Skynet - Router Firewall & Security Enhancements

Skynet v5.3.9:
"Skynet: [Complete] 152 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [47s]"
Is this normal? With the previous version (a few days ago, with v5.3.7 if I remember correctly) I recall I've seen many more IPs over there...
Yes, it clears at intervals; I have not been able to determine when or why, and I am not finding it on searching through this thread.

Code:
Oct 30 02:00:08 Skynet: [Complete] 133498 IPs / 2886 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1265 Inbound / 386 Outbound Connections Blocked! [7s]
Oct 30 02:25:38 Skynet: [Complete] 183 IPs / 0 Ranges Banned. -133315 New IPs / -2886 New Ranges Banned. 1292 Inbound / 386 Outbound Connections Blocked! [38s]

And Skynet is now....
Code:
Oct 30 09:57:15 Skynet: [INFO] New Version Detected - Updating To v5.4.0... ... ...
Oct 30 09:57:17 Skynet: [INFO] Skynet Sucessfully Updated - Restarting Firewall
 
Update to v5.40 and rerun banmalware. There was a bug due to the firmware's old baked-in wget version, so lists weren't properly downloading.
 
Wow, I already updated but just ran the banmalware command.
Code:
Oct 30 17:00:01 Skynet: [Complete] 185 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 7 Inbound / 0 Outbound Connections Blocked! [1s]
Oct 30 17:31:08 Skynet: [Complete] 147946 IPs / 3028 Ranges Banned. 147761 New IPs / 3028 New Ranges Banned. 7 Inbound / 0 Outbound Connections Blocked! [64s]
 
I've updated to 5.4.0 and am getting a similar issue. I'm running Skynet on a USB stick; it seems like it's looking for it in /tmp/skynet

Code:
Removing Previous Malware Bans  [0s]
Downloading filter.list     [0s]
Whitelisting Shared Domains     [1s]
Consolidating Blacklist     xargs: invalid option -- P
BusyBox v1.25.1 (2017-10-04 15:01:12 EDT) multi-call binary.

Usage: xargs [OPTIONS] [PROG ARGS]

Run PROG on every item given by stdin

    -p    Ask user whether to run each command
    -r    Don't run command if input is empty
    -0    Input is separated by NUL characters
    -t    Print the command on stderr before execution
    -e[STR]    STR stops input processing
    -n N    Pass no more than N args to PROG
    -s N    Pass command line of no more than N bytes
    -I STR    Replace STR within PROG ARGS with input line
    -x    Exit if size is exceeded
cat: can't open '/tmp/skynet/*': No such file or directory
Filtering IPv4 Addresses     [0s]
Filtering IPv4 Ranges         [0s]
Applying Blacklists         [0s]
Saving Changes             [0s]

For False Positive Website Bans Use; ( sh /jffs/scripts/firewall whitelist domain URL )

Skynet: [Complete] 274 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1 Inbound / 0 Outbound Connections Blocked! [14s]
 
What's the output of;

"which xargs"
 
Okay, v5.4.1 is live. Update and it should work as per usual.

Skynet: [Complete] 148789 IPs / 3031 Ranges Banned. 148515 New IPs / 3031 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [50s]

thank you kind sir!
 
@Adamm mind if I experimentally include Skynet stats in the AB router stats feature?
If yes, what is the best command to show as much as possible in one command?
firewall stats
firewall stats search autobans

I'm just thinking aloud here, not sure I'll do it.
 
v5.4.1:
Code:
Oct 31 08:24:34 Skynet: [INFO] New Version Detected - Updating To v5.4.1... ... ...
Oct 31 08:24:36 Skynet: [INFO] Skynet Sucessfully Updated - Restarting Firewall
Oct 31 08:24:38 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate usb=/tmp/mnt/USB )
Oct 31 08:24:59 Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [21s]
 
You're more than welcome to use any data you like; it's all stored in $location/skynet.log

Code:
sh /jffs/scripts/firewall stats

Would probably show the best "overview" of stats, whereas the "search autobans" just shows when the router initially auto-banned IPs.
 
@Adamm, one quick question - shouldn't "Top 10 blocks (Outbound)" *include* "Top 10 HTTP(s) Blocks (Outbound)"? In my twisted mind, "top 10" should either be classified by protocol (TCP/UDP/HTTP) or include all outbound blocks...

Code:
Top 10 HTTP(s) Blocks (Outbound);
2091x https://otx.alienvault.com/indicator/ip/78.140.158.253
2091x https://otx.alienvault.com/indicator/ip/195.234.99.231
22x https://otx.alienvault.com/indicator/ip/192.0.78.25
22x https://otx.alienvault.com/indicator/ip/192.0.78.24
11x https://otx.alienvault.com/indicator/ip/192.35.177.64
11x https://otx.alienvault.com/indicator/ip/162.255.119.249
8x https://otx.alienvault.com/indicator/ip/23.23.174.132
7x https://otx.alienvault.com/indicator/ip/184.168.47.225
1x https://otx.alienvault.com/indicator/ip/23.21.237.34

Top 10 Blocks (Outbound);
1006x https://otx.alienvault.com/indicator/ip/185.108.128.5
679x https://otx.alienvault.com/indicator/ip/211.197.11.9
672x https://otx.alienvault.com/indicator/ip/211.197.11.4
610x https://otx.alienvault.com/indicator/ip/211.104.154.4
604x https://otx.alienvault.com/indicator/ip/211.104.154.5
597x https://otx.alienvault.com/indicator/ip/211.104.154.6
586x https://otx.alienvault.com/indicator/ip/78.140.158.253
571x https://otx.alienvault.com/indicator/ip/211.197.11.6
555x https://otx.alienvault.com/indicator/ip/211.197.11.10
532x https://otx.alienvault.com/indicator/ip/211.104.154.3
 
When designing the stats output I decided that HTTP(s) needed its own category due to the nature of the blocks and that including them in the overall category was sort of unnecessary and confusing.
 
Don't know if I agree. "overall" = "all" IMO. That being said, maybe subject should be "Top 10 Blocks (Outbound ex HTTP);"
In any case, script is great, and thanks for your great work - Skynet is a lifesaver.
 
@Adamm I updated and found these results in the log
Code:
Oct 31 08:12:12 Skynet: [INFO] New Version Detected - Updating To v5.4.1... ... ...
Oct 31 08:12:14 Skynet: [INFO] Skynet Sucessfully Updated - Restarting Firewall
Oct 31 08:12:14 rc_service: service 9991:notify_rc restart_firewall
Oct 31 08:12:14 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan3000_vlan3000)!
Oct 31 08:12:15 custom_script: Running /jffs/scripts/firewall-start (args: vlan3000)
Oct 31 08:12:15 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate usb=/tmp/mnt/EXT4 )
Oct 31 08:12:36 Skynet: [Complete] 185 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [21s]
Then I ran the banmalware command again and it produced this
Code:
Oct 31 08:13:34 Skynet: [Complete] 155923 IPs / 3054 Ranges Banned. 155738 New IPs / 3054 New Ranges Banned. 1 Inbound / 0 Outbound Connections Blocked! [31s]
Earlier last night it did this
Code:
Oct 31 02:00:06 Skynet: [Complete] 147001 IPs / 3023 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 648 Inbound / 8 Outbound Connections Blocked! [6s]
Oct 31 02:25:18 Skynet: [Complete] 185 IPs / 0 Ranges Banned. -146816 New IPs / -3023 New Ranges Banned. 668 Inbound / 8 Outbound Connections Blocked! [18s]
Any ideas what may have caused this sudden update of bans with no update command given?
 
The reason it dropped 146k entries at 2:25am was due to a bug which was fixed in (v5.4.1) that prevented lists from being properly downloaded. Your boot args suggest Skynet is set for daily banmalware updating, so this happened during the daily cronjob.

After you updated at 8:12am to v5.4.1, banmalware would have been fixed and functioning as per usual, so when you issued the command at 8:31am it reapplied the "missing" entries.
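
Added example, not part of the original posts or of Skynet itself: a small shell check that reads Skynet's "[Complete]" syslog lines and flags any run where the banned-IP count collapses, as in the 02:25 entries quoted in this thread. The function name `check_ban_drops`, the 50% default threshold and the standard "Mon DD HH:MM:SS" syslog prefix are assumptions of this example; the sample lines are copied from the posts above.

```shell
#!/bin/sh
# Added example, not part of Skynet: flag runs where the ban set collapses.

# Sample input: "[Complete]" lines copied from the posts in this thread.
SAMPLE_LOG='Oct 30 02:00:08 Skynet: [Complete] 133498 IPs / 2886 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1265 Inbound / 386 Outbound Connections Blocked! [7s]
Oct 30 02:25:38 Skynet: [Complete] 183 IPs / 0 Ranges Banned. -133315 New IPs / -2886 New Ranges Banned. 1292 Inbound / 386 Outbound Connections Blocked! [38s]
Oct 30 17:00:01 Skynet: [Complete] 185 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 7 Inbound / 0 Outbound Connections Blocked! [1s]
Oct 30 17:31:08 Skynet: [Complete] 147946 IPs / 3028 Ranges Banned. 147761 New IPs / 3028 New Ranges Banned. 7 Inbound / 0 Outbound Connections Blocked! [64s]'

# check_ban_drops [MAX_DROP_PCT]   (hypothetical helper, default threshold 50)
# Reads syslog lines on stdin and prints one "DROP" line for every run whose
# banned-IP total fell by more than MAX_DROP_PCT percent since the previous run.
check_ban_drops() {
    awk -v pct="${1:-50}" '
    /Skynet: \[Complete\]/ {
        # Locate the "[Complete]" token so extra prefix fields do not matter.
        for (i = 1; i <= NF; i++) if ($i == "[Complete]") break
        if (i > NF || $(i + 2) != "IPs") next    # not the expected layout
        ips = $(i + 1) + 0                       # total IPs banned
        ranges = $(i + 4) + 0                    # total ranges banned
        # Integer comparison avoids division and a divide-by-zero on prev_ips.
        if (seen && ips * 100 < prev_ips * (100 - pct))
            printf "DROP %s %s %s ips %d->%d ranges %d->%d\n", $1, $2, $3, prev_ips, ips, prev_ranges, ranges
        prev_ips = ips; prev_ranges = ranges; seen = 1
    }'
}

# Demo on the sample lines; on a router, pipe the syslog into the function instead.
printf '%s\n' "$SAMPLE_LOG" | check_ban_drops 50
```

Run after the scheduled banmalware job, a DROP line is a cue to check whether the list download failed before trusting the firewall's coverage.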
 
Thanks @Adamm! This is one amazing script man!
 
@Adamm v5.4.1 gives the following error when I run the banmalware option.

Code:
Removing Previous Malware Bans  [0s]
Downloading filter.list         [0s]
Whitelisting Shared Domains     /jffs/scripts/firewall: line 2034: can't fork

I'm currently only blocking 7 IPs :(
 
