I have no idea why this is so. There is no reason.

You probably did it without realising, for reference the default and recommended settings are;

Default message log level: Notice
Log only messages more urgent than: debug

iptables-save, the output is too large to post. which part are you interested in?

Before you change the setting above to fix the issue, I'm specifically looking for the output from;

"iptables-save | grep "A logdrop"

Then I'll be able to push an update accordingly to prevent this kind of breakage in future (although your current syslog settings will have other adverse effects)

 

[eclp]

A logdrop -i eth0 -m set --match-set Whitelist src -j ACCEPT
-A logdrop -i eth0 -p tcp -m multiport --sports 80,443,143,993,110,995,25,465 -m state --state INVALID -j DROP
-A logdrop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A logdrop -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,ACK -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A logdrop -i eth0 -m state --state INVALID -j LOG --log-prefix "[BLOCKED - NEW BAN] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -i eth0 -m state --state INVALID -j SET --add-set Skynet src
-A logdrop -j DROP
COMMIT

 

[Xentrk]

Does Skynet block certain countries by default? For now, I am blocking the following:

firewall ban country "cn ru jp ua gb de br fr in tr it kr pl es vn ar co tw mx cl ph"

Is there a command to list what countries are being blocked? Thank you.

 

[Adamm]

A logdrop -i eth0 -m set --match-set Whitelist src -j ACCEPT
-A logdrop -i eth0 -p tcp -m multiport --sports 80,443,143,993,110,995,25,465 -m state --state INVALID -j DROP
-A logdrop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A logdrop -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,ACK -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A logdrop -i eth0 -m state --state INVALID -j LOG --log-prefix "[BLOCKED - NEW BAN] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -i eth0 -m state --state INVALID -j SET --add-set Skynet src
-A logdrop -j DROP
COMMIT

Now that I have access to my router, I've tried to replicate your issue with no luck. Your output here also indicates it isn't printing drop messages so its quite confusing. If you are still experiencing this, please post the output of the following;

iptables-save | grep "\--log-prefix"

Does Skynet block certain countries by default?

No

Is there a command to list what countries are being blocked?

Forgot to add this during the comment support update, for now this will show under "debug info" if it detects country blocking in use, it should look something like the following;

As I didn't push a version change, you will need to force update to get these changes;

sh /jffs/scripts/firewall update -f

 

[eclp]

The output is:

ASUSWRT-Merlin RT-AC87U 380.68-0 Fri Aug 18 21:40:17 UTC 2017
miju@RT-AC87U:/tmp/home/root# iptables-save | grep "\--log-prefix"-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -i eth0 -m state --state INVALID -j LOG --log-prefix "[BLOCKED - NEW BAN] " --log-tcp-sequence --log-tcp-options --log-ip-options

 

[Adamm]

The output is:

After scratching my head, It finally occurred to me why this is happening while going over your posts.

This is because you are using IPv6 and the IPTables rules related to it is whats triggering the messages. Skynet was written with only IPv4 in mind as I have no way to test anything IPv6 related.

To remove the messages, you will need to add something like the following to the bottom of your firewall-start file;

ip6tables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options

But please note I do not officially support ip6tables, Skynet in its current state will only filter IPv4 traffic, I'm not sure how much having IPv6 will or won't affect it.

 

[eclp]

Understand.
It would be good if you can simply switch it off permanently.

 

[Adamm]

Understand.
It would be good if you can simply switch it off permanently.

The ip6tables command above does the equivalent. I pushed an update just now with it included, but I again reiterate ip6tables isn't fully supported.

Update via;

sh /jffs/scripts/firewall update -f

 

[eclp]

Thank you!
I think that works, I will continue to monitor it. Is planned and at all possible in the future an Full IPv6 support?

Edit:
Can I remove this line again?

ip6tables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options

 

[Adamm]

Is planned and at all possible in the future an Full IPv6 support?

Maybe if my provider ever fully implements it, but adding features that I can't test isn't very ideal. I haven't really looked into IPv6 too much.

Can I remove this line again?

Yes after you force update its included by default.

