Skynet - Router Firewall & Security Enhancements

Unfortunately (or fortunately) Skynet does not leave its downloads for us to grep. So you would either download in your browser and search each one or write a wget loop script through the list and grep from there.

In the case of squarespace, I found it easier to give Skynet the DNS name ext-cust.squarespace.com and it would whitelist all four of the IP addresses.

From what I could gather from pi-hole tickets, Squarespace hosts dozens or perhaps hundreds of customers on these IP addresses. One bad actor caused the lot to be banned. At least two local businesses which are not hacked or hosting malware use ext-cust.squarespace.com.
Have you tried this command to find what list is blocking the IP?
Code:
( sh /jffs/scripts/firewall stats search malware 8.8.8.8 ) Search Malwarelists For Specified IP
 
Apparently the bambenek list (C2 IP Feed) is rated by bambenek themselves as:

Code:
FALSE POSITIVE RISK: High

See https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt

I think that's a poor idea for something like Skynet to be using. Bambenek has a better list called "High-Confidence C2 IP Feed" which, coincidentally, doesn't list the IPs I'm having trouble with.
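The download-and-grep idea raised earlier in the thread, and the feed rating quoted just above, as an added worked example that is not part of this thread or of Skynet's own code: a stand-alone Python script that takes the raw text of ipset-style lists and reports, for a given IP, exact entries and enclosing CIDR ranges (the same two sections Skynet's `firewall stats search malware` prints), and reads the `FALSE POSITIVE RISK:` line that Bambenek's feed header carries. The list contents, and the names `SAMPLE_LISTS`, `parse_entries`, `false_positive_risk` and `search_lists`, are constructed for this example; for real use you would fetch each list with wget and pass its text in.

```python
"""Added example for this thread, not Skynet's own code.

Given the raw text of ipset-style blocklists, report which list contains an
IP, as an exact entry or inside a CIDR range (the two sections Skynet's
`firewall stats search malware <ip>` prints), and read the
`FALSE POSITIVE RISK:` rating that Bambenek's feed header carries.
The list contents below are constructed for the example; for real use,
fetch each list with wget and pass its text in.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample feeds (not the real feeds' contents). Keys are list
# names as Skynet reports them; values are the raw file text.
SAMPLE_LISTS: Dict[str, str] = {
    "bambenek_c2.ipset": (
        "# bambenek_c2 (constructed sample)\n"
        "# FALSE POSITIVE RISK: High\n"
        "198.185.159.144\n"
        "198.185.159.145\n"
    ),
    "taichung.ipset": (
        "# taichung (constructed sample)\n"
        "192.0.66.2\n"
        "203.0.113.0/24\n"
    ),
    "c2-ipmasterlist.txt": (
        "## constructed sample in the bambenek CSV layout\n"
        "## FALSE POSITIVE RISK: High\n"
        "198.51.100.7,C&C for example,2019-03-13,http://example.invalid\n"
    ),
}


def parse_entries(text: str) -> list:
    """Return the networks listed in a feed.

    Accepts both layouts seen in the thread: one IP or CIDR per line
    (firehol .ipset files) and CSV with the IP in the first column
    (the bambenek master list). Lines starting with '#' are comments;
    malformed lines are skipped rather than aborting the scan.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        token = line.split(",", 1)[0].strip()
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue
    return nets


def false_positive_risk(text: str) -> str:
    """Return the 'FALSE POSITIVE RISK:' rating from a feed header, or 'unknown'."""
    for raw in text.splitlines():
        line = raw.lstrip("# ").strip()
        if line.upper().startswith("FALSE POSITIVE RISK:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def search_lists(ip: str, lists: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Report which lists block `ip`: {'exact': [(list, entry)], 'cidr': [(list, range)]}."""
    target = ipaddress.ip_address(ip)
    hits: Dict[str, List[Tuple[str, str]]] = {"exact": [], "cidr": []}
    for name, text in lists.items():
        for net in parse_entries(text):
            if net.version != target.version:
                continue
            if net.num_addresses == 1 and target == net.network_address:
                hits["exact"].append((name, str(net.network_address)))
            elif target in net:
                hits["cidr"].append((name, str(net)))
    return hits


if __name__ == "__main__":
    for ip in ("198.185.159.144", "203.0.113.9", "8.8.8.8"):
        print(ip, search_lists(ip, SAMPLE_LISTS))
    for name, text in SAMPLE_LISTS.items():
        print(name, "false positive risk:", false_positive_risk(text))
```

To audit the real lists, replace `SAMPLE_LISTS` with the text of each file fetched from the URLs Skynet uses; the real firehol headers and the bambenek CSV columns may differ from the constructed samples, so the parsing rules here are an assumption to check against the live files. A CIDR hit is the case a plain `grep` for the IP misses, which is why the script checks range containment separately.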
 
Thank you, but I've already been whitelisting and getting tired of doing it several times a day. That's why I was looking to find the source of the ban to see if it's one list in particular. It looks like https://iplists.firehol.org/files/bambenek_c2.ipset is the one giving me trouble, so I can just eliminate that list from my Skynet.
Those blocking lists are there for a reason, to stop bad actors from getting to your router / network. Problems arise with so much site co-hosting, which puts many URLs on the same IP. I recommend whitelisting the entire squarespace block that you know, or the URL that EmeraldDeer posted. Removing the complete list defeats too much safety from malicious blocking.
 
I wrote a wget script but it seems to hang randomly on the wget command. Anyways, I found the list with squarespace:
Code:
bambenek_c2.ipset:198.49.23.144
bambenek_c2.ipset:198.49.23.145
bambenek_c2.ipset:198.185.159.144
bambenek_c2.ipset:198.185.159.145
 
That list is known to have a high risk of false positives, and it's giving me problems in real life. Its utility is limited at best.
 
I'm using whatever is default. I have never changed anything. How do I determine which list is the source of the IP I'm currently having trouble with? Today's irritation is hosted on Squarespace's 198.185.159.0/24 block.

Code:
skynet@RT-AX88U-DC28:/tmp/home/root# firewall stats search malware 198.185.159.144
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 25/02/2019 -           Asus Firewall Addition By Adamm v6.7.8                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


[i] Debug Data Detected in /tmp/mnt/USB/skynet/skynet.log - 2.0M
[i] Monitoring From Mar 11 20:31:59 To Mar 13 16:44:18
[i] 8776 Block Events Detected
[i] 1343 Unique IPs
[i] 0 Manual Bans Issued


=============================================================================================================


Exact Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------

198.185.159.144      | https://iplists.firehol.org/files/bambenek_c2.ipset


Possible CIDR Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------



=============================================================================================================


[#] 159331 IPs (+0) -- 1719 Ranges Banned (+0) || 3204 Inbound -- 32 Outbound Connections Blocked! [stats] [11s]

https://github.com/Adamm00/IPSet_ASUS#help

Unfortunately (or fortunately) Skynet does not leave its downloads for us to grep. So you would either download in your browser and search each one or write a wget loop script through the list and grep from there.

You sure about that :cool:

Apparently the bambenek list (C2 IP Feed) is rated by bambenek themselves as:

Code:
FALSE POSITIVE RISK: High

See https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt

I think that's a poor idea for something like Skynet to be using. Bambenek has a better list called "High-Confidence C2 IP Feed" which, coincidentally, doesn't list the IPs I'm having trouble with.

I guess the quality of that list has dropped, I noticed a few false positives myself this week. I'll go ahead and remove it from the default list for now and reevaluate at a later date.
 
It's not just that list. Two different local newspapers are also blocked because of https://iplists.firehol.org/files/taichung.ipset. I just can't figure out why months and months of no issues and then suddenly all of these sites I visit on a regular basis are appearing on multiple blocklists used by Skynet? Makes me think of an interesting DoS attack by injecting IPs into blocklists.
 
I noticed beginning yesterday as well but for 9to5google.com. The reason listed is telnet scans from the IP.
Code:
Associated Domain(s);

9to5google.com
venturebeat.com

============================================================================

Exact Matches;

--------------       | ---------
| IP Address |       | | List |
--------------       | ---------

192.0.66.2           | https://iplists.firehol.org/files/taichung.ipset
 
Interesting. That's the very same IP that hosts my two local newspapers.
 
That is the issue with hosts for many sites, co-hosting on the same IP. One great resource that @Adamm uses in his reports can be used to further analyze who hosts the site and if it is safe to whitelist: AlienVault Online Threat Exchange (OTX). Here is the OTX URL for that site:
https://otx.alienvault.com/indicator/ip/192.0.66.2
I can quickly see that they host at least 5000 sites on that same IP. You can see if it is considered malicious or not, and any vulnerabilities reported. Great tool to supplement Skynet! :thumbsup:
 
Any lists that are going to ban sites should probably make sure they're not hosting major sites like the Denver Post, 9to5google.com, the Orange County Register, the Daily News, Venture Beat, Boston Herald, Tech Crunch, San Jose Mercury News, and fivethirtyeight.com, which are all hosted on that single IP.
 
I am trying to open up the SSH port on my device; I turned off secure mode in Skynet

[8] --> Secure Mode | [Disabled]
And I am trying to configure SSH, but I can never get to the machine.

I am sure I am doing something wrong, but I don't know what.
 

It's much safer and recommended to keep SSH access as LAN only and use OpenVPN to access your home network remotely.
 
I want SSH access to a machine on my network, not the router. I understand it's not safe. I'll set it up with no password etc.
 
Depends on the machine. What are you trying to connect to if not the router?
 
I am trying to port forward the sshd on my mac mini to the outside world. I really don't need access to everything, just that one machine. I used to have the machine accessible but now I can't. I can turn off Skynet, but I really would like to keep it on.

If the answer is to turn off Skynet then I'll have to think about what I should do.
 
My point still stands, set up the OpenVPN server, connect via that, then ssh to your mac mini's local IP.
 