Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Can you explain again how the purge work?

The 24 entries you are referring to is for the "Completed" logging after a command is executed. The regular entry purge mechanism is only executed after commands being executed or on the hourly cronjob.

Also, is there a way to temporary stop logging certain IP that is currently hitting the router so that the log is more cleaner?

No, if you need to view the a clean syslog for whatever reason just execute any random Skynet command.

 

[DonnyJohnny]

The 24 entries you are referring to is for the "Completed" logging after a command is executed. The regular entry purge mechanism is only executed after commands being executed or on the hourly cronjob.




No, if you need to view the a clean syslog for whatever reason just execute any random Skynet command.

Noted thanks... I remember wrongly.. so it is the hourly purge.
Damn crazy port scanners these days... they scanning the whole CIDR of my country I think or at least my isp. No matter what IP I refreshed, it is still the same ip scanning.

 

[john9527]

The regular entry purge mechanism is only executed after commands being executed or on the hourly cronjob.

You may want to think about a rate limit on the logging. I had to add one on my fork as just running a grc port scan would severely impact the router when logging dropped packets.

 

[DonnyJohnny]

You may want to think about a rate limit on the logging. I had to add one on my fork as just running a grc port scan would severely impact the router when logging dropped packets.

just curious.
most time the CPU for me stay relatively low at 5-6 while updating of banmalware. Normal is like 0.2-0.5
Logging severely impact is how severe? Like 50% CPU or what?

I just wonder how putting rate limit work, will event be temporary keep in memory and log later or dropped from logging (lose of log data)?

 

[john9527]

just curious.
most time the CPU for me stay relatively low at 5-6 while updating of banmalware. Normal is like 0.2-0.5
Logging severely impact is how severe? Like 50% CPU or what?

I just wonder how putting rate limit work, will event be temporary keep in memory and log later or dropped from logging (lose of log data)?

Never looked at the cpu utilization, sorry. Here's the thread, basically it appeared to lock out the httpd server.
https://www.snbforums.com/threads/f...lts-releases-v32e4.18914/page-228#post-287133

The rate limited logs are dropped, so are lost. But the limit I set that resolved the problem was rather high (4/sec) so still plenty to see what is going on.

 

[DonnyJohnny]

Never looked at the cpu utilization, sorry. Here's the thread, basically it appeared to lock out the httpd server.
https://www.snbforums.com/threads/f...lts-releases-v32e4.18914/page-228#post-287133

The rate limited logs are dropped, so are lost. But the limit I set that resolved the problem was rather high (4/sec) so still plenty to see what is going on.

just wondering if increasing the log-async for syslog will helps in i/o being lock down?

but i do agree 4/sec is quite good for normal situation and also to prevent self ddos due to excess logging.

 

[Adamm]

You may want to think about a rate limit on the logging. I had to add one on my fork as just running a grc port scan would severely impact the router when logging dropped packets.

I remember reading your post a few years back but was never able to reproduce it myself. I tried again just now and was still able to max my 100/40 connection. In any case the test only generates 2 entries per second so it would have fallen between your mentioned limit of 4/s. Did you have any specific method of testing that can reproduce this?

 

[john9527]

I remember reading your post a few years back but was never able to reproduce it myself. I tried again just now and was still able to max my 100/40 connection. In any case the test only generates 2 entries per second so it would have fallen between your mentioned limit of 4/s. Did you have any specific method of testing that can reproduce this?

I was using the 'GRC Shields Up - All service ports' test to recreate the problem. At the time, it would just flood the router. Maybe they throttled it since then if they had complaints.

 

[XIII]

I can't access a Squarespace hosted site (macsparky.com), because it's (shared?) IP address is "BanMalware" in the Skynet-Blacklist.

The IP address changes whenever I a perform a nslookup (4 different results in total?).

Do I need to whitelist them all (some are in the blacklist, others not), or is there a smarter way?

 

[skeal]

I can't access a Squarespace hosted site (macsparky.com), because it's (shared?) IP address is "BanMalware" in the Skynet-Blacklist.

The IP address changes whenever I a perform a nslookup (4 different results in total?).

Do I need to whitelist them all (some are in the blacklist, others not), or is there a smarter way?

