Skynet Skynet - Router Firewall & Security Enhancements

[Butterfly Bones]

All looks fine, very strange as by IPTables logic this should have been DROP'ed at the second rule as the source port matched the defined list, but maybe I'm missing something obvious here. So I'll spend tomorrow looking at possible causes/solutions.

Would you mind also running the second command I posted so I can see if this is happening frequently on your setup on ports that it shouldn't.

Oops, I missed the second one. I never mind helping someone help me! Thank you!

Debug Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 972.0K
Monitoring From Dec 15 04:00:56 To Dec 16 13:23:23
3360 Block Events Detected
901 Unique IPs
242 Autobans Issued
3 Manual Bans Issued

First Autoban Issued On Oct 3 21:04:52
Last Autoban Issued On Dec 16 10:57:34

First Autoban Issued;
Oct  3 21:04:52 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=164.132.120.90 DST=75.128.66.165 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=6008 DPT=28971 SEQ=2057568776 ACK=2684092417 WINDOW=17520 RES=0x00 ACK SYN URGP=0

10 Most Recent Autobans;
Dec  9 07:53:12 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=147.135.225.24 DST=75.128.66.165 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=25565 DPT=40264 SEQ=1481334739 ACK=135019169 WINDOW=17520 RES=0x00 ACK SYN URGP=0
Dec 10 06:11:42 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=109.227.71.234 DST=75.128.66.165 LEN=44 TOS=0x00 PREC=0x00 TTL=46 ID=31778 PROTO=TCP SPT=3601 DPT=23 SEQ=1266696869 ACK=0 WINDOW=59332 RES=0x00 SYN URGP=0 OPT (020405A0)
Dec 10 20:41:44 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=104.99.238.162 DST=75.128.66.165 LEN=1500 TOS=0x00 PREC=0x00 TTL=56 ID=44553 DF PROTO=TCP SPT=49320 DPT=257 SEQ=3587440720 ACK=2628519796 WINDOW=33043 RES=0x1c CWR ECE URG SYN URGP=237 OPT (D22800000101080A17B446C9)
Dec 11 08:16:03 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=144.217.15.39 DST=75.128.66.165 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=5000 DPT=39987 SEQ=1810950507 ACK=1281425409 WINDOW=17520 RES=0x00 ACK SYN URGP=0
Dec 12 14:24:55 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=91.134.188.54 DST=75.128.66.165 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=1370 DPT=3676 SEQ=4043036481 ACK=975503361 WINDOW=17520 RES=0x00 ACK SYN URGP=0
Dec 13 08:38:52 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=171.244.21.53 DST=75.128.66.165 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=TCP SPT=1993 DPT=32065 SEQ=4022603132 ACK=2781347841 WINDOW=0 RES=0x00 ACK SYN URGP=0
Dec 13 19:50:18 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=192.95.54.21 DST=75.128.66.165 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=25565 DPT=51647 SEQ=5105455 ACK=1518353892 WINDOW=17520 RES=0x00 ACK SYN URGP=0
Dec 14 09:44:09 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=121.52.205.133 DST=75.128.66.165 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=59109 PROTO=TCP SPT=27780 DPT=60389 SEQ=689103479 ACK=688678535 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Dec 15 19:28:22 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=137.74.4.208 DST=75.128.66.165 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=7777 DPT=54316 SEQ=2420734347 ACK=3122921473 WINDOW=17520 RES=0x00 ACK SYN URGP=0
Dec 16 10:57:34 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=173.194.166.231 DST=75.128.66.165 LEN=1472 TOS=0x00 PREC=0x00 TTL=56 ID=13745 PROTO=TCP SPT=443 DPT=37566 SEQ=2645267603 ACK=3434604900 WINDOW=123 RES=0x00 ACK URGP=0 OPT (0101080AB5A63D3C6A72EE17)

Skynet: [Complete] 157419 IPs / 2000 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2387 Inbound / 112 Outbound Connections Blocked! [2s]

 

[Adamm]

Oops, I missed the second one. I never mind helping someone help me! Thank you!

