Skynet - Router Firewall & Security Enhancements

I'll look into adding a special configuration option to specify a custom syslog/syslog-1 location (Skynet only edits syslog to collect its own logs essentially). In my head that should resolve the issue or at least give you a possible way of dealing with it rather than editing the script every time it updates.
If I follow, you aren't just collecting your own logs, you're removing the skynet messages from syslog. That duplicates what syslog-ng is doing. I think it is the destructive sed that might be the issue.
 
Is there a way to keep Skynet from using syslog?

I have my syslog uploading to a syslog server through the GUI and it is now flooded with the logs of Skynet, I know Skynet self manages the syslog file on the router itself but is there a way to have it save this temp data somewhere else, or anyone know a way to keep from sending them to my syslog server? nearly 4000+ posts and searching for log I never saw the answer I was looking for...

Thanks for the great tool btw @Adamm!

EDIT:
Thought I had the answer using filtering on my server, but the QNAP syslog server is pretty poor and can't change the 'then' option, defaulted to send to the log which is pretty dumb imho.

EDIT 2: And later in the evening....

Realized QNAP's server is pretty to look at, but zero customization (basic syslog, not syslog-ng); will look into getting an rsyslog server running and I can do my own filtering.
Install syslog-ng through entware? Then have syslog-ng send the cleaned file to your syslog server?
 

Well, to collect the logs and clean up after ourselves it's unavoidable with stock binaries. I'm not sure exactly how you guys have syslog-ng configured, nor have I ever needed to use it myself, but from the documentation I can make a pretty educated guess.

I have two possible solutions that in theory should work (let me know if I am correct and which is preferable):

1. Specify a setting that will change the default path to /opt/var/log/messages in all syslog instances.

2. Specify a setting allowing a user to specify a custom path. I assume you can configure syslog-ng to dump matching strings into their own file (/opt/var/log/skynet?).

Note we will still be using the inline sed command which will "destroy" symlinks.
 
I think either would work. If you choose door #1, I'll adjust syslog-ng not to bother sorting skynet. If you choose door #2, I would specify either /opt/var/log/messages or .../skynet depending on what I did with syslog.ng.

The only symlink is in /tmp/syslog.log to point the webui back to .../messages.
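Adamm's point about the inline sed "destroying" symlinks, shown as an added shell demonstration (this is not Skynet's code): `sed -i` replaces the path it is given, so a `/tmp/syslog.log` link ends up as a plain file while the real log is untouched, whereas filtering through a temp file and writing back through the link keeps it intact. The log lines are constructed samples, and the `[BLOCKED ...]` prefix is only an assumed stand-in for whatever Skynet writes; the filter keys on the word BLOCKED alone.

```shell
#!/bin/sh
# Added demonstration, not Skynet's own code. All paths live under a
# temporary directory; DIR/messages stands in for /opt/var/log/messages
# and DIR/syslog.log for the /tmp/syslog.log symlink the webui follows.

# make_fixture DIR: create the real log, fill it with a constructed sample
# (two ordinary router lines, two "BLOCKED" lines) and link syslog.log to it.
make_fixture() {
  printf '%s\n' \
    'Jan 14 10:00:01 kernel: eth0 link up' \
    'Jan 14 10:00:02 kernel: [BLOCKED - INBOUND] IN=ppp0 SRC=203.0.113.5' \
    'Jan 14 10:00:03 dnsmasq: started' \
    'Jan 14 10:00:04 kernel: [BLOCKED - OUTBOUND] IN=br0 SRC=192.168.1.20' \
    > "$1/messages"
  ln -s "$1/messages" "$1/syslog.log"
}

# strip_inplace FILE: the destructive variant. sed -i writes a new file and
# renames it over FILE, so when FILE is a symlink the link is replaced by a
# regular file and the log behind it is never modified.
strip_inplace() { sed -i '/BLOCKED/d' "$1"; }

# strip_keep_link FILE: filter into a temp file, then write the result back
# with a redirection. The redirection opens FILE through the symlink and
# truncates/rewrites the real target, so the link survives.
strip_keep_link() {
  tmp=$(mktemp) || return 1
  sed '/BLOCKED/d' "$1" > "$tmp" && cat "$tmp" > "$1"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Helpers used to inspect the result.
is_symlink() { [ -L "$1" ]; }
line_count() { wc -l < "$1" | tr -d ' '; }
```

Both variants rewrite the whole file, so on a log that syslogd is actively appending to they share the same small race; the difference is only whether the link at the given path survives.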
 
I'll look into adding a special configuration option to specify a custom syslog/syslog-1 location (Skynet only edits syslog to collect its own logs essentially). In my head that should resolve the issue or at least give you a possible way of dealing with it rather than editing the script every time it updates.
While I would appreciate not having to edit the script (although of course I have the editing seds scripted), it's not huge (for me), and for now it's as much a learning opportunity as anything else. I also don't want to increase your workload on this unnecessarily. Also, I'm sorry I didn't quite grok your answer, but it sounds like skynet is relying on the information being stripped from syslog to avoid double-counting?
 
So, (2) is just a superset of (1), correct? The specified setting is which file gets scraped? If the user specifies /opt/var/log/messages in (2) that's the same as (1)?

I'm always a fan of not hardcoding stuff. I'd go with (2); someone in the process of getting syslog-ng working right (e.g. me, right now) would initially point it to /opt/var/log/messages, but once they get the sorting figured out they'd point it at the sorted file.
 
I've pushed an update if you (and other syslog-ng users) wouldn't mind testing. No version change yet until I can confirm the feature works as intended.

You can configure it via the following commands (or the respective menu options).

Code:
sh /jffs/scripts/firewall settings syslog /tmp/syslog.log

sh /jffs/scripts/firewall settings syslog1 /tmp/syslog.log-1

Replacing the file path to your custom one.
 
Will do tonight (I'm in California, at work today).
 
Install syslog-ng through entware? Then have syslog-ng send the cleaned file to your syslog server?

Looks like Adamm is testing out alternate log file destinations now.

I actually just got unlazy, found a couple hours and properly configured an rsyslog server on my server, and it is pulling the router syslog now with rules filtering BLOCKED messages out and saving them to a network drive for easy export and sorting in Excel... what I was looking for, just didn't realize how poor the QNAP built-in syslog server was. I'm just a GUI over CLI kinda guy.

Thanks again to everyone's contributions here, especially @RMerlin and @Adamm
 
So now I can specify a custom path to write the syslog directly to my mounted USB drive?
 
Sooooo, what is the difference between syslog.log and syslog.log-1? Is log-1 just Asus' single "rotated" log? I'd rather not go through the disable syslog-ng / re-enable syslogd just to find out. Googling didn't help ...

Right now I'm pointing "syslog.log" at syslog-ng's /opt/var/messages and "syslog.log-1" at the (non-existent) default location.
 
Yes, it's a single rotated log, only created if syslog.log is a regular file.
 
Skynet is working correctly, I guess you missed the error;

Code:
Router Model; RT-AX88U
Skynet Version; v6.6.6 (13/01/2019) (7b9be528df4c0df260c44f6357aec36b)
iptables v1.4.15 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.9_alpha2-g665419b4b (Jan 14 2019) (4.1.51)
Install Dir; /tmp/mnt/Elements/skynet (1022.1G / 1.7T Space Available)
SWAP File; /tmp/mnt/Elements/myswap.swp (512.0M)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/Elements/skynet

143805 IPs (+0) -- 1601 Ranges Banned (+0) || 358 Inbound -- 0 Outbound Connections Blocked!

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Banmalware
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]: 5

Select Where To Import List:
[1]  --> Blacklist
[2]  --> Whitelist

[1-2]: 1

Input URL/Local File To Import:

[File]: https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/p2p/spy.txt

[$] /opt/bin/firewall import blacklist https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/p2p/spy.txt


=============================================================================================================


[i] This Function Extracts All IPs And Adds Them ALL To Blacklist
[i] Remote Custom List Detected: https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/p2p/spy.txt
[*] 404 Error Detected - Stopping Import


These lists are all formatted incorrectly so they fail to import, you need to have 1 IP per line, use one of the default lists as an example;

Code:
https://iplists.firehol.org/files/alienvault_reputation.ipset

I believe the telemetry lists you are referring to are formatted correctly elsewhere on the repo in question;

https://github.com/crazy-max/WindowsSpyBlocker/tree/master/data/firewall
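A pre-import check for the "one IP per line" format Adamm describes, as an added shell example that is not part of Skynet: it reports every line of a local list that is not a bare IPv4 address or IPv4 CIDR range (the sample list in the test is constructed), so a list can be fixed before it is handed to the import command.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Plain POSIX sh plus awk, so it
# also runs on the router's busybox shell. Blank lines and '#' comments
# are ignored; everything else must be a.b.c.d or a.b.c.d/n.

# valid_ipv4 ADDR[/PREFIX]: exit 0 when every octet is 0-255 and any
# prefix length is 0-32, exit 1 otherwise (names, ranges, p2p syntax...).
valid_ipv4() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 4 && NF != 5 { exit 1 }
    {
      for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
      if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 + 0 > 32)) exit 1
      exit 0
    }'
}

# check_iplist FILE: print each non-conforming line as "N: text" and
# return 0 only when the whole file would import cleanly.
check_iplist() {
  bad=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac
    if ! valid_ipv4 "$line"; then
      printf '%s: %s\n' "$n" "$line"
      bad=$((bad + 1))
    fi
  done < "$1"
  [ "$bad" -eq 0 ]
}
```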





The functionality is implemented in another way, we don't store raw data locally. Skynet uses the IPSet comment extension to identify all its entries and you can view them using the respective commands. You can either import them as mentioned above in a one time hit, or you can implement your own "banmalware filter" so they are auto renewed using the default filter list as a reference to create your own.

I understand the documentation could be improved (it's a one man show), but all the things you listed are possible if you read through the possible commands and menu items listed here.


Thanks so much for the detailed help Adamm. All makes sense, let me read into all the functions.

Just one more quick question, if I want to import my own filter list and I save the file on the USB drive locally, how would I refer to the file (path) in a command?
 

You would need to upload it to a service such as pastebin, then specify the raw file link accordingly.

Code:
sh /jffs/scripts/firewall banmalware www.google.com/filter.list

Replacing the URL with your own.
 
So now I can specify a custom path to write the syslog directly to my mounted USB drive?

This feature doesn't modify where syslog is stored nor where logs are directed. It is for people who have a custom location already configured and to "inform" skynet of it.
 
Correct, syslog-1 is just the rotated log. If your setup doesn't require this, leaving it as default (or pointing it to a blank dummy file) should be fine.
 
Cool. Been running that way for a few hours now ... all seem to be working correctly, messages is getting correctly scraped. It seems to be fine pointing at a file that doesn't exist (syslog.log-1) as well, doesn't even need a blank dummy file.
 

Thanks for the feedback, I've updated the version number to 6.6.7 to reflect these changes.

Code:
Use multiple threads for BanAiProtect
Implement TravisCI for extra code validation
Add extra PrivateIP check to banmalware
Add "stats search connections" command based on upcoming WebUI implementation
POSIX improvements
Whitelist entware domains by default
Add configurable syslog path for syslog-ng
 
I tried the update (before you updated the version number), pointing to /opt/var/log/messages and doing nothing about syslog.log-1. Saw the change on the hour, scraping out the skynet messages. So I've deleted the syslog-ng filter and destination, and also my kludge of a cron job to restore the symlink, both not necessary. Nice!
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top