Skynet Skynet - Router Firewall & Security Enhancements

[yk101]

I don't blame you, I've made 84 changes in the last week and basically rewritten it twice

Lets say you wanted to update a country list on a regular interval, you could make a cronjob for the command;

/jffs/scripts/firewall ban country "cn jp sa bz"

Lets say we wanted to update this list on the 15th and the 30th of every month, we would add something like the following to the bottom of "/jffs/scripts/firewall-start"

cru a Firewall_BanCountry "0 0 */15 * * /jffs/scripts/firewall ban country "cn jp sa bz""

Did I understand your question correctly?

Actually, one more question - would the merge during banmalware/country updates delete entries that are no longer appear in the lists?
I found that the lists I use are fairly dynamic. Not only they add things to ban, but also they remove certain entries....

 

[Adamm]

Actually, one more question - would the merge during banmalware/country updates delete entries that are no longer appear in the lists?
I found that the lists I use are fairly dynamic. Not only they add things to ban, but also they remove certain entries....

At this time, no. The reason being some of the lists I include are things like "Top monitored attackers in the last 48 hours".

As you can imagine, some change constantly for that reason, and could be completely different. I figured for a situation where you would want to regularly update them, every few weeks/months you would just remove everything and start fresh when you feel the list is starting to get too big. I may look for some sort of middle ground solution in the future but as functionality stands now that's the best we can do.

 

[Adamm]

I've added a new "stats" command. It gives you some insight into what actually is being blocked (only works with debug mode enabled). On an hourly basis all debug stats are now moved to /jffs/skynet.log and the syslog will be cleaned up.

The command by default shows the Top10 results in several categories, but can be specified in the command-line. eg;

sh /jffs/scripts/firewall stats 20

To reset stats, issue the following command;

sh /jffs/scripts/firewall stats reset

(Please disable then re-enable debug mode if upgrading from a previous Skynet version)

Debug Data Detected in /jffs/skynet.log
Monitoring From May 12 16:31:54 To May 12 23:58:42
1069 Connections Detected

Top 10 Ports Attacked;   (Port 80 or 443 Usually Indicates Website Blocking Hits)
612x http://www.speedguide.net/port.php?port=18158
190x http://www.speedguide.net/port.php?port=23
51x http://www.speedguide.net/port.php?port=1433
23x http://www.speedguide.net/port.php?port=22
20x http://www.speedguide.net/port.php?port=56437
15x http://www.speedguide.net/port.php?port=7547
13x http://www.speedguide.net/port.php?port=50915
10x http://www.speedguide.net/port.php?port=3389
8x http://www.speedguide.net/port.php?port=2323
6x http://www.speedguide.net/port.php?port=5358

Top 10 Attacker Source Ports;
53x http://www.speedguide.net/port.php?port=49001
23x http://www.speedguide.net/port.php?port=3544
13x http://www.speedguide.net/port.php?port=19718
12x http://www.speedguide.net/port.php?port=52026
10x http://www.speedguide.net/port.php?port=57602
10x http://www.speedguide.net/port.php?port=36286
8x http://www.speedguide.net/port.php?port=55122
7x http://www.speedguide.net/port.php?port=6889
7x http://www.speedguide.net/port.php?port=53
6x http://www.speedguide.net/port.php?port=1354

Last 10 Connections Blocked;
http://www.ip-tracker.org/locator/ip-lookup.php?ip=184.105.139.83
http://www.ip-tracker.org/locator/ip-lookup.php?ip=179.61.255.86
http://www.ip-tracker.org/locator/ip-lookup.php?ip=95.154.201.183
http://www.ip-tracker.org/locator/ip-lookup.php?ip=95.154.201.183
http://www.ip-tracker.org/locator/ip-lookup.php?ip=95.154.201.183
http://www.ip-tracker.org/locator/ip-lookup.php?ip=188.35.130.160
http://www.ip-tracker.org/locator/ip-lookup.php?ip=178.130.12.62
http://www.ip-tracker.org/locator/ip-lookup.php?ip=188.35.130.160
http://www.ip-tracker.org/locator/ip-lookup.php?ip=188.35.130.160
http://www.ip-tracker.org/locator/ip-lookup.php?ip=27.251.70.82

