Skynet Skynet - Router Firewall & Security Enhancements

[DonnyJohnny]

No choice... limited resources. Whitelist them.. and just be careful when opening file ... lol..

I use Skynet more for those attacking ip and port scanner. Those virus / malware I think anti virus should be fine.

 

[DonnyJohnny]

I'm a bit overwhelmed by that site. How can I investigate IP 216.239.34.21 on it?

sh /jffs/scripts/firewall stats search malware 216.239.34.21

See which list it came from. Report to those maintainer.. but whether they acknowledge is one thing.

 

[XIII]

I'll whitelist them and try SkyNet for a couple of days, hoping I won't get much more false positives (otherwise SkyNet might not be for me / my family).

 

[yk101]

@Adamm, maybe you can help me understand the following:

I have logs riddled with similar entries:

Jan 25 17:10:32 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:22:92:78:a8:20:66:29:90:e4:08:00 SRC=192.168.2.101 DST=185.108.128.5 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=58364 PROTO=UDP SPT=56243 DPT=8888 LEN=9
Jan 25 17:10:32 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:22:92:78:a8:20:66:29:90:e4:08:00 SRC=192.168.2.101 DST=5.157.38.34 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=1868 PROTO=UDP SPT=62544 DPT=8888 LEN=9
Jan 25 17:10:32 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:22:92:78:a8:20:66:29:90:e4:08:00 SRC=192.168.2.101 DST=82.102.20.183 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=5468 PROTO=UDP SPT=56862 DPT=8888 LEN=9
Jan 25 17:10:32 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:22:92:78:a8:20:66:29:90:e4:08:00 SRC=192.168.2.101 DST=185.230.125.36 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=20636 PROTO=UDP SPT=59251 DPT=8888 LEN=9
Jan 25 17:10:32 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:22:92:78:a8:20:66:29:90:e4:08:00 SRC=192.168.2.101 DST=185.230.124.56 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=47336 PROTO=UDP SPT=52942 DPT=8888 LEN=9
Jan 25 17:10:32 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:22:92:78:a8:20:66:29:90:e4:08:00 SRC=192.168.2.101 DST=177.154.139.201 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=760 PROTO=UDP SPT=49578 DPT=8888 LEN=
Jan 25 17:10:32 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:22:92:78:a8:20:66:29:90:e4:08:00 SRC=192.168.2.101 DST=31.24.226.239 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=30301 PROTO=UDP SPT=63867 DPT=8888 LEN=9
Jan 25 17:10:32 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:22:92:78:a8:20:66:29:90:e4:08:00 SRC=192.168.2.101 DST=185.210.218.103 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=51226 PROTO=UDP SPT=59512 DPT=8888 LEN=9

This appears to be blocked by the firewall, but searches through malware lists or CIDRs do not find anything. In fact, those entries are caused by one of the scripts in PIA agent and are benign in nature (PIA is looking for the best set of endpoints to use). Is there a way to generically allow UDP port 8888 out?

BTW, adding individual IP's to the whitelist doesn't solve the issue as PIA keeps changing those often!

 

[DonnyJohnny]

sh /jffs/scripts/firewall whitelist port 8888) This Whitelists All Autobans Based On Traffic From Port 8888

Copied from the manual. But I think it will simply open up 8888 tcp/udp for all to inbound/outbound.

 

[yk101]

sh /jffs/scripts/firewall whitelist port 8888) This Whitelists All Autobans Based On Traffic From Port 8888

Copied from the manual. But I think it will simply open up 8888 tcp/udp for all to inbound/outbound.

Thanks, but I do not have auto banning enabled on at all! Unfortunately, in my case, this command does absolutely nothing.

Skynet: [INFO] Whitelisting Autobans Issued On Traffic From Port 8888...
Saving Changes
Skynet: [Complete] 131769 IPs / 27801 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 458 Inbound / 6352 Outbound Connections Blocked! [9s]

 

[DonnyJohnny]

Thanks, but I do not have auto banning enabled on at all! Unfortunately, in my case, this command does absolutely nothing.

Skynet: [INFO] Whitelisting Autobans Issued On Traffic From Port 8888...
Saving Changes
Skynet: [Complete] 131769 IPs / 27801 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 458 Inbound / 6352 Outbound Connections Blocked! [9s]

Sorry... better undo that whitelist... but I don’t know how to.. lol ... ask @Adamm

 

[yk101]

Sorry... better undo that whitelist... but I don’t know how to.. lol ... ask @Adamm

That was my original intent! LOL

 

[Adamm]

This appears to be blocked by the firewall, but searches through malware lists or CIDRs do not find anything. In fact, those entries are caused by one of the scripts in PIA agent and are benign in nature (PIA is looking for the best set of endpoints to use).

The following command will show you why they are banned (no reason = autoban);

firewall stats search ip xxx.xxx.xxx.xxx

The next command will show you exactly what list they appear on if its due to banmalware;

sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx

Then you can make appropriate decisions from there.

