Skynet Skynet - Router Firewall & Security Enhancements

[visortgw]

Now I get it. I thought those were the resolved url's that the connections originated from or were going to. It's telling me to use those websites to look up more info on these addresses then....

Exactly!

 

[tomsk]

Cant say I use syslog-ng myself, but the issue sounds like its with syslog-ng not Skynet. We access the file in a very standard way so I have a hard time seeing a point of failure on our end.

Hi Adamm

prior to installing Skynet the symbolic links were working

lrwxrwxrwx    1 tOmsK  root            25 Jul 24 08:14 syslog.log -> /opt/var/log/messages.log
lrwxrwxrwx    1 tOmsK  root            27 Jul 24 08:14 syslog.log-1 -> /opt/var/log/messages.log-1

after installing Skynet the links were gone

-rw-------    1 tOmsK root        396995 Jul 24 09:01 syslog.log
-rw-rw-rw-    1 tOmsk root       1005323 Jul 24 09:01 syslog.log-1

I dont see any code in Skynet which is responsible for this on its own, but is it invoking another process which might be causing this to happen?

 

[DonnyJohnny]

I see 300 to 500 scans per hour from the people running scripts trying to find an opening. Welcome to the modern internet. Thank Skynet for the protection it provides!

I even have like 1-2k per hour some time back. So excessive that I have to disable log. Hahaha. My country are prone to scanning for vulnerabilities and attacks.
In any case, internet noise is very common and with so many unsecured IoT in the market. It will get worse.
Just Ensure do not open unnecessary service to the WAN, example, https over Wan, FTP, ssh, telnet, webserver. Etc.

 

[Adamm]

Hi Adamm

prior to installing Skynet the symbolic links were working

The minimal sed binary doesn't play nice with symbolic links, I believe this is more of an issue with syslog-ng's design as it replaces your syslog with a symbolic link. Skynet modifys the syslog in every function using sed. There is unfortunately no avoiding it.

 

[deddc23efb]

I know you guys dont like to hear this stuff, but I once again spent an hour chasing down a shopify based website that Skynet was blocking. It's not technically Skynet's fault, but the reliance on uncurated lists of IPs makes this tool too delicate. I'm going to turn it off.

 

[Tekneek]

I know you guys dont like to hear this stuff, but I once again spent an hour chasing down a shopify based website that Skynet was blocking. It's not technically Skynet's fault, but the reliance on uncurated lists of IPs makes this tool too delicate. I'm going to turn it off.

You could look up Shopify's IP ranges and whitelist them, but do what makes sense for you.

 

[agilani]

So is there any kind of threat assessment or analytical software packages that can build reports based on log data pulled from Skynet? It would be quite useful to see a day, week or month at-a-glance to see trends, highlight abnormal activity, or allow one to dig deeper into a specific event or set alerts for trigger events. Skynet is already doing the work, just looking for the analytical side.

you can use graylog or elk stack. you'd need to enable full traffic logging, forward the logs to the elk or graylog listener and create a custom log parser, then generate custom reports

 

[agilani]

I know you guys dont like to hear this stuff, but I once again spent an hour chasing down a shopify based website that Skynet was blocking. It's not technically Skynet's fault, but the reliance on uncurated lists of IPs makes this tool too delicate. I'm going to turn it off.

It shouldn't take an hour to look at the syslog output and see what is being blocked and add it to the whitelist....

Also mom and pop e-commerce websites are notorious for not being patched and they get popped. I don't know that i would consider that a false positive.

 

[JaimeZX]

Here's a good one. I have Skynet blocking all Russian IPs. But DNSCrypt sometimes uses Adgard DNS.... hosted in Russia. Which confuses the $#¡+ out of Alexa.

Am I better off pulling Adgard out of DNSCrypt or whitelisting it in Skynet?

Edit: Hm. Okay, so I see Adguard is an Anycast DNS. Still... I guess it's annoying when Anycast wants to route the DNS query through a blocked IP. Since I can't see how the router handles blocked DNS requests, not sure how to fix it.

 

[tomsk]

The minimal sed binary doesn't play nice with symbolic links, I believe this is more of an issue with syslog-ng's design as it replaces your syslog with a symbolic link. Skynet modifys the syslog in every function using sed. There is unfortunately no avoiding it.

Thanks Adamm.... that seems to be the issue. I replaced all the paths to the original syslog locations with the paths to the actual syslog-ng logs and it all seems to be working now.

 

[DonnyJohnny]

Here's a good one. I have Skynet blocking all Russian IPs. But DNSCrypt sometimes uses Adgard DNS.... hosted in Russia. Which confuses the $#¡+ out of Alexa.

Am I better off pulling Adgard out of DNSCrypt or whitelisting it in Skynet?

Edit: Hm. Okay, so I see Adguard is an Anycast DNS. Still... I guess it's annoying when Anycast wants to route the DNS query through a blocked IP. Since I can't see how the router handles blocked DNS requests, not sure how to fix it.

Why would you want to use adguard dns when we have a better ad block solution from ab-solution?
You would notice Russia have like 8702 ip blocks. I would safety say it is in the TOP 5 ip owners. Mean there is likely a lot of stuff hosted using their servers. Even we know USA, Brazil, China, Russia, UK are the biggest culprit for attacks but we can’t really block them due to the sheers numbers of ip they own and host.
In most cases, the Skynet banmalware list is good enough and our router firewall will down off invalid queries.
If really there is a real ddos, our noob router definitely can’t take the beat. Lol. Who in the first place want to ddos you. Hahaha.

