Skynet - Router Firewall & Security Enhancements

Hi Adamm,
I installed Skynet using amtm, but I can't seem to get it running. I'm running Merlin V384.10_2. Here's what I see for diagnostics:

Router Model; RT-AC68U

Skynet Version; (27/03/2019) (d44e095d7dbcf1946be09ced53b4367f)

iptables v1.4.15 - (eth0 @ 192.168.0.7)

ipset v6.32, protocol version: 6

IP Address; (192.168.0.28)

FW Version; 384.10_2 (Apr 3 2019) (2.6.36.4brcmarm)

Install Dir; /tmp/mnt/swap/skynet (1.4G / 3.7G Space Available)

SWAP File; /tmp/mnt/swap/myswap.swp (2.0G)

Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/swap/skynet


Internet-Connectivity | [Failed]

Cron Jobs | [Failed]

IPSets | [Failed]

IPTables Rules | [Failed]

Any guidance you can give would be appreciated.
 
Check the syslog for errors during startup, it should give you the exact reason it’s failing to start (which seems to be an internet connectivity issue judging by the output you posted).
 
i can't login to chase dot com, when i "temp disable skynet", i'm then able to login without issues.

skynet is updated and everything so what do i do now to fix this short of leaving skynet disabled?
 
Use the following Code:
firewall whitelist range 159.53.232.0/24 "Chase"
 
thanks, that didn't work at the command line, but i did use
4> whitelist and did both the 1> ip/range and 2> domain
and that seemed to fix it, so thanks again for posting :oops:

 
If you are interested in learning more about this for future use if you don't have quick access to this forum for immediate help, there is a long discussion in the last two pages of why this occurred and solutions. This problem was posted by someone else yesterday, and a few of us jumped in to help and educate. :)
 
Since I'm back from vacation, your best bet is to wait a week or so until I get over this cold and finish my installer for syslog-ng, which will include scripts to automatically move this stuff to its own file. I'm thinking about releasing a version that's feature-incomplete (no uninstaller for instance) rather than waiting for it to be 100% since this keeps coming up. :)

I thought I could wrap it up while on vacation, but alas, that didn't materialize, and the wife and I caught bad colds last Saturday, which has kept my brain too fuzzy to have a decent go at finishing it.

Hi cmkelley,

Just wanna ask, how far along is your installer for the syslog-ng project?
May I have a try?

Greetings, ivi
 
I think I figured it out, and I feel like a dope. I'm running the router in AP mode at the moment, so no firewall code is launching. I am thinking about subnetting my wifi traffic, which would allow me to run the router with firewall operational. I'm also considering changing my topology to run the ISP box in bridge mode with the RT-AC68U acting as my primary router/firewall. To do that I would have to figure out some wiring issues, as the ISP box is in the basement and the RT-AC68U is on the second floor... Anyway, thanks for your time, Adamm!
 
@Adamm,

Is Fast Switch setting in Skynet related to the fs setting of Diversion? What URL do I enter here? That of a host list from Diversion or something else from Skynet? Thank you!

Code:
Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Banmalware
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]: 11

Select Setting To Toggle:
[1]  --> Autoupdate            | [Enabled]                   
[2]  --> Banmalware            | [daily]                     
[3]  --> Debug Mode            | [Enabled]                   
[4]  --> Filter Traffic        | [all]                       
[5]  --> Unban PrivateIP       | [Enabled]                   
[6]  --> Log Invalid Packets   | [Enabled]                   
[7]  --> Ban AiProtect         | [Enabled]                   
[8]  --> Secure Mode           | [Enabled]                   
[9]  --> Fast Switch           | [Disabled]                   
[10] --> Syslog Location       | [Default]                   
[11] --> IOT Blocking          | [Enabled]                   
[12] --> Stats Country Lookup  | [Enabled]                   

[1-12]: 9

Select Fast Switch Option:
[1]  --> Enable
[2]  --> Disable

[1-2]: 1

Input Custom Filter List URL:
[URL]:
 
( sh /jffs/scripts/firewall settings fs google.com/filter.list|disable ) Configure/Disable Fast Banmalware List Switching
 
Hi,
for a few days now Skynet has been blocking some German radio stations (like Bayern 2 and Bayern 3, the public ones). The private radio stations are working well. Does anybody have ideas how to get the IPs of the radio stations for putting them in the whitelist of Skynet?
 
Ok, this seems to be hard work, because there are a lot of public radio stations in Germany. Why now? A few days ago all was working fine.
 
Code:
# firewall stats search ip 62.27.60.49
#############################################################################################################
#                                _____ _                     _             __                               #
#                               / ____| |                   | |           / /                               #
#                              | (___ | | ___   _ _ __   ___| |_  __   __/ /_                               #
#                               \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                              #
#                               ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                             #
#                              |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                              #
#                                            __/ |                                                          #
#                                           |___/                                                           #
#                                                                                                           #
## - 27/03/2019 -                  Asus Firewall Addition By Adamm v6.8.4                                   #
##                                 https://github.com/Adamm00/IPSet_ASUS                                    #
#############################################################################################################


=============================================================================================================


[i] Debug Data Detected in /tmp/mnt/ent/skynet/skynet.log - 1.2M
[i] Monitoring From Apr 25 09:00:03 To Apr 26 14:12:29
[i] 4462 Block Events Detected
[i] 1075 Unique IPs
[i] 0 Manual Bans Issued

62.27.60.49 is NOT in set Skynet-Whitelist.
62.27.60.49 is in set Skynet-Blacklist.
62.27.60.49 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: taichung.ipset"


Associated Domain(s);
2601:18f:800:b426:e4f7:f3f1:d709:7abf


[i] IP Location - Germany (ecotel communication ag / AS12312)
 
At some point a replacement for Taichung should be considered
Code:
# firewall whitelist ip 62.27.60.49 "Bayern"
 
Can anyone please help me? I installed the latest firmware on my AC3200 with Diversion, Skynet and Stubby and keep getting:
[BLOCKED - OUTBOUND] IN=br0 OUT and [BLOCKED - INBOUND] IN=eth0 OUT
Is my router hacked? But how, as I did not connect any device yet and did not visit any websites other than my router and speedtest? It's like Skynet is trying to connect to SSH and is blocking by itself, as I have no other explanation why I get these.
I reformatted the USB again, flashed the firmware and reinstalled Skynet, but as soon as it starts these messages pop up every few seconds in my router's General Log:
Code:
Apr 26 20:44:09 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=45.227.254.18 DST=80.193.42.71 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=13248 PROTO=TCP SPT=47569 DPT=10940 SEQ=1315582516 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:44:43 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=107.170.201.70 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=45984 DPT=27019 SEQ=266757155 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 26 20:45:41 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=45.227.254.18 DST=80.193.42.71 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=36968 PROTO=TCP SPT=47569 DPT=11324 SEQ=1608881948 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:46:29 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=45.227.254.18 DST=80.193.42.71 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=52608 PROTO=TCP SPT=47569 DPT=6415 SEQ=2185166791 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:46:52 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=198.108.67.59 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=38 ID=2141 PROTO=TCP SPT=34593 DPT=2382 SEQ=1309689697 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:49:38 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=f7:32:e2:a4:cb:20:68:db:ca:03:34:6e:08:00 SRC=192.168.11.181 DST=216.58.204.65 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54565 DPT=443 SEQ=3218075528 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303070101080A13B728720000000004020000)
Apr 26 20:50:04 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=f7:32:e2:a4:cb:20:68:db:ca:03:34:6e:08:00 SRC=192.168.11.181 DST=216.58.204.65 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54625 DPT=443 SEQ=65539496 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303070101080A13B78E170000000004020000)
Apr 26 20:50:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=f7:32:e2:a4:cb:20:68:db:ca:03:34:6e:08:00 SRC=192.168.11.181 DST=216.58.204.65 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54625 DPT=443 SEQ=65539496 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303070101080A13B791FF0000000004020000)
Apr 26 20:50:06 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=f7:32:e2:a4:cb:20:68:db:ca:03:34:6e:08:00 SRC=192.168.11.181 DST=216.58.204.65 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54625 DPT=443 SEQ=65539496 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303070101080A13B795EA0000000004020000)
Apr 26 20:50:08 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=f7:32:e2:a4:cb:20:68:db:ca:03:34:6e:08:00 SRC=192.168.11.181 DST=216.58.204.65 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54625 DPT=443 SEQ=65539496 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303070101080A13B79DBD0000000004020000)
Apr 26 20:52:36 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=46.232.112.20 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=61559 PROTO=TCP SPT=48083 DPT=13944 SEQ=1382935879 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:52:40 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=92.118.37.86 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=19484 PROTO=TCP SPT=41116 DPT=36981 SEQ=3391878945 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:52:43 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=81.22.45.185 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=21379 PROTO=TCP SPT=40466 DPT=2350 SEQ=3612504549 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:53:03 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=139.162.126.103 DST=80.193.42.71 LEN=57 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=UDP SPT=53538 DPT=53 LEN=37
Apr 26 20:53:36 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=45.227.254.18 DST=80.193.42.71 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=24649 PROTO=TCP SPT=47569 DPT=8401 SEQ=671574992 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 20:53:39 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=139.59.154.219 DST=80.193.42.71 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=49223 PROTO=TCP SPT=34153 DPT=22 SEQ=1739069709 ACK=1615319642 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Apr 26 20:54:15 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=f7:32:e2:a4:cb:20:cc:46:d6:a7:54:1a:08:00 SRC=185.176.27.6 DST=80.193.42.71 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=18739 PROTO=TCP SPT=50797 DPT=1026 SEQ=27223673 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 26 21:00:08 Skynet: [#] 137219 IPs (+0) -- 1581 Ranges Banned (+0) || 392 Inbound -- 313 Outbound Connections Blocked! [save] [8s]
 
Sorry, but I can't figure out what is common between Taichung and Bayern. Why is Skynet blocking German radio stations?
 
No need to worry about the INBOUND blocks. That's SkyNet protecting you from the bad people on the internet. I would be more concerned with the OUTBOUND blocks, which would indicate a machine on your LAN at IP 192.168.11.181 (check your DHCP Lease log) is being blocked when it's trying to access 216.58.204.65. If someone was browsing to this at the time, it's probably OK. If not, then maybe you have some Malware. Seems like it's likely to be a blogspot.com site based on the details you can find online:

https://otx.alienvault.com/indicator/ip/216.58.204.65
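
The distinction drawn in the reply above (inbound blocks are internet scan noise, outbound blocks point at a LAN host worth checking) can be pulled out of the log mechanically. The script below is an added example, not part of the thread or of Skynet; the sample lines are constructed in the log format quoted above with placeholder addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): triage Skynet "[BLOCKED - ...]" syslog lines.

# Constructed sample in the format quoted above; all addresses are placeholders.
sample_log() {
cat <<'EOF'
Apr 26 20:44:09 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.18 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=47569 DPT=10940 SYN URGP=0
Apr 26 20:44:43 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.70 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=45984 DPT=27019 SYN URGP=0
Apr 26 20:45:41 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.18 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=47569 DPT=11324 SYN URGP=0
Apr 26 20:49:38 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.50 DST=192.0.2.80 LEN=64 PROTO=TCP SPT=54565 DPT=443 SYN URGP=0
Apr 26 20:50:04 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.50 DST=192.0.2.80 LEN=64 PROTO=TCP SPT=54625 DPT=443 SYN URGP=0
Apr 26 20:50:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.50 DST=192.0.2.80 LEN=64 PROTO=TCP SPT=54625 DPT=443 SYN URGP=0
Apr 26 20:53:03 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.103 DST=198.51.100.7 LEN=57 PROTO=UDP SPT=53538 DPT=53 LEN=37
Apr 26 21:00:08 Skynet: [#] 137219 IPs (+0) -- 1581 Ranges Banned (+0)
EOF
}

# Print "lan_host dst dport packets attempts" per blocked OUTBOUND flow.
# Retransmitted SYNs reuse the source port, so attempts counts distinct SPT values.
outbound_flows() {
  awk '
    /\[BLOCKED - OUTBOUND\]/ {
      src = dst = dpt = spt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DST=/) dst = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        else if ($i ~ /^SPT=/) spt = substr($i, 5)
      }
      flow = src " " dst " " dpt
      packets[flow]++
      if (!((flow, spt) in seen)) { seen[flow, spt] = 1; attempts[flow]++ }
    }
    END { for (f in packets) print f, packets[f], attempts[f] }
  ' | sort
}

# Print "packets unique_sources" for blocked INBOUND traffic (internet scan noise).
inbound_summary() {
  awk '
    /\[BLOCKED - INBOUND\]/ {
      total++
      for (i = 1; i <= NF; i++)
        if ($i ~ /^SRC=/ && !($i in srcs)) { srcs[$i] = 1; uniq++ }
    }
    END { print total + 0, uniq + 0 }
  '
}

echo "Outbound flows (LAN host, destination, port, packets, attempts):"
sample_log | outbound_flows
echo "Inbound blocked packets / unique sources:"
sample_log | inbound_summary
```

On a router, pipe the real syslog into the two functions instead of `sample_log`; each outbound row names a LAN address to match against the DHCP lease list, as the reply suggests.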
 