Is there a way to generically allow UDP port 8888 out

Through Skynet alone? No. But this can be done via IPTables if you insert the rule above Skynets in the raw table. A quick google search will give you all the information you need

 

[yk101]

No. But this can be done via IPTables if you insert the rule above Skynets in the raw table. A quick google search will give you all the information you need

Do you mean this?
iptables -t raw -I PREROUTING -p udp --dport 8888 -m state --state NEW,ESTABLISHED -j ACCEPT

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination       
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8888 state NEW,ESTABLISHED
LOG        all  --  anywhere             anywhere             ! match-set Whitelist dst match-set Skynet dst LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - OUTBOUND] "
DROP       all  --  anywhere             anywhere             ! match-set Whitelist dst match-set Skynet dst
LOG        all  --  anywhere             anywhere             ! match-set Whitelist src match-set Skynet src LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - INBOUND] "
DROP       all  --  anywhere             anywhere             ! match-set Whitelist src match-set Skynet src

I think you are talking about raw in PREROUTING section. Correct? If that is the case, it does absolutely nothing to stop the spam!

For benefit of others here is the flow:

 

[M@rco]

I'm a bit overwhelmed by that site. How can I investigate IP 216.239.34.21 on it?

I have AlienVault by default in my bookmarks. Whenever I have trouble connecting and see it's blocked by SkyNet or AB-Solution, I check the IP using the following url (no need to subscribe, you can just click away the 'Create Account' pop-over:

https://otx.alienvault.com/indicator/ip/216.239.34.21

When there's no malicious actvitity found, I'll just whitelist it.

 

[XIII]

Can I select which blacklists to (not) use?

I think I agree with the assessment of the one blocking cdn.emsisoft.com:

https://support.emsisoft.com/topic/29063-eam-20171218340-not-updating-for-2-days-now/

 

[DonnyJohnny]

Guess it is all trial and error.
For now it is good to have debug on.... occasionally go in stats to display TOP 10/20 list of blocking log. Check and whitelist if need to.
Also, good to remove some old list. U can go http://iplists.firehol.org/ to see which list is old and obsolete. To be conservative, using firehol lvl 1,2,3 is good enough. Optionally with some randomsome ware blocking, crypto coin block and anonymous blocking.

 

[M@rco]

I can't answer your last question regarding selecting blacklists not to use, but given the info of AlienVault, I see no reason why you wouldn't just whitelist 216.239.34.21 unless I missed something in one of your previous posts?

As for false possitives, I rarely have had any and have been a long time SkyNet user. Occassionally something stops working, I follow both AB-Solution and SkyNet in the tail log mode to see which hosts or IP's are being blocked, verify the IP at AlienVault and whitelist it whenever it's safe to do so. As I see the stats what both scripts have blocked over time versus the extremely low number of false positives, the latter definitely do no not outweigh the advantages.

 

[XIII]

Also, good to remove some old list. U can go http://iplists.firehol.org/ to see which list is old and obsolete. To be conservative, using firehol lvl 1,2,3 is good enough. Optionally with some randomsome ware blocking, crypto coin block and anonymous blocking.

Seems like the answer to "Can I select which blacklists to (not) use?" is yes?

I should have asked "How can I select which blacklists to (not) use?"...

 

[DonnyJohnny]

Seems like the answer to "Can I select which blacklists to (not) use?" is yes?

I should have asked "How can I select which blacklists to (not) use?"...

Lol..
Just choose the list u like from iplists.firehol.org.
Take the link of the “local copy” and paste them to pastebin.
Use the raw link from pastebin and paste to the command below
(sh /jffs/scripts/firewall banmalware RawLinkHere) This Uses The Fitler List From The Specified URL

 

[DonnyJohnny]

I have a feature request for Adamm.
I know some ip should be blocked and will not cause any side effect in application or browsing. Could we stop the stats from displaying or counting them?
Just asking if this kind of feature can be implement?

 

[Adamm]

Can I select which blacklists to (not) use?

I think I agree with the assessment of the one blocking cdn.emsisoft.com:

https://support.emsisoft.com/topic/29063-eam-20171218340-not-updating-for-2-days-now/

You are more then welcome to use any combination of lists with a custom filter file, that is just a default list based on reputation data from various companies. I don't make nor maintain the lists, so what they classify as malicious is completely out of my hands (including what whitelists they use to filter their compiled lists).

As for their comments about wildcards, well clearly they aren't familiar with how Skynet works and that its only IP based blocking, not DNS. Skynet simply preforms a nslookup on the domain at the time of banning/unbanning/whitelisting and grabs the IP's that way.

 

[Adamm]

With the above being said, I have pushed v5.7.1

I have whitelisted some CDN providers as per request (Akamai/Highwinds/Amazon). There should also be some massive speed improvements for the AC86U as the previous fork() issues don't seem to be apparent anymore. From personal testing banmalware takes around 14s and saving 2s which is about x3 faster then the AC68U.

AC86U users be warned:

AC86U IPSet is currently unstable and may lead to random reboots when using banmalware. I suggest turning off auto-banmalware updates until this is addressed in the firmware itsself.

 

[thelonelycoder]

AC86U IPSet is currently unstable and may lead to random reboots when using banmalware. I suggest turning off auto-banmalware updates until this is addressed in the firmware itsself.

Now I really need that elusive piece from Asus to test AB4 on it. I'm poor and have no money to spare, donations are welcome...