Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

by the way, will the ip become blocked permanently? or it will be release after certain days?

Yes all bans are permanent, unless you unban them of-coarse.

 

[Butterfly Bones]

Yes all bans are permanent, unless you unban them of-coarse.

OK so the bans are not purged but are the blocks purged and if so, on what basis? This is not issue for me, just curious about the negative number? I know the log gets purged based on size.

Oct 21 02:26:07 Skynet: [Complete] 131075 IPs / 2226 Ranges Banned. -37408 New IPs / 170 New Ranges Banned. 229 Inbound / 0 Outbound Connections Blocked! [67s]
Oct 21 03:00:07 Skynet: [Complete] 131075 IPs / 2226 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 258 Inbound / 0 Outbound Connections Blocked! [7s]

 

[Adamm]

OK so the bans are not purged but are the blocks purged and if so, on what basis?

The negative number is from the banmalware lists being updated on the daily cronjob. As these lists are dynamic these numbers will fluctuate when the command is run.

 

[chchia]

Adamm, will you consider to auto release the autoban ip after certain number of days? probable after 72 hours?

 

[Adamm]

Adamm, will you consider to auto release the autoban ip after certain number of days? probable after 72 hours?

Its possible with IPSet but the way I compile logs and try to only keep current bans tracked wouldn't fit in with this system. For the time being you are better off using the following command on a cronjob.

sh /jffs/scripts/firewall unban autobans

 

[chchia]

Hi Adamm, thank you for the advice, it enlighten me about the use of "at" command. although you need to use entware to install it as it is not standard available inside merlin.

i am thinking about the possibility to:

Detected BadIP;
{
AutoBanning BadIP;
add to command
echo "sh /jffs/scripts/firewall unban BadIP" | at -m now + 72 hours
}

I will spend some time to play around this, but i am not a programmer.

 

[Adamm]

Hi Adamm, thank you for the advice, it enlighten me about the use of "at" command. although you need to use entware to install it as it is not standard available inside merlin.

i am thinking about the possibility to:

Detected BadIP;
{
AutoBanning BadIP;
add to command
echo "sh /jffs/scripts/firewall unban BadIP" | at -m now + 72 hours
}

I will spend some time to play around this, but i am not a programmer.

Autobans are handled by IPTables directly, theres no function in Skynet I can just hook in to so to speak. There's an alternative of constantly monitoring the syslog for autoban entries and then adding cronjobs or at-jobs accordingly but the overhead I personally feel is not worthwhile.

Again your best option here would be just adding a simple cronjob with the command provided above.

 

[Adamm]

I've pushed v5.3.8

While there are no major functionality changes, I've spent the last day cleaning up ugly code, specifically the unban/ban/whitelist/stat commands. Everything should work the same (with some performance gains in the process) but this update was mostly to make the code easier to read/maintain on my end and removing some now useless code thanks to our new menu system.

The only noticeable difference will be when unbanning/banning/whitelisting a single IP. Previously the command was;

sh /jffs/scripts/firewall ban 8.8.8.8

From v5.3.8 on-wards you will have to specify the IP field in the command, like so;

sh /jffs/scripts/firewall ban ip 8.8.8.8

This streamlines the ban/unban/whitelist commands with other functionality and probably should have been this way since its inception. I've updated the documentation accordingly. Please let me know if there are any errors with these commands, I'm fairly certain I doubled checked everything but sometimes simple typos get past.

 

[skeal]

This is excellent as usual from you! Any news on support for am382.x?

 

[SeaConn]

Any news on support for am382.x?

Last I heard, Eric or John will need to fix/add the IPSec tool extensions before Adamm can test it on 382. I'd like to see this, too, but for now 382.1 appears to have more pressing issues than IPSec.

So... patiently waiting

 

[RMerlin]

The missing xt_set.ko module was added in 382.1 Beta 2.

