Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Yikes! What seems to have been added overnight to the banned IPs:

nytimes.com
xo.com
netdocuments

1112 new IPs and 19 ranges added at 2:38 am.

All three websites (and all the secondary IP's) all work for me and don't currently appear on any of the lists. If after updating banmalware this is still an issue, please post the afflicted IP's via a snippet of the logs. You can also run the following command to make sure banmalware is the listed reason its blocked;

sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

 

[snixel]

it takes a while for the skynet to restart. The file lock will be gone in 2min.

Problem solved, I did not have enough patience
Thank you for your help!

@Adamm, thanks for the clarification

 

[elorimer]

All three websites (and all the secondary IP's) all work for me and don't currently appear on any of the lists.

Thanks. Maybe I jumped to a conclusion. For each of them I got a timed out message; I added each to the ab-solution whitelist (none in the blocklist) and it immediately connected.

Maybe I have something else going on. www.ctmirror.org is blocked. It resolves to 45.79.148.101.
When I ran firewall stats search 45.79.148.101, I got a "Command not recognized message". But inspecting the skynet.log it is in there, blocked.

 

[paulbates]

Amazing results in <24 hours. Helped me focus in on a recent HP workstation in our familyroom:
Top 50 Blocked Devices (Outbound);
5344x 192.168.0.120 FamilyRoomPC Whoaa
95x 192.168.0.123 Julies-iPad
27x 192.168.0.126 PaulSurface

Went on a more aggressive, more extensive bloatware extraction mission.

Appreciation sent to your paypal link

Paul

 

[thelonelycoder]

Thanks. Maybe I jumped to a conclusion. For each of them I got a timed out message; I added each to the ab-solution whitelist (none in the blocklist) and it immediately connected.

Well, AB adds them to the shared whitelist and then has Skynet read them in. So whatever you whitelist in AB is also whitelisted in Skynet.
Convenient but if you don't know where the blocking happened it can be confusing.
But since AB did not complain to add them to its own whitelist then they must have been blocked by Skynet.

 

[Adamm]

Thanks. Maybe I jumped to a conclusion. For each of them I got a timed out message; I added each to the ab-solution whitelist (none in the blocklist) and it immediately connected.

Maybe I have something else going on. www.ctmirror.org is blocked. It resolves to 45.79.148.101.
When I ran firewall stats search 45.79.148.101, I got a "Command not recognized message". But inspecting the skynet.log it is in there, blocked.

Like the other IPs, I also don't see this on any of the current lists and have no issues loading the webiste;

admin@RT-AC68U-EE20:/tmp/home/root# firewall stats search malware 45.79.148.101
#!/bin/sh
#############################################################################################################
#                    _____ _                     _           _____                     #
#                   / ____| |                   | |         | ____|                    #
#                  | (___ | | ___   _ _ __   ___| |_  __   _| |__                      #
#                   \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /___ \                     #
#                   ____) |   <| |_| | | | |  __/ |_   \ V / ___) |                    #
#                  |_____/|_|\_\\__, |_| |_|\___|\__|   \_/ |____/                     #
#                                __/ |                                                 #
#                               |___/                                                  #
#                                                        #
## - 20/12/2017 -           Asus Firewall Addition By Adamm v5.6.5                    #
##                   https://github.com/Adamm00/IPSet_ASUS                    #
#############################################################################################################


Debug Data Detected in /tmp/mnt/Main/skynet/skynet.log - 5.2M
Monitoring From Dec 25 09:00:32 To Jan 3 00:40:56
24891 Block Events Detected
4375 Unique IPs
19 Autobans Issued
0 Manual Bans Issued

Exact Matches;


Possible CIDR Matches;


Skynet: [Complete] 131171 IPs / 1945 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 6494 Inbound / 1918 Outbound Connections Blocked! [13s]

Also, I typed the previous command wrong, the actual command is;

sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

Sorry about that.

 

[DonnyJohnny]

Easiest way would to be adding this at the end of your firewall-start file.

cru d Skynet_banmalware
cru a Skynet_banmalware "0 */6 * * * sh /jffs/scripts/firewall banmalware"

Problem.
Put in firewall-start after
sh /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/Main # Skynet Firewall Addition

However it did not have effect. The command is good when I key them manually but not executed in jffs script.

