
Skynet - Router Firewall & Security Enhancements


Adamm, what does this banmalware do? I forgot to ask.

It downloads a bunch of reputation lists from credible security companies and blocks the IPs. This blocks a lot of known scanners, malware and other shady traffic on the internet.
 
Adamm, I have run banmalware and Paladins still can't log in to the servers. When I disable Skynet, Paladins works and logs in to the servers without problems. Any other advice, please?
 
You would need to run Paladins while Skynet is in debug mode and see for yourself which IP was blocked, and you may want to verify the blocked IP via AlienVault. After that, whitelist it if needed.

How?
https://github.com/Adamm00/IPSet_ASUS/wiki#applicationexe-or-websitecom-is-blocked
 
Just for the many Skynet lovers to know... Skynet by Adamm is just a tool that makes use of FireHOL ipsets consolidated from various reputable sources. If you have a serious issue with websites or applications being blocked by the banmalware list, please reason out your finding that it is a false positive and submit it to the site below for follow-up.

https://github.com/firehol/blocklist-ipsets/issues
 
I found the IP that was blocked. I have added IP 50.7.12.245 for Paladins and it works now. I have added a new issue at the link above.
Thanks for the help.
Regards
 
FWIW as posted here, I was having tons of real false positive issues for a while (and by 'real false positives' I mean sites that would appear but then be cleared off the lists very quickly - often by the time you go to check it the site isn't listed anymore...) but it seems this isn't quite as bad lately. I don't know if that is because one or two of the lists that weren't so great have improved their screening or updates or what, but it seems like a notable difference. Also, using the 'whitelist domain' function of the script has been very helpful when one still pops up... I wrote a few scripts myself to go find the most recent bans, look up the domain name, etc. and try to figure out if one or another of the lists was the one causing poor results, but at this point when I get a complaint I just whitelist-domain the host and it does the job.
 
Figured it out, in Putty right click>paste

Using Putty to install Skynet, but for some strange reason I cannot copy and paste the Skynet install string into Putty. I can paste elsewhere. Tried everything I can think of. Never had this issue before. Any ideas?
 
Code:
grep: /jffs/scripts/firewall-start: No such file or directory
grep: /jffs/scripts/firewall-start: No such file or directory
grep: /jffs/scripts/firewall-start: No such file or directory
Installing Skynet v6.0.4

Looking For Available Partitions...
[1]  --> /tmp/mnt/ABSolution - (/dev/sda1)
[2]  --> /tmp/mnt/ENTWARE - (/dev/sda2)

Please Enter Partition Number Or e To Exit
[0-2]:

Novice here...received above error upon trying to install Skynet. Don't see any docs to get me past this issue.
thanks
 
You can safely ignore that error and continue with installation. Simple oversight on my behalf that I forgot to silence.
 
Having a bizarre problem that I can't track down.

The problem is 100% reproducible, but only when Skynet is running. Disable Skynet (via menu option "Temporarily Disable Skynet") and the problem disappears. Restart Skynet and the problem comes back.

Following the log (menu 11, 2, 1) shows nothing being blocked when the problem occurs. So it seems nothing is being blocked, BUT the problem doesn't occur when Skynet is disabled. ??? Looking at stats ("Firewall Stats"), there are no devices listed under "Top 10 Blocked Devices (Outbound)".

The problem is with an Amazon Echo device playing the news briefing. The briefing begins normally, then stops after about 5 seconds. Try again, same thing -- stops after about 5 seconds. Disable Skynet, it works fine. Restart Skynet, start the briefing and it quits after 5 seconds.

Is there anything else Skynet is doing with iptables that might explain this? It looks to me like the iptables rules log everything that is blocked, yet I'm seeing nothing logged when the problem is reproduced.

What else can I do to track this down?

EDIT: I tried repeatedly running ' netstat-nat -r state -x -s "device_name" ' and each time the failure occurs I see a connection to one of various Amazon servers in SYN_SENT state. Not sure if that is meaningful or not, but makes it look like the connection request is not getting out (or acknowledgement isn't coming back). Again, this only happens when Skynet is active.
 
The only thing I can suggest is to follow this guide. Skynet when in debug mode will always print when a connection is blocked, there is never an exception to this rule. So if it is Skynet blocking something, it will be logged.
 
Thanks, Adamm. I've used the guide before to successfully find/fix blocks, so I understand the process. It just isn't reporting anything as blocked when this happens.

I agree, looking at the iptables rules Skynet inserts -- anything blocked should also get reported. But watching the log shows nothing when I reproduce the problem. And the problem is 100% consistent -- it always fails when Skynet is active, but always works when I disable Skynet. I even removed all the blocks and bans (including banmalware) -- and the problem still occurs with Skynet active, but not with it disabled. And it occurs whether debug logging is on or off.

With Skynet active, the streaming stops abruptly at about 5 seconds. Doing nothing else but "9-Temporarily Disable Skynet", the problem is gone and everything works consistently, time after time. Then doing nothing else but "8-Restart Skynet", the problem comes back immediately. Debug output shows nothing blocked.

Since nothing shows up in debug output, it makes me think there is something more obscure happening (i.e., a bug) in iptables. It really seems like a connection is being closed prematurely -- i.e., the content begins streaming, then abruptly stops at about 5 seconds. But only when Skynet is active, so it has to be related to the rules Skynet adds interacting with how the Amazon device opens/closes/reopens its streaming content connections. I just don't know enough about iptables to track it down.

----EDIT----
I removed all bans, so Skynet reports thus:
0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked!

The problem still occurs when Skynet is active, even with 0 blocks defined. After using "9-Temporarily Disable", the problem disappears. It comes back as soon as Skynet is restarted. No debug output at all when the problem occurs.
 
Do an
iptables -Z (zeros the counters)
then
iptables -nvL (after the problem and see if you can identify which rule is firing)

EDIT:
@Adamm is there a special table he should look at?
 
Either the second or fourth rule in the raw table (although this would also cross over to the syslog entries if there were hits).

iptables --line -t raw -vnL

Code:
admin@RT-AC86U-2EE8:/tmp/home/root# iptables --line -t raw -vnL
Chain PREROUTING (policy ACCEPT 1033K packets, 349M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      245 16499 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
2      245 16499 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst
3     1685 79859 LOG        all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
4     1685 79859 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src
 
I'd also check the default filter table. One thought I had is that Skynet may somehow be fighting with the ASUS 'Protection Server' code (which is now closed source).
 
Ok... I deleted all blocking rules from Skynet, but have it active:
Code:
Router Model; RT-AC88U
Skynet Version; v6.0.4 (23/03/2018)
iptables v1.4.14 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 380.69_0 (Dec 11 2017) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/ASUS/skynet (13.3G / 14.4G Space Available)
SWAP File; /tmp/mnt/ASUS/myswap.swp (256.3M)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/ASUS/skynet

0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked!

Next, I did an iptables -Z to zero counters.

Then I reproduced the problem several times, running "iptables -nvL" (per John's tip) to see what counters (if any) were incrementing. Finally, I ran "iptables --line -t raw -vnL" per Adamm's instruction.

The "iptables -nvL" identifies some entries added to the "logdrop" chain by Skynet being incremented each time the problem occurs:
Code:
Chain logdrop (8 references)
 pkts bytes target     prot opt in     out     source               destination        
   33  5640 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Skynet-Whitelist src
    3   124 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport sports 80,443,143,993,110,995,25,465 state INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x19
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x11
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x04
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x14
    3   124            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            recent: SET name: TRACKINVALID side: source
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID recent: UPDATE seconds: 300 hit_count: 2 name: TRACKINVALID side: source LOG flags 7 level 4 prefix "[BLOCKED - NEW BAN] "
    0     0 SET        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID recent: UPDATE seconds: 300 hit_count: 2 name: TRACKINVALID side: source add-set Skynet-Master src
    3   124 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

The output from "iptables --line -t raw -vnL" after all that was:
Code:
admin@ASUS88U:/tmp/mnt/ASUS# iptables --line -t raw -vnL
Chain PREROUTING (policy ACCEPT 64696 packets, 80M bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
2        0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst
3        0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
4        0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src

All way beyond my understanding of iptables.... All help appreciated!
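
The counter check suggested in this thread (zero with `iptables -Z`, reproduce the fault, then read `iptables -nvL`) can be narrowed to just the rules that actually fired. The script below is an added example, not part of any post in the thread or of Skynet itself; the function name `hot_rules` and its output format are made up here, and the embedded sample is an excerpt of the logdrop output posted above.

```shell
#!/bin/sh
# Added example. Reads `iptables -nvL` output on stdin and prints only the
# rules whose packet counter is non-zero. Optional $1 filters by target.
hot_rules() {
    awk -v want="$1" '
    # iptables -v abbreviates large counters with K/M/G (powers of 1000).
    function expand(n,   u, v) {
        u = substr(n, length(n)); v = substr(n, 1, length(n) - 1)
        if (u == "K") return v * 1000
        if (u == "M") return v * 1000000
        if (u == "G") return v * 1000000000
        return n + 0
    }
    $1 == "Chain" { chain = $2; next }
    $1 == "num"   { off = 1; next }   # header when --line was used
    $1 == "pkts"  { off = 0; next }   # header without rule numbers
    NF < 8        { next }            # blank or truncated line
    {
        pkts = expand($(1 + off))
        if (pkts == 0) next
        # A rule with no -j has an empty target column, so every field
        # shifts left by one; the "--" opt column reveals the shift.
        if ($(4 + off) == "--") { target = "-"; first = 9 + off }
        else                    { target = $(3 + off); first = 10 + off }
        if (want != "" && target != want) next
        line = sprintf("%s %s pkts=%d in=%s", chain, target, pkts, $(first - 4))
        for (i = first; i <= NF; i++) line = line " " $i
        print line
    }'
}

# Excerpt of the logdrop chain output posted above.
sample_logdrop() {
    cat <<'EOF'
Chain logdrop (8 references)
 pkts bytes target     prot opt in     out     source               destination
   33  5640 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Skynet-Whitelist src
    3   124 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport sports 80,443,143,993,110,995,25,465 state INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    3   124            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            recent: SET name: TRACKINVALID side: source
    3   124 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# On the router: iptables -Z; reproduce the fault; iptables -nvL | hot_rules DROP
sample_logdrop | hot_rules DROP
```

On the posted sample this leaves two DROP rules with matching counts of 3 packets: the `state INVALID` rule on eth0 and the chain's final catch-all DROP, neither of which carries a LOG prefix.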
 