 

[Xentrk]

Now that I have access to my router, I've tried to replicate your issue with no luck. Your output here also indicates it isn't printing drop messages so its quite confusing. If you are still experiencing this, please post the output of the following;

iptables-save | grep "\--log-prefix"

No



Forgot to add this during the comment support update, for now this will show under "debug info" if it detects country blocking in use, it should look something like the following;

As I didn't push a version change, you will need to force update to get these changes;

sh /jffs/scripts/firewall update -f

Thanks for the update @Adamm! The list of countries comes from pfSense pfBlockerNG package default geo location list. I also added PH as I saw some scan attempts from there recently. I will add more countries as I monitor where the scan attempts originate from.

After the update, debug info showed:

Router Model; RT-AC88U
Skynet Version; v5.1.5 (26/08/2017)
iptables v1.4.14 - (ppp0)
ipset v6.32, protocol version: 6
FW Version; 380.68_0 (Aug 18 2017)
Install Dir; /tmp/mnt/RT-AC88U/skynet (434.8M Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/RT-AC88U
Banned Countries; cn ru jp ua gb de br fr in tr it kr pl es vn ar co tw mx cl ph
Install Dir Writeable
Startup Entry Detected
Lock File Detected (pid=7247)
Cronjobs Detected
IPSet Supports Comments
Level 5 Messages Won't Be Logged - Only 5+
Autobanning Disabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Not Detected
Skynet IPTable Not Detected
Whitelist IPSet Detected
BlockedRanges IPSet Not Detected
Blacklist IPSet Detected
Skynet IPSet Not Detected
Skynet: [Complete] 132173 IPs / 53569 Ranges Banned. 0 New IPs / 0 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [3s]

I rebooted and it appears to have self corrected:

Router Model; RT-AC88U
Skynet Version; v5.1.5 (26/08/2017)
iptables v1.4.14 - (ppp0)
ipset v6.32, protocol version: 6
FW Version; 380.68_0 (Aug 18 2017)
Install Dir; /tmp/mnt/RT-AC88U/skynet (434.8M Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/RT-AC88U
Banned Countries; cn ru jp ua gb de br fr in tr it kr pl es vn ar co tw mx cl ph
Install Dir Writeable
Startup Entry Detected
No Lock File Found
Cronjobs Detected
IPSet Supports Comments
Level 5 Messages Won't Be Logged - Only 5+
Autobanning Enabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 132173 IPs / 53569 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [3s]

Any concerns with this message? Level 5 Messages Won't Be Logged - Only 5+

 

[MarCoMLXXV]

Just checked my debug info, out of curiousity, and something seems a bit contradictive:

Router Model: RT-AC68U
Skynet Version: v5.1.4 (16/08/2017)
iptables v1.4.14 - (eth0)
ipset v6.32, protocol version: 6
FW Version: 380.68_0 (Aug 18 2017)
Install Dir; /tmp/mnt/usb/skynet (57.2G Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/usb
Install Dir Writeable
Startup Entry Detected
cat: can't open '/tmp/skynet.lock': No such file or directory
Lock File Detected (pid=)
Cronjobs Detected
IPSet Supports Comments
Autobanning Enabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 132506 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [1s]

marco@router:/tmp# ll /tmp | grep "skynet"
marco@router:/tmp#

Is the lockfile mentioned located elsewhere?

 

[Xentrk]

Just checked my debug info, out of curiousity, and something seems a bit contradictive:

marco@router:/tmp# ll /tmp | grep "skynet"
marco@router:/tmp#

Is the lockfile mentioned located elsewhere?

I noticed that after the upgrade

No Lock File Found

Before the upgrade:

Lock File Detected (pid=7247)

 

[MarCoMLXXV]

Just updated manually and everything looks fine now...

Router Model; RT-AC68U
Skynet Version; v5.1.5 (26/08/2017)
iptables v1.4.14 - (eth0)
ipset v6.32, protocol version: 6
FW Version; 380.68_0 (Aug 18 2017)
Install Dir; /tmp/mnt/usb/skynet (57.2G Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/usb
Install Dir Writeable
Startup Entry Detected
No Lock File Found
Cronjobs Detected
IPSet Supports Comments
Level 5 Messages Will Be Logged
Autobanning Enabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 132506 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 51 Inbound / 84 Outbound Connections Blocked! [3s]

 

[Joe C]

How do you ban a range of IP's ? Do I need a special character in-between the start and end IP or do I just leave a blank space ?