Last 10 New Bans;
http://www.ip-tracker.org/locator/ip-lookup.php?ip=179.61.255.86
http://www.ip-tracker.org/locator/ip-lookup.php?ip=178.130.12.62
http://www.ip-tracker.org/locator/ip-lookup.php?ip=27.251.70.82
http://www.ip-tracker.org/locator/ip-lookup.php?ip=91.121.173.72
http://www.ip-tracker.org/locator/ip-lookup.php?ip=175.152.15.208
http://www.ip-tracker.org/locator/ip-lookup.php?ip=79.130.22.173
http://www.ip-tracker.org/locator/ip-lookup.php?ip=37.146.206.179
http://www.ip-tracker.org/locator/ip-lookup.php?ip=176.31.31.85
http://www.ip-tracker.org/locator/ip-lookup.php?ip=116.226.5.68
http://www.ip-tracker.org/locator/ip-lookup.php?ip=186.206.106.205

Top 10 Attackers;
204x http://www.ip-tracker.org/locator/ip-lookup.php?ip=95.154.201.183
126x http://www.ip-tracker.org/locator/ip-lookup.php?ip=85.203.36.139
74x http://www.ip-tracker.org/locator/ip-lookup.php?ip=188.35.130.160
29x http://www.ip-tracker.org/locator/ip-lookup.php?ip=93.114.164.157
23x http://www.ip-tracker.org/locator/ip-lookup.php?ip=157.56.106.189
13x http://www.ip-tracker.org/locator/ip-lookup.php?ip=46.22.250.72
12x http://www.ip-tracker.org/locator/ip-lookup.php?ip=184.173.25.76
11x http://www.ip-tracker.org/locator/ip-lookup.php?ip=118.149.105.17
9x http://www.ip-tracker.org/locator/ip-lookup.php?ip=88.150.157.65
7x http://www.ip-tracker.org/locator/ip-lookup.php?ip=175.137.156.144

Skynet: [Complete] 115549 IPs / 5127 Ranges banned. 5 New IPs / 0 New Ranges Banned. 8430 IP / 434 Range Connections Blocked! [3s]

You can also search for hits on specific Ports or from specific IP's;

sh /jffs/scripts/firewall stats search ip IPHERE
sh /jffs/scripts/firewall stats search port PORTHERE

Debug Data Detected in /jffs/skynet.log
Monitoring From May 12 16:31:54 To May 13 02:17:38
5477 Connections Detected

IP Is Still Banned
157.56.106.189 First Tracked On May 12 19:13:21
157.56.106.189 Last Tracked On May 13 02:16:40
615 Attempts Total