So I thought about this for awhile, the only possible way I can see this happening is if during the very brief 1-2s period when the rules are loading in, the IP in question sent in invalid packet, at which time the rule for packets on port 443 didn't exist yet, so rather then being dropped it was banned. This would only occur if Skynet was mid-way through its boot process so its a very edge case and a bit of a long shot. Regardless I've fixed this flaw in v5.6.4

After updating, would you mind unbanning all current autobans via the following command, so if this issue does arise again in future we can debug it easier and rule out this as a cause.

sh /jffs/scripts/firewall unban autobans

 

[Butterfly Bones]

So I thought about this for awhile, the only possible way I can see this happening is if during the very brief 1-2s period when the rules are loading in, the IP in question sent in invalid packet, at which time the rule for packets on port 443 didn't exist yet, so rather then being dropped it was banned. This would only occur if Skynet was mid-way through its boot process so its a very edge case and a bit of a long shot. Regardless I've fixed this flaw in v5.6.4

After updating, would you mind unbanning all current autobans via the following command, so if this issue does arise again in future we can debug it easier and rule out this as a cause.

sh /jffs/scripts/firewall unban autobans

Thank you again and as always for the replies.
OK, updated.

Dec 17 07:45:01 Skynet: [INFO] New Version Detected - Updating To v5.6.4...
Dec 17 07:45:08 Skynet: [INFO] Skynet Sucessfully Updated - Restarting Firewall
Dec 17 07:45:09 rc_service: service 24527:notify_rc restart_firewall
Dec 17 07:45:09 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Dec 17 07:45:10 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Dec 17 07:45:10 Skynet: [INFO] Startup Initiated... ( debug banmalware autoupdate usb=/tmp/mnt/SNB )
Dec 17 07:45:33 Skynet: [Complete] 155197 IPs / 1910 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [23s]

Then unban autobans:

Dec 17 07:46:39 Skynet: [Complete] 155085 IPs / 1910 Ranges Banned. -112 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [41s]

The router had 2+ days up time before this occurrence, after updating Merlin software. Just in case there is anything incorrect, this is my update procedure:

• turn off "Enable JFFS custom scripts and configs" in Administration and apply
• shut down the router with power button
• pull the two Sandisk USB drives
• boot and update router firmware
• turn on "Enable JFFS custom scripts and configs" in Administration and apply
  
• shut down router with power button
• run fsck on USB drives with my Linux laptop
• insert USB drives back to the router
• power it up.

I've had fairly consistent USB drive corruption after 2-3 reboots or power cycles, as I have posted elsewhere in the forums. I'm using ext2, just to cover all bases. That is why I run fsck on firmware updates, or after power cycles.

 

[Adamm]

Thank you again and as always for the replies.
OK, updated.

Dec 17 07:45:01 Skynet: [INFO] New Version Detected - Updating To v5.6.4...
Dec 17 07:45:08 Skynet: [INFO] Skynet Sucessfully Updated - Restarting Firewall
Dec 17 07:45:09 rc_service: service 24527:notify_rc restart_firewall
Dec 17 07:45:09 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Dec 17 07:45:10 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Dec 17 07:45:10 Skynet: [INFO] Startup Initiated... ( debug banmalware autoupdate usb=/tmp/mnt/SNB )
Dec 17 07:45:33 Skynet: [Complete] 155197 IPs / 1910 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [23s]

Then unban autobans:

Dec 17 07:46:39 Skynet: [Complete] 155085 IPs / 1910 Ranges Banned. -112 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [41s]

The router had 2+ days up time before this occurrence, after updating Merlin software. Just in case there is anything incorrect, this is my update procedure:

• turn off "Enable JFFS custom scripts and configs" in Administration and apply
• shut down the router with power button
• pull the two Sandisk USB drives
• boot and update router firmware
• turn on "Enable JFFS custom scripts and configs" in Administration and apply
  
• shut down router with power button
• run fsck on USB drives with my Linux laptop
• insert USB drives back to the router
• power it up.

