Skynet Skynet - Router Firewall & Security Enhancements

[Zonkd]

I've pushed v6.7.8

Improve 'stats search device' and 'stats search iot'
Aesthetics

I hope this doesn't make you a saaad panda (pun intended )

Hahaha! Thanks Randy. This makes me a happy Panda for sure.

 

[Adamm]

Hi all, got a question maybe someone could help me out with. Ever since v6.6.2 the output display for firewall stats changed to where I get weird characters when I send the output to a file. I have this set up to where it emails me this output file but it's starting to get harder to read. Although console displays correctly I'm thinking it could this "wait animation" that's causing it. What do you think and is there a way to fix this?

The command I use is: sh /jffs/scripts/firewall stats >>/tmp/mail.txt

Below underline in red is the weird characters that gets included in my output file that get's emailed.

Thanks,
sone

That's all ASCII, which is why if you cat that file everything looks normal.

You can filter out most of the garbage with;

sh /jffs/scripts/firewall stats | sed -r 's/'$(echo -e "\033")'\[[0-9]{1,2}(;([0-9]{1,2})?)?[mK]//g' | strings > /tmp/mail.txt

 

[sone]

Oh my gosh! Thank you so much Adamm that worked perfectly!

 

[visortgw]

Any good method of banning an entire country?

From the main menu, select option [2] --> Ban followed by option [4] --> Country.

 

[visortgw]

do i need to seperate them with a comma? I want to block israel and nigeria

No. Lower case two character country codes separated by a space -- il ng.

 

[visortgw]

"Banned Countries; isr nig"

Configured correctly then?

No. https://graham.main.nc.us/~bhammel/graham/cntrys.html:

il ng​

 

[TripleRipple]

@Adamm I have the AiProtection - Two-Way IPS enabled on my router and I have Ban AiProtect enabled in Skynet.

I went into stats in Skynet and did a search for entries "from specific IP" and of course verified all the entries in the web management for AiProtection - Two-Way IPS in the log of the router are indeed in Skynet and now blocked.

My question is if I delete the log in web management of the router for AiProtection - Two-Way IPS would it remove those entries in Skynet as well?

I would assume no but I thought I would check as the log is a few pages now in the web management so I would like to clean it up and delete it. Should the web management log be maintained/left alone or deleted?

Also, how often does Skynet check AiProtection - Two-Way IPS logs and add them to SkyNet?

@Adamm.....is this a poor question, been answered already, or am I confusing things that may have been explained in a previous post? I did a search in this thread and found no results pertaining to my question.

 

[skeal]

I just want to say @Adamm this Skynet gets better and better all the time. You and @thelonelycoder have given the community so much, it's hard to imagine what real life, (without a supported Asus router) would be like. Thank you, both of you. I love the new added features that both scripts contribute. I must say that without AMTM my setup this morning would have been a major PITA. After reset to factory defaults, a new spiffy USB stick, I have no issues with the pre-routing duplicating in the port forward log anymore, and my router shuts down with a clean dismount of the USB drive with no added script. It now works like you guys talk about. All my issues it would seem were operator caused. Thanks for staying with me, and not telling me I'm crazy. Anyway credit where credit is due, you all are awesome.

 

[Adamm]

@Adamm.....is this a poor question, been answered already, or am I confusing things that may have been explained in a previous post? I did a search in this thread and found no results pertaining to my question.

The list is refreshed at the same time banmalware is run.

I just want to say @Adamm this Skynet gets better and better all the time. You and @thelonelycoder have given the community so much, it's hard to imagine what real life, (without a supported Asus router) would be like. Thank you, both of you. I love the new added features that both scripts contribute. I must say that without AMTM my setup this morning would have been a major PITA. After reset to factory defaults, a new spiffy USB stick, I have no issues with the pre-routing duplicating in the port forward log anymore, and my router shuts down with a clean dismount of the USB drive with no added script. It now works like you guys talk about. All my issues it would seem were operator caused. Thanks for staying with me, and not telling me I'm crazy. Anyway credit where credit is due, you all are awesome.

Thanks for the support, always nice to get positive feedback.

 

[thelonelycoder]

(...) and my router shuts down with a clean dismount of the USB drive with no added script. It now works like you guys talk about. All my issues it would seem were operator caused. Thanks for staying with me, and not telling me I'm crazy. Anyway credit where credit is due, you all are awesome.