10 Most Recent Attacks From 157.56.106.189;
May 13 02:10:06 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=e0:3f:49:27:ee:20:00:22:90:de:d2:d9:08:00 SRC=157.56.106.189 DST=xxx.xxx.26.64 LEN=137 TOS=0x00 PREC=0x00 TTL=43 ID=27332 PROTO=UDP SPT=3544 DPT=50915 LEN=117 
May 13 02:13:00 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=e0:3f:49:27:ee:20:00:22:90:de:d2:d9:08:00 SRC=157.56.106.189 DST=xxx.xxx.26.64 LEN=137 TOS=0x00 PREC=0x00 TTL=43 ID=2529 PROTO=UDP SPT=3544 DPT=50915 LEN=117
May 13 02:13:02 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=e0:3f:49:27:ee:20:00:22:90:de:d2:d9:08:00 SRC=157.56.106.189 DST=xxx.xxx.26.64 LEN=137 TOS=0x00 PREC=0x00 TTL=43 ID=2567 PROTO=UDP SPT=3544 DPT=50915 LEN=117
May 13 02:13:14 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=e0:3f:49:27:ee:20:00:22:90:de:d2:d9:08:00 SRC=157.56.106.189 DST=xxx.xxx.26.64 LEN=137 TOS=0x00 PREC=0x00 TTL=43 ID=17677 PROTO=UDP SPT=3544 DPT=50915 LEN=117
May 13 02:13:30 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=e0:3f:49:27:ee:20:00:22:90:de:d2:d9:08:00 SRC=157.56.106.189 DST=xxx.xxx.26.64 LEN=137 TOS=0x00 PREC=0x00 TTL=43 ID=32370 PROTO=UDP SPT=3544 DPT=50915 LEN=117 
May 13 02:16:09 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=e0:3f:49:27:ee:20:00:22:90:de:d2:d9:08:00 SRC=157.56.106.189 DST=xxx.xxx.26.64 LEN=137 TOS=0x00 PREC=0x00 TTL=43 ID=1250 PROTO=UDP SPT=3544 DPT=50915 LEN=117
May 13 02:16:10 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=e0:3f:49:27:ee:20:00:22:90:de:d2:d9:08:00 SRC=157.56.106.189 DST=xxx.xxx.26.64 LEN=137 TOS=0x00 PREC=0x00 TTL=43 ID=6555 PROTO=UDP SPT=3544 DPT=50915 LEN=117
May 13 02:16:12 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=e0:3f:49:27:ee:20:00:22:90:de:d2:d9:08:00 SRC=157.56.106.189 DST=xxx.xxx.26.64 LEN=137 TOS=0x00 PREC=0x00 TTL=43 ID=5401 PROTO=UDP SPT=3544 DPT=50915 LEN=117
May 13 02:16:16 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=e0:3f:49:27:ee:20:00:22:90:de:d2:d9:08:00 SRC=157.56.106.189 DST=xxx.xxx.26.64 LEN=137 TOS=0x00 PREC=0x00 TTL=43 ID=19592 PROTO=UDP SPT=3544 DPT=50915 LEN=117
May 13 02:16:40 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=e0:3f:49:27:ee:20:00:22:90:de:d2:d9:08:00 SRC=157.56.106.189 DST=xxx.xxx.26.64 LEN=137 TOS=0x00 PREC=0x00 TTL=43 ID=217 PROTO=UDP SPT=3544 DPT=50915 LEN=117

 

[bayern1975]

i am new to this script. how to activate debug? i insert
sh /jffs/scripts/firewall stats 20 and got message No Debug Data Detected - Make Sure Debug Mode Is Enabled To Compile Stats?

and this is what i got in syslog: Skynet: [Complete] 0 IPs / 0 Ranges banned. -4 New IPs / 0 New Ranges Banned. IP / Range Connections Blocked! [5s]

Router Model: RT-AC3200-0000
Skynet Version: v3.7.8 (13/05/2017)
iptables v1.4.14
ipset v6.29, protocol version: 6
FW Version: 380.66_beta5-gfcbc4b3
Startup Entry Detected
Cronjob Detected
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 19 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [1s]

 

[yk101]

Run the following:

./firewall debug enable
./firewall banmalware (if that wasn't done before)

 

[Adamm]

i am new to this script. how to activate debug? i insert
sh /jffs/scripts/firewall stats 20 and got message No Debug Data Detected - Make Sure Debug Mode Is Enabled To Compile Stats?

and this is what i got in syslog: Skynet: [Complete] 0 IPs / 0 Ranges banned. -4 New IPs / 0 New Ranges Banned. IP / Range Connections Blocked! [5s]

Router Model: RT-AC3200-0000
Skynet Version: v3.7.8 (13/05/2017)
iptables v1.4.14
ipset v6.29, protocol version: 6
FW Version: 380.66_beta5-gfcbc4b3
Startup Entry Detected
Cronjob Detected
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 19 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [1s]

The stats will only compile once you enable debug mode & it detects debug data (this may take some time for the firewall to actually pick up a "bad" connection attempt).