I've had fairly consistent USB drive corruption after 2-3 reboots or power cycles, as I have posted elsewhere in the forums. I'm using ext2, just to cover all bases. That is why I run fsck on firmware updates, or after power cycles.

Okay looks good, let's hope this change resolves the incorrect autobans.

As for update procedure, I can only speak from my own experience and others may disagree, but for the last 4 years I simply just update the router via the GUI without any additional steps and have never had any issues or drive curruption even with cheap USBs. Also being a developer I tend to reboot my device sometimes dozens of times per day when debugging and never have run into problems.

And in the event of a major firmware update I just factory reset for good measure.

I run a pretty basic setup with just Skynet and AB installed, occasionally I'll have a openvpn client running when testing but that's about it. So I mean do whatever you feel like works best for you, but personally I feel systems are smart enough to handle hard reboots or updates with minimal interference.

 

[Makaveli]

Instead of doing all that why not just unmount the drive then pull the USB key out. Then do the firmware update, then put the drive back in and restart the scripts.

I find if I don't do this I get corruption on the thumb drive.

 

[Adamm]

Also I'd like to thank everyone, Skynet hit a pretty significant milestone of 100,000 views on this thread and from the limited anilitics GitHub provides we are growing quite the active userbase.

Skynet started as a personal script I wrote way back in 2014 to easily manage ipset after petitioning for it to be added to padavans firmware, then eventually @RMerlin also followed through (let's not forget @john9527 either who has been a big part of porting and implementing additional IPSet functionality). These guys are the real MVPs.

Until this year it was honestly badly written as I only ever indended it for personal use, but for whatever reason interest picked up in this area so I decided to put effort into rewriting it completly, adding dozens of extra features in the process, and well here we are today being one of the most popular scripts for this firmware. Also a shoutout to @thelonelycoder for his colaberation in making Skynet and AB-Solution work seamlessly together.

Thanks to all the loyal users who continue to use the script and point out my stupid bugs from time to time

Let's see what 2018 holds for the future of Skynet!

(p.s for any AC86U users I do have some good news. I received confirmation one will be getting shipped this week. No exact eta just yet but as soon as it arrives I will be spending as much time as nessesary to work out the last few kinks in fully supporting this device)

 

[yk101]

@Adamm thanks a lot bud! This is easily one of the most useful scripts for @RMerlin’s firmware. Thanks for all of the hard work and tireless efforts!

 

[menaceinc]

Yes, both Skynet itsself and the banmalware function have an autoupdate feature. Re-run the install command to configure it.

Thanks!

The latest update seemed to cause problem of displaying "Your Story". If I disabled Skynet, Instagram is fine.

ps. my previous problem was resolved after last 2 updates.

 

[Adamm]

Thanks!

The latest update seemed to cause problem of displaying "Your Story". If I disabled Skynet, Instagram is fine.

ps. my previous problem was resolved after last 2 updates.

These banmalware lists are dynamic so the content from them will change daily, sometimes that may mean false positives are incorrrctly added and/or discovered in removed. When you run into future issues follow the following steps.

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and unban) anything incorrectly on your Blacklist!

1.) Enable Debug Mode via the installer

sh /jffs/scripts/firewall install

2.) Open the blocked application/website and use the command;

sh /jffs/scripts/firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if its being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;

DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault.

https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great we have confirmed we found the IP of the blocked website/application we are looking for, lets whitelist it!

sh /jffs/scripts/firewall whitelist ip 175.115.37.52

 

[thelonelycoder]

BTW @Adamm nvram get productid is not always the Router Model.