 

[skeal]

@Adamm I noticed that the IoT blocking is applied to the IP not the MAC. This is a bit problematic for the people that don't have reserved IP addresses for their IoT devices. Do I have this right? Have I missed something? The reason why I caught this was that I banned an IP and 2 days later I was blocking a different device with that same IP. Thanks again for your great script.

 

[Adamm]

@Adamm I noticed that the IoT blocking is applied to the IP not the MAC. This is a bit problematic for the people that don't have reserved IP addresses for their IoT devices. Do I have this right? Have I missed something? The reason why I caught this was that I banned an IP and 2 days later I was blocking a different device with that same IP. Thanks again for your great script.

I find dealing with IP's a lot more user-friendly then mac addresses. Generally speaking devices should keep local IP's almost indefinitely due to how they are assigned even if not specifically configured as static.

I think the better question here would be, is there any reason your device can't be assigned a static address either via the devices configuration or the router its-self? Takes about two clicks and is much easier imo then trying to find a mac address (or explain to less tech savvy users what a mac address even is!)

 

[skeal]

I find dealing with IP's a lot more user-friendly then mac addresses. Generally speaking devices should keep local IP's almost indefinitely due to how they are assigned even if not specifically configured as static.

I think the better question here would be, is there any reason your device can't be assigned a static address either via the devices configuration or the router its-self? Takes about two clicks and is much easier imo then trying to find a mac address (or explain to less tech savvy users what a mac address even is!)

Gotcha, that is what I did. I created reserve addresses for the IoT devices. Thanks @Adamm

 

[consorts]

is there any way to avoid seeing this system log dialog every hour?

Mar  1 18:00:07 Skynet: [#] 154700 IPs (+0) -- 1607 Ranges Banned (+0) || 5718 Inbound -- 259 Outbound Connections Blocked! [save] [7s]

 

[Adamm]

is there any way to avoid seeing this system log dialog every hour?

Mar  1 18:00:07 Skynet: [#] 154700 IPs (+0) -- 1607 Ranges Banned (+0) || 5718 Inbound -- 259 Outbound Connections Blocked! [save] [7s]

No, but Skynet will purge the entries daily. Do remember the syslog isn't intended for constant viewing, its meant for logs.

 

[gattaca]

I don't understand this unless the RT-86 is phoning home.

When I country-banned CN, I immediated started seeing a lot of these as OUTBOUND banned.
There's only 2 devices...my computer and the router AC86. Skynet says the top blocked device with 2545 hits is the RT-86U.

619x | 47.99.165.31 (CN) | https://otx.alienvault.com/indicator/ip/47.99.165.31 |
504x | 118.24.208.197 (CN) | https://otx.alienvault.com/indicator/ip/118.24.208.197 |
452x | 47.101.136.37 (CN) | https://otx.alienvault.com/indicator/ip/47.101.136.37 |
428x | 114.115.240.175 (CN) | https://otx.alienvault.com/indicator/ip/114.115.240.175 |
384x | 119.29.107.85 (CN) | https://otx.alienvault.com/indicator/ip/119.29.107.85 |
158x | 115.159.154.226 (CN) | https://otx.alienvault.com/indicator/ip/115.159.154.226 |
143x | 106.48.13.103 (CN) | https://otx.alienvault.com/indicator/ip/106.48.13.103 | may.day-p.nlb.e.chinacache.com.cn
126x | 106.48.15.24 (CN) | https://otx.alienvault.com/indicator/ip/106.48.15.24 | may.day-p.nlb.e.chinacache.com.cn
122x | 203.205.191.21 (CN) | https://otx.alienvault.com/indicator/ip/203.205.191.21 | tencentintlcdn.cedexis-test.com.jstoversea.sched.apcdns
119x | 106.48.13.102 (CN) | https://otx.alienvault.com/indicator/ip/106.48.13.102 | may.day-p.nlb.e.chinacache.com.cn

Comments? Thanks!

 

[dave14305]

@Adamm, would you care to elaborate on your avatar? Those eyes creep me out, not to mention that whole mustache thing.

 

[skeal]

@Adamm, would you care to elaborate on your avatar? Those eyes creep me out, not to mention that whole mustache thing.

+1 .....kind of South Parkish!!

 

[QuikSilver]

@Adamm, would you care to elaborate on your avatar? Those eyes creep me out, not to mention that whole mustache thing.

Believe its a Southpark character
Edit: I was right....haven't watched it in years!

 

[Xentrk]

Randy Marsh is the name of the character.