
Skynet Skynet - Router Firewall & Security Enhancements


Hope this clears things up
Very helpful, thanks. So the preferred method of clearing a known good site is to whitelist the domain, and not whitelist the IP or unban either.
 
Very helpful, thanks. So the preferred method of clearing a known good site is to whitelist the domain, and not whitelist the IP or unban either.

When you use the "whitelist domain" command, it's the same as whitelisting the IP, it just automates the process of finding it for you (it uses the output of the command "nslookup URL"). Some websites use multiple IPs for redundancy so it's usually best to use the domain command when URL related.

Also when you whitelist an IP, it removes the IP from the blacklist, but this is not really necessary as the whitelist always takes priority over the blacklist if an entry appears on both.
 
@Adamm

While Whitelisting DNS server IPs this morning I noticed an error is being reported.

Code:
./firewall: line 988: arithmetic syntax error

The IPs did still get added to the Whitelist successfully.
 

Can you please post the output of

"sh /jffs/scripts/firewall debug info"
 
Code:
Router Model: RT-AC3100
Skynet Version: v4.9.8 (14/06/2017)
iptables v1.4.14 - (eth0)
ipset v6.29, protocol version: 6
FW Version: 380.66_4 (May 26 2017)
Install Dir; /tmp/mnt/USB1/skynet (28.2G Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/USB1
Install Dir Writeable
Startup Entry Detected
Cronjobs Detected
Autobanning Enabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
/jffs/scripts/firewall: line 988: arithmetic syntax error
 
While Whitelisting DNS server IP's this morning I noticed an error is being reported.

Okay, a little strange that first of all the autoupdate hasn't automatically updated you to 4.9.9. Second of all, that error indicates the script can't perform the required math to generate the hit counter (yet my workaround should avoid this).

Please post the output of;

Code:
cru l


iptables --line -vL -nt raw
 
Hi Adamm,

somehow your script doesn't detect my usb drive :)

Code:
USB Installation Selected
Compadible Devices To Install Are;

Please Type Device Label - eg /tmp/mnt/Main

Code:
/jffs/scripts# df -h -T
Filesystem           Type            Size      Used Available Use% Mounted on
/dev/root            squashfs       31.9M     31.9M         0 100% /
devtmpfs             devtmpfs      251.5M         0    251.5M   0% /dev
tmpfs                tmpfs         251.6M      1.2M    250.4M   0% /tmp
/dev/mtdblock4       jffs2          64.0M      2.9M     61.1M   4% /jffs
/dev/sda1            tfat           29.4G      2.0G     27.4G   7% /tmp/mnt/C_T_USB
 
somehow your script doesn't detect my usb drive

That is because you have it formatted as tfat, right now I have it only set to detect ext devices as I wasn't sure what exactly the router is compatible with. Do you have any other router related stuff on this device? If it works as per normal I can add support quite easily.
 

Code:
0 21 * * * /jffs/scripts/ledsoff.sh #lightsoff#
0 17 * * * /jffs/scripts/ledson.sh #lightson#
00 2 * * Thu /tmp/mnt/USB1/adblocking/addon/update-hosts.add cronjob #UpdateHosts#
20 5 * * * /tmp/mnt/USB1/adblocking/addon/rotate-logs.add #RotateLogs#
25 1 * * 1 sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
25 1 * * * sh /jffs/scripts/firewall update #Skynet_autoupdate#
0 * * * * sh /jffs/scripts/firewall save #Skynet_save#

Code:
Chain PREROUTING (policy ACCEPT 1050K packets, 203M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     166K   21M ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist dst
2       20  1280 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
3       20  1280 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges dst
4        3   152 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
5        3   152 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist dst
6     2011  255K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
7      250 10790 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
8      250 10790 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges src
9     213K   25M LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
10    213K   25M DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

Chain OUTPUT (policy ACCEPT 1247K packets, 217M bytes)
num   pkts bytes target     prot opt in     out     source               destination
 
That usb stick is from a computer magazine, there is only an archive of old editions on it till now ;) But I can access them over samba, so the router should support tfat :)
EDIT: But after reading about tfat I should better remove the files and reformat that drive.. :confused:
 

Everything looks normal, quite strange. Do me a favour and update to 4.9.9 and see if the error still occurs. Thanks
 

I mean, if you don't need to plug the device into a windows computer (if it's a dedicated router stick you shouldn't) ext4 is a pretty good option.

Reading about tfat in particular there is always this too;

Due to the lack of support in desktop operating systems, neither TFAT nor TexFAT are recommended for removable media. While the desktop OS could still read the drive, it could not use the transaction-safe features, so unexpected removal or a power outage could lead to data loss. In addition, directories created under the desktop OS may not be transaction-safe even if the drive is later attached to a TFAT/TexFAT aware operating system.[1]

Regardless I added support, you will need to force update to download it as I didn't change the version number ( sh /jffs/scripts/firewall update -f )
 

Thank you anyway for your fast response, already updated and it worked! :)
 

Manually updated with ./firewall update and reran ./firewall debug info

Code:
Router Model: RT-AC3100
Skynet Version: v4.9.9 (14/06/2017)
iptables v1.4.14 - (eth0)
ipset v6.29, protocol version: 6
FW Version: 380.66_4 (May 26 2017)
Install Dir; /tmp/mnt/USB1/skynet (28.2G Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/USB1
Install Dir Writeable
Startup Entry Detected
Cronjobs Detected
Autobanning Enabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 124315 IPs / 25923 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [1s]

Looks Good :)
 

I looked again at the situation now I'm more awake and found the cause of the math error. Your blacklist hit counter was at 213,000... That's a lot for 3 days, like lots. I had personally never gotten the counter so high so I never thought to add support for the rounded numbers (213,000 is displayed as 213k so unix doesn't know how to do math with letters). I have a feeling there may be a false positive or two on your blacklist from before we settled on a "mature" rule list causing the excessive hit counter. I suggest you run;

Code:
sh /jffs/scripts/firewall unban nomanual

Then re-download any banmalware or country lists you have applied. Apart from that I will be adding support for letters shortly, but I'm still stumped as to why autoupdate wasn't being triggered on the cron, but I guess that's a mystery for another day.

EDIT; I pushed a fix for rounded numbers, shouldn't be an issue in future.
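The rounded counter behind the arithmetic error: `iptables -vL` abbreviates large packet and byte counts with K/M/G suffixes, and shell `$(( ))` arithmetic cannot consume "213K". The following is an added example (not Skynet's own code) that expands such a counter to an integer and sums the DROP hits per direction from a listing in the format posted earlier in the thread; the function names are mine and the sample listing is a trimmed copy of that posted output.

```shell
#!/bin/sh
# "iptables -vL" abbreviates large counters (213000 packets prints as 213K,
# 21000000 bytes as 21M), so feeding the pkts column straight into $(( ))
# fails with "arithmetic syntax error". expand_counter() turns such a value
# back into a plain integer; anything that is not a counter returns 1.
expand_counter() {
    num="$1" mult=1
    case "$num" in
        *K) mult=1000 ; num="${num%K}" ;;
        *M) mult=1000000 ; num="${num%M}" ;;
        *G) mult=1000000000 ; num="${num%G}" ;;
    esac
    case "$num" in
        ''|*[!0-9]*) return 1 ;;   # not an integer counter
    esac
    printf '%s\n' "$(( num * mult ))"
}

# Sum the packet counters of DROP rules for one direction from an
# "iptables --line -vL -nt raw" listing read on stdin:
#   src = inbound  (Blacklist/BlockedRanges matched on the source address)
#   dst = outbound (matched on the destination address)
blocked_hits() {
    dir="$1" total=0
    while read -r num pkts bytes target rest; do
        case "$target" in DROP) ;; *) continue ;; esac
        case "$rest" in
            *"match-set Blacklist $dir"*|*"match-set BlockedRanges $dir"*)
                n=$(expand_counter "$pkts") || continue
                total=$(( total + n )) ;;
        esac
    done
    printf '%s\n' "$total"
}

# Sample listing, trimmed from the raw-table output posted earlier in the thread.
sample_raw() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 1050K packets, 203M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     166K   21M ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist dst
2       20  1280 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
3       20  1280 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges dst
4        3   152 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
5        3   152 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist dst
8      250 10790 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges src
10    213K   25M DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src
EOF
}

# Stand-alone run: prints the inbound and outbound hit totals.
printf 'inbound %s outbound %s\n' "$(sample_raw | blocked_hits src)" "$(sample_raw | blocked_hits dst)"
```

When you control the iptables invocation, `iptables -x` (`--exact`) prints the unrounded counters and removes the need for the conversion.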
 
I know this next question has been asked before, two or three years ago (in v2.5, if I recall correctly when I was searching), but as the script has undergone so many changes, I can't figure out whether the same functionality is still available in the current version, but I needed to temporarily open ssh for wan access, and nearly immediately I noticed people knocking on my doors. Unfortunately for them, password authentication is not allowed, authorised keys only, but I'd still like a way to automatically ban them.

I started checking the list manually by banning them individually, but the logs are filling up rapidly at a pace that I can't ban them manually:

Code:
marco@RT-AC68U:/tmp/home/root# cat /jffs/syslog.log | grep 'nonexistent'
Jun 17 16:55:18 dropbear[12384]: Login attempt for nonexistent user from 188.19.34.28:36530
Jun 17 16:55:18 dropbear[12384]: Login attempt for nonexistent user from 188.19.34.28:36530
Jun 17 16:55:19 dropbear[12384]: Login attempt for nonexistent user from 188.19.34.28:36530
Jun 17 16:55:19 dropbear[12384]: Login attempt for nonexistent user from 188.19.34.28:36530
Jun 17 16:55:19 dropbear[12384]: Login attempt for nonexistent user from 188.19.34.28:36530
Jun 17 16:55:20 dropbear[12384]: Login attempt for nonexistent user from 188.19.34.28:36530
Jun 17 16:55:20 dropbear[12384]: Login attempt for nonexistent user from 188.19.34.28:36530
Jun 17 16:55:20 dropbear[12384]: Login attempt for nonexistent user from 188.19.34.28:36530
Jun 17 16:55:21 dropbear[12384]: Login attempt for nonexistent user from 188.19.34.28:36530
Jun 17 16:55:21 dropbear[12384]: Login attempt for nonexistent user from 188.19.34.28:36530
Jun 17 17:32:49 dropbear[15926]: Login attempt for nonexistent user from 180.139.167.225:38792
Jun 17 17:32:50 dropbear[15926]: Login attempt for nonexistent user from 180.139.167.225:38792
Jun 17 17:32:51 dropbear[15926]: Login attempt for nonexistent user from 180.139.167.225:38792
Jun 17 17:32:51 dropbear[15926]: Login attempt for nonexistent user from 180.139.167.225:38792
Jun 17 17:32:52 dropbear[15926]: Login attempt for nonexistent user from 180.139.167.225:38792
Jun 17 17:32:53 dropbear[15926]: Login attempt for nonexistent user from 180.139.167.225:38792
Jun 17 17:32:53 dropbear[15926]: Login attempt for nonexistent user from 180.139.167.225:38792
Jun 17 17:32:54 dropbear[15926]: Login attempt for nonexistent user from 180.139.167.225:38792
Jun 17 17:32:55 dropbear[15926]: Login attempt for nonexistent user from 180.139.167.225:38792
Jun 17 17:32:55 dropbear[15926]: Login attempt for nonexistent user from 180.139.167.225:38792
Jun 17 17:55:12 dropbear[18025]: Login attempt for nonexistent user from 190.51.0.84:57691
Jun 17 17:55:13 dropbear[18025]: Login attempt for nonexistent user from 190.51.0.84:57691
Jun 17 17:55:13 dropbear[18025]: Login attempt for nonexistent user from 190.51.0.84:57691
Jun 17 17:55:14 dropbear[18025]: Login attempt for nonexistent user from 190.51.0.84:57691
Jun 17 17:55:14 dropbear[18025]: Login attempt for nonexistent user from 190.51.0.84:57691
Jun 17 17:55:15 dropbear[18025]: Login attempt for nonexistent user from 190.51.0.84:57691
Jun 17 17:55:16 dropbear[18025]: Login attempt for nonexistent user from 190.51.0.84:57691
Jun 17 17:55:16 dropbear[18025]: Login attempt for nonexistent user from 190.51.0.84:57691
Jun 17 17:55:17 dropbear[18025]: Login attempt for nonexistent user from 190.51.0.84:57691
Jun 17 17:55:17 dropbear[18025]: Login attempt for nonexistent user from 190.51.0.84:57691
Jun 17 19:36:07 dropbear[27614]: Login attempt for nonexistent user from 81.174.255.65:34910
Jun 17 19:36:07 dropbear[27614]: Login attempt for nonexistent user from 81.174.255.65:34910
Jun 17 19:36:08 dropbear[27614]: Login attempt for nonexistent user from 81.174.255.65:34910
Jun 17 19:36:08 dropbear[27614]: Login attempt for nonexistent user from 81.174.255.65:34910
Jun 17 19:36:08 dropbear[27614]: Login attempt for nonexistent user from 81.174.255.65:34910
Jun 17 19:36:09 dropbear[27614]: Login attempt for nonexistent user from 81.174.255.65:34910
Jun 17 19:36:09 dropbear[27614]: Login attempt for nonexistent user from 81.174.255.65:34910
Jun 17 19:36:09 dropbear[27614]: Login attempt for nonexistent user from 81.174.255.65:34910
Jun 17 19:36:10 dropbear[27614]: Login attempt for nonexistent user from 81.174.255.65:34910
Jun 17 19:36:10 dropbear[27614]: Login attempt for nonexistent user from 81.174.255.65:34910

only to find out that none of them are already blocked. @Adamm, is there any functionality in the Skynet code to ban them automatically? I have brute force SSH protection on, I noticed there are two lines in iptables regarding ssh (but haven't yet found out what they do exactly):

Code:
marco@RT-AC68U:/tmp/home/root# iptables -L -v --line-numbers | grep 'ssh'
2     3165  333K SECURITY_PROTECT  tcp  --  any    any     anywhere             anywhere             multiport dports ssh
8      145  7732 SSHBFP     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh state NEW

Any thoughts how to stop them from knocking at my rear SSH door? As in banning them sooner than 10 attempts? I can't specify a single IP because when I log in remotely, the IPs assigned are all over the map.
 
@Adamm, would you be able to add capability of exporting and re-importing whitelist? I found that a lot of things stop working without a whitelist in place, so it kind of grew to a hundred plus addresses. Every time I have to reset the firewall, I seem to lose it and have to re-enter everything manually. I could script the process for myself, but I think others may benefit of it as well.
 

The whitelist is saved upon almost every user interaction and hourly along with the blacklist @ $location/scripts/ipset.txt ($location either being your USB device or /jffs)

If said lists aren't saving I think that indicates a bigger issue (the location is possibly out of space?), can you please post the output of;

Code:
sh /jffs/scripts/firewall debug info
 

Looking further into this, ASUS actually just updated their SSH BFD last month in 380_7627 (this is part of the current Merlin alpha). This new setup only allows 4 attempts every 60 seconds, I've modified this instead and now it will add any offenders directly to the Blacklist.

This feature will only work if you are running Skynet v4.9.10, SSH is set to LAN+WAN, BFD is enabled and you are running Merlin 380.67 (currently in alpha so you will need to update).
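As an added example (not part of Skynet or the ASUS BFD code), this reads dropbear syslog lines like those pasted in the question above and flags source addresses whose nonexistent-user login attempts reach a threshold within a time window, which is the kind of evidence a blacklist decision can rest on. The function names, the 4-attempts-in-60-seconds defaults and the sample lines (documentation-range addresses, same day) are constructed for the example.

```shell
#!/bin/sh
# Flag source IPs whose dropbear "nonexistent user" login attempts reach a
# threshold (default 4) within a window in seconds (default 60). Reads syslog
# lines on stdin and prints "IP total_attempts", one per line, in the order
# the addresses were first flagged. Timestamps come from the syslog
# "Mon DD HH:MM:SS" prefix; all lines are assumed to be from the same day.
ssh_offenders() {
    threshold="${1:-4}"
    window="${2:-60}"
    awk -v n="$threshold" -v w="$window" '
        /dropbear\[[0-9]+\]: Login attempt for nonexistent user from/ {
            split($3, t, ":")                   # HH:MM:SS -> seconds of day
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            ip = $NF                            # last field is IP:port
            sub(/:[0-9]+$/, "", ip)
            c = ++count[ip]
            stamp[ip, c] = secs
            # flag once the n-th attempt falls within w seconds of the
            # (c-n+1)-th one, i.e. n attempts inside one sliding window
            if (!(ip in flagged) && c >= n && secs - stamp[ip, c - n + 1] <= w) {
                flagged[ip] = 1
                order[++k] = ip
            }
        }
        END { for (i = 1; i <= k; i++) print order[i], count[order[i]] }'
}

# Constructed sample log (not taken from any real system): one fast burst,
# one slow trickle that never fits in a 60 s window, one short burst, and an
# unrelated line that must be ignored.
sample_log() {
    cat <<'EOF'
Jun 17 16:55:18 dropbear[12384]: Login attempt for nonexistent user from 192.0.2.10:36530
Jun 17 16:55:18 dropbear[12384]: Login attempt for nonexistent user from 192.0.2.10:36530
Jun 17 16:55:19 dropbear[12384]: Login attempt for nonexistent user from 192.0.2.10:36530
Jun 17 16:55:20 dropbear[12384]: Login attempt for nonexistent user from 192.0.2.10:36530
Jun 17 16:55:21 dropbear[12384]: Login attempt for nonexistent user from 192.0.2.10:36530
Jun 17 17:02:00 dropbear[15926]: Login attempt for nonexistent user from 198.51.100.7:38792
Jun 17 17:10:00 dropbear[15926]: Login attempt for nonexistent user from 198.51.100.7:38792
Jun 17 17:20:00 dropbear[15926]: Login attempt for nonexistent user from 198.51.100.7:38792
Jun 17 17:30:00 dropbear[15926]: Login attempt for nonexistent user from 198.51.100.7:38792
Jun 17 17:40:00 dropbear[15926]: Login attempt for nonexistent user from 198.51.100.7:38792
Jun 17 18:00:05 dropbear[27614]: Login attempt for nonexistent user from 203.0.113.9:34910
Jun 17 18:00:06 dropbear[27614]: Login attempt for nonexistent user from 203.0.113.9:34910
Jun 17 18:00:07 dropbear[27614]: Login attempt for nonexistent user from 203.0.113.9:34910
Jun 17 18:00:08 dropbear[27614]: Login attempt for nonexistent user from 203.0.113.9:34910
Jun 17 18:00:09 dropbear[18025]: Exit (admin): Disconnect received
EOF
}

# Stand-alone run with the defaults (4 attempts within 60 seconds).
sample_log | ssh_offenders
```

On the router the same function can be fed with `grep nonexistent /jffs/syslog.log` and its output passed to the script's ban command; the hourly whitelist/blacklist save mentioned above then persists the result.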
 

Here you go:
Code:
#!/bin/sh
#############################################################################################################
#                  _____ _                     _           _  _                       #
#                  / ____| |                   | |         | || |                    #
#                | (___ | | ___   _ _ __   ___| |_  __   _| || |_                    #
#                  \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /__   _|                    #
#                  ____) |   <| |_| | | | |  __/ |_   \ V /   | |                    #
#                |_____/|_|\_\\__, |_| |_|\___|\__|   \_(_)  |_|                     #
#                              __/ |                                                 #
#                               |___/                                                   #
#                                                        #
## - 17/06/2017 -          Asus Firewall Addition By Adamm v4.9.9                    #
##                  https://github.com/Adamm00/IPSet_ASUS                    #
#############################################################################################################

##############################
###      Commands      ###
##############################
#      "unban"        # <-- Remove Entry From Blacklist (IP/Range/Domain/Port/Country/Malware/Nomanual/All)
#      "ban"            # <-- Adds Entry To Blacklist (IP/Range/Domain/Port/Country)
#      "banmalware"        # <-- Bans Various Malware Domains
#      "whitelist"        # <-- Add Entry To Whitelist (IP/Range/Domain/Port/Remove)
#      "import"        # <-- Bans All IPs From URL
#      "deport"        # <-- Unbans All IPs From URL
#      "save"        # <-- Save Blacklists To ipset.txt
#      "disable"        # <-- Disable Firewall
#      "update"        # <-- Update Script To Latest Version (check github for changes)
#      "debug"        # <-- Debug Features (Restart/Disable/Watch/Info)
#      "stats"        # <-- Show/Search Stats Of Banned IPs (Requires debugging enabled)
#      "install"          # <-- Install Script (Or Change Boot Args)
#      "uninstall"        # <-- Uninstall All Traces Of Skynet
##############################

Router Model: RT-AC88U
Skynet Version: v4.9.9 (17/06/2017)
iptables v1.4.14 - (eth0)
ipset v6.29, protocol version: 6
FW Version: 380.67_alpha2-g925f2ea (Jun 11 2017)
Install Dir; /jffs (64.0M Space Available)
Boot Args; /jffs/scripts/firewall start noautoban debug banmalware autoupdate 
Install Dir Writeable
Startup Entry Detected
Cronjobs Detected
Autobanning Disabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 134956 IPs / 4449 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 249 Inbound / 1045 Outbound Connections Blocked! [2s]
admin@RT-AC88U:/jffs/scripts#
 
