Skynet Skynet - Router Firewall & Security Enhancements

[DonnyJohnny]

Silently 2 updates in 5.7.5. For people to update manually. Lastly is 5.7.5 05/02/2018.
Force update if u already 2.7.5 03/02/2018

 

[M@rco]

Silently 2 updates in 2.7.5. For people to update manually. Lastly is 2.7.5 05/02/2018.
Force update if u already 2.7.5 03/02/2018

Thanks for the heads up. I assume you mean 5.7.5?

 

[Adamm]

Silently 2 updates in 2.7.5. For people to update manually. Lastly is 2.7.5 05/02/2018.
Force update if u already 2.7.5 03/02/2018

Someone has a keen eye Just some minor under the hood updates.

Skynet will prevent you from using specific commands if it hasn't been started up yet
Remove unnecessary "force exits" for certain commands
Purge Skynet syslog entries when there is more then 24 (so they are less spammy)

 

[DonnyJohnny]

Happened to see skynet schedule update to 5.7.5 03/05/2018 , then when see GitHub for changes, saw new update again 05/02/2018 just a few sec ago.. lol

 

[DonnyJohnny]

Recently my ip has been very active with port scanner from new ip . It is blocked by my iptables in mangle.
I would like to know if you can allow us to customise the autoban? Currently is 2 invalid packet within 5min which I think is too long. I am thinking of reducing to a min or 30sec

 

[Adamm]

Recently my ip has been very active with port scanner from new ip . It is blocked by my iptables in mangle.
I would like to know if you can allow us to customise the autoban? Currently is 2 invalid packet within 5min which I think is too long. I am thinking of reducing to a min or 30sec

Wait so are you implying Skynet is banning too many or too few IP's?

 

[accolito]

Adamm, before posting I checked if this error is only from my side. This little error occured if I previously have configured an existing swap partition. This is the output of firewall command (after the skynetv5 logo):

du: invalid option -- 'f'
BusyBox v1.24.1 (2018-02-02 11:14:24 EST) multi-call binary.

Usage: du [-aHLdclsxhmk] [FILE]...

Summarize disk space used for each FILE and/or directory

        -a      Show file sizes too
        -L      Follow all symlinks
        -H      Follow symlinks on command line
        -d N    Limit output to directories (and files with -a) of depth < N
        -c      Show grand total
        -l      Count sizes many times if hard linked
        -s      Display only a total for each argument
        -x      Skip directories on different filesystems
        -h      Sizes in human readable format (e.g., 1K 243M 2G)
        -m      Sizes in megabytes
        -k      Sizes in kilobytes (default)
SWAP File; -f ()
Boot Args; /jffs/scripts/firewall start banmalware autoupdate

Aside this, the app works. ac86u with latest alpha.

 

[Adamm]

Adamm, before posting I checked if this error is only from my side. This little error occured if I previously have configured an existing swap partition. This is the output of firewall command (after the skynetv5 logo):

du: invalid option -- 'f'
BusyBox v1.24.1 (2018-02-02 11:14:24 EST) multi-call binary.

Usage: du [-aHLdclsxhmk] [FILE]...

Summarize disk space used for each FILE and/or directory

        -a      Show file sizes too
        -L      Follow all symlinks
        -H      Follow symlinks on command line
        -d N    Limit output to directories (and files with -a) of depth < N
        -c      Show grand total
        -l      Count sizes many times if hard linked
        -s      Display only a total for each argument
        -x      Skip directories on different filesystems
        -h      Sizes in human readable format (e.g., 1K 243M 2G)
        -m      Sizes in megabytes
        -k      Sizes in kilobytes (default)
SWAP File; -f ()
Boot Args; /jffs/scripts/firewall start banmalware autoupdate

Aside this, the app works. ac86u with latest alpha.

