Skynet Skynet - Router Firewall & Security Enhancements

[SMS786]

Does the average user have to worry about coin mining though? I'm new to this coin mining and don't practice any myself.

Sorry, maybe I wasn't too clear in my post. The idea is to block the IPs of sites that involuntarily run scripts on webpages and apps that may use your PC or phone's cpu to mine coins on their own behalf. While you may visit a website that is non mining related, some may still embed mining Java scripts that may be maliciously eating up your computational resources in the background. Most of the IPs on the aforementioned list are for servers that run the said malicious java script code. Definitely a good idea to block on the router level.

Some more info for those interested:

https://arstechnica.com/information-technology/2017/10/a-surge-of-sites-and-apps-are-exhausting-your-cpu-to-mine-cryptocurrency/

https://arstechnica.com/information...s-cpus-picks-up-steam-with-aid-of-2500-sites/

 

[skeal]

@Adamm Is this something you want to integrate into Skynet? How would it stay up to date? I notice a date at the top of the list but that was compiled yesterday is this something we want to run every day? Lots of questions sorry sir! I have to say; I know nothing about coin mining or custom lists.

 

[Adamm]

Can Skynet ban by MAC address? Dont seem to find that option

That would be a negative, it's IP based only.

Getting dozens of requests from a particular mac (and different IPs, very strange)

Feb 07 06:13:37 xxxxxasuscomm.com kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=1c:b7:2c:74:0e:20:00:17:10:95:6e:16:08:00 SRC=77.72.82.179 DST=XXXXXXLEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=47375 PROTO=TCP SPT=57906 DPT=33923 SEQ=702345863 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 07 06:14:42
xxxxx.asuscomm.com kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=1c:b7:2c:74:0e:20:00:17:10:95:6e:16:08:00 SRC=112.124.123.115 DST=XXXXXXLEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=26026 PROTO=TCP SPT=48544 DPT=1433 SEQ=1698475832 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 07 06:15:28 xxxxxxx.com kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=1c:b7:2c:74:0e:20:00:17:10:95:6e:16:08:00 SRC=211.233.46.76 DST=XXXXXXLEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=63148 PROTO=TCP SPT=43992 DPT=3389 SEQ=2127312026 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 07 06:15:33 xxxxx.asuscomm.com kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=1c:b7:2c:74:0e:20:00:17:10:95:6e:16:08:00 SRC=14.134.100.6 DST=XXXXXLEN=52 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=16603 DPT=55116 SEQ=3558742493 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030001010402

Thats pretty much normal background noise these days, nothing out of the ordinary getting a few hundred/thousand hits per day.

I have a list of malicious coin mining IP addresses that I manually import on a regular basis (in case anyone is interested: https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/MiningServerIPList.txt)..

I was wondering if there was a setting that I'm missing within the menu to automatically import this list on, say, a weekly basis? I can't seem to find it...

You could add it as part of a custom banmalware filter, but as I already include a identical much larger list, this one is almost redundant. A non scientific test I did just copy and pasting random IP's shows almost every one from the list you posted was already included here.

Does the average user have to worry about coin mining though? I'm new to this coin mining and don't practice any myself.

Already blocked by banmalware, nothing to worry about.

@Adamm Is this something you want to integrate into Skynet? How would it stay up to date? I notice a date at the top of the list but that was compiled yesterday is this something we want to run every day? Lots of questions sorry sir! I have to say; I know nothing about coin mining or custom lists.

Like I said above, you could include this in a custom banmalware filter, but most of these addresses are already covered.

 

[skeal]

Thanks @Adamm!

 

[SMS786]

That would be a negative, it's IP based only.



Thats pretty much normal background noise these days, nothing out of the ordinary getting a few hundred/thousand hits per day.



You could add it as part of a custom banmalware filter, but as I already include a identical much larger list, this one is almost redundant. A non scientific test I did just copy and pasting random IP's shows almost every one from the list you posted was already included here.



Already blocked by banmalware, nothing to worry about.



