Skynet - Router Firewall & Security Enhancements

Thanks for pointing out that flaw, damn you guys :p

For the time being on the first attempt you can just scroll up to see the result, I'll work on a real fix shortly.

Hey, I knew that already. Take your time, new features always require a bit of time to work the bugs out! :) Great script!
 
Okay, I've pushed a temporary fix (you will need to force update if already on v5.5.5). I'll improve on this later when I have some free time; internet was down for 48 hours so I have some catching up to do :p

Right now each time you "reload" the menu it spawns a new process, not an ideal situation but the only way I could get this feature to work as intended until I brainstorm on a better solution.
 
When I play with the Skynet menus, nearly all menus log out after completing a function instead of going back into the main menu. Can that be changed so that after doing "something" you end up back in the main menu instead of at your telnet cursor?

By now I can also envision a new app called "SNB Menu" pulling all this stuff together, putting all the scripts and installers in one place, which would save a lot of notes and separate sessions, something like:
----------------------------------------------------------------------
Welcome to the SNBforum Merlin firmware addition menu, what would you like to do today?

1. Download and install Skynet
2. Download and install ab-solution
3. Open Skynet
4. Open ab-solution
5. Update pixelserv
6. Update this menu
7. Exit

Please select input: (1-7)
----------------------------------------------------------------------
Let's see how far this goes: Introducing the SNBForums Asuswrt-Merlin Terminal Menu or in short amtm
 
Using the latest build (forced update), when running banmalware for the first time, this happened:
Code:
Downloading filter.list     [0s]
Whitelisting Shared Domains     date:594: can't map '/lib/libc.so.0'
date:594: can't map '/lib/libc.so.0'
date: can't load library 'libc.so.0'
[1511773947s]
Saving Changes             [6s]
Removing Previous Malware Bans  [4s]
Filtering IPv4 Addresses     [6s]
Filtering IPv4 Ranges         [0s]
Applying Blacklists         [10s]

It seemed to work, though .. numbers of blocked IPs/ranges changed.
Running banmalware a second time just produced the expected output, like it normally does.

Anything to worry about?
Thank you
 
Quick google leads me to believe this is possibly an entware related issue, by any chance did you install the entware version of the date package or something similar?
 
did you install the entware version of the date package or something similar?
I didn't ever touch entware by itself, I merely use AB-solution which uses it, I guess.
No other scripts installed besides skynet and ab-solution.
 
What's the output of;

Code:
opkg list-installed

Code:
sh /jffs/scripts/firewall debug info
 
Code:
entware-opt - 222108-5
findutils - 4.6.0-1
ldconfig - 2.23-6
libc - 2.23-6
libgcc - 6.3.0-6
libopenssl - 1.0.2l-1
libpthread - 2.23-6
librt - 2.23-6
libssp - 6.3.0-6
libstdcpp - 6.3.0-6
locales - 2.23-6
opkg - 2011-04-08-9c97d5ec-17a
pixelserv-tls - V35.HZ12.Kk-1
terminfo - 6.0-1c
zlib - 1.2.11-1

Code:
Router Model; RT-AC68U
Skynet Version; v5.5.5 (27/11/2017)
iptables v1.4.14 - (eth0 @ 192.168.11.1)
ipset v6.32, protocol version: 6
FW Version; 380.68_4 (Oct 4 2017) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/sda1/skynet (1.6G / 1.8G Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/sda1
No Lock File Found

Checking Install Directory Write Permissions... [Passed]
Checking Firewall-Start Entry... [Passed]
Checking OpenVPN-Event Entry... [Passed]
Checking Services-Stop Entry... [Passed]
Checking CronJobs... [Passed]
Checking IPSet Comment Support... [Passed]
Checking Log Level 5 Settings... [Passed]
Checking Autobanning Status... [Passed]
Checking Debug Mode Status... [Passed]
Checking For Duplicate Rules In RAW... [Passed]
Checking For Duplicate Rules In Filter... [Passed]
Checking Skynet IPTable... [Passed]
Checking Whitelist IPSet... [Passed]
Checking BlockedRanges IPSet... [Passed]
Checking Blacklist IPSet... [Passed]
Checking Skynet IPSet... [Passed]

Skynet: [Complete] 135591 IPs / 1907 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 137 Inbound / 149 Outbound Connections Blocked! [3s]
 
Nothing looks out of the ordinary and the debug info shows Skynet is installed and running successfully. Does this error occur every time you run banmalware or just that one time? Could have just been some random error with the firmware's date binary which is totally unrelated to Skynet.
 
That was the first and only time I saw this.
I guess you are right that it was some sort of malfunction of something in the firmware.

Just wanted to report it :)
Thank you very much for clarifying!!
Best regards
 
@Adamm, I have the feeling Skynet is blocking DNSCrypt after running it for a few hours. Can you replicate it?
I have ABS, OpenVPN, and DNSCrypt installed. The router ran nicely for a few days with this configuration.
Then, I installed Skynet. After running it for a few hours (about 4 or so), I got "dnscrypt-proxy[784]: Unable to retrieve server certificates" and OpenVPN got disconnected, unable to reconnect anymore. Rebooted, and everything works OK again for a few hours, then the same issue pops up: DNSCrypt cannot retrieve the certificates, and OpenVPN cannot reconnect anymore.
It could be from DNSCrypt itself, but I doubt it, as I have it installed on another router and it is running fine there, configured with the same DNS servers.
It could be from my external firewall, but I doubt it, as on the other router everything runs smoothly.
(Note: the other router I have is not running Merlin's firmware.)
 
I personally don't use DNSCrypt (although I probably should). Best thing first is to confirm it's actually Skynet blocking the script so I can work around it accordingly.


Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and unban) anything incorrectly on your Blacklist!

1.) Enable Debug Mode via the installer
Code:
sh /jffs/scripts/firewall install

2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;
Code:
DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
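
The triage steps above (watch the debug log, pick the DST= address that floods [BLOCKED - OUTBOUND], check it, then whitelist) can be scripted as follows. This is an added example, not part of the original post or of Skynet itself; the sample lines are constructed, the OUTBOUND field layout is assumed from the [BLOCKED - INBOUND] line quoted in this thread, and sample_log, top_blocked_dst and review_steps are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not Skynet code): rank destinations of outbound block events.
# Field layout is assumed from the [BLOCKED - INBOUND] line quoted in this thread.

# Constructed sample log: documentation addresses, not real traffic.
sample_log() {
    for n in 1 2 3 4 5; do
        echo "Nov 29 07:45:0$n kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.11.20 DST=203.0.113.52 LEN=60 PROTO=TCP SPT=5012$n DPT=443"
    done
    for n in 6 7; do
        echo "Nov 29 07:45:0$n kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.11.31 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=4100$n DPT=123"
    done
    echo "Nov 29 07:45:08 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=192.0.2.99 DST=192.0.2.1 LEN=98 PROTO=UDP SPT=53 DPT=55475"
}

# Read log lines on stdin; print "hits ip" for each outbound-blocked
# destination seen at least $1 times (default 1), busiest first.
top_blocked_dst() {
    awk -v min="${1:-1}" '
        index($0, "[BLOCKED - OUTBOUND]") {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DST=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    count[substr($i, 5)]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min + 0) print count[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# For each flooded destination, print the lookup URL and the whitelist
# command from the steps above. Nothing is executed: review before whitelisting.
review_steps() {
    top_blocked_dst "${1:-3}" | while read -r hits ip; do
        echo "# $ip: $hits outbound blocks"
        echo "https://otx.alienvault.com/indicator/ip/$ip/"
        echo "sh /jffs/scripts/firewall whitelist ip $ip"
    done
}

sample_log | review_steps 3
```

On a router, the input would be the debug log instead of sample_log, for example the /jffs/skynet.log file named in the stats output later in this thread.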
 
I run dnscrypt and ab-solution and have no problems with skynet at all.
 
Same here. No problem so far. I Whitelist dns ip address first.
Further I did not do anything to make this work. No white-listing nothing.
 
When Skynet updated the Banmalware, instead of using and updating my Custom Filter List URL, it reverted back to the default Filter List.

Code:
Nov 28 02:00:07 Skynet: [Complete] 434870 IPs / 26315 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 447 Inbound / 0 Outbound Connections Blocked! [7s]
Nov 28 02:25:39 Skynet: [Complete] 135837 IPs / 1962 Ranges Banned. -299033 New IPs / -24353 New Ranges Banned. 487 Inbound / 0 Outbound Connections Blocked! [39s]
Nov 28 03:00:02 Skynet: [Complete] 135837 IPs / 1962 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 550 Inbound / 0 Outbound Connections Blocked! [2s]
 
Yeah this is intended functionality as Banmalware doesn't save the URL when entering a custom list (it was originally designed to be a one time use). I'll look into enhancing this functionality in the morning.

For the time being, disable automated banmalware updates, and instead put this line in your firewall-start file.

Code:
cru a Skynet_banmalwarecustom "25 2 * * * sh /jffs/scripts/firewall banmalware URLHERE"

With URLHERE of course being the custom URL. This will replicate the desired functionality until I implement it in the script.
 
I'm hoping for some help. I have a problem with my DNS server being blocked.

When I white list the IP it works for a while before it starts being blocked again.

Asus Firewall Addition By Adamm v5.5.5
Debug Data Detected in /jffs/skynet.log - 434.0K
Monitoring From Nov 28 05:08:01 To Nov 29 08:20:01
1935 Block Events Detected
423 Unique IPs
90 Autobans Issued
0 Manual Bans Issued

168.1.79.229 is NOT in set Whitelist.
168.1.79.229 is in set Blacklist.
168.1.79.229 is NOT in set BlockedRanges.

Blacklist Reason;
576119

Nov 29 07:45:01 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=168.1.79.229 DST=110.x.x.x LEN=98 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=53 DPT=55475 LEN=

168.1.79.229 is a getflix /unblocker and I don't understand why the whitelist is being ignored. Any thoughts on how to resolve this?

Thanks
 