No I think you can use the ban unban domain feature. You would enter "macsparky.com"

 

[Adamm]

I can't access a Squarespace hosted site (macsparky.com), because it's (shared?) IP address is "BanMalware" in the Skynet-Blacklist.

The IP address changes whenever I a perform a nslookup (4 different results in total?).

Do I need to whitelist them all (some are in the blacklist, others not), or is there a smarter way?

Use the following command, it will handle the heavy lifting.

sh /jffs/scripts/firewall whitelist domain macsparky.com

 

[Adamm]

I've pushed v6.1.4

Maximum log size increased to 10MB
Improve "ban country" function
Show "Invalid" entries under "debug watch"
Don't allow "debug watch" command if debug mode is disabled

Add toggle for Unban_PrivateIP ()
(Skynet by default scans the syslog for dropped entries from local IP's and whitelists them assuming its unintentional. If you don't know what this implies then best to keep it enabled)
sh /jffs/scripts/firewall debug unbanprivate (enable/disable)

Added toggle for invalid packet logging
(Skynet now has the ability in debug mode to not track invalid packets being dropped)
sh /jffs/scripts/firewall debug loginvalid (enable/disable)

 

[noworries]

What is the improvement to the "Ban Country Function?"

 

[Adamm]

What is the improvement to the "Ban Country Function?"

Nothing major, when the command is run rather then always attempting to remove previous country bans, it will check if there are any first (and if there aren't skip that section of the code). It will also display in brackets what country bans its removing.

 

[xtropodx]

UPDATED 07/04/2018

Currently this script only supports ARM/HND Asus Routers with IPSet v6

I'm about to download & look at using this but wanted to clarify this. What exactly does this relate to ie IPv6 ? My router is RT-AC3200 & I have IPv6 but it's disabled because my ISP currently doesn't support IPv6 for its customers. Would this still work if that's the case or is does this relate to something else?

Also if these scripts have an issue of some sort, is it possible to be used as a means to enter a router maliciously ?

Thanks.

 

[Adamm]

I'm about to download & look at using this but wanted to clarify this. What exactly does this relate to ie IPv6 ? My router is RT-AC3200 & I have IPv6 but it's disabled because my ISP currently doesn't support IPv6 for its customers. Would this still work if that's the case or is does this relate to something else?

Also if these scripts have an issue of some sort, is it possible to be used as a means to enter a router maliciously ?

Thanks.

IPSet v6 doesn’t mean IPv6. IPSet is a utility on the router used to store large sets of IP’s efficiently.

As for your second question, Skynets main goal is to block IP’s, it doesn’t give your router any bigger of an attack surface. If anything it keeps you more secure quite considerably via reputation lists from credible providers.

 

[xtropodx]

Ok thanks. How do I find out if the router has this IPSet v6 support then?

 

[Adamm]

Ok thanks. How do I find out if the router has this IPSet v6 support then?

All ARM/HND devices are compatible which yours is.

 

[DonnyJohnny]

@Adamm
Something is wrong with the generation of hourly report using the search function.
No matter 10,20,50,custom. It only give the reading of last hour.



Another question, what is the save function used for. I accidentally execute it. Could this be linked the hourly report being not correctly generated? After saved, where it was saved? How to remove the “saved”?

 

[Adamm]

@Adamm
Something is wrong with the generation of hourly report using the search function.
No matter 10,20,50,custom. It only give the reading of last hour.

The output is correct, your logs were purged at 9pm. There’s a few hour gap without reports, but it looks like you managed to amass 12,000 hits in 8hours so the syslog probably purged itself before Skynet could. Although that amount of hits (compared to my single user results) seems pretty high. By the looks of it your using extra lists, so may be worth investigating what’s list is causing the significiant amount of extra hits and if it’s nessesasy. But at the end of the day that’s user preference, so if it works for you then by all means go for it.

Another question, what is the save function used for. I accidentally execute it. Could this be linked the hourly report being not correctly generated? After saved, where it was saved? How to remove the “saved”?

Nothing to worry about, this just dumps the IPSet data from ram to the physical copy on your USB (skynet.ipset) which Skynet does every hour in a cronjob or commands that modify data.