Skynet - Router Firewall & Security Enhancements


You need to remove the Skynet line from /jffs/scripts/firewall-start

Thanks for the reply! As mentioned, I'm a newb at editing the jffs. Is there a command from the terminal I use, or do I need to use nano? If so, how would one do that using nano?

~EDIT~ OK, figured it out. Thought I would have to do it through the terminal, but it's as simple as backing up your jffs. Open it with 7ZIP, navigate to the file, delete. Restore jffs, reboot router. Skynet back up and running.
 
I've been running skynet for a while and just doing upgrades... back when I started a 512MB was recommended. Today I updated skynet, and it says I need to increase my swapfile size to 1GB minimum immediately. Is there a convenient way for me to do this, without formatting my usb drive and starting from scratch?

Thanks in advance,
Kevin
 
I've been running skynet for a while and just doing upgrades... back when I started a 512MB was recommended. Today I updated skynet, and it says I need to increase my swapfile size to 1GB minimum immediately. Is there a convenient way for me to do this, without formatting my usb drive and starting from scratch?

Thanks in advance,
Kevin
Start here....couple people recommended and tried a few different ways....
https://www.snbforums.com/threads/r...firewall-security-enhancements.16798/page-313
 
Thanks a ton QuikSilver. For those interested in cutting to the chase and getting it done... visortgw's post was a quick and easy cure:

[Release] Skynet - Router Firewall & Security Enhancements

I just went with 2gb this time, to hopefully postpone when/if this happens again in the future. 2gb isn't a waste for me... since really all of my ASUS router stuff is only taking a few GB of a 32gb drive anyway... it is actually one less GB being wasted collecting dust, LOL.
 
Thanks a ton QuikSilver.
No problem. I remembered people posting about it but didn't remember the answer. That was the best I could do to help you quickly, so I'm glad it helped. ;)
 
I have tried to get this solved for a while, but I must admit that it is teasing me. It seems that whenever I have whitelisted a domain name, it takes around a week, then it is banned again.

So this is what I do - I open Skynet - Go for 12 -> 1 -> 1. Wait for the line to appear:

Watching Syslog For Log Entries (ctrl +c) To Stop

Feb 24 21:39:28 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=XX:XX SRC=192.XX.X.XX DST=51.145.143.28 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17747 DF PROTO=TCP SPT=42240 DPT=443 SEQ=3766935178 ACK=0 WIND)
Associated Domain(s) - [app.netatmo.net]


Got it - this domain, I want to allow. So I go back to main menu - Go for 4 -> 2

Input Domain To Whitelist:
: app.netatmo.net
[$] /jffs/scripts/firewall whitelist domain app.netatmo.net
=============================================================================================================

Adding app.netatmo.net To Whitelist
Whitelisting 51.145.143.28
Saving Changes


It seems to be saving. I'll try to connect again, and everything is working. However it seems that after a week (maybe after auto update for whitelisting?), it goes back again?

Why is that? Then I can go and unban the domain once again.


Besides that - can anyone explain to me what the difference between "Unban" and "Whitelisting" is in this matter? I mean, it is blocked, so I might want to Unban it, or Whitelist it? What to do when?

Thanks a lot!
Best. D.
 
I have tried to get this solved for a while, but I must admit that it is teasing me. It seems that whenever I have whitelisted a domain name, it takes around a week, then it is banned again.

So this is what I do - I open Skynet - Go for 12 -> 1 -> 1. Wait for the line to appear:

Watching Syslog For Log Entries (ctrl +c) To Stop

Feb 24 21:39:28 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=XX:XX SRC=192.XX.X.XX DST=51.145.143.28 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17747 DF PROTO=TCP SPT=42240 DPT=443 SEQ=3766935178 ACK=0 WIND)
Associated Domain(s) - [app.netatmo.net]


Got it - this domain, I want to allow. So I go back to main menu - Go for 4 -> 2

Input Domain To Whitelist:
: app.netatmo.net
[$] /jffs/scripts/firewall whitelist domain app.netatmo.net
=============================================================================================================

Adding app.netatmo.net To Whitelist
Whitelisting 51.145.143.28
Saving Changes


It seems to be saving. I'll try to connect again, and everything is working. However it seems that after a week (maybe after auto update for whitelisting?), it goes back again?

Why is that? Then I can go and unban the domain once again.


Besides that - can anyone explain to me what the difference between "Unban" and "Whitelisting" is in this matter? I mean, it is blocked, so I might want to Unban it, or Whitelist it? What to do when?

Thanks a lot!
Best. D.

Perhaps the IP is changing? Or they are using a CDN of sorts. I know it is a pain but can you check if the IP is different next time?

At the end of the day skynet works on IPs and not domains so it does a translation to an IP at that time.
 
Perhaps the IP is changing? Or they are using a CDN of sorts. I know it is a pain but can you check if the IP is different next time?

At the end of the day skynet works on IPs and not domains so it does a translation to an IP at that time.

Hi juched. Thanks for swift reply. I'll give it a try and keep an eye on the ip next time. Now I have something to look for :)
 
I installed Skynet a while back. Logged into my router for the first time in a while today. Looking at the logs, nothing from the past month seemed unusual, but about 30 minutes before I logged in, the system log shows messages about incoming traffic blocked, in: eth0, out: mac address (I think it's my router's, ASUSTEK when I looked it up). The source IP addresses are all over the place. I'm getting one every few seconds for the past hour. Is there any way to understand this further? I don't see any messages like this about blocked traffic except today.
 
I installed Skynet a while back. Logged into my router for the first time in a while today. Looking at the logs, nothing from the past month seemed unusual, but about 30 minutes before I logged in, the system log shows messages about incoming traffic blocked, in: eth0, out: mac address (I think it's my router's, ASUSTEK when I looked it up). The source IP addresses are all over the place. I'm getting one every few seconds for the past hour. Is there any way to understand this further? I don't see any messages like this about blocked traffic except today.
The entries are cleaned from the syslog every hour and put into the stats.
 
Still a Merlin FW noob… not sure why but I was not getting the fancy color charts on my RT-AX88U. AMTM alerted me of an AMTM and Skynet update. Did the updates, reset stats in Skynet, saved and it’s working. Very slick interface. PayPal donation incoming. Thanks
 
Skynet picked up a "nasty" for me - but I need help on how to track down what may have caused it.
The log showed an OUTBOUND block from my Win-10 PC on 192.168.1.51 to ip 169.239.220.35 which is known to be malicious.
Log extract here ...
Code:
Feb 24 22:08:38 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=xxxxxxxx SRC=192.168.1.51 DST=169.239.220.35 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28006 DF PROTO=TCP SPT=61308 DPT=8080 SEQ=168377869 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)

Kept hammering away for several minutes - alternating between destination ports DPT8080 and DPT5060?

Comes in waves - and is still currently being blocked ... how do I trace what program / process on my PC is causing this?
Code:
Feb 26 08:53:46 RT-AC86U-8178 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=xxxxxxxxxx SRC=192.168.1.51 DST=169.239.220.35 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=48688 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=20
 
I installed Skynet a while back. Logged into my router for the first time in a while today. Looking at the logs, nothing from the past month seemed unusual, but about 30 minutes before I logged in, the system log shows messages about incoming traffic blocked, in: eth0, out: mac address (I think it's my router's, ASUSTEK when I looked it up). The source IP addresses are all over the place. I'm getting one every few seconds for the past hour. Is there any way to understand this further? I don't see any messages like this about blocked traffic except today.

Welcome to the modern internet, where bots are constantly scanning your IP for vulnerabilities to exploit :p Skynet just makes it much more obvious what is actually going on in the background.

Still a Merlin FW noob… not sure why but I was not getting the fancy color charts on my RT-AX88U. AMTM alerted me of an AMTM and Skynet update. Did the updates, reset stats in Skynet, saved and it’s working. Very slick interface. PayPal donation incoming. Thanks

Appreciate the kind words! :cool:

Skynet picked up a "nasty" for me - but I need help on how to track down what may have caused it.
The log showed an OUTBOUND block from my Win-10 PC on 192.168.1.51 to ip 169.239.220.35 which is known to be malicious.
Log extract here ...
Code:
Feb 24 22:08:38 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=xxxxxxxx SRC=192.168.1.51 DST=169.239.220.35 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28006 DF PROTO=TCP SPT=61308 DPT=8080 SEQ=168377869 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)

Kept hammering away for several minutes - alternating between destination ports DPT8080 and DPT5060?

Comes in waves - and is still currently being blocked ... how do I trace what program / process on my PC is causing this?
Code:
Feb 26 08:53:46 RT-AC86U-8178 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=xxxxxxxxxx SRC=192.168.1.51 DST=169.239.220.35 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=48688 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=20

So it looks like a South African IP that's well known for IMAP brute-forcing. With the information provided it tried making HTTP connections (possibly to a proxy) on port 8080, and perhaps tried to make SIP connections on port 5060.

You can use these tips here to find out what process exactly is making the connections on a windows machine. Hopefully that helps
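To make the "[BLOCKED - OUTBOUND]" lines quoted in this thread easier to read at a glance, here is an added example (not part of Skynet or of any post above) that parses such syslog lines and groups them by direction, source and destination, so a single LAN host repeatedly hitting one external address stands out from the background of inbound scanner noise. The sample lines are constructed from the entries quoted in the thread, with MACs masked and documentation addresses for the inbound entries.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format Skynet writes to syslog (modelled on the entries
# quoted in the thread; MACs masked, the inbound lines use documentation addresses).
SAMPLE_LOG = """\
Feb 24 22:08:38 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=xx SRC=192.168.1.51 DST=169.239.220.35 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28006 DF PROTO=TCP SPT=61308 DPT=8080 SEQ=168377869 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 24 22:08:41 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=xx SRC=192.168.1.51 DST=169.239.220.35 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28007 DF PROTO=TCP SPT=61310 DPT=5060 SEQ=168377870 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 26 08:53:46 RT-AC86U-8178 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=xx SRC=192.168.1.51 DST=169.239.220.35 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=48688 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=20
Feb 26 09:00:01 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 26 09:00:04 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?\[BLOCKED - (?P<dir>[A-Z]+)\] (?P<kv>.*)$")

def parse_line(line):
    """Turn one Skynet block line into a dict; returns None for unrelated syslog lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("kv").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)  # ICMP lines carry a second ID=; keep the IP-header one
    proto = fields.get("PROTO", "?")
    # Name the service: TCP/UDP by destination port, ICMP by type (8 = echo request)
    service = f"{proto}/{fields['DPT']}" if "DPT" in fields else f"{proto}/type{fields.get('TYPE', '?')}"
    return {"ts": m.group("ts"), "dir": m.group("dir"), "src": fields.get("SRC"),
            "dst": fields.get("DST"), "service": service}

def summarize(log_text):
    """Group blocks by (direction, source, destination): one chatty LAN host stands out,
    while inbound scanner noise shows up as many distinct sources with a count of 1."""
    groups = defaultdict(lambda: {"count": 0, "services": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        g = groups[(rec["dir"], rec["src"], rec["dst"])]
        g["count"] += 1
        g["services"].add(rec["service"])
        g["first"] = g["first"] or rec["ts"]
        g["last"] = rec["ts"]
    return dict(groups)

if __name__ == "__main__":
    for key, g in summarize(SAMPLE_LOG).items():
        print(key, g["count"], sorted(g["services"]), g["first"], "->", g["last"])
```

On a real router the same function can be fed the output of grep "BLOCKED" on /tmp/syslog.log; the (OUTBOUND, LAN host, destination) rows are the ones worth following up on the named machine.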
 
....
So it looks like a South African IP that's well known for IMAP brute-forcing. With the information provided it tried making HTTP connections (possibly to a proxy) on port 8080, and perhaps tried to make SIP connections on port 5060.
You can use these tips here to find out what process exactly is making the connections on a windows machine. Hopefully that helps

Many thanks for the pointer ... will enjoy tracking it down ;).
 
Let us know what you find, please.

Will do ... but the "attacker" has gone to ground since 8:53 my local time ... so no activity since then.

I'm a bit clueless in this field - but reading up as much as I can. I gather it's tricky to track this one down because anti-virus etc. is no help.
Deep scans on my PC have turned up nothing.

Waiting game for now - have deployed Wireshark with set filters to log only the offending ip address link - per my post above.
 
Will do ... but the "attacker" has gone to ground since 8:53 my local time ... so no activity since then.

I'm a bit clueless in this field - but reading up as much as I can. I gather it's tricky to track this one down because anti-virus etc. is no help.
Deep scans on my PC have turned up nothing.

Waiting game for now - have deployed Wireshark with set filters to log only the offending ip address link - per my post above.
You can’t be that clueless if you’ve set up Wireshark and are standing by with a loaded shotgun.
 
Please excuse my ignorance, but how do you tell what the sites are that are being blocked or banned? How can I know that "my favorite website" is not being blocked?
TIA
One other question if I may: Should I disable ssh after using it, or leave it on?
 
Please excuse my ignorance, but how do you tell what the sites are that are being blocked or banned? How can I know that "my favorite website" is not being blocked?

Well it will stop loading for starters, plus show up in the logs indicating so.

One other question if I may: Should I disable ssh after using it, or leave it on?

I'd leave it enabled for if/when you need to interact with Skynet and/or other scripts.
 
Thank you for your reply, and your work. It's a great product. I was wondering more specifically how one could perhaps look up the identities of the numeric addresses?
And, I could enable ssh before using it, if it was too great a risk to leave it on all the time, but it would be aggravating.
I apologize for my inexperience, but this is all new to me within the last half year.
thanks again,
jts
 