Like I said above, you could include this in a custom banmalware filter, but most of these addresses are already covered.

Great to know @Adamm, thanks much!

 

[DonnyJohnny]

Check out my current custom Banmalware list. Use it if you want or you can always do customisation.
https://pastebin.com/raw/wb9xsPW4

I always playing around with the number of list. Hence the list has 1yr expiration.

Like Adamm said, likely the mining already covered. But if u want to be safe, just add in the link. Lol..

On TOP of the list, I also do country block recently. So far so good. I need china site sometime. You may add in cn , if you not likely to access them. 2nd biggest attacker after USA.
af al ag ao am ar aw bf ba bg bi bd bj bo br bw by bz cd cf cg ci cl co cu cv cz dj do dm dz ec ee eg es et fj hr ht il in iq ir jm ke kg kh kz kw la lb li lk lv ly md mk mn mx mz ne ng ni np om pa pe pg pk pr ps py qa ro rs rw sa sd sn sv sy td tg tj tl tr tt ua ug ve vu ye za zw zm

 

[Zentachi]

Anyone noticed anything strange with version 5.7.6?
When I had 5.7.5 I was receiving multiple bans, however since the update I get just

Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [57s]

Is there any way to go back to 5.7.5?

 

[yk101]

Anyone noticed anything strange with version 5.7.6?
When I had 5.7.5 I was receiving multiple bans, however since the update I get just

Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [57s]

Is there any way to go back to 5.7.5?

You probably want to run firewall banmalware command!

 

[Zentachi]

You probably want to run firewall banmalware command!

Thanks yk101. That's the one thing I didn't think or tried.

 

[Adamm]

So now that I have access to an AC86U I’ve spent the last week or so on stability for that unit and it will be my main development unit going forward. I’ve also been fixing long term bugs and crossing off the last items that were on my todo list for quite some time.

I’m pretty happy with the state of the project stability wise, there are no major issues I’m aware of and everything works as expected.

With that being said, I’m always looking for suggestions. While I can’t garentee they will be added, I take all into consideration. Sometimes I overlook posts or genuinely forget as in 100 pages there’s a lot to keep up with. So if anyone has ideas that would suit or benefit the project, post away.

 

[DonnyJohnny]

Thanks to Skynet, I feel safer...

Question,
During updating of Banmalware list, it seems that skynet is taken down for a few second or minutes to update to new updated list. Is that true?
I don’t know how ipset works. But if the above is true, is there way to minimise exposure while updating Banmalware list? Other than system clock speed.

Suggestions

- able to customise interval of Banmalware list update. Thinking 24 hr is too Long. Making have a option of 24/12/6/3

- ignore list. While looking at Search result, some ip (ie. telemetry) are permanently blocked for known privacy purpose. Can we exclude them in stats and search result? Coz it will get a bit messy when looking at those search result or stats.

 

[RMerlin]

it will be my main development unit going forward.

The fast reboots are really nice for development purposes That unit can also be easily modded to leave terminal wires permanently attached to the serial header - I just had to enlarge the opening underneath the back sticker a bit to leave the wires dangling.

I just wish I had a second unit, so I could use it instead of my RT-AC88U as my main router.

 

[2992]

@Adamm, any idea how to configure Skynet to automatically search for an updated version, and just update itself? (i.e. check every night and perfrom the update automatically).
It would be nice to have such option configurable (on/off), in case some users would like to alywas have the latest version, but without going to everyday manually search and perfrom the update. Or is such option already integrated, but I haven't found it yet?..

 

[thelonelycoder]

Or is such option already integrated, but I haven't found it yet?..

Clearly, you do not pay attention to the installer options.

 

[2992]

Clearly, you do not pay attention to the installer options.

I am, but I have instaled so many things lately, that I cannot recall which s/w is having which option during installation and so on...
Sorry for my stupid questions... and I have asked on your forum as well for the same thing...

If such option was available during installation, then most probably I have enabled it. However, I just did a quick check for updates, and seemingly there were updates available since last time I have checked (which was several days ago). That means, either I haven't paid attention during the installation and i've skiped the automatic option, or it doesn't work. Eitherway, I will reinstall them all again now, to make sure I will not miss suck option.

