Skynet Skynet - Router Firewall & Security Enhancements

[popxunga]

We don't have to re-enable after upgrading either, correct?
(just making sure)

Read the post #2693.
Edit: for reboot.

 

[Mojolacerator]

Read the post #2693.
Edit: for reboot.

Perhaps my wording was too vague, my apologies.

"We don't have to re-enable after upgrading Skynet either, correct?
(just making sure)"

 

[popxunga]

Perhaps my wording was too vague, my apologies.

"We don't have to re-enable after upgrading Skynet either, correct?
(just making sure)"

Nope... Your wording was OK.
I misread it... sorry for that; thus my edit.
I presume that the feature will persist across upgrades. However I can't confirm as I'm not a Skynet user ... yet
Better wait for confirmation.

 

[Mojolacerator]

You REALLY should give Skynet a try....................

 

[popxunga]

You REALLY should give Skynet a try....................

And I will very soon. Thanks.

 

[skeal]

@Adamm You keep out doing yourself. This is already an excellent script and adding these things to it make life for all of us a whole lot better! Secure your router with Skynet people!!

 

[Adamm]

Is it possible to allow specific exceptions?

I would like to allow SSH on WAN via keys only, but prevent password based access (SSH, WebUI).

Not at this time, honestly there's no good reason not to use a VPN tunnel for remote access anyway.

 

[dvohwinkel]

@Adamm would it be possible for you to add in some basic checks like if the language of the router changed? and maybe some other settings that would indicate if your router got hacked?

And an email notification if suspicious changes were made.

 

[goatdog]

Ok, I am getting this strange condition... not really but I can't block this particular IP because.... might be a bug...
This IP entry seems to some how exist in skynet entries both white list and blacklist but I can't find it anywhere. except in the manual ipset....

34.236.254.103 is in set Skynet-Whitelist.
34.236.254.103 is in set Skynet-Blacklist.


34.236.254.103
===============
admin@somegoatGate:/tmp/mnt/sda1/skynet# cat skynet.ipset | grep -i 34.236.254.103
add Skynet-Blacklist 34.236.254.103 comment "ManualBan: malware"
=========================
Input IP To Ban:

[IP]: 34.236.254.103

Input Comment For Ban:

[Comment]: ban

Banning 34.236.254.103
ipset v6.32: Element cannot be added to the set: it's already added
Saving Changes

Skynet: [Complete] 107114 IPs / 1675 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 473 Inbound /
112 Outbound Connections Blocked! [ban] [6s]
========================


[1-7]: 4

Remove From Whitelist:
[1] --> All Non-Default Entries
[2] --> IP/Range
[3] --> Entries Matching Comment

[1-3]: 2

Input IP Or Range To Remove:

[IP/Range]: 34.236.254.103

Removing 34.236.254.103 From Whitelist
ipset v6.32: Element cannot be deleted from the set: it's not added
Saving Changes

================================================
Debug Data Detected in /tmp/mnt/sda1/skynet/skynet.log - 2.6M
Monitoring From May 29 23:05:36 To Jun 1 13:42:29
9965 Block Events Detected
1538 Unique IPs
0 Autobans Issued
4 Manual Bans Issued

34.236.254.103 is in set Skynet-Whitelist.
34.236.254.103 is in set Skynet-Blacklist.
34.236.254.103 is NOT in set Skynet-BlockedRanges.

Whitelist Reason;

Blacklist Reason;
"ManualBan: malware"


34.236.254.103 First Tracked On
34.236.254.103 Last Tracked On
0 Blocks Total
==========================================
PING 34.236.254.103 (34.236.254.103): 56 data bytes
64 bytes from 34.236.254.103: seq=0 ttl=44 time=15.336 ms
64 bytes from 34.236.254.103: seq=1 ttl=44 time=15.330 ms
64 bytes from 34.236.254.103: seq=2 ttl=44 time=16.736 ms
64 bytes from 34.236.254.103: seq=3 ttl=44 time=16.472 ms

 

[Adamm]

Ok, I am getting this strange condition... not really but I can't block this particular IP because.... might be a bug...
This IP entry seems to some how exist in skynet entries both white list and blacklist but I can't find it anywhere. except in the manual ipset....

34.236.254.103 is in set Skynet-Whitelist.
34.236.254.103 is in set Skynet-Blacklist.


34.236.254.103
===============
admin@somegoatGate:/tmp/mnt/sda1/skynet# cat skynet.ipset | grep -i 34.236.254.103
add Skynet-Blacklist 34.236.254.103 comment "ManualBan: malware"
=========================
Input IP To Ban:

[IP]: 34.236.254.103

Input Comment For Ban:

[Comment]: ban

Banning 34.236.254.103
ipset v6.32: Element cannot be added to the set: it's already added
Saving Changes

Skynet: [Complete] 107114 IPs / 1675 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 473 Inbound /
112 Outbound Connections Blocked! [ban] [6s]
========================


[1-7]: 4

Remove From Whitelist:
[1] --> All Non-Default Entries
[2] --> IP/Range
[3] --> Entries Matching Comment

[1-3]: 2

Input IP Or Range To Remove:

[IP/Range]: 34.236.254.103

Removing 34.236.254.103 From Whitelist
ipset v6.32: Element cannot be deleted from the set: it's not added
Saving Changes

================================================
Debug Data Detected in /tmp/mnt/sda1/skynet/skynet.log - 2.6M
Monitoring From May 29 23:05:36 To Jun 1 13:42:29
9965 Block Events Detected
1538 Unique IPs
0 Autobans Issued
4 Manual Bans Issued

34.236.254.103 is in set Skynet-Whitelist.
34.236.254.103 is in set Skynet-Blacklist.
34.236.254.103 is NOT in set Skynet-BlockedRanges.