When I use access Skynet via amtm, during loading the Skynet, it shows

Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/Main 
d Skynet_banmalware 
a Skynet_banmalware "3 */6 * * * sh /jffs/scripts/firewall banmalware"

The cru command seems to be omitted. Also if the Skynet is reinstall between debug and vanilla, the code arrangement change and go above the following command
sh /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/Main # Skynet Firewall Addition

 

[Adamm]

Problem.
Put in firewall-start after
sh /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/Main # Skynet Firewall Addition

However it did not have effect. The command is good when I key them manually but not executed in jffs script.

When I use access Skynet via amtm, during loading the Skynet, it shows

Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/Main
d Skynet_banmalware
a Skynet_banmalware "3 */6 * * * sh /jffs/scripts/firewall banmalware"

The cru command seems to be omitted. Also if the Skynet is reinstall between debug and vanilla, the code arrangement change and go above the following command
sh /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/Main # Skynet Firewall Addition

Sorry I should have tested the solution before posting it, there was a small bug where Skynet was searching for "unspecific" entries in firewall-start which may have caused issues if the word "Skynet" was elsewhere in the file. I've corrected this in v5.6.6.

The above solution should work as expected now (assuming it is the last two lines in the file). You are right in saying when the boot args change this stop working, unless I code this option into the actual script the only way to avoid this would be changing the cronjob name and having it run in addition to the default one.

So to replace the regular cronjob;

cru d Skynet_banmalware
cru a Skynet_banmalware "25 */6 * * * sh /jffs/scripts/firewall banmalware"

Or to add an additional one as mentioned above;

cru d Skynet_banmalwareextra
cru a Skynet_banmalwareextra "35 */6 * * * sh /jffs/scripts/firewall banmalware"

 

[elorimer]

Like the other IPs, I also don't see this on any of the current lists and have no issues loading the webiste

Poked at this a little more, and they are showing up in my list as autobans. I'm not quite clear on what generates an autoban, but what might have happened at 2:38 in the morning that generated all these?

I did start poking around in the menu driven part (I'd always invoked skynet through cli). I noticed this, that searching autobans, set at top 50 results, just lists the top 10 autobans. I expected something in there to set the ip to search for.

 

[Adamm]

Poked at this a little more, and they are showing up in my list as autobans. I'm not quite clear on what generates an autoban, but what might have happened at 2:38 in the morning that generated all these?

I did start poking around in the menu driven part (I'd always invoked skynet through cli). I noticed this, that searching autobans, set at top 50 results, just lists the top 10 autobans. I expected something in there to set the ip to search for.

If you could post the output of the search command for any of the autobanned IP's that would be great so I can see why they are being banned in the first place and work from there. There's been a few cases where website traffic is being autobanned (port 80/443) somehow ignoring the IPTables rule to only drop them, I've been unable to reproduce it myself so this information would be a big help.

 

[elorimer]

From the Skynet log:

Here's www.ctmirror.org (a newspaper):
Jan  1 17:34:19 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=ac:9e:17:97:2b:30:00:76:86:45:44:19:08:00 SRC=45.79.148.101 DST=xxx.xxx.xxx.xxx LEN=1500 TOS=0x00 PREC=0x00 TTL=56 ID=41867 DF PROTO=TCP SPT=443 DPT=52910 SEQ=1122075927 ACK=727373211 WINDOW=156 RES=0x00 ACK URGP=0

Here is dropbox:
Jan  1 18:03:48 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=ac:9e:17:97:2b:30:00:76:86:45:44:19:08:00 SRC=162.125.16.131 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=34801 DF PROTO=TCP SPT=49320 DPT=1 SEQ=3268917209 ACK=3914448712 WINDOW=22561 RES=0x1c CWR RST FIN URGP=1853

I haven't quite figured out the search function yet. In there is also a Microsoft, Google, Amazon, Verizonbusiness. The DST is my WAN address. Pixelserv is on port 443 on the LAN side, and OpenVPN is on port 443 on the WAN side.

 

[Adamm]

From the Skynet log:

Here's www.ctmirror.org (a newspaper):
Jan  1 17:34:19 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=ac:9e:17:97:2b:30:00:76:86:45:44:19:08:00 SRC=45.79.148.101 DST=xxx.xxx.xxx.xxx LEN=1500 TOS=0x00 PREC=0x00 TTL=56 ID=41867 DF PROTO=TCP SPT=443 DPT=52910 SEQ=1122075927 ACK=727373211 WINDOW=156 RES=0x00 ACK URGP=0

Here is dropbox:
Jan  1 18:03:48 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=ac:9e:17:97:2b:30:00:76:86:45:44:19:08:00 SRC=162.125.16.131 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=34801 DF PROTO=TCP SPT=49320 DPT=1 SEQ=3268917209 ACK=3914448712 WINDOW=22561 RES=0x1c CWR RST FIN URGP=1853

I haven't quite figured out the search function yet. In there is also a Microsoft, Google, Amazon, Verizonbusiness. The DST is my WAN address. Pixelserv is on port 443 on the LAN side, and OpenVPN is on port 443 on the WAN side.

