Skynet Skynet - Router Firewall & Security Enhancements

Works on my end. Please give me the full output along with;

sh /jffs/scripts/firewall debug info

Hi

So what I'm finding is that standard HTTP domains are being blocked but HTTPS ones are not. Is that expected? Any way around that? I've done an nslookup on the sites themselves and manually entered the IP to block, but as long as it's an HTTPS domain it's not blocked.
 

The blocking is IP based, so regardless of whether the site uses HTTPS or not, it should be blocked as it's not port specific.

Make sure you are banning all of the domain's IPs; I suggest using:

Code:
sh /jffs/scripts/firewall ban domain xxxxxx.com
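To show why the reply above holds, here is an added example (not Skynet's own code; the set name Skynet-Blacklist and the nslookup output are assumed/constructed for it): it pulls every IPv4 answer for a domain while skipping the resolver's own address, prints the ipset adds a domain ban amounts to, and prints the single port-agnostic FORWARD rule that makes HTTP and HTTPS behave the same.

```sh
#!/bin/sh
# Added example, not Skynet's own code. Shows (1) why "ban domain" has to add
# every address a name resolves to and (2) why an address-based ban is
# port-agnostic. The set name Skynet-Blacklist and the lookup output below
# are assumed/constructed for this example; nothing here touches the firewall.

# Constructed busybox-style nslookup output for a CDN-fronted domain. The
# "Server:/Address" pair before the blank line is the resolver itself, and a
# naive 'grep Address' would ban 192.168.1.1, the router's own DNS.
SAMPLE_LOOKUP='Server:    192.168.1.1
Address 1: 192.168.1.1 router.asus.com

Name:      example-cdn.test
Address 1: 203.0.113.10 example-cdn.test
Address 2: 203.0.113.11 example-cdn.test
Address 3: 2001:db8::10 example-cdn.test
Address 4: 203.0.113.10 example-cdn.test'

# Unique IPv4 answers only: skip everything before the blank line (resolver
# block), ignore IPv6 (a v4-only ipset would reject it) and de-duplicate.
extract_ipv4() {
    printf '%s\n' "$1" | awk '
        /^$/ { answers = 1; next }
        answers && /^Address/ && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$3]++ { print $3 }'
}

count_ipv4() { extract_ipv4 "$1" | wc -l | tr -d ' '; }

# Dry run of what a domain ban amounts to: one ipset add per resolved address.
ban_domain_dry_run() {
    domain=$1
    ips=$(extract_ipv4 "$2")
    if [ -z "$ips" ]; then
        echo "no IPv4 answers for $domain" >&2
        return 1
    fi
    for ip in $ips; do
        echo "ipset -q add Skynet-Blacklist $ip"
    done
}

# The matching rule keys on the destination address only (no --dport), so
# TCP/80, TCP/443, UDP/443 and anything else to those addresses is dropped.
forward_drop_rule() {
    echo "iptables -I FORWARD -m set --match-set Skynet-Blacklist dst -j DROP"
}

# Stand-alone run: show what banning example-cdn.test would do.
ban_domain_dry_run example-cdn.test "$SAMPLE_LOOKUP"
forward_drop_rule
```

Banning only the one address you happened to see in nslookup misses CDN-fronted HTTPS sites that rotate between several answers, which is the symptom reported above; and grepping every Address line would also ban the router's own resolver, which is why the block before the blank line is skipped.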
 

Thanks, You were quite right :)
 
I've pushed v5.6.1 - Mostly a minor update, this improves the USB selection code with the modifications @thelonelycoder made in his implementation, and corrects a bug with the "stats search malware" command.

The third change is that we include a few more lists in banmalware; this should only amount to a few thousand extra IPs. Two are reputation lists from NormShield, which is similar to AlienVault, which we already source from (47% of the NormShield list of 10000+ entries is already covered by AlienVault).

The other list added is coinbl. This list is made up mostly of malicious coin-mining that happens without user authentication on websites and hidden inside programs. Recently this has been a pretty hot topic, as many large companies (and malware) have tried to sneak coin-mining software embedded in their websites and applications, using up precious computer resources. With that being said, I am unsure if this will affect legitimate coin-mining as I don't do it myself to test, and there are so many different coins out there. So if by chance you are a user who does this, let me know if this interferes with legitimate operations and we can assess the situation further, but for 99.99% of users this won't be an issue.
 

@Adamm - minor spelling error.

Code:
Line 2305 echo "No Compadible Partitions Found - Exiting!"

Should read "No Compatible Partitions Found - Exiting!" ;)
 

Thanks for pointing out my terrible 5am spelling :p Fixed.
 
I have the following error when updating the banmalware list (option 3 and then 1).
This is on the latest version, v5.6.1.

Code:
Downloading filter.list     [0s]
Whitelisting Shared Domains     Consolidating Blacklist     /jffs/scripts/firewall: line 2386: can't fork


Code:
Router Model; R7000
Skynet Version; v5.6.1 (15/12/2017)
iptables v1.4.14 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 380.69_0 (Dec 12 2017) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/opt/skynet (10.2G / 14.6G Space Available)
SWAP File; /opt/swap (2.0G)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/opt
 

Does this happen every time you run the command? This issue is mainly only prevalent on the AC86U
 
Yes, tried 10 times, same error.

Okay, I pushed v5.6.2 with the same workaround I used for the AC86U. Also further improved SWAP management, but that's mostly under the hood.

Let me know if that resolves the issue.
 
Hello Adamm,

Regarding your notice:
______________________________________
UPDATED 15/12/2017

Currently this script is only supported for Asus Routers with IPSet v6 (AC56U and later)

Minimum supported Firmware Versions
MerlinWRT v380.68 (or newer)
Johns Fork V26E3 (or newer)

______________________________________
My AC66U with MerlinWRT v380.68_4 has ipset version 4.5.
So I am afraid I cannot use Skynet.
Maybe AC56U should be AC68U?
 
I think the 56U is newer than the 66U, the original anyway. I think the sticking point is ARM vs MIPS.
 
Yes, the AC56U is newer than the AC66U despite Asus's confusing naming convention (the AC56U was the first ARM model). Skynet supports every model released after this that runs MerlinWRT.
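As an added example (not Skynet's code) of the support check discussed in this exchange, the following preflight parses the ipset banner and the firmware build number in the format shown in the debug output posted earlier in the thread. The version strings in the stand-alone run are taken from that output; the `nvram get buildno` source and the return-code convention are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Skynet's own code: a preflight for the requirements the
# thread states (ipset v6, MerlinWRT 380.68 or newer). The version strings
# in the stand-alone run are taken from the debug output posted above; on a
# router you would pass "$(ipset -v)" and "$(nvram get buildno)" (the nvram
# key and the return-code convention are assumptions of this example).

# Major version from the "ipset vX.Y" banner ("" if the banner is unparseable).
ipset_major() {
    printf '%s\n' "$1" | sed -n 's/^ipset v\([0-9][0-9]*\).*/\1/p'
}

# Compare build numbers like 380.69_0 field by field as integers (a plain
# string compare would rank 380.7 above 380.69). Returns 0 when $1 >= $2.
fw_at_least() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        n = split(have, h, /[._]/)
        m = split(need, w, /[._]/)
        last = (n > m) ? n : m
        for (i = 1; i <= last; i++) {
            a = (i <= n) ? h[i] + 0 : 0
            b = (i <= m) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# 0 = supported, 1 = firmware too old, 2 = ipset too old. The AC66U case in
# the thread is code 2: 380.68_4 passes, but the MIPS build still ships ipset 4.5.
skynet_preflight() {
    fw=$1
    banner=$2
    fw_at_least "$fw" "380.68" || return 1
    major=$(ipset_major "$banner")
    [ -n "$major" ] && [ "$major" -ge 6 ] || return 2
    return 0
}

# Stand-alone run with the two routers from the thread (R7000 and AC66U).
for router in "380.69_0|ipset v6.32, protocol version: 6" "380.68_4|ipset v4.5"; do
    fw=${router%%|*}
    banner=${router#*|}
    if skynet_preflight "$fw" "$banner"; then
        echo "$fw with '$banner': supported"
    else
        echo "$fw with '$banner': unsupported (code $?)"
    fi
done
```

The firmware check alone would have passed the AC66U, which is the point of the exchange above: the gating requirement is the ipset protocol version the platform's build ships, not the Merlin release number.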
 
This change is giving me fits. I got a new phone (Pixel 2 XL) and am trying to learn all the tricks and tips, via Google update emails, etc. I keep getting outbound blocks to so many sites, especially those listed as "Made for Google".

I have used the DPMDP (Google Play Music Desktop Player) and it is now being blocked every so often on song changes in radio stations. As a test I tried Spotify and get outbound blocks there too.

I have whitelisted about 15 sites for outbound blocks so far that OTX identifies as Google sites and non-malicious. I just keep getting more and more outbound blocks. I do not want to whitelist all of Google since that defeats much of the function of AB-Solutions.

I rarely had that problem after a few weeks of tweaking after installing Skynet; it ran pretty smoothly, maybe 4 or 5 things to remedy each week. Now this is so aggressive I spend all my time in an SSH link to Skynet. Ugh.
 
Hi, I have a problem: when I use Skynet it blocks the connection to an Xbox One. Could you tell me how to make an exception so that it can connect with Skynet activated? Thanks in advance. Regards!
 
Use the following command to tell which lists the IPs are being sourced from;

Code:
sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx

As I've said in the past, any lists that lead to excessive false positives I'm more than happy to remove, but for this I need feedback.
 
Refer to post 2 of this thread about identifying banned IPs and whitelisting them.

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and unban) anything incorrectly on your Blacklist!

1.) Enable Debug Mode via the installer
Code:
sh /jffs/scripts/firewall install

2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This will most likely be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST="; it should look something like this:
Code:
DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned; use a search tool like AlienVault.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52

Also use the command in my previous post to identify the list the IP was sourced from. If any list leads to excessive false positives I'm more than happy to remove them.
 
OK, now what? :oops:

xxxxxxx@RT-AC68U-B088:/tmp/home/root# sh /jffs/scripts/firewall stats search malware 192.124.249.18

Debug Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 184.0K
Monitoring From Dec 15 04:00:56 To Dec 15 09:43:54
407 Block Events Detected
170 Unique IPs
240 Autobans Issued
3 Manual Bans Issued

Exact Matches;

Possible CIDR Matches;


Skynet: [Complete] 157845 IPs / 2015 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 97 Inbound / 0 Outbound Connections Blocked! [9s]
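To tie the whitelist guide above to the stats search output just posted, here is an added example (not Skynet's own code): it counts [BLOCKED - OUTBOUND] hits per DST in debug-watch style log lines to find the flood, then checks an address against a blacklist that mixes single IPs and CIDR ranges, which is the "Possible CIDR Matches" case, where an exact search finds nothing but the IP sits inside a banned range. The log lines and the blacklist are constructed; the DST=/PROTO=/DPT= fields follow the netfilter LOG layout.

```sh
#!/bin/sh
# Added example, not Skynet's own code. Two helpers for the false-positive
# hunt in the guide above: find the flooded DST in debug-watch style log
# lines, then look the address up in a blacklist of IPs and CIDR ranges (the
# "Possible CIDR Matches" case in the stats output). Log lines and blacklist
# are constructed; the DST=/PROTO=/DPT= fields follow netfilter LOG output.

SAMPLE_LOG='Dec 15 09:40:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=175.115.37.52 PROTO=TCP SPT=50123 DPT=443
Dec 15 09:40:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=175.115.37.52 PROTO=TCP SPT=50124 DPT=443
Dec 15 09:40:02 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41000 DPT=22
Dec 15 09:40:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=175.115.37.52 PROTO=UDP SPT=50125 DPT=443
Dec 15 09:40:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.1.51 DST=192.124.249.18 PROTO=TCP SPT=50126 DPT=443'

# One entry per line, single IPs and CIDR ranges mixed, as a malware feed is.
SAMPLE_BLACKLIST='175.115.37.52
192.124.249.0/24
198.51.100.0/24'

# Print "<count> <ip>" for the destination with the most OUTBOUND blocks;
# inbound noise (port scans against the WAN) is ignored on purpose.
top_outbound_dst() {
    printf '%s\n' "$1" | awk '
        /\[BLOCKED - OUTBOUND\]/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^DST=/) hits[substr($i, 5)]++
        }
        END {
            best = 0
            for (ip in hits) if (hits[ip] > best) { best = hits[ip]; top = ip }
            if (best > 0) print best, top
        }'
}

# Is dotted-quad $1 inside $2 (single IP or a.b.c.d/n)? Done in awk on
# doubles, exact below 2^32, because $(( )) on a busybox build without
# 64-bit math support overflows on addresses above 127.255.255.255.
ip_in_range() {
    awk -v ip="$1" -v range="$2" '
        function ip2n(a,  p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
        BEGIN {
            bits = 32
            net = range
            if (index(range, "/")) { split(range, r, "/"); net = r[1]; bits = r[2] + 0 }
            scale = 2 ^ (32 - bits)
            code = (int(ip2n(ip) / scale) == int(ip2n(net) / scale)) ? 0 : 1
            exit code
        }'
}

# Mimic "stats search malware": print every exact and CIDR match for $1 in
# list $2; return 1 when nothing matches, like the empty output in the thread.
search_blacklist() {
    ip=$1
    found=1
    for entry in $2; do
        case $entry in
            */*) ip_in_range "$ip" "$entry" && { echo "cidr $entry"; found=0; } ;;
            *)   [ "$entry" = "$ip" ] && { echo "exact $entry"; found=0; } ;;
        esac
    done
    return $found
}

# Stand-alone run: find the flood, then explain why 192.124.249.18 is banned
# although it has no exact entry.
top_outbound_dst "$SAMPLE_LOG"
search_blacklist 192.124.249.18 "$SAMPLE_BLACKLIST" || echo "192.124.249.18: not listed"
```

When the exact-match search comes back empty, as in the post above, the range check is the next thing to run before whitelisting: a single-IP whitelist entry is the right fix for one false positive, but if the match is a whole /24 from one feed, that feed is the thing to report so the maintainer can judge whether to drop it.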
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top