Whats the output of the following command;

cat /jffs/scripts/post-mount

 

[accolito]

Whats the output of the following command;

cat /jffs/scripts/post-mount

if [ "$1" = "/tmp/mnt/sda" ] ; then
  ln -nsf $1/entware /tmp/opt
fi

[ -f /opt/myswap.swp ] && swapon /opt/myswap.swp

 

[Adamm]

[ -f /opt/myswap.swp ] && swapon /opt/myswap.swp

Okay that makes sense, most scripts on this forum expect the line to start with the swapon command, I suggest you make one of the following modifications rather then me write a workaround for just my script;

1). Change the line to the following, the file detection isn't really necessary as if the swap file doesn't exist there is no adverse affects beyond an error message (Which can be silenced in my example)

swapon /opt/myswap.swp 2>/dev/null

2). Keep the original functionality but move the swapon command to its own line;

[ -f /opt/myswap.swp ] && \
swapon /opt/myswap.swp

 

[thelonelycoder]

if [ "$1" = "/tmp/mnt/sda" ] ; then
  ln -nsf $1/entware /tmp/opt
fi

[ -f /opt/myswap.swp ] && swapon /opt/myswap.swp

Looks OK, make sure there is at least one empty line after the last command.

 

[john9527]

if [ "$1" = "/tmp/mnt/sda" ] ; then
  ln -nsf $1/entware /tmp/opt
fi

[ -f /opt/myswap.swp ] && swapon /opt/myswap.swp

@Adamm
Is it missing the shebang?

 

[accolito]

Okay that makes sense, most scripts on this forum expect the line to start with the swapon command, I suggest you make one of the following modifications rather then me write a workaround for just my script;

1). Change the line to the following, the file detection isn't really necessary as if the swap file doesn't exist there is no adverse affects beyond an error message (Which can be silenced in my example)

swapon /opt/myswap.swp 2>/dev/null

2). Keep the original functionality but move the swapon command to its own line;

[ -f /opt/myswap.swp ] && \
swapon /opt/myswap.swp

I didn't know that, sorry ^_^; Now it works.

 

[Adamm]

I didn't know that, sorry ^_^; Now it works.

Yeah its because my script (and others IIRC) use a basic grep command on any swapon match in that file, then use awk to phrase the second field. In 99% of cases this would be the swap file location, in this edge case its picking up the -f in that line as the second field.

I will put a workaround in Skynet incase other users run into this issue, but again for better compatibility and simplicity I suggest you continue to use one of the fixes above.

 

[DonnyJohnny]

Wait so are you implying Skynet is banning too many or too few IP's?

too few.. should I say nothing... lol.. it could be due to before it reach filter table, it is already drop at prerouting chain in mangle table.
below is my additional rule in mangle table.

-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A PREROUTING -f -j DROP

Could it be done at prerouting in mangle table? I just asking as I know nothing about the iptables. Those above rules are copy and paste from websites.
Another question is autoban ip are dropped via ipset?

 

[accolito]

Yeah its because my script (and others IIRC) use a basic grep command on any swapon match in that file, then use awk to phrase the second field. In 99% of cases this would be the swap file location, in this edge case its picking up the -f in that line as the second field.

I will put a workaround in Skynet incase other users run into this issue, but again for better compatibility and simplicity I suggest you continue to use one of the fixes above.

Ah I understand... it's this line, right?

    if grep -qF "swapon" /jffs/scripts/post-mount 2>/dev/null; then swaplocation="$(grep -F "swapon" /jffs/scripts/post-mount | awk '{print $2}')"; echo "SWAP File; $swaplocation ($(du -h "$swaplocation" | awk '{print $1}'))"; fi

 

[Adamm]

too few..

But I do realise that the invalid packet checking is done at filter table.
Could it be done at prerouting in mangle table? I just asking as I know nothing about the iptables.

It's a tough issue when dealing with thousands of users, I previously had it blacklist any IP that sent an invalid packet but had users complaining of false positives, now an IP has to send 2 packets within 5 minutes to be blacklisted. Do note just because IP's aren't being permanently blacklisted, doesn't mean Skynet isn't dropping those packets still. So the level of security is still similar, just with alittle more wiggle room for legitimate applications.

FYI the higher the timer the more IP's that would be banned, as there would be a longer period in which an IP has to send 2 invalid packets.

 

[Adamm]

Ah I understand... it's this line, right?

    if grep -qF "swapon" /jffs/scripts/post-mount 2>/dev/null; then swaplocation="$(grep -F "swapon" /jffs/scripts/post-mount | awk '{print $2}')"; echo "SWAP File; $swaplocation ($(du -h "$swaplocation" | awk '{print $1}'))"; fi

Yes, which I have modified in this commit (along with amtm which uses the same code)

 

[DonnyJohnny]

Another question is autoban ip are dropped via ipset?

 

[Adamm]

Another question is autoban ip are dropped via ipset?

Any IP that is autobanned is dropped via IPSet like any other ban.