Skynet - Router Firewall & Security Enhancements

You would need to upload it to a service such as pastebin, then specify the raw file link accordingly.

Code:
sh /jffs/scripts/firewall banmalware www.google.com/filter.list

Replacing the URL with your own.



Thanks again Adamm.

Regarding storing blacklists as txt files locally on the USB drive, the reason why I asked was that in your documentary it says:

sh /jffs/scripts/firewall import blacklist file.txt "Apples" - This Bans All IPs From URL/Local File With The Comment Apples

Or did I get that wrong and it only works via an URL and no local files?

Also, when I use the command to use a filter list from a specified URL, does it replace the current filter list that is being used or does it add to the current list (which I would prefer):

sh /jffs/scripts/firewall banmalware google.com/filter.list This Uses The Filter List From The Specified URL
 
Regarding storing blacklists as txt files locally on the USB drive, the reason why I asked was that in your documentary it says:

sh /jffs/scripts/firewall import blacklist file.txt "Apples" - This Bans All IPs From URL/Local File With The Comment Apples

Or did I get that wrong and it only works via an URL and no local files?

It works for both, there's no required path, you specify it within the command;

Code:
sh /jffs/scripts/firewall import blacklist /path/to/file.txt "Apples"

Also, when I use the command to use a filter list from a specified URL, does it replace the current filter list that is being used or does it add to the current list (which I would prefer):

sh /jffs/scripts/firewall banmalware google.com/filter.list This Uses The Filter List From The Specified URL

It replaces it completely, so base your custom one off the default one if you wish to keep those entries.
 
hi adam, i'm happy to report your latest 01/23 fixed my problem with skynet+diversion raising my cpu utilization. i installed skynet, ran the "enable plus hosts now" routine pre-diversion, did a soft reboot of my router, and am seeing a more acceptable cpu utilization histogram. now begins the difficult period of hearing my family bitch about what skynet just blocked... LOL, but that's not your problem. keep up the good work :p

 
i'm sure this gets asked a lot, but this thread is 200 pages long, so here it goes again...

what is the origin of the 170K ip's that adam defaults to in his banmalware list.
if i use banmalware/change filter list - does it add to or replace adam's default list.
(if "change" is not additive, then how can you block two or more lists at a time?)
if i use i-blocklist for a list link to "change" to, what file format and archive format?
https://www.iblocklist.com/lists?fileformat=hosts&archiveformat=gz
based on i-blocklist descriptions, which would adam's default list be most similar to?
is there a public easy to decipher site like i-blocklist that adam prefers, what is it?

if there's a faq that addresses most of this, please post a link to save you on retyping :oops:

btw adam, minor thing but you omitted (e) to exit on the banmalware submenu.
 
what is the origin of the 170K ip's that adam defaults to in his banmalware list.

https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/filter.list

if i use banmalware/change filter list - does it add to or replace adam's default list.

It completely replaces it, so if you want the default stuff, base it off the default list above.

if i use i-blocklist for a list link to "change" to, what file format and archive format?
https://www.iblocklist.com/lists?fileformat=hosts&archiveformat=gz
based on i-blocklist descriptions, which would adam's default list be most similar to?
is there a public easy to decipher site like i-blocklist that adam prefers, what is it?

I highly suggest against using any list from iBlocklist, not only are they outdated, but they host stolen content from "premium" providers. They are essentially scamming users to sign up to their own premium services then offer zero support or upkeep.
 
thanks adam for the reassurance that your default is the best choice
to start with before we black/white listing to suit your own needs :cool:

just out of curiosity; diversion has its own file size of IP's
1. Small ~840 KB, ~28'100 blocked hosts.
2. Standard ~1.81 MB, ~62'600 blocked hosts.
3. Medium ~7.7 MB, ~270'000 blocked hosts.
4. Large ~24.5 MB, ~766'000 blocked hosts.

I'm using small because standard blocks too many retail referrals.
how much do your 170K hosts already correspond with these lists,
like your 170K+28K nets how many IP's once repeats are pruned.
is your 170K somehow optimized to work better with Standard 63K
which is diversions default file choice o_O
 
Diversion is a DNS based blocking solution, Skynet is an IP based blocking solution.

Both achieve similar goals but block different types of datasets. @thelonelycoder and myself both work closely together to complement each other's scripts and ensure the best possible user experience.

So it’s hard to give you a direct answer as we are essentially comparing apples to oranges. Rest assured both scripts were designed to support one another with minimal overlapping.
 
Hi all, I've been using Diversion Standard+ lately and today installed Skynet, do I need to change any settings in either install to make them work together and do I need to change any settings within my Asus Merlin Router?

By default I don't use AIProtection but see it is referenced on the Skynet front page? Cheers!
 
Read the post above yours. #3946
 
Hi all, I've been using Diversion Standard+ lately and today installed Skynet, do I need to change any settings in either install to make them work together and do I need to change any settings within my Asus Merlin Router?

Both should work fine straight out of the box with no additional configuration.

By default I don't use AIProtection but see it is referenced on the Skynet front page? Cheers!

One of the many features of Skynet is improving AiProtect functionality. You can read about other features in the readme
 
Have a read of Adamm’s post above yours; I think it answers many of your queries. No problem running AIProtection with Skynet and Diversion. And if you don’t wish to run AIProtection, that’s not a problem. The AIProtection reference you mention is probably the ability of Skynet to incorporate data from AIProtection, should you wish. No need to change any router settings.
 
I've pushed v6.7.0

This version focuses on IOT security. Recently I acquired an Annke DW81KE CCTV System (support SNBForums and use their Amazon link :p) which gave me a great opportunity to test and implement IOT rules to prevent devices from calling home and not having to rely on the built in remote access features. As it stands, the current implementation will prevent devices from accessing WAN with two exceptions;

1) Most IOT devices directly connect to NTP servers to set the clock, so NTP traffic is allowed.
2) Remote access via the router's OpenVPN server.

What this means is you can lock down any IOT device that you don't want accessing WAN, but still have the ability to access it via LAN devices or remotely via VPN. This should significantly enhance security of more... obscure devices such as DVR systems, cameras, printers and anything else IOT related without losing any functionality.

To configure your "IOT Blacklist" you can use the following commands (or the respective menu options);

Code:
( sh /jffs/scripts/firewall settings iot unban|ban 8.8.8.8 ) Unban|Ban Single IOT Device (or CIDR) From Accessing WAN
( sh /jffs/scripts/firewall settings iot unban|ban 8.8.8.8,9.9.9.9 ) Unban|Ban Multiple IOT Device(s) (or CIDR) (Use Comma As Separator)
( sh /jffs/scripts/firewall settings iot list ) List Currently Banned IOT Devices


Stats for blocked packets will also show up in the appropriate section.

I'd also like to give Annke a shout out as their support team was a pleasure to work with and I can happily report in the last week on monitoring my devices traffic, there was not a single rogue packet. If you are in the market for an affordable CCTV system they have some great hardware.


Note; While this feature has been extensively tested, I only had a limited number of devices to test with (thanks @ItsJarrett for being a beta tester). I am sure there will be devices with other requirements (SMTP etc) and I will look at adding more features down the road based on user feedback.

I would also like to add VLAN support in the future but as it currently stands this is completely undocumented and uncharted territory on HND devices due to the lack of the robocfg utility. So if anyone makes some headway there, feel free to reach out to me.
 
This will answer, in such a simple way, all those posts asking for help to prevent devices accessing the Internet.
 
I wonder if, under a separate, heading, it would take a simple additional step to have a feature that would allow administrators to lock down specified devices for a specified time period? I’m thinking of the fairly regular posts asking how they might turn off Internet access for their children’s devices during the night after finding that Parental Controls doesn’t let them do what they want.
 
You could use this feature indirectly for that, it actually implements its IPTables rules in a similar way except the ban is based on the local IP rather than MAC address. In its current form your best bet would be to just create a cronjob that runs the ban then unban command at your specified times.

With that being said I'll keep this in mind for future updates.
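
One way to set up the cron-based ban/unban suggested in the reply above, as an added example that is not part of the original post or of Skynet itself. It assumes the Asuswrt `cru` cron helper is available; the device address, the times and the job names are constructed. Because the ban is keyed on the local IP rather than the MAC address, the device should have a fixed DHCP reservation.

```shell
#!/bin/sh
# Added example: print the cron jobs that lock one LAN device out of the WAN
# overnight using the "settings iot ban|unban" commands quoted in the thread.
FIREWALL="sh /jffs/scripts/firewall"   # command path as quoted in the thread

# Accept only a single private (RFC 1918) IPv4 address, so a typo cannot
# put an arbitrary address or range on the IOT ban list.
is_lan_ip() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        $1 == 10 { exit 0 }
        $1 == 172 && $2 >= 16 && $2 <= 31 { exit 0 }
        $1 == 192 && $2 == 168 { exit 0 }
        { exit 1 }'
}

# Convert HH:MM (24-hour) into the first five cron fields.
cron_time() {
    case "$1" in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) ;;
        *) return 1 ;;
    esac
    h=${1%%:*}; m=${1##*:}
    echo "${m#0} ${h#0} * * *"
}

# iot_schedule <lan-ip> <ban HH:MM> <unban HH:MM>
# Prints the two cru commands instead of running them, so they can be
# reviewed and then placed in a startup script (cru jobs are assumed not
# to survive a reboot).
iot_schedule() {
    is_lan_ip "$1" || { echo "not a private LAN address: $1" >&2; return 1; }
    off=$(cron_time "$2") && on=$(cron_time "$3") ||
        { echo "times must be HH:MM" >&2; return 1; }
    id=$(echo "$1" | tr . _)
    echo "cru a iot_ban_$id \"$off $FIREWALL settings iot ban $1\""
    echo "cru a iot_unban_$id \"$on $FIREWALL settings iot unban $1\""
}

# Constructed sample: block 192.168.1.50 from 22:30 until 07:00.
iot_schedule 192.168.1.50 22:30 07:00
```

`sh /jffs/scripts/firewall settings iot list` shows whether the device is currently on the ban list.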
 
Thanks Adamm, I have a wireless Annke cam at home, that I've gone through great lengths to restrict, this will make my router maintenance much leaner!
 
just curious - why ip's halved?

Code:
Jan 28 02:00:09 Skynet: [#] 170975 IPs (+0) -- 1846 Ranges Banned (+0) || 1790 Inbound -- 147 Outbound Connections Blocked! [save] [9s]
Jan 28 02:01:10 Diversion: updated Small+ blocking list from 9 hosts files, 440288 domains are now blocked, from /opt/share/diversion/file/update-bf.div
Jan 28 02:01:16 dnsmasq[13352]: ignoring nameserver 192.168.1.1 - local interface
Jan 28 02:27:17 Skynet: [#] 96220 IPs (-74755) -- 1379 Ranges Banned (-467) || 1848 Inbound -- 147 Outbound Connections Blocked! [banmalware] [137s]
Jan 28 03:00:04 Skynet: [#] 96220 IPs (+0) -- 1379 Ranges Banned (+0) || 1941 Inbound -- 147 Outbound Connections Blocked! [save] [4s]
 
just curious - why ip's halved?

Code:
snip
Jan 28 02:27:17 Skynet: [#] 96220 IPs (-74755) -- 1379 Ranges Banned (-467) || 1848 Inbound -- 147 Outbound Connections Blocked! [banmalware] [137s]
snip

Looks like when the banmalware update happened for whatever reason the process was slowed down extensively (connectivity issues would be my first guess), this should take 20-40 seconds at most, so Skynet skipped the lists in question.

You can run banmalware manually or wait for the next cronjob to re-generate the list.
 
Code:
Jan 24 02:27:42 router Skynet: [#] 113716 IPs (+24254) -- 1567 Ranges Banned (+202) || 2199 Inbound -- 0 Outbound Connections Blocked! [banmalware] [162s]
Jan 25 02:28:56 router Skynet: [#] 160443 IPs (+46727) -- 1704 Ranges Banned (+137) || 4792 Inbound -- 0 Outbound Connections Blocked! [banmalware] [236s]
Jan 26 02:29:13 router Skynet: [#] 140613 IPs (-19830) -- 1420 Ranges Banned (-284) || 7260 Inbound -- 0 Outbound Connections Blocked! [banmalware] [253s]
Jan 27 02:26:43 router Skynet: [#] 150303 IPs (+9690) -- 1621 Ranges Banned (+201) || 572 Inbound -- 36 Outbound Connections Blocked! [banmalware] [103s]
Jan 28 02:27:51 router Skynet: [#] 151871 IPs (+1568) -- 1490 Ranges Banned (-131) || 94 Inbound -- 0 Outbound Connections Blocked! [banmalware] [171s]
And it looks like the total nightly maintenance can take up to four minutes and be OK.
 
Err, that's unusual. The process on newer devices should only take ~20s. Would you mind giving me the output from manually running banmalware?

Code:
skynet@RT-AX88U-DC28:/tmp/home/root# sh /jffs/scripts/firewall banmalware
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 27/01/2019 -           Asus Firewall Addition By Adamm v6.7.0                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | [4s]
[i] Consolidating Blacklist         | [9s]
[i] Filtering IPv4 Addresses        | [2s]
[i] Filtering IPv4 Ranges           | [0s]
[i] Applying New Blacklist          | [3s]
[i] Refreshing AiProtect Bans       | [1s]
[i] Saving Changes                  | [2s]

[i] For Whitelisting Assistance -
[i] https://www.snbforums.com/threads/skynet-asus-firewall-addition.16798/#post-115872


=============================================================================================================


[#] 154037 IPs (+1125) -- 1657 Ranges Banned (+21) || 645 Inbound -- 42 Outbound Connections Blocked! [banmalware] [23s]
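
A check for the symptom discussed in the posts above (a slow `banmalware` run that leaves the blacklist much smaller), written as an added example that is not part of the thread or of Skynet. The 40-second limit follows the "20-40 seconds at most" figure given above; the 25% shrink threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example: flag Skynet banmalware summary lines that suggest an
# incomplete update. Thresholds are illustrative, not Skynet settings.
MAX_SECS=40        # the thread gives 20-40 s as the normal upper bound
MAX_DROP_PCT=25    # assumed: flag when the banned-IP total falls by more

skynet_banmalware_check() {
    # Reads syslog lines on stdin, prints one line per suspicious run.
    awk -v max_secs="$MAX_SECS" -v max_drop="$MAX_DROP_PCT" '
    /\[#\]/ && /\[banmalware\]/ {
        # The hostname column is optional, so locate the "[#]" marker first.
        for (i = 1; i <= NF; i++) if ($i == "[#]") break
        if (i + 3 > NF) next
        ips = $(i + 1) + 0
        delta = $(i + 3); gsub(/[()+]/, "", delta); delta += 0
        secs = $NF; gsub(/[^0-9]/, "", secs); secs += 0
        prev = ips - delta                     # total before this run
        drop = (delta < 0 && prev > 0) ? (-delta * 100) / prev : 0
        flags = ""
        if (secs > max_secs) flags = "SLOW"
        if (drop > max_drop) flags = flags (flags == "" ? "" : ",") "SHRANK"
        if (flags != "")
            printf "%s %s %s ips=%d delta=%d secs=%d drop=%.1f%% flags=%s\n",
                   $1, $2, $3, ips, delta, secs, drop, flags
    }'
}

# Sample input: the first four lines are copied from the posts above; the
# last is constructed from the console output above with an invented
# timestamp and hostname, to represent a healthy run.
sample_log() {
    cat <<'EOF'
Jan 28 02:00:09 Skynet: [#] 170975 IPs (+0) -- 1846 Ranges Banned (+0) || 1790 Inbound -- 147 Outbound Connections Blocked! [save] [9s]
Jan 28 02:27:17 Skynet: [#] 96220 IPs (-74755) -- 1379 Ranges Banned (-467) || 1848 Inbound -- 147 Outbound Connections Blocked! [banmalware] [137s]
Jan 28 03:00:04 Skynet: [#] 96220 IPs (+0) -- 1379 Ranges Banned (+0) || 1941 Inbound -- 147 Outbound Connections Blocked! [save] [4s]
Jan 26 02:29:13 router Skynet: [#] 140613 IPs (-19830) -- 1420 Ranges Banned (-284) || 7260 Inbound -- 0 Outbound Connections Blocked! [banmalware] [253s]
Jan 29 02:27:30 router Skynet: [#] 154037 IPs (+1125) -- 1657 Ranges Banned (+21) || 645 Inbound -- 42 Outbound Connections Blocked! [banmalware] [23s]
EOF
}

sample_log | skynet_banmalware_check
```

On the router the same function can read the system log instead of the sample; a flagged run is a cue to re-run `banmalware` manually, as suggested above.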
 