My RT-AC1900P runs on RT-AC68U firmware and is reported as such in Skynet.
But this is not correct. In AB-Solution I use this code to display the correct router model:

[ -z "$(nvram get odmpid)" ] && routerName=$(nvram get productid) || routerName=$(nvram get odmpid)

odmpid is empty for non SKU models, while the others have it, like my BestBuy's RT-AC1900P.

 

[Adamm]

BTW @Adamm nvram get productid is not always the Router Model.

My RT-AC1900P runs on RT-AC68U firmware and is reported as such in Skynet.
But this is not correct. In AB-Solution I use this code to display the correct router model:

[ -z "$(nvram get odmpid)" ] && routerName=$(nvram get productid) || routerName=$(nvram get odmpid)

odmpid is empty for non SKU models, while the others have it, like my BestBuy's RT-AC1900P.

Thanks for pointing that out, I've pushed the changes accordingly.

 

[thelonelycoder]

Thanks for pointing that out, I've pushed the changes accordingly.

Tested and works, thanks.

 

[teknowiz]

I was having issues updating a app that relays on github and tracked issue to Skynet blocking outbound ssl connection to github.It appears github ip address is being blocked for some reason on one of the default malware ban lists.

Possible CIDR Matches;
https://iplists.firehol.org/files/firehol_le
vel3.netset - 192.30.253.112/31

 

[Adamm]

I was having issues updating a app that relays on github and tracked issue to Skynet blocking outbound ssl connection to github.It appears github ip address is being blocked for some reason on one of the default malware ban lists.

Possible CIDR Matches;
https://iplists.firehol.org/files/firehol_le
vel3.netset - 192.30.253.112/31

Thanks for pointing this out. I assume there at some point recently was malware using the github API which caused part of their IP block to be blacklisted. I've added "192.30.252.0/22" (192.30.252.0 - 192.30.255.255) which is all owned by GitHub to the default whitelist in the latest update.

 

[teknowiz]

Thanks for pointing this out. I assume there at some point recently was malware using the github API which caused part of their IP block to be blacklisted. I've added "192.30.252.0/22" (192.30.252.0 - 192.30.255.255) which is all owned by GitHub to the default whitelist in the latest update.

Thanks for the quick fix. Updated Skynet and it seems to work fine now.

 

[teknowiz]

Running into another issue today with IP address 172.217.1.4 being blocked for some reason. This IP address is for gmail mobile website and when searching stats I can’t find it listed on malware list or auto bans.

 

[Adamm]

Running into another issue today with IP address 172.217.1.4 being blocked for some reason. This IP address is for gmail mobile website and when searching stats I can’t find it listed on malware list or auto bans.

Are you sure that Skynet is whats blocking it? Every time Skynet blocks anything it will be posted to the syslog (if debug mode is on).

And if you are sure, please post the corresponding logs.

 

[teknowiz]

Are you sure that Skynet is whats blocking it? Every time Skynet blocks anything it will be posted to the syslog (if debug mode is on).

And if you are sure, please post the corresponding logs.

Definetly seems to be Skynet as debug log was showing the IP being blocked but searching malware and autoban list showed no results. Also tested by temp disabling Skynet and site worked fine after that. Also attempt to force update Skynet incase of issues but same result. Seems 172.217.2.100 also being blocked so perhaps issue impacting all IP on 172.217.XXX.XXX range. Will post debug log when I get home.

 

[Adamm]

Definetly seems to be Skynet as debug log was showing the IP being blocked but searching malware and autoban list showed no results. Also tested by temp disabling Skynet and site worked fine after that. Also attempt to force update Skynet incase of issues but same result. Seems 172.217.2.100 also being blocked so perhaps issue impacting all IP on 172.217.XXX.XXX range. Will post debug log when I get home.

The following command will tell you if an IP is banned (even if its part of a CIDR range not just the specific IP)

sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

 

[pattiri]

sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

I think this is one of the most useful commands of Skynet about troubleshooting so maybe it would be better to add this line into the "Usage" part of the #1 entry of this topic. Somewhere that everyone can see it easily