Skynet - Router Firewall & Security Enhancements

I've pushed v5.6.7. In this change I've upped the requirements for an IP to be autobanned, which should greatly reduce the number of autobans in total and hopefully eliminate false positives altogether. Rather than an IP being blacklisted after sending one invalid packet, it now has to send two within a 5 minute period (first attempts will just be silently dropped). This may be tweaked again in future but I'll require some user feedback.

I've also fixed the 82 limit on "ban country". This was actually due to IPSet only allowing 255 chars in the "comment" for each ban; now whenever over 82 countries are selected, rather than individually listing them all it will just say "Multiple Countries".

Due to the changes to autobanning, it's probably a good idea to clear your autobans and start fresh, that way I can directly use everyone's input towards tweaking this in future with the results of the new ruleset. You can do this via:

Code:
sh /jffs/scripts/firewall unban autobans
 
It looks like there is a two byte limit (65537) on an ipset hash table count. If that's the number of blocked IPs or unique ranges that ipset can accommodate, it would be hard to limit them by numbers of countries as IP counts by country ebb and flow and vary across different sets of countries. The example below is an edge case and is likely more than is needed in practice. I just removed a few countries from the total list and banned the rest.
Code:
Removing Previous Country Bans
Banning Known IP Ranges For af ax al dz as ad ao ai aq ag ar am aw az bs bh bd bb by bz bj bm bt bo bq ba bw bv br io bn bg bf bi kh cm cv ky cf td cl cn cx cc co km cg cd ck cr ci hr cu cw cy cz dk dj dm do ec eg sv gq er ee et fk fo fj fi gf pf tf ga gm ge de gh gi gr gl gd gp gu gt gg gn gw gy ht hm va hn hk hu is in id ir iq im il it jm jp je jo kz ke ki kp kr kw kg la lv lb ls lr ly li lt lu mo mk mg mw my mv ml mt mh mq mr mu yt mx fm md mc mn me ms ma mz mm na nr np nc ni ne ng nu nf mp no om pk pw ps pa pg py pe ph pn pl pt pr qa re ro ru rw bl sh kn lc mf pm vc ws sm st sa sn rs sc sl sg sx sk si sb so za gs ss es lk sd sr sj sz ch sy tw tj tz th tl tg tk to tt tn tr tm tc tv ug ua ae um uy uz vu ve vn vg vi wf eh ye zm zw
Downloading Lists
Filtering IPv4 Ranges & Applying Blacklists
ipset v6.32: Error in line 65537: Hash is full, cannot add more elements
Saving Changes
 
Updated to 5.6.7. It seems the lock file is there for more than 10 minutes. Will try to unban the autobans in the morning.
 
Updated without any autoban in the first place. Working ok...
May I know what was the previous setting for invalid packet autoban?
 
It looks like there is a two byte limit (65537) on an ipset hash table count. If that's the number of blocked IPs or unique ranges that ipset can accommodate, it would be hard to limit them by numbers of countries as IP counts by country ebb and flow and vary across different sets of countries. The example below is an edge case and is likely more than is needed in practice. I just removed a few countries from the total list and banned the rest.

Maxelems was limited to 65536 by default; this again is an edge case so it was never an issue previously for the BlockedRanges set. I've increased it but you will need to force update to see the changes.

Updated to 5.6.7. It seems the lock file is there for more than 10 minutes. Will try to unban the autobans in the morning.

I've personally never run into an issue where it gets stuck indefinitely, let me know the exact locked process output.

May I know what was the previous setting for invalid packet autoban?

Previously any invalid packet was autobanned; now the same IP has to send two within 5 minutes.
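Added example, not Skynet's own code or anything from the thread: a POSIX shell check that parses the output of `ipset list <set>` and reports how close the set is to its maxelem, so the "Hash is full, cannot add more elements" failure shown earlier (the default maxelem of 65536 described in the reply) can be spotted before a bulk country ban aborts mid-run. The set name, member addresses and comment strings in the sample listings are constructed.

```shell
# Constructed sample of `ipset list <set>` output in the ipset v6.x layout.
# The set name, comments and addresses are assumptions for the example.
SAMPLE_RANGES='Name: Skynet-BlockedRanges
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 1234
References: 1
Members:
203.0.113.0/24 comment "Country: xx"
198.51.100.0/24 comment "Country: yy"
192.0.2.0/24 comment "Multiple Countries"'

# Same layout, but a tiny constructed set that is completely full.
SAMPLE_FULL='Name: Example-Full
Type: hash:net
Header: family inet hashsize 64 maxelem 4 comment
Members:
203.0.113.0/24
198.51.100.0/24
192.0.2.0/25
192.0.2.128/25'

# Read an `ipset list` listing on stdin; print "<entries> <maxelem> <percent used>".
# maxelem falls back to 65536 when the header omits it, which is ipset's default.
ipset_usage() {
    awk '
        /^Header:/ { for (i = 1; i <= NF; i++) if ($i == "maxelem") max = $(i + 1) }
        inmembers && NF { used++ }
        /^Members:/ { inmembers = 1 }
        END {
            if (max == "") max = 65536
            printf "%d %d %d\n", used, max, used * 100 / max
        }
    '
}

# Exit 0 while usage is below the threshold percentage (default 90); exit 1 when
# the set is close enough to maxelem that the next bulk add may hit "Hash is full".
ipset_check() {
    listing=$1
    threshold=${2:-90}
    set -- $(printf '%s\n' "$listing" | ipset_usage)
    printf 'entries=%s maxelem=%s usage=%s%%\n' "$1" "$2" "$3"
    [ "$3" -lt "$threshold" ]
}
```

On the router the same functions take live data, e.g. `ipset_check "$(ipset list Skynet-BlockedRanges)"` (set name assumed).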
 
Updated to 5.6.7. Cleared autobans with "sh /jffs/scripts/firewall unban autobans" but:

Checking Autobanning Status... [Failed]

I've tried restarting many times but no change :(
 
Updated to 5.6.7. Cleared autobans with "sh /jffs/scripts/firewall unban autobans" but:

Checking Autobanning Status... [Failed]

I've tried restarting many times but no change :(
Have you tried using the GUI yet?
 
Have you tried using the GUI yet?

GUI? You mean the firewall menu, right? Here is the output of "firewall debug info":

Code:
Router Model; RT-AC88U
Skynet Version; v5.6.7 (09/01/2018)
iptables v1.4.15 - (eth0 @ 172.24.5.1)
ipset v6.32, protocol version: 6
FW Version; 382.2_beta2 (Jan 1 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/entware/skynet (13.1G / 14.7G Space Available)
SWAP File; /tmp/mnt/entware/myswap.swp (512.5M)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/entware
No Lock File Found

Checking Install Directory Write Permissions...        [Passed]
Checking Firewall-Start Entry...            [Passed]
Checking Services-Stop Entry...                [Passed]
Checking CronJobs...                    [Passed]
Checking IPSet Comment Support...            [Passed]
Checking Log Level 5 Settings...            [Passed]
Checking Autobanning Status...                [Failed]
Checking Debug Mode Status...                [Passed]
Checking For Duplicate Rules In RAW...            [Passed]
Checking For Duplicate Rules In Filter...        [Passed]
Checking Skynet IPTable...                [Passed]
Checking Whitelist IPSet...                [Passed]
Checking BlockedRanges IPSet...                [Passed]
Checking Blacklist IPSet...                [Passed]
Checking Skynet IPSet...                [Passed]
Checking For AB-Solution Plus Content...        [Passed]

Skynet: [Complete] 128178 IPs / 1833 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1 Inbound / 0 Outbound Connections Blocked! [1s]
 
Yes, firewall menu. Choose unban/autobans, then run autoban from the first menu and choose default unless you have a custom file.
 
@pattiri @skeal Thanks for pointing that error out, oversight on my behalf, I forgot to update the rule checking in the last patch. It's simply an aesthetic error rather than a functional one, will have an update out shortly.
 
Yes, firewall menu. Choose unban/autobans, then run autoban from the first menu and choose default unless you have a custom file.

I've already used "sh /jffs/scripts/firewall unban autobans" to clear autobans, but now I've unbanned all IP addresses and used "Banmalware" again and it's still the same :(

Code:
Checking Install Directory Write Permissions...        [Passed]
Checking Firewall-Start Entry...            [Passed]
Checking Services-Stop Entry...                [Passed]
Checking CronJobs...                    [Passed]
Checking IPSet Comment Support...            [Passed]
Checking Log Level 5 Settings...            [Passed]
Checking Autobanning Status...                [Failed]
Checking Debug Mode Status...                [Passed]
Checking For Duplicate Rules In RAW...            [Passed]
Checking For Duplicate Rules In Filter...        [Passed]
Checking Skynet IPTable...                [Passed]
Checking Whitelist IPSet...                [Passed]
Checking BlockedRanges IPSet...                [Passed]
Checking Blacklist IPSet...                [Passed]
Checking Skynet IPSet...                [Passed]
Checking For AB-Solution Plus Content...        [Passed]
 
I've already used "sh /jffs/scripts/firewall unban autobans" to clear autobans, but now I've unbanned all IP addresses and used "Banmalware" again and it's still the same :(

Code:
Checking Install Directory Write Permissions...        [Passed]
Checking Firewall-Start Entry...            [Passed]
Checking Services-Stop Entry...                [Passed]
Checking CronJobs...                    [Passed]
Checking IPSet Comment Support...            [Passed]
Checking Log Level 5 Settings...            [Passed]
Checking Autobanning Status...                [Failed]
Checking Debug Mode Status...                [Passed]
Checking For Duplicate Rules In RAW...            [Passed]
Checking For Duplicate Rules In Filter...        [Passed]
Checking Skynet IPTable...                [Passed]
Checking Whitelist IPSet...                [Passed]
Checking BlockedRanges IPSet...                [Passed]
Checking Blacklist IPSet...                [Passed]
Checking Skynet IPSet...                [Passed]
Checking For AB-Solution Plus Content...        [Passed]
Instead of doing this with the command line, try the GUI and start anew. See what happens.
 
I didn't use the command line, I used the GUI instead and had "0" problems.
 
I've pushed v5.6.8 with a fix for this, along with some extra rule checking. Minor oversight on my behalf and an area that was on my todo list to improve.

@pattiri @skeal
 
Updated by gui and all is well!
 
Maxelems was limited to 65536 by default; this again is an edge case so it was never an issue previously for the BlockedRanges set. I've increased it but you will need to force update to see the changes.

I've personally never run into an issue where it gets stuck indefinitely, let me know the exact locked process output.

Previously any invalid packet was autobanned; now the same IP has to send two within 5 minutes.

The lock file was gone after a while and unbanning the autobans went smoothly. Thanks!
 
Question: what is the general memory usage with Skynet?

Been monitoring it since yesterday; it seems to use 5-10 MB of RAM.

What has everyone else seen?
 
Question: what is the general memory usage with Skynet?

Been monitoring it since yesterday; it seems to use 5-10 MB of RAM.

What has everyone else seen?

Idles around 7 to 9 MB, peaks around 2x or 3x that figure for a few seconds during intensive operations.
 
Idles around 7 to 9 MB, peaks around 2x or 3x that figure for a few seconds during intensive operations.

Thanks for the quick reply, I was going to ask about the peaks, noticed those also.
 
Not really; in my case I created a countries list, the contents of which I pass to the script:

Code:
admin@RT-AC88U:/jffs/scripts# cat countries.txt
cn br ir ua ar iq tw th lv ru ro cl sa pk bg
admin@RT-AC88U:/jffs/scripts#

I simply used space between the entries!

Love your idea for the countries file.

Where did you place the countries file & how would you get that read by Skynet?

Thanks