As yk101 pointed out, debug mode can be enabled via;

sh /jffs/scripts/firewall debug enable

 

[bayern1975]

Run the following:

./firewall debug enable
./firewall banmalware (if that wasn't done before)

ASUSWRT-Merlin RT-AC3200 380.66-beta5-gfcbc4b3 Thu May 11 20:47:39 UTC 2017
admin@RT-AC3200-0000:/tmp/home/root# ./firewall debug enable
-sh: ./firewall: not found
admin@RT-AC3200-0000:/tmp/home/root# ./firewall banmalware
-sh: ./firewall: not found
admin@RT-AC3200-0000:/tmp/home/root#

EDIT: got it, forget to insert cd /jffs/scripts.....hmm, why same IP contacting me more times? why the IP isn`t banned at first atempt?

May 12 20:26:25 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=49815 PROTO=TCP SPT=443 DPT=12457 SEQ=3046585368 ACK=2408154252 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:25 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=39865 PROTO=TCP SPT=443 DPT=12458 SEQ=2472939503 ACK=826592960 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:25 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=49967 PROTO=TCP SPT=443 DPT=12457 SEQ=3046585368 ACK=2408154252 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:25 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST=LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=40066 PROTO=TCP SPT=443 DPT=12458 SEQ=2472939503 ACK=826592960 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:27 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST=LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=51324 PROTO=TCP SPT=443 DPT=12457 SEQ=3046585368 ACK=2408154252 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:27 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=40979 PROTO=TCP SPT=443 DPT=12458 SEQ=2472939503 ACK=826592960 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:28 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=51626 PROTO=TCP SPT=443 DPT=12457 SEQ=3046585368 ACK=2408154252 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:28 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=41365 PROTO=TCP SPT=443 DPT=12458 SEQ=2472939503 ACK=826592960 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:32 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=54146 PROTO=TCP SPT=443 DPT=12457 SEQ=3046585368 ACK=2408154252 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:32 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST=LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=43531 PROTO=TCP SPT=443 DPT=12458 SEQ=2472939503 ACK=826592960 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=55085 PROTO=TCP SPT=443 DPT=12457 SEQ=3046585368 ACK=2408154252 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 12 20:26:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.206 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=44746 PROTO=TCP SPT=443 DPT=12458 SEQ=2472939503 ACK=826592960 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)

EDIT: debug data still not working?

Skynet: [Enabling All Debug Output] ... ... ...
Skynet: [Complete] 112406 IPs / 5150 Ranges banned. 4 New IPs / 0 New Ranges Banned. 128 IP / 2 Range Connections Blocked! [2s]
admin@RT-AC3200-0000:/jffs/scripts# sh /jffs/scripts/firewall stats 20
#!/bin/sh
#############################################################################################################
#                              _____ _                     _           ____        #
#                             / ____| |                   | |         |___ \       #
#                            | (___ | | ___   _ _ __   ___| |_  __   __ __) |      #
#                             \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /|__ <       #
#                             ____) |   <| |_| | | | |  __/ |_   \ V / ___) |      #
#                            |_____/|_|\_\\__, |_| |_|\___|\__|   \_(_)____/       #
#                                          __/ |                                   #
#                                         |___/                                    #
#                                                                                  #
## - 13/05/2017 -                  Asus Firewall Addition By Adamm v3.7.8          #
##                                 https://github.com/Adamm00/IPSet_ASUS           #
###################################################################################################################
###                            ----- Make Sure To Edit The Following Files -----  #
### /jffs/scripts/firewall-start                                 <-- Sets up cronjob/initial execution            #
### /jffs/scripts/firewall                                       <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                                      <-- Banned IP List/IPSet Rules                   #
###################################################################################################################

##############################
###       Commands         ###
##############################
#         "unban"            # <-- Remove Entry From Blacklist (IP/Range/Domain/All)
#         "save"             # <-- Save Blacklists To /jffs/scripts/ipset.txt
#         "ban"              # <-- Adds Entry To Blacklist (IP/Range/Domain/Country)
#         "banmalware"       # <-- Bans Various Malware Domains
#         "whitelist"        # <-- Add Entry To Whitelist (IP/Range/Domain)
#         "import"           # <-- Import And Merge IPSet Backup To Firewall
#         "disable"          # <-- Disable Firewall
#         "debug"            # <-- Enable/Disable Debug Output
#         "update"           # <-- Update Script To Latest Version (check github for changes)
#         "start"            # <-- Initiate Firewall
#         "stats"            # <-- Print Stats Of Recently Banned IPs (Requires debugging enabled)
##############################

No Debug Data Detected - Make Sure Debug Mode Is Enabled To Compile Stats
admin@RT-AC3200-0000:/jffs/scripts#

 

[Adamm]

EDIT: got it, forget to insert cd /jffs/scripts.....hmm, why same IP contacting me more times? why the IP isn`t banned at first atempt?