 

[SeaConn]

Huh. I still get the same installation error as beta1:

grep: /jffs/scripts/firewall-start: No such file or directory
Skynet: [ERROR] IPSet Extensions Not Enabled - Please Update To 380.68 / V26E3 Or Newer Firmware

 

[Adamm]

The missing xt_set.ko module was added in 382.1 Beta 2.

I believe some more work needs to be done, specifically on the changes @john9527 made when adding support for the comment (and other) extensions. I verify these changes are present by looking for the "ip_set_hash_ipmac.ko" module which isn't present on earlier versions and the current .382 codebase.

He mentioned it briefly on page 49 of this thread.

The changes I made to ipset 6 to support the earlier kernel probably will need to be reviewed (my guess is that they will need to be backed out). There's also a config file that I changed from a dynamic generation to a customized static file that will probably need to be regenerated for the newer kernel.

 

[skeal]

The missing xt_set.ko module was added in 382.1 Beta 2.

I'm not going to beta test or install final version until this script is install-able.

 

[hvluu]

The missing xt_set.ko module was added in 382.1 Beta 2.

Did you recompile the complete kernel since we talked? Cause I updated to beta 2 when you first released it and the module was still not added


Sent from my iPhone using Tapatalk

 

[RMerlin]

Did you recompile the complete kernel since we talked? Cause I updated to beta 2 when you first released it and the module was still not added


Sent from my iPhone using Tapatalk

Make sure you modprobe it. The file does show up here:

admin@Stargate86:/tmp/home/root# find /lib/modules -name xt_set.ko
/lib/modules/4.1.27/kernel/net/netfilter/xt_set.ko

I believe some more work needs to be done, specifically on the changes @john9527 made when adding support for the comment (and other) extensions.

I'll need more details. Right now, 4.1 already came with ipset modules, I didn't have to patch the kernel, so this is probably what's present upstream from kernel.org.

 

[hvluu]

Maybe a new beta2 was compiled? Mine doesn't show the file exists.

hungluu@RT-AC86U-9410:/lib/modules/4.1.27/kernel/net/netfilter# ls

ipset nf_nat_sip.ko xt_hashlimit.ko

nf_conntrack_ftp.ko xt_HL.ko xt_hl.ko

nf_conntrack_h323.ko xt_TPROXY.ko xt_length.ko

nf_conntrack_rtsp.ko xt_comment.ko xt_quota.ko

nf_conntrack_sip.ko xt_condition.ko xt_recent.ko

nf_nat_ftp.ko xt_geoip.ko xt_socket.ko

 

[RMerlin]

Maybe a new beta2 was compiled? Mine doesn't show the file exists.

Sorry, it was only added for beta 3 - you reported it after the beta 2 release.

35a05e9 kernel41: enable XT_SET kernel module
6b56d48 Bumped revision to beta 3

 

[Adamm]

I'll need more details. Right now, 4.1 already came with ipset modules, I didn't have to patch the kernel, so this is probably what's present upstream from kernel.org.

Well I can't really provide specifics as I don't have a AC86U to test with, but I know for starters ip_set_hash_ipmac.ko is missing from what others have posted.

Beyond that you can test if comments are working fairly easily;

admin@RT-AC68U-EE20:/tmp/home/root# ipset create Test hash:ip comment
admin@RT-AC68U-EE20:/tmp/home/root# ipset -A Test 8.8.8.8 comment foobar
admin@RT-AC68U-EE20:/tmp/home/root# ipset -L Test
Name: Test
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 131
References: 0
Number of entries: 1
Members:
8.8.8.8 comment "foobar"
admin@RT-AC68U-EE20:/tmp/home/root# ipset flush Test
admin@RT-AC68U-EE20:/tmp/home/root# ipset -L Test
Name: Test
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 60
References: 0
Number of entries: 0
Members:
admin@RT-AC68U-EE20:/tmp/home/root#

 

[Raphie]

For some reason Skynet started blocking google.com since Thurdaynight, dissabling Skynet or rebooting fixes it for a while but for some reason it gets blocked again shortly after. The whitelist says there is nothing to whitelist. This happened since the latest update I think? Any thoughts?