
Skynet - Router Firewall & Security Enhancements


Hi Adamm, thank you very much for the script!
I want to force my clients to use the router's DNS so I went to AiProtection -> DNS Filtering and enabled it with the Router filter.
But together with Skynet it makes the CPU cores go nuts. It only seems to get back to normal if I disable DNS Filtering and uninstall and reinstall Skynet.
 
Do you know a workaround? Thanks.

Skynet doesn't interfere with DNS settings at all, so I would assume your issue is elsewhere.
 
@Adamm if I'd like to change the frequency of how often new malware entries get pulled, I'd have to adjust the cron entry within the script... is this correct?
 

Yes, but as the change will get lost per update, I suggest you rather remove the cron via a line in firewall-start, then re-add it with the frequency you want.
 
I want to force my clients to use the router's DNS so I went to AiProtection -> DNS Filtering and enabled it with the Router filter. But together with Skynet it makes the cores go nuts. It only seems to get back to normal if I disable DNS Filtering and uninstall and reinstall Skynet.

Skynet doesn't interfere with DNS settings at all, so I would assume your issue is elsewhere.

I've had similar issues with DNS Filtering, in my case bypassing AB-Solution and Pixelserv-TLS altogether (and probably Skynet as well, but the lack of ad-blocking was what alerted me that something was wrong), so I stopped using DNS Filtering (after three days I needed to figure it out with the assistance of several other forum members).

One thing for sure: this is not an issue caused by Skynet which is pure awesomeness. It actually wouldn't surprise me, with what I've learned over the past few days, that DNS Filtering causes the same issues in your case @routers, thus bypassing Skynet. With my limited knowledge, I think you have two options to achieve what you want:

a.) Create some custom IPtables rules to force all outgoing DNS queries to the DNS servers of your choice (this was actually removed by @RMerlin from the current wiki because of the implementation of DNS Filtering, but the link is to a previous version, and I'm assuming here it would be possible to use alongside Skynet - @Adamm, please correct me if I'm wrong) or

b.) You could consider installing DNSCrypt using the installer script by @bigeyes0x0, which not only encrypts DNS queries but also offers the possibility to force all DNS queries on your local network through DNSCrypt towards the DNS server(s) of your choice.

If anyone thinks I am talking gibberish, please feel free to drop in, as there are many others around with far more (up to date) knowledge. My knowledge dates back to when IPTables were built by writing on a clay tablet...
 
Hi there,

When I try to use the script it doesn't work, since a week ago. I tried to reboot and reinstall it; it is the same.

Even if I launch it with info, debug, whitelist domain, even disable or uninstall etc., it runs but it is like it is still open and nothing happens. I can write, and have to Ctrl+C to exit, but nothing works:
ASUSWRT-Merlin R7000 380.68-1 Thu Aug 24 04:24:06 UTC 2017
:/tmp/home/root# sh /jffs/scripts/firewall info
#!/bin/sh
#############################################################################################################
#                                _____ _                     _           _____                              #
#                               / ____| |                   | |         | ____|                             #
#                              | (___ | | ___   _ _ __   ___| |_  __   _| |__                               #
#                               \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /___ \                              #
#                               ____) |   <| |_| | | | |  __/ |_   \ V / ___) |                             #
#                              |_____/|_|\_\\__, |_| |_|\___|\__|   \_/ |____/                              #
#                                            __/ |                                                          #
#                                           |___/                                                           #
#                                                                                                           #
## - 30/08/2017 -                   Asus Firewall Addition By Adamm v5.1.7                                  #
##                                  https://github.com/Adamm00/IPSet_ASUS                                   #
#############################################################################################################


##############################
###        Commands        ###
##############################
#  "unban"                   # <-- Remove From Blacklist (IP/Range/Domain/Port/Comment/Country/Malware/Autobans/Nomanual/All)
#  "ban"                     # <-- Adds Entry To Blacklist (IP/Range/Domain/Port/Country)
#  "banmalware"              # <-- Bans Various Malware Domains
#  "whitelist"               # <-- Add Entry To Whitelist (IP/Range/Domain/Port/Remove)
#  "import"                  # <-- Bans All IPs From URL
#  "deport"                  # <-- Unbans All IPs From URL
#  "save"                    # <-- Save Blacklists To ipset.txt
#  "disable"                 # <-- Disable Firewall
#  "update"                  # <-- Update Script To Latest Version (check github for changes)
#  "debug"                   # <-- Debug Features (Restart/Disable/Watch/Info)
#  "stats"                   # <-- Show/Search Stats Of Banned IPs (Requires debugging enabled)
#  "install"                 # <-- Install Script (Or Change Boot Args)
#  "uninstall"               # <-- Uninstall All Traces Of Skynet
##############################
Any clues ? Thanks
 

First of all, the command from your snippet is wrong; it's actually "sh /jffs/scripts/firewall debug info"

Secondly, this script was made and tested with Asus routers. So if it doesn't work on a "hacked" firmware for a Netgear device I don't really have a huge priority in supporting it nor any way to test changes.
 
It seems to work now. I had an old NTP IP in my hosts.add and in the log file lots of "start ntp". I deleted my old hosts.add entries and it's now OK.
 

Yes, Skynet specifically waits until NTP is up and running on the router so timestamps are accurate for various actions. So if it fails to start for whatever reason, Skynet will also.
 
As of v5.1.9 Skynet should have much better VPN compatibility. Thanks to the team at Astrill VPN (who provide a plugin for AsusWRT-Merlin), who were able to help me out with a development account, making the process much smoother.

Their plugin in particular should be fully supported, along with any other (router) OpenVPN clients. I recommend checking them out, really friendly support team and versatile product.
 
@Adamm and @MarCoMLXXV thank you for your inputs regarding coexistence with DNSfilter. I don't know how I missed your replies. I will try to implement the iptables rules from the old merlin wiki entry and report back in a few days.

The actual bad guy is Windows 10. I suspect it can circumvent the DHCP-provided DNS server so it can serve its master. I use WindowsSpyBlocker's IPs plus its Dnsmasq rules to do what I can to block the data collection.

(I consider creating a feature request at WindowsSpyBlocker to ask if they could provide their lists in CIDR format - or to Adamm, here is a feature request to do the hard work to update the regex to understand the provided ranges).
 
here is a feature request to do the hard work to update the regex to understand the provided ranges

While simple in concept, it's actually a lot of code required to break down or generate CIDR ranges in bash. It's a lot easier in other languages. I've looked into similar ideas previously (specifically breaking down CIDR ranges into IP lists) and decided it was not really worthwhile for this project. Skynet is only around 1000 lines of code, whereas a function like this alone would be a huge portion for little benefit.

With that being said, in this list specifically all the ranges are .0 - .255, so you can convert the list to something Skynet understands via:

Code:
/usr/sbin/wget "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/firewall/win10/spy.txt" -qO- | sed 's~-.*~/24~'

Then upload it to somewhere like pastebin so you can feed it to the import command. For convenience I did this already.

Code:
sh /jffs/scripts/firewall import https://pastebin.com/raw/5WbjCKbz
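
The sed one-liner in the post above is exact only because every range in that list is a full .0 - .255 block. As an added example (not from the thread or from Skynet), this Python sketch converts arbitrary start-end ranges into minimal CIDR blocks with the standard ipaddress module and checks whether the /24 shortcut would be exact for a given line; the sample ranges and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the "start-end" style of the list discussed above
# (documentation/private addresses, not real list entries).
SAMPLE = """\
# two adjacent full blocks, one partial block, one odd range, one single IP
10.0.0.0-10.0.0.255
10.0.1.0-10.0.1.255
198.51.100.64-198.51.100.127
203.0.113.10-203.0.113.20
192.0.2.7
"""

def parse_range(line):
    """Return (first, last) IPv4Address for 'a-b' or for a single address."""
    first, _, last = line.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if lo > hi:
        raise ValueError(f"range start is after range end: {line!r}")
    return lo, hi

def sed_shortcut_is_exact(line):
    """True only if 'start/24' covers exactly the addresses in the range."""
    lo, hi = parse_range(line)
    net = ipaddress.ip_network(f"{lo}/24", strict=False)
    return net.network_address == lo and net.broadcast_address == hi

def ranges_to_cidrs(text):
    """Convert every range in text to a minimal, sorted list of CIDR strings."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        lo, hi = parse_range(line)
        # Splits an arbitrary range into the fewest aligned CIDR blocks.
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    # Merge adjacent or overlapping blocks so the resulting set stays small.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    for cidr in ranges_to_cidrs(SAMPLE):
        print(cidr)
```

A range such as 198.51.100.64-198.51.100.127 is where the /24 substitution would block four times more addresses than the list intended, which is why the exactness check is worth running before relying on the shortcut.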
 
I was surprised at the large number of inbound blocks. The first IP is in China.
Threat Findings: Malicious Host
116.211.0.90 is participating in some form of malicious activity; however, the specific malicious activity cannot be confirmed. Be cautious about interacting with this system.

I wonder why the ISP does not shut them down?
Code:
Top 10 Blocks (Inbound);
2253x https://otx.alienvault.com/indicator/ip/116.211.0.90
489x https://otx.alienvault.com/indicator/ip/123.59.64.249
152x https://otx.alienvault.com/indicator/ip/150.70.183.141
129x https://otx.alienvault.com/indicator/ip/46.17.96.12
120x https://otx.alienvault.com/indicator/ip/51.15.144.87
118x https://otx.alienvault.com/indicator/ip/150.70.183.140
101x https://otx.alienvault.com/indicator/ip/178.159.37.99
62x https://otx.alienvault.com/indicator/ip/94.74.81.97
52x https://otx.alienvault.com/indicator/ip/77.72.82.7
38x https://otx.alienvault.com/indicator/ip/91.223.133.13
 
@Adamm, I am giving a presentation on Tuesday at my computer club. I will demo Merlin FW, AB-Solution, Skynet among many other items. Is there anything you feel I should emphasize about Skynet? I plan on showing them the blocklists that you use and giving a demo of its features, use and stats.
 
I wonder why the ISP does not shut them down?

Probably based on some sort of shared hosting and becomes a whack-a-mole game. A lot of the cheap hosting providers attract the wrong kind of customer.

Is there anything you feel I should emphasize about Skynet?

Whatever seems relevant to the talk I guess. Stats commands are probably the only "visually appealing" features, the rest is sort of just inputting different types of data to be blocked/unblocked. Then again I'm pretty critical of my own work :p
 
Thanks for the reply. I'll also tell them you are active on the forum and provide fantastic support and very helpful!
 
Somehow my favorite threads, like this one, randomly stop giving me notifications of unread posts, so I missed just about everything in the past 24-48 hours here... I keep pressing "Unwatch" and "Watch thread" again to keep getting notifications. Annoying...

Nevertheless: for some reason, I'm getting complaints from junior that he isn't capable of watching YT on the Apple TV or streamed to Chromecast anymore since a few days. Because of his age, he's only allowed to watch Youtube on the big screen, as Google's Parental Controls (what Parental Controls ?!?) suck big time.

@Xentrk You posted some Google hosts to block, but I can't seem to find them. Can you point me in the right direction?

As watching Youtube on PC, iPad and iPhone works fine, I will need to do some debugging, might even need to sniff some packets, to find out what's going wrong all of a sudden, as we've never had any issues streaming and live with an (otherwise lovely) autistic kid without YouTube (he plays every clip over and over again) will probably cause some major headache over the weekend in the network management department (that would be me :confused:).

So... Halp... Anyone? Please?

Edit: just checked the router's logfiles, the AppleTV's fixed IP doesn't show up anywhere over the past 72 hours, with Skynet in debug mode by default. The Chromecast only shows up for some DHCP-REQUEST and -ACK messages. Any advice on how to track this down? My head's a mess today (and it will only get worse if I don't get this sorted...)
 
@Adamm is there a possibility that Skynet can block UPnP?

2-3 days ago I've noticed both port forwarding and UPnP was not working on my router. Router was up for about 20 days so I've rebooted it and port forwarding started to work but UPnP didn't.

Yesterday I've reset my router to factory settings and I've installed AB-Solution and DNScrypt but not Skynet and UPnP is working OK now. So I've some doubts if I should install Skynet or not :confused:

Maybe I should have tried uninstalling Skynet before resetting to factory default but I didn't. :(
 
@Adamm is there a possibility that Skynet can block UPnP?

I use UPnP just fine, I think it's probably more to do with something else you had installed. Skynet doesn't interfere with much beyond a few IPTables rules.
 