That output is perfect, each line means the firewall "blocked" that connection attempt sucessfully.

This ban in particular is a "false positive" though. What that means is the routers built in firewall detected it as a threat by mistake. I just pushed an update to help unban "false positives" every hour automatically. But beyond that your firewall is working perfectly.

Please update using the update command;

sh /jffs/scripts/firewall update

 

[bayern1975]

still can`t get working with sh /jffs/scripts/firewall stats 20 command? what are [BLOCKED - RAW] and [BLOCKED - NEW BAN] mean in syslog?

 

[Adamm]

still can`t get working with sh /jffs/scripts/firewall stats 20 command?

I just pushed another update (3.8.0) which will purge the syslog before attempting to detect debug data, this should fix your issue (and thanks for pointing out a bug in the logic!)

sh /jffs/scripts/firewall update

 

[bayern1975]

I just pushed another update (3.8.0) which will purge the syslog before attempting to detect debug data, this should fix your issue (and thanks for pointing out a bug in the logic!)

sh /jffs/scripts/firewall update

that was fast and now statistics working.....

Skynet: [New Version Detected - Updating To v3.8.0]... ... ...
Skynet: [Firewall Sucessfully Updated]
admin@RT-AC3200-0000:/jffs/scripts# sh /jffs/scripts/firewall stats 20
#!/bin/sh
#############################################################################################################
#                              _____ _                     _           ____        #
#                             / ____| |                   | |         |___ \       #
#                            | (___ | | ___   _ _ __   ___| |_  __   __ __) |      #
#                             \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /|__ <       #
#                             ____) |   <| |_| | | | |  __/ |_   \ V / ___) |      #
#                            |_____/|_|\_\\__, |_| |_|\___|\__|   \_(_)____/       #
#                                          __/ |                                   #
#                                         |___/                                    #
#                                                                                  #
## - 13/05/2017 -                  Asus Firewall Addition By Adamm v3.8.0          #
##                                 https://github.com/Adamm00/IPSet_ASUS           #
###################################################################################################################
###                            ----- Make Sure To Edit The Following Files -----  #
### /jffs/scripts/firewall-start                                 <-- Sets up cronjob/initial execution            #
### /jffs/scripts/firewall                                       <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                                      <-- Banned IP List/IPSet Rules                   #
###################################################################################################################

##############################
###       Commands         ###
##############################
#         "unban"            # <-- Remove Entry From Blacklist (IP/Range/Domain/All)
#         "save"             # <-- Save Blacklists To /jffs/scripts/ipset.txt
#         "ban"              # <-- Adds Entry To Blacklist (IP/Range/Domain/Country)
#         "banmalware"       # <-- Bans Various Malware Domains
#         "whitelist"        # <-- Add Entry To Whitelist (IP/Range/Domain)
#         "import"           # <-- Import And Merge IPSet Backup To Firewall
#         "disable"          # <-- Disable Firewall
#         "debug"            # <-- Enable/Disable Debug Output
#         "update"           # <-- Update Script To Latest Version (check github for changes)
#         "start"            # <-- Initiate Firewall
#         "stats"            # <-- Print/Search Stats Of Recently Banned IPs (Requires debugging enabled)
##############################

Skynet: [Removing 199.16.156.201 From Blacklist (false positive detected)]
Debug Data Detected in /jffs/skynet.log - 23.8K
Monitoring From May 12 20:26:25 To May 12 20:52:07
25 Connections Detected

