Skynet - Router Firewall & Security Enhancements
hggomes hasn't been around lately, I suspect he might be on vacation. We haven't had the usual Portuguese vs Russian banter between him and themiron on IRC lately :)
 
hggomes hasn't been around lately, I suspect he might be on vacation. We haven't had the usual Portuguese vs Russian banter between him and themiron on IRC lately :)

Haha, can't beat a good ol' bit of banter, and I imagine Portuguese vs Russian would be right up there.


 
Default message log level: Notice
Log only messages more urgent than: debug
My logs show this message now.
Code:
Aug 17 14:22:15 Skynet: [INFO] Lock File Detected (pid=6808) - Exiting
Aug 17 14:22:33 Skynet: [Complete] 139836 IPs / 3412 Ranges Banned. 139836 New IPs / 3412 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [30s]
Is this locked file going to be a problem going forward??
 
Sorry if this is answered elsewhere, does Skynet block the MS telemetry servers?
# This file contains the blacklisted domains used by iblocklist-loader (Referenced via BLACKLIST_DOMAINS_FILE= line)
# The IPv4 addresses for the domains in this file would be added to an ipset list called [BlacklistDomains] and then
# an iptables DROP/REJECT rule will be created by iblocklist-loader. These domains would be processed right after the
# WHITELIST_DOMAINS_FILE processing.

# Below are some telemetry and scanner blocking found from the sources as indicated.
# You can add to this list any domains you'd like to explicitly block

# Telemetry servers from http://cyberwarzone.com/block-these-ips-to-stop-microsoft-from-snooping-on-your-windows-10-device/

# Shodan and project25499 scanners from http://wiki.ipfire.org/en/configuration/firewall/blockshodan

# Ragentek Android OTA MITM Vulnerability from https://www.kb.cert.org/vuls/id/624539
 
Is this locked file going to be a problem going forward??

That's intended behavior. During a firewall restart the firewall-start file is executed twice, so I created a lockfile system so there are no race conditions or unexpected behavior in the event certain Skynet commands are run. There are many other "safety nets" like this throughout the script to prevent unexpected behavior.

Sorry if this is answered elsewhere, does Skynet block the MS telemetry servers?

Yes
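An added example (not Skynet's own code) of the lock-file pattern described above: the first invocation records its PID atomically, a concurrent second invocation sees a live holder and exits, and a lock left behind by a process that is no longer running is treated as stale. The lock path is an assumption.

```shell
#!/bin/sh
# Added example, not Skynet's own code. LOCKFILE path is an assumption;
# on a router it would live under /tmp or /jffs like the real script's lock.
LOCKFILE="${LOCKFILE:-/tmp/skynet-example.lock}"

# acquire_lock: returns 0 when the caller now holds the lock, 1 when another
# live process holds it. A lock whose PID is no longer running (crash, or a
# reboot with a persistent lock path) is treated as stale and taken over.
acquire_lock() {
    # noclobber (set -C) makes the redirection fail if the file already
    # exists, so creating the lock file is atomic between two shells.
    if ( set -C; echo "$$" > "$LOCKFILE" ) 2>/dev/null; then
        return 0
    fi
    oldpid=$(cat "$LOCKFILE" 2>/dev/null)
    if [ -n "$oldpid" ] && kill -0 "$oldpid" 2>/dev/null; then
        return 1    # holder is alive: this is the duplicate run, exit
    fi
    echo "$$" > "$LOCKFILE"   # stale lock: take it over
    return 0
}

# release_lock: remove the lock only if this process is the one holding it.
release_lock() {
    if [ "$(cat "$LOCKFILE" 2>/dev/null)" = "$$" ]; then
        rm -f "$LOCKFILE"
    fi
    return 0
}

# lock_holder: PID recorded in the lock file (empty when there is no lock).
lock_holder() { cat "$LOCKFILE" 2>/dev/null; return 0; }

# Typical use at the top of a script such as firewall-start:
#   acquire_lock || { echo "Skynet: [INFO] Lock File Detected - Exiting"; exit 0; }
#   trap release_lock EXIT
```

The stale-lock takeover is not itself atomic; two runs that both find a dead PID at the same instant could both proceed, which is acceptable for a firewall script but not for anything that needs a strict mutex.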
 
That's intended behavior. During a firewall restart the firewall-start file is executed twice, so I created a lockfile system so there are no race conditions or unexpected behavior in the event certain Skynet commands are run. There are many other "safety nets" like this throughout the script to prevent unexpected behavior.



Yes
Totally excellent script!! Man it works well!!
 
After a few days of using Skynet on two routers, I was so impressed with its functionality and how clean it is (no bloat!) that I went ahead and upgraded the router at the school I support as a volunteer to the 380.68 Beta 1 Firmware so I could install Skynet on it. I usually wait and don't install beta releases on this router. But it was hard to resist after seeing how awesome Skynet is combined with the new features of 380.68!
 
After a few days of using Skynet on two routers, I was so impressed with its functionality and how clean it is (no bloat!) that I went ahead and upgraded the router at the school I support as a volunteer to the 380.68 Beta 1 Firmware so I could install Skynet on it. I usually wait and don't install beta releases on this router. But it was hard to resist after seeing how awesome Skynet is combined with the new features of 380.68!
Yep, I second your remarks. I have now installed this beta firmware and Skynet on my Mom's ac68u. It is truly a great script!
 
After I enabled the script and turned on malware blocking, it started blocking other things like icmp type 8 packets, aka traceroute. I was under the impression that the malware blocking only did sites. Is there a way to whitelist or unban icmp type 8 packets?
 
After I enabled the script and turned on malware blocking, it started blocking other things like icmp type 8 packets, aka traceroute. I was under the impression that the malware blocking only did sites. Is there a way to whitelist or unban icmp type 8 packets?

I don't specifically block any ICMP related requests, I just modify the behavior of the default rules so anything that's pushed to the logdrop chain is blacklisted rather than the specific packets only being dropped.

In this case, if requests are being blocked that's because of the router's default iptables ruleset.
 
After I enabled the script and turned on malware blocking, it started blocking other things like icmp type 8 packets, aka traceroute. I was under the impression that the malware blocking only did sites. Is there a way to whitelist or unban icmp type 8 packets?
I was experimenting with MTU settings on my pfSense box recently and noticed ipv4 ip addresses did not show up when doing traceroutes on websites (ipv6 showed up okay) and http web sites not displaying in the browser. I had changed from 1492 to 1500. I set it back to 1492 and no problems since. May not apply to your situation but it is a variable to look at.
 
I don't specifically block any ICMP related requests, I just modify the behavior of the default rules so anything that's pushed to the logdrop chain is blacklisted rather than the specific packets only being dropped.

In this case, if requests are being blocked that's because of the router's default iptables ruleset.
With that I figured it out. There is a default SECURITY chain that has icmptype 8 limit: avg 1/sec burst 5 and another icmptype 8 in it that blocks it if you exceed the limit. I flushed the chain and enabled Skynet and everything works like it is supposed to.
 
Also figured out that the SECURITY chain is enabled and disabled on the Firewall screen by clicking the enable DoS protection.

My permanent fix is to add this to my firewall-start:
iptables -D SECURITY 5
iptables -D SECURITY 5

That deletes only the two icmptype rules from the SECURITY chain.
 
With that I figured it out. There is a default SECURITY chain that has icmptype 8 limit: avg 1/sec burst 5 and another icmptype 8 in it that blocks it if you exceed the limit. I flushed the chain and enabled Skynet and everything works like it is supposed to.

IIRC that chain is only used when "DoS Protection" is enabled in the WebUI, which realistically is just some rate limiting on certain packets.
 
My permanent fix is to add this to my firewall-start:
iptables -D SECURITY 5
iptables -D SECURITY 5

I'd suggest not using the rule number but instead referencing the whole rule, I can see situations where you will inadvertently remove the wrong rule by accident. Alternatively you could just disable DoS protection.
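An added example (not Skynet's or the poster's code) of the suggestion above: delete an iptables rule by its full specification, and only when `iptables -C` confirms it is present, so a script that runs twice never deletes whatever happens to sit at position 5. The two rule specs for the SECURITY chain are assumptions about what the router's DoS protection installs; take the exact spec from `iptables -S SECURITY` on your own unit.

```shell
#!/bin/sh
# Added example, not Skynet's own code: delete an iptables rule by its full
# specification and only if it is currently present, so the same script can
# run twice (as firewall-start does) without removing an unrelated rule.
# IPT can be overridden so the logic is testable without root or iptables.
IPT="${IPT:-iptables}"

# delete_rule CHAIN RULE-SPEC...
# Returns 0 if the rule was present and deleted, 2 if it was not present
# (nothing changed), 1 if iptables itself failed on the delete.
delete_rule() {
    chain="$1"; shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" -D "$chain" "$@" || return 1
        return 0
    fi
    return 2
}

# The two ICMP echo-request rules the poster wanted removed from SECURITY.
# These specs are ASSUMPTIONS about what "DoS protection" installs; copy the
# exact spec from `iptables -S SECURITY` on your router before using this.
remove_icmp_ratelimit() {
    rc=0
    delete_rule SECURITY -p icmp --icmp-type 8 -m limit --limit 1/sec --limit-burst 5 -j RETURN || rc=$?
    [ "$rc" -eq 1 ] && return 1
    rc=0
    delete_rule SECURITY -p icmp --icmp-type 8 -j DROP || rc=$?
    [ "$rc" -eq 1 ] && return 1
    return 0
}
```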
 
This may be a silly question, but if the firewall is already blocking attempts, what extra protection does banning bring?

Also loving the smoothness of deploying this script. Now I just need to make a little utility for the wife to whitelist domains, as her survey sites are often picked up on malware/tracking lists, though they are quite safe!
 
This may be a silly question, but if the firewall is already blocking attempts, what extra protection does banning bring?

It's a more permanent solution, as the router by default has no real way to do this. If you are caught port-scanning/brute-forcing once, there's a good chance they (usually bots) will try it again in the future, and it's not the type of traffic you want on your router.

Now I just need to make a little utility for the wife to whitelist domains

Code:
sh /jffs/scripts/firewall whitelist domain xxxxx.com
 
I've upgraded router firmware to 380.68, and ran another install for Skynet... everything seemed to go well. I went through the steps of adding country bans, and got this error message below...

Removing Previous Country Bans
Banning Known IP Ranges For ru cn kp iq ir sa il
Downloading Lists
Filtering IPv4 Ranges & Applying Blacklists
ipset v6.32: Error in line 1: Comment cannot be used: set was created without comment support
Saving Changes
Skynet: [Complete] 133174 IPs / 2979 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 37 Inbound / 0 Outbound Connections Blocked! [7s]

Please let me know what this ipset error means, what I need to do to resolve, and what effects this has...? Thank you...
 
Please let me know what this ipset error means, what I need to do to resolve, and what effects this has...? Thank you...

Basically it's saying your IPSet wasn't automatically converted to support comments (not sure why, as it does this check every time Skynet is started).

Run the following:

Code:
sh /jffs/scripts/firewall update -f

Then wait about 30s until Skynet restarts and check whether you are still receiving the error.
 