 

[Adamm]

@Adamm, any idea how to configure Skynet to automatically search for an updated version, and just update itself? (i.e. check every night and perfrom the update automatically).
It would be nice to have such option configurable (on/off), in case some users would like to alywas have the latest version, but without going to everyday manually search and perfrom the update. Or is such option already integrated, but I haven't found it yet?..

Run the install function, there's an option for automatic updates.

 

[2992]

Run the install function, there's an option for automatic updates.

indeed, it's there... stupid me. [facepalm]

Perhaps I am manually checking for updates too often for to notice that there is an autoupdate option and that is working just fine.

 

[Zentachi]

Even though the nvram get fw_log_x gives me that drop is enabled I can see no DROP notifications in syslog when I am using Skynet.

When I disable skynet DROP messages are back.

Anyone experienced something similar?

iptables -nvL --line

Chain logdrop (12 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1    40 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
2        0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport sports 80,443,143,993,110,995,25,465 state INVALID
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x19
6      148  6856 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x11
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x04
8        7   316 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x14
9        0     0            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            recent: SET name: TRACKINVALID side: source mask: 255.255.255.255
10       0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID recent: UPDATE seconds: 300 hit_count: 2 name: TRACKINVALID side: source mask: 255.255.255.255 LOG flags 7 level 4 prefix "[BLOCKED - NEW BAN] "
11       0     0 SET        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID recent: UPDATE seconds: 300 hit_count: 2 name: TRACKINVALID side: source mask: 255.255.255.255 add-set Skynet src
12    1643  105K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain other2wan (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
2        0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

 

[Adamm]

Even though the nvram get fw_log_x gives me that drop is enabled I can see no DROP notifications in syslog when I am using Skynet.

When I disable skynet DROP messages are back.

Anyone experienced something similar?

Whats the output of;

iptables --line -t raw -vnL

and

sh /jffs/scripts/firewall debug info

 

[Zentachi]

Whats the output of;

iptables --line -t raw -vnL

and

sh /jffs/scripts/firewall debug info

Chain PREROUTING (policy ACCEPT 103K packets, 26M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      233 12276 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Whitelist dst match-set Skynet dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
2      233 12276 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Whitelist dst match-set Skynet dst
3        0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Whitelist src match-set Skynet src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
4        0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Whitelist src match-set Skynet src

Chain OUTPUT (policy ACCEPT 61566 packets, 29M bytes)
num   pkts bytes target     prot opt in     out     source               destination

and

Router Model; RT-AC86U
Skynet Version; v5.7.6 (07/02/2018)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
FW Version; 384.3_beta2 (Feb 8 2018) (4.1.27)
Install Dir; /tmp/mnt/ASUS/skynet (2.3G / 2.6G Space Available)
SWAP File; -a (1.5K
512
512
512
14.0K
512
23.5K
512
512
512
512
2.5K
95.0K
140.5K)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/ASUS
No Lock File Found

Checking Install Directory Write Permissions...         [Passed]
Checking Firewall-Start Entry...                        [Passed]
Checking Services-Stop Entry...                         [Passed]
Checking CronJobs...                                    [Passed]
Checking IPSet Comment Support...                       [Passed]
Checking Log Level 5 Settings...                        [Passed]
Checking Autobanning Status...                          [Passed]
Checking Debug Mode Status...                           [Passed]
Checking For Duplicate Rules In RAW...                  [Passed]
Checking For Duplicate Rules In Filter...               [Passed]
Checking Skynet IPTable...                              [Passed]
Checking Whitelist IPSet...                             [Passed]
Checking BlockedRanges IPSet...                         [Passed]
Checking Blacklist IPSet...                             [Passed]
Checking Skynet IPSet...                                [Passed]
Checking For AB-Solution Plus Content...                [Passed]

Skynet: [Complete] 55080 IPs / 787 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 233 Outbound Connections Blocked! [1s]