Top 20 Ports Attacked;   (Port 80 or 443 Usually Indicates Website Blocking Hits)
10x http://www.speedguide.net/port.php?port=23
3x http://www.speedguide.net/port.php?port=7365
3x http://www.speedguide.net/port.php?port=22
2x http://www.speedguide.net/port.php?port=8080
1x http://www.speedguide.net/port.php?port=9999
1x http://www.speedguide.net/port.php?port=8888
1x http://www.speedguide.net/port.php?port=8081
1x http://www.speedguide.net/port.php?port=7547
1x http://www.speedguide.net/port.php?port=5060
1x http://www.speedguide.net/port.php?port=2323
1x http://www.speedguide.net/port.php?port=161

Top 20 Attacker Source Ports;
3x http://www.speedguide.net/port.php?port=63019
3x http://www.speedguide.net/port.php?port=59605
1x http://www.speedguide.net/port.php?port=64428
1x http://www.speedguide.net/port.php?port=58914
1x http://www.speedguide.net/port.php?port=56662
1x http://www.speedguide.net/port.php?port=53586
1x http://www.speedguide.net/port.php?port=5118
1x http://www.speedguide.net/port.php?port=50199
1x http://www.speedguide.net/port.php?port=47192
1x http://www.speedguide.net/port.php?port=46906
1x http://www.speedguide.net/port.php?port=46640
1x http://www.speedguide.net/port.php?port=44566
1x http://www.speedguide.net/port.php?port=44306
1x http://www.speedguide.net/port.php?port=43667
1x http://www.speedguide.net/port.php?port=40775
1x http://www.speedguide.net/port.php?port=36979
1x http://www.speedguide.net/port.php?port=24625
1x http://www.speedguide.net/port.php?port=23241
1x http://www.speedguide.net/port.php?port=21384
1x http://www.speedguide.net/port.php?port=14422

Last 20 Connections Blocked;
http://www.ip-tracker.org/locator/ip-lookup.php?ip=169.54.233.116
http://www.ip-tracker.org/locator/ip-lookup.php?ip=5.141.139.17
http://www.ip-tracker.org/locator/ip-lookup.php?ip=112.83.59.156
http://www.ip-tracker.org/locator/ip-lookup.php?ip=211.116.216.103
http://www.ip-tracker.org/locator/ip-lookup.php?ip=182.140.215.159
http://www.ip-tracker.org/locator/ip-lookup.php?ip=182.140.215.159
http://www.ip-tracker.org/locator/ip-lookup.php?ip=182.140.215.159
http://www.ip-tracker.org/locator/ip-lookup.php?ip=191.180.118.63
http://www.ip-tracker.org/locator/ip-lookup.php?ip=43.241.211.251
http://www.ip-tracker.org/locator/ip-lookup.php?ip=201.67.169.97
http://www.ip-tracker.org/locator/ip-lookup.php?ip=115.56.158.183
http://www.ip-tracker.org/locator/ip-lookup.php?ip=51.15.8.65
http://www.ip-tracker.org/locator/ip-lookup.php?ip=106.75.114.118
http://www.ip-tracker.org/locator/ip-lookup.php?ip=190.48.17.107
http://www.ip-tracker.org/locator/ip-lookup.php?ip=71.6.158.166
http://www.ip-tracker.org/locator/ip-lookup.php?ip=122.114.183.116
http://www.ip-tracker.org/locator/ip-lookup.php?ip=46.174.191.31
http://www.ip-tracker.org/locator/ip-lookup.php?ip=163.172.168.251
http://www.ip-tracker.org/locator/ip-lookup.php?ip=201.177.10.27
http://www.ip-tracker.org/locator/ip-lookup.php?ip=83.242.66.59

Last 20 New Bans;
http://www.ip-tracker.org/locator/ip-lookup.php?ip=5.141.139.17
http://www.ip-tracker.org/locator/ip-lookup.php?ip=182.140.215.159
http://www.ip-tracker.org/locator/ip-lookup.php?ip=191.180.118.63
http://www.ip-tracker.org/locator/ip-lookup.php?ip=201.67.169.97
http://www.ip-tracker.org/locator/ip-lookup.php?ip=115.56.158.183
http://www.ip-tracker.org/locator/ip-lookup.php?ip=178.149.243.216
http://www.ip-tracker.org/locator/ip-lookup.php?ip=58.141.161.120
http://www.ip-tracker.org/locator/ip-lookup.php?ip=41.32.148.98