 

[bearever]

Why would you want to use adguard dns when we have a better ad block solution from ab-solution?
You would notice Russia have like 8702 ip blocks. I would safety say it is in the TOP 5 ip owners. Mean there is likely a lot of stuff hosted using their servers. Even we know USA, Brazil, China, Russia, UK are the biggest culprit for attacks but we can’t really block them due to the sheers numbers of ip they own and host.
In most cases, the Skynet banmalware list is good enough and our router firewall will down off invalid queries.
If really there is a real ddos, our noob router definitely can’t take the beat. Lol. Who in the first place want to ddos you. Hahaha.

In my case I use Adguard DNS as it allows me to specify which devices to have ad block protection easier through DNS filtering. I only need to have basic Ad block protection for my family’s PCs but not Apple TVs and gaming console.

Ab-Solution did not work well with smartdns and I was having issues streaming with some of the streaming services.



Sent from my iPhone using Tapatalk Pro

 

[johnathonm]

Hi everyone,

I hope you are well. I was wondering if anyone knew the CIDR's for apple and it's various stores/cdn's. Skynet seems to keep blacklisting apple ip's and I don't know what is what to add to the blacklist. I also can't find a clear list on the web.

Adamm, if you do read this, I have also had skynet blacklist DNS servers when using the all-servers command in dnsmasq. I had to manually remove the dns servers from the blacklist and whitelist them.

Thanks in advance.

Johnathon

 

[agilani]

Hi everyone,

I hope you are well. I was wondering if anyone knew the CIDR's for apple and it's various stores/cdn's. Skynet seems to keep blacklisting apple ip's and I don't know what is what to add to the blacklist. I also can't find a clear list on the web.

Adamm, if you do read this, I have also had skynet blacklist DNS servers when using the all-servers command in dnsmasq. I had to manually remove the dns servers from the blacklist and whitelist them.

Thanks in advance.

Johnathon

find the ip that is being blocked outbound, do a whois lookup for it to find its subnet mask and verify that it is a legitimate address you want to communicate with. Whitelist the whole range. I did that for the apple face-time subnets that were blacklisted.

For example, i saw the following address blocked by skynet in sysylog 17.173.254.223

Jul 18 19:12:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=14091 PROTO=UDP SPT=16403 DPT=16386 LEN=24

whois shows this belongs to apple in cupertino and the address is part of the following CIDR
https://www.abuseipdb.com/whois/17.173.254.223
NetRange: 17.0.0.0 - 17.255.255.255
CIDR: 17.0.0.0/8

whitelist the entire range in skynet

 

[JaimeZX]

Why would you want to use adguard dns when we have a better ad block solution from ab-solution?
You would notice Russia have like 8702 ip blocks. I would safety say it is in the TOP 5 ip owners. Mean there is likely a lot of stuff hosted using their servers. Even we know USA, Brazil, China, Russia, UK are the biggest culprit for attacks but we can’t really block them due to the sheers numbers of ip they own and host.
In most cases, the Skynet banmalware list is good enough and our router firewall will down off invalid queries.
If really there is a real ddos, our noob router definitely can’t take the beat. Lol. Who in the first place want to ddos you. Hahaha.

I'd be blocking *.China too, if I didn't have Chinese in-laws that do all kinds of browsing when they visit. I might sit down and try to whitelist all the servers they use when they're here but I dunno how big of a chore that'd be. (WeChat > Tencent so that's worthless, then whatever news they read...)

I just picked the Adguard because it seemed like a good idea at the time. I re-did the DNSCrypt rules to pick "top half." Hopefully fewer issues now; I haven't had enough time pass yet to see if there's a big change.

 

[spiff`]

find the ip that is being blocked outbound, do a whois lookup for it to find its subnet mask and verify that it is a legitimate address you want to communicate with. Whitelist the whole range. I did that for the apple face-time subnets that were blacklisted.

For example, i saw the following address blocked by skynet in sysylog 17.173.254.223

Jul 18 19:12:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=14091 PROTO=UDP SPT=16403 DPT=16386 LEN=24

whois shows this belongs to apple in cupertino and the address is part of the following CIDR
https://www.abuseipdb.com/whois/17.173.254.223
NetRange: 17.0.0.0 - 17.255.255.255
CIDR: 17.0.0.0/8

whitelist the entire range in skynet

I had the same thing happening where a Ipad was doing a keep alive check back into apple for something, but being blocked. Didn't effect functionality that I was aware of though.

 

[jamesnmandy]

My daughter's ipod and iPhone are constantly sending packets to Apple and they are blocked by Skynet. But she hasn't mentioned any features not working so I've left it as is.

I had the same thing happening where a Ipad was doing a keep alive check back into apple for something, but being blocked. Didn't effect functionality that I was aware of though.

 

[agilani]

My daughter's ipod and iPhone are constantly sending packets to Apple and they are blocked by Skynet. But she hasn't mentioned any features not working so I've left it as is.

Looks like its mostly facetime. Probably won't get or receive facetime notifications or calls.

 

[jamesnmandy]

That's what I thought but they were using FaceTime all day today with no major issues she said.

Looks like its mostly facetime. Probably won't get or receive facetime notifications or calls.

 

[johnathonm]

Adamm,

I have to say that skynet is really going overboard in it's bans over the course of its current revisions. I repeatedly blocks my DNS servers, even though I have them whitelisted because I am using the all-servers flag and then today it decided to block the ENTIRE european union domain range. Is it possible to not have the program black an ip address if it's whitelisted and, furthermore, instead of knocking out whole CIDR's just block the IP's that are hitting the router? It has done this now with Apple repeatedly, even though it was whitelisted and it continues to do it. I love the concept of what you're doing but right now it's got its aggressiveness set to over 9000, become selfaware and is on its way to launching a nuclear strike against russia to trigger judgement day.

I don't know what else to do but I will have to abandon skynet with it having this level of aggressiveness.

Any help, guidance, config tweaks would be appreciated.

Thank you,

J