Skynet Skynet - Router Firewall & Security Enhancements

[Cubyc]

No need to worry about the INBOUND blocks. That's SkyNet protecting you from the bad people on the internet. I would be more concerned with the OUTBOUND blocks, which would indicate a machine on your LAN at IP 192.168.11.181 (check your DHCP Lease log) is being blocked when it's trying to access 216.58.204.65. If someone was browsing to this at the time, it's probably OK. If not, then maybe you have some Malware. Seems like it's likely to be a blogspot.com site based on the details you can find online:

https://otx.alienvault.com/indicator/ip/216.58.204.65

I will reset it, is my iPhone and will watch logs again, maybe some app is causing this. Thank you for answering!

 

[Mutzli]

Sorry, but i can't figure out what is common between Taichung an Bayern. Why is skynet blocking german radio stations?

Skynet blocks whatever is in this blocking file. You might want to read up on what skynet is and how skynet works.

 

[EmeraldDeer]

I will reset it, is my iPhone and will watch logs again, maybe some app is causing this. Thank you for answering!

That IP is on a blacklist
BanMalware: coinbl_hosts_browser.ipset

# firewall stats search ip 216.58.204.65
#############################################################################################################
#                                _____ _                     _             __                               #
#                               / ____| |                   | |           / /                               #
#                              | (___ | | ___   _ _ __   ___| |_  __   __/ /_                               #
#                               \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                              #
#                               ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                             #
#                              |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                              #
#                                            __/ |                                                          #
#                                           |___/                                                           #
#                                                                                                           #
## - 27/03/2019 -                  Asus Firewall Addition By Adamm v6.8.4                                   #
##                                 https://github.com/Adamm00/IPSet_ASUS                                    #
#############################################################################################################


=============================================================================================================


[i] Debug Data Detected in /tmp/mnt/ent/skynet/skynet.log - 1.3M
[i] Monitoring From Apr 25 09:00:03 To Apr 26 16:46:35
[i] 4793 Block Events Detected
[i] 1154 Unique IPs
[i] 0 Manual Bans Issued

216.58.204.65 is NOT in set Skynet-Whitelist.
216.58.204.65 is in set Skynet-Blacklist.
216.58.204.65 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: coinbl_hosts_browser.ipset"


[i] IP Location - United States (Google LLC / AS15169)

 

[EmeraldDeer]

That IP is on a blacklist
BanMalware: coinbl_hosts_browser.ipset

But if you go to https://gitlab.com/ZeroDot1/CoinBlockerLists
to research, the lists are hostname not IP

# [CoinBlockerLists]
# (https://gitlab.com/ZeroDot1/CoinBlockerLists) Simple lists
# that can help prevent cryptomining in the browser or other
# applications. A hosts list to prevent browser mining only.
# The maintainer's file contains hostnames, which have been
# DNS resolved to IP addresses.

If it is a list of lookups which have been sorted, then good luck figuring this out

 

[Cubyc]

That IP is on a blacklist

Yes I bet it is since keeps getting blocked but wonder how got on my iphone, must be running in background on an application as I did not browse any website after I installed firmware and skynet , got OUTBOUND and INBOUND logs as soon as Skynet was installed

 

[visortgw]

But if you go to https://gitlab.com/ZeroDot1/CoinBlockerLists
to research, the lists are hostname not IP

Multiple hosts -- a mixture of legitimate and malicious -- unfortunately can be hosted on a single server/IP.

 

[elgreco29]

Skynet blocks whatever is in this blocking file. You might want to read up on what skynet is and how skynet works.

I think i really kniw how skynet works, but after more than two years in use with no issues, my familiy an i are confused why skynet blocks german radio stations.

 

[Butterfly Bones]

I think i really kniw how skynet works, but after more than two years in use with no issues, my familiy an i are confused why skynet blocks german radio stations.

The blocking lists are updated dynamically, some every hour. Skynet updates the blocking lists used every night with the "banmalware" cron job. Those radio stations were added in the last few hours or days, but obviously recent additions.

 

[elgreco29]

View attachment 17225
View attachment 17226

Thanks a lot, whitelistning this ip solved my problem.

 

[EeK]

Does anyone know why strictlylimitedgames.com and limitedrungames.com are blocked by Skynet?

 

[cmkelley]

Does anyone know why strictlylimitedgames.com and limitedrungames.com are blocked by Skynet?

See "Halp - BestApp.exe or BestWebsite.com Is Being Blocked;" in https://www.snbforums.com/threads/r...wall-security-enhancements.16798/#post-115872

As to the why: hosting providers don't give each host its own IP. So when a hosting provider is hosting bad actors, the people who create the block lists add the IP, and every host on the IP is blocked. Using the link above you can unlock the host(s) you want to get to.

N.B. the block lists are not created by, nor supplied with Skynet, it gets them from third parties.

 

[Adamm]

I've gone ahead and removed Taichung.ipset from the default filter list for now, there seems to be an increasing amount of false positives. We can reevaluate at later date.