From the Skynet log:

Here's www.ctmirror.org (a newspaper):
Jan  1 17:34:19 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=ac:9e:17:97:2b:30:00:76:86:45:44:19:08:00 SRC=45.79.148.101 DST=xxx.xxx.xxx.xxx LEN=1500 TOS=0x00 PREC=0x00 TTL=56 ID=41867 DF PROTO=TCP SPT=443 DPT=52910 SEQ=1122075927 ACK=727373211 WINDOW=156 RES=0x00 ACK URGP=0

Here is dropbox:
Jan  1 18:03:48 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=ac:9e:17:97:2b:30:00:76:86:45:44:19:08:00 SRC=162.125.16.131 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=34801 DF PROTO=TCP SPT=49320 DPT=1 SEQ=3268917209 ACK=3914448712 WINDOW=22561 RES=0x1c CWR RST FIN URGP=1853

I haven't quite figured out the search function yet. In there is also a Microsoft, Google, Amazon, Verizonbusiness. The DST is my WAN address. Pixelserv is on port 443 on the LAN side, and OpenVPN is on port 443 on the WAN side.

The dropbox ban I can understand as its on a random port, the ctmirror on the other hand makes no sense to me nor can I replicate it. The IPTables rules specifically state that any invalid packets on source port 80 or 443 should be dropped, not added to the blacklist ipset. Somehow like in this case, the drop rule is being ignored and the packets are being added to the set anyway.

I'm going to have to take some time to think about this as i honestly can't see how its possible, if its becoming a real issue for you to mitigate it for the time being you can unban all autobans and/or disable autobanning in the boot args.

 

[DonnyJohnny]

I play with both my own iptables rule I got from
https://javapipe.com/ddos/blog/iptables-ddos-protection/

And Skynet. So far ok..

Thanks Adamm for the new update. Working great with the Cron.

Cheers.

 

[Adamm]

From the Skynet log:

Can you please also post the output of the following command;

iptables -vL

 

[elorimer]

I've pm'd it to you in two pieces as it was more than 10K.

 

[skeal]

Hello @Adamm ! Can you tell me how to monitor or log traffic on a specific port?

 

[Adamm]

Hello @Adamm ! Can you tell me how to monitor or log traffic on a specific port?

The following would log all inbound tcp packets to the specified interface (eth0 or ppp0 usually) / specified port in the syslog with the specified log prefix. Do note that it would probably be quite spammy depending on what exactly you are monitoring and may potentially affect Skynet if the logs are flooded too much.

iptables -t raw -I PREROUTING -i "INTERFACE" -p tcp --dport PORTHERE -j LOG --log-prefix "[LOG PREFIX HERE] " --log-tcp-sequence --log-tcp-options --log-ip-options

 

[skeal]

The following would log all inbound tcp packets to the specified interface (eth0 or ppp0 usually) / specified port in the syslog with the specified log prefix. Do note that it would probably be quite spammy depending on what exactly you are monitoring and may potentially affect Skynet if the logs are flooded too much.

iptables -t raw -I PREROUTING -i "INTERFACE" -p tcp --dport PORTHERE -j LOG --log-prefix "[LOG PREFIX HERE] " --log-tcp-sequence --log-tcp-options --log-ip-options

I have used some really obscure port numbers for such things as ssh or https I do not expect any traffic at all. What is a log prefix Adamm?

 

[Adamm]

I have used some really obscure port numbers for such things as ssh or https I do not expect any traffic at all.

Ideally you wouldn't want to expose these services to the outside world in the first place.

What is a log prefix Adamm?

If you look at the Skynet logs for reference, this is the phrases such as "BLOCKED - INBOUND". (Please dont use the phrase "BLOCKED -" or it will confuse Skynet's log purging)

 

[skeal]

Ideally you wouldn't want to expose these services to the outside world in the first place.



If you look at the Skynet logs for reference, this is the phrases such as "BLOCKED - INBOUND". (Please dont use the phrase "BLOCKED -" or it will confuse Skynet's log purging)

Do I set interface to something Adamm?