Top 20 Attackers;
3x http://www.ip-tracker.org/locator/ip-lookup.php?ip=182.140.215.159
3x http://www.ip-tracker.org/locator/ip-lookup.php?ip=178.149.243.216
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=83.242.66.59
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=71.6.158.166
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=58.141.161.120
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=51.15.8.65
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=5.141.139.17
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=46.174.191.31
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=43.241.211.251
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=41.32.148.98
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=211.116.216.103
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=201.67.169.97
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=201.177.10.27
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=191.180.118.63
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=190.48.17.107
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=169.54.233.116
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=163.172.168.251
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=122.114.183.116
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=115.56.158.183
1x http://www.ip-tracker.org/locator/ip-lookup.php?ip=112.83.59.156

Skynet: [Complete] 112410 IPs / 5150 Ranges banned. 4 New IPs / 0 New Ranges Banned. 158 IP / 7 Range Connections Blocked! [2s]
admin@RT-AC3200-0000:/jffs/scripts#

 

[Adamm]

that was fast and now statistics working.....

Very nice

Glad to see it working on the AC3200.

 

[bayern1975]

Very nice

Glad to see it working on the AC3200.

how to check if everything working ok?

 

[Adamm]

how to check if everything working ok?

From what I see its working perfectly, the script has lots of checks in place to make sure. But for peace of mind, as long as everything is green it should be working.

sh /jffs/scripts/firewall debug info

 

[bayern1975]

From what I see its working perfectly, the script has lots of checks in place to make sure. But for peace of mind, as long as everything is green it should be working.

sh /jffs/scripts/firewall debug info

so, that is it:

Router Model: RT-AC3200-0000
Skynet Version: v3.8.0 (13/05/2017)
iptables v1.4.14
ipset v6.29, protocol version: 6
FW Version: 380.66_beta5-gfcbc4b3
Startup Entry Detected
Cronjob Detected
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 112427 IPs / 5150 Ranges banned. 8 New IPs / 0 New Ranges Banned. 234 IP / 9 Range Connections Blocked! [3s]

still do not know what are [BLOCKED - RAW] and [BLOCKED - NEW BAN] mean?

 

[Adamm]

so, that is it:

Yes that output means everything is working perfect.

still do not know what are [BLOCKED - RAW] and [BLOCKED - NEW BAN] mean?

[BLOCKED - NEW BAN] - means the firewall banned the IP and added it to the Blacklist.

[BLOCKED - RAW] - means the firewall blocked a connection attempt from a Blacklisted IP.

 

[thelonelycoder]

@Adamm
I want to make sure AB-Solution does not block the domains used for your script's lists.
I'd like to include the url list file this script uses to whitelist them in AB-Solution.
Is there a permanent file stored on the users device with the url's?
If so, please let me know the standard path/filename to it.
Thanks

 

[Adamm]

@Adamm
I want to make sure AB-Solution does not block the domains used for your script's lists.
I'd like to include the url list file this script uses to whitelist them in AB-Solution.
Is there a permanent file stored on the users device with the url's?
If so, please let me know the standard path/filename to it.
Thanks

The only files it downloads are /jffs/scripts/firewall - /tmp/malwarelist.txt and a country zone file based on user input from http://www.ipdeny.com/ipblocks/data/countries/$country.zone > /tmp/countrylist.txt

 

[thelonelycoder]

The only files it downloads are /jffs/scripts/firewall - /tmp/malwarelist.txt and a country zone file based on user input from http://www.ipdeny.com/ipblocks/data/countries/$country.zone > /tmp/countrylist.txt

Just as I thought, the malwarelist.txt is volatile and gets deleted after the run, right?

 

[Adamm]

Just as I thought, the malwarelist.txt is volatile and gets deleted after the run, right?

Correct and same with the country list, they are just used for processing.