 

[cmkelley]

I've gone ahead and removed Taichung.ipset from the default filter list for now, there seems to be an increasing amount of false positives. We can reevaluate at later date.

Somewhat OT rambling here ...

I wonder if we've hit the law of unintended consequences here ... with the rise of IP-based blocking, the spammers move to legit hosting providers to avoid the blockers, which is then countered by automatic blocking of IPs, leading to blocking of legit providers. In the short term, some number of people give up on IP-based blocking due to the false positives on other sites they visit hosted at the same IP. In the long term of course, legit hosting providers are going to have to do a faster job of detecting and shutting down spammers. It'll be a continuous cat-and-mouse (it already is).

But even then, poor non-profits don't always have the technical know-how available to figure out how legit a hosting provider is ... they're concerned about spending the least amount of money. For instance, the church down the street from me happens to be co-hosted on a site that got blocked, which annoyed my wife ("Why can't I get to the church website anymore?") - I can't blame the church, they're small, someone has probably volunteered to keep the website up to date, but they can't be expected to research hosting providers.

None of this places any blame on Skynet or other blockers. It's just going to be a part of blocking the bad guys unless and until the next better idea comes along and we start playing whack-a-mole with that.

 

[thelonelycoder]

None of this places any blame on Skynet or other blockers. It's just going to be a part of blocking the bad guys unless and until the next better idea comes along and we start playing whack-a-mole with that.

Take note of that dear users of blockers!

 

[EeK]

See "Halp - BestApp.exe or BestWebsite.com Is Being Blocked;" in https://www.snbforums.com/threads/r...wall-security-enhancements.16798/#post-115872

As to the why: hosting providers don't give each host its own IP. So when a hosting provider is hosting bad actors, the people who create the block lists add the IP, and every host on the IP is blocked. Using the link above you can unlock the host(s) you want to get to.

N.B. the block lists are not created by, nor supplied with Skynet, it gets them from third parties.

Thanks for the response, @cmkelley.

I'd read that post you linked before asking the question, and had tried following the "tutorial" through amtm's menu, instead of commands. However, the debug didn't provide me with "DST=" or anything like it when testing the blocked connection.

Because I didn't have an IP to test, I couldn't use AlienVault's search tool. Since the two websites I mentioned were listed under "associated domains" (and I regularly browse them), I ended up whitelisting the domains themselves.

I didn't know about the hosting provider issue that you mentioned, and was afraid those domains had been compromised, somehow. I assume other bad actors are hosted under the same blocked IP, so what I did - whitelisting the specific domains, rather than the IP - would be the best option in cases like this?

 

[cmkelley]

Thanks for the response, @cmkelley.

I'd read that post you linked before asking the question, and had tried following the "tutorial" through amtm's menu, instead of commands. However, the debug didn't provide me with "DST=" or anything like it when testing the blocked connection.

Because I didn't have an IP to test, I couldn't use AlienVault's search tool. Since the two websites I mentioned were listed under "associated domains" (and I regularly browse them), I ended up whitelisting the domains themselves.

I didn't know about the hosting provider issue that you mentioned, and was afraid those domains had been compromised, somehow. I assume other bad actors are hosted under the same blocked IP, so what I did - whitelisting the specific domains, rather than the IP - would be the best option in cases like this?

Not only is it your best option, it's pretty much your only option other than giving up on Skynet.

 

[Treadler]

I recommend against disabling AiProtect. Skynets goal is to enhance built in functionality, not replace it. There is no good reason to keep it disabled.






Skynet works fine with other user scripts such as diversion and stubby, no additional steps required.

More newbie questions: why then does Skynet default to ‘Ban AiProtect’ = ‘enabled’?
(#7 in ‘settings’)
Should it be set to ‘disabled’ to enable AiProtect?

 

[Adamm]

Another newbie question: why then does Skynet default to ‘Ban AiProtect’ = ‘enabled’?
(#7 in ‘settings’)
Should it be set to ‘disabled’ to enable AiProtect?

You are misunderstanding the feature, it adds all IP's flagged by AiProtect to Skynets blacklist

( sh /jffs/scripts/firewall settings banaiprotect enable|disable ) Enable/Disable Banning IPs Flagged By AiProtect

 

[Treadler]

You are misunderstanding the feature, it adds all IP's flagged by AiProtect to Skynets blacklist

( sh /jffs/scripts/firewall settings banaiprotect enable|disable ) Enable/Disable Banning IPs Flagged By AiProtect

Very cool!
Thank you for your patience.

 

[martinr]

You are misunderstanding the feature, it adds all IP's flagged by AiProtect to Skynets blacklist

( sh /jffs/scripts/firewall settings banaiprotect enable|disable ) Enable/Disable Banning IPs Flagged By AiProtect

It’s not the first time the function of Ban AIProtect has been misunderstood, Adam. Would something like “Add AIProtect bans” or “Include AIProtect bans” or something similar be more self-explanatory?