Whitelist Reason;

Blacklist Reason;
"ManualBan: malware"


34.236.254.103 First Tracked On
34.236.254.103 Last Tracked On
0 Blocks Total
==========================================
PING 34.236.254.103 (34.236.254.103): 56 data bytes
64 bytes from 34.236.254.103: seq=0 ttl=44 time=15.336 ms
64 bytes from 34.236.254.103: seq=1 ttl=44 time=15.330 ms
64 bytes from 34.236.254.103: seq=2 ttl=44 time=16.736 ms
64 bytes from 34.236.254.103: seq=3 ttl=44 time=16.472 ms

Its because the entry is covered by a very large CIDR range in the Amazon CDN whitelist, which without a stupid amount of code is hard to calculate in bash;

34.224.0.0/12 comment "CDN-Whitelist"

 

[Adamm]

@Adamm would it be possible for you to add in some basic checks like if the language of the router changed? and maybe some other settings that would indicate if your router got hacked?

And an email notification if suspicious changes were made.

I considered it but the language being changed to Korean(?) alone isn't enough to detect anything suspicious going on, it would also be a hassle for anyone who uses that language legitimately.

 

[goatdog]

Its because the entry is covered by a very large CIDR range in the Amazon CDN whitelist, which without a stupid amount of code is hard to calculate in bash;

34.224.0.0/12 comment "CDN-Whitelist"

Thanks for the quick reply. and explanation. So if a malware server lived within those amazon ips , skynet won't be able to block it right?

 

[Adamm]

Thanks for the quick reply. and explanation. So if a malware server lived within those amazon ips , skynet won't be able to block it right?

Skynet whitelists some major CDN providers to prevent false positives, so in this case yes that’s correct.

 

[dvohwinkel]

I considered it but the language being changed to Korean(?) alone isn't enough to detect anything suspicious going on, it would also be a hassle for anyone who uses that language legitimately.

I was thinking more that the first time it ran it would set the language to watch for.. or maybe you could have an option that would set the current language. Then it would notice if that language was changed and if so just send you an email alert to that fact.. but I also worry that this is a bit of feature creep for a firewall program and not the unix way of a program that does one thing and one thing REALLY well.

 

[jasonho]

Will skynet work with asus airprotection?
I check with the log from firewall, i see many block reocrd, but the autoban list is empty, is it correct?

 

[DonnyJohnny]

Will skynet work with asus airprotection?
I check with the log from firewall, i see many block reocrd, but the autoban list is empty, is it correct?

It compliment each other. No conflict. Aiprotection is blocking based on signature from trendmicro when Skynet got its ip list from firehol which compiled from many reputable source.

And now after 6.2.2, those ip blocked by ai protection will be able to add into Skynet blacklist if the function is enable under Debug option.

Autoban function is auto adding of ip to ban list that is sending very frequent invalid packet within certain period of time. What ever the case, invalid packet are default dropped even when it is not in ban list. So no worry.

 

[xtropodx]

All that's required is a USB drive that's at-least 500MB, After downloading it just works.
After installation (or reboot) you should see output similar the following indicating the script is working.

Mar 19 23:39:16 Skynet: [INFO] Startup Initiated... ( skynetloc=/tmp/mnt/Elements/skynet )
Mar 19 23:39:36 Skynet: [Complete] 105668 IPs / 1489 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [20s]

At the risk of sounding daft, is this all that's needed? Because I don't see this section anywhere. I see references to skynet, but nothing that states it's started or initiated. Is there a way to check to make sure it is working, say a week or month later?

Thanks.

 

[Adamm]

At the risk of sounding daft, is this all that's needed? Because I don't see this section anywhere. I see references to skynet, but nothing that states it's started or initiated. Is there a way to check to make sure it is working, say a week or month later?

Thanks.

If you went through the installer all should be working, you can confirm with the following command.

sh /jffs/scripts/firewall debug info

If all tests pass, Skynet is working.

 

[jasonho]

It compliment each other. No conflict. Aiprotection is blocking based on signature from trendmicro when Skynet got its ip list from firehol which compiled from many reputable source.

And now after 6.2.2, those ip blocked by ai protection will be able to add into Skynet blacklist if the function is enable under Debug option.

Autoban function is auto adding of ip to ban list that is sending very frequent invalid packet within certain period of time. What ever the case, invalid packet are default dropped even when it is not in ban list. So no worry.

Thanks for your clear explanation

 

[xtropodx]

If you went through the installer all should be working, you can confirm with the following command.

sh /jffs/scripts/firewall debug info

If all tests pass, Skynet is working.

Firstly, thank you. Finally got it working. As a first time user, may I suggest...

Perhaps a check or prompt in the installation process that the "Enable JFFS custom scripts and configs" setting is on first before rebooting the router, if that's even possible? Not knowing what I was doing & missing this minor setting caused me no end of grief trying to get all this to even initiate, let alone work. See attached for what I mean (first 2 goes managed to install & router rebooted but then router refused to connect to internet despite repeated reboots).

On side note: is there a way to reset the SWAP file?

Thanks