What's new

Skynet Skynet - Router Firewall & Security Enhancements

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Thank you for your reply, and your work. It's a great product. I was wondering more specifically how one could perhaps look up the identities of the numeric address?

The easiest way is if you also have Diversion installed which in turn enables extended dnsmasq logging, then associated domains will show up under the stats UI.

And, I could enable ssh before using it, if it was too great a risk to leave it on all the time, but it would be aggravating.

SSH is fine to keep enabled so long as you keep it set to LAN only.
 
The easiest way is if you also have Diversion installed which in turn enables extended dnsmasq logging, then associated domains will show up under the stats UI.



SSH is fine to keep enabled so long as you keep it set to LAN only.

Thanks again for your time. I do have SSH set to LAN only. There must be something wrong with my setup with dnsmasq, though, because I can't see who the IP addresses belong to either on the graphical interface tab of the firewall (By the way, that is nice), or the amtm Skynet program stats, nothing but numbers. Except for the links to the reason for banning.

I went to the dnsmasq link, and there are so many options for it, I was too intimidated to change anything. I'm afraid I may be in over my head, but I think I would rather make a mistake than do nothing.
When I checked the entware packages that were installed or available, it didn't list dnsmasq, but diversion shows it is creating a log. Do I need to manually do something to activate dnsmasq maybe?

I have diversion and skynet scripts installed, but I may have missed something in the installation.
If I am asking in the wrong place, I apologize.
 
@Adamm Events.log stopped populating?

eventlog.jpg
 
There must be something wrong with my setup with dnsmasq, though, because I can't see who the IP addresses belong to either on the graphical interface tab of the firewall (By the way, that is nice), or the amtm Skynet program stats, nothing but numbers. Except for the links to the reason for banning.

Only certain entries will have an associated domain (usually outbound entries on port 80/443). The rest are direct IP connections from bots.

I went to the dnsmasq link, and there are so many options for it, I was too intimidated to change anything. I'm afraid I may be in over my head, but I think I would rather make a mistake than do nothing.
When I checked the entware packages that were installed or available, it didn't list dnsmasq, but diversion shows it is creating a log. Do I need to manually do something to activate dnsmasq maybe?

dnsmasq is included in the firmware, if you have Diversion installed that's all you need to worry about ;). Skynet was designed to be as simple as possible.

@Adamm Events.log stopped populating?

View attachment 21653

Looks like your logs were recently purged due to size limit, events.log is only populated every time Skynet has 24 entries in the syslog (essentially 24 hours)
 
Looks like your logs were recently purged due to size limit, events.log is only populated every time Skynet has 24 entries in the syslog (essentially 24 hours)
Alright that's probably what happened, this is the first time I saw the log purged completely.
 
I've pushed v7.1.2

Code:
Add ipinfo to whitelist
Variable cleanup
Speedup domain caching
Improve swap unmount code
Reset hits counter when logs are purged
Improve SWAP detection
Remove SWAP partition support (which was only ever meant to be temporary)
Fix inconsistent tabbing
Use echo instead of logger in swap install function
Open alientvault/speedguide when clicking on WebUI graph data (thanks @Jack Yaz)
Major formatting changes for shfmt compliance
Add curl timeout
Use xargs instead of eval during malware list update (thanks @Dabombber)
 
Google's SMTP servers are being blocked today.

Code:
admin@RT-AC88U-B1E8:/tmp/home/root# firewall stats search malware 108.177.15.108
################################################################################
#                                                                              #
#                  ███████╗██╗  ██╗██╗   ██╗███╗   ██╗███████╗████████╗    ██╗ #
#                  ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗  ██║██╔════╝╚══██╔══╝    ██║ #
#                  ███████╗█████╔╝  ╚████╔╝ ██╔██╗ ██║█████╗     ██║       ██║ #
#                  ╚════██║██╔═██╗   ╚██╔╝  ██║╚██╗██║██╔══╝     ██║       ╚██╗#
#                  ███████║██║  ██╗   ██║   ██║ ╚████║███████╗   ██║        ╚██#
#                  ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═══╝╚══════╝   ╚═╝         ╚═#
#                                                                              #
#                                 Router Firewall And Security Enhancements    #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS#
#                                            20/02/2020 - v7.1.1               #
################################################################################


================================================================================


[i] Logging Data Detected in /tmp/mnt/entware/skynet/skynet.log - 10.0M
[i] Monitoring From Feb 19 06:25:27 To Feb 27 13:20:38
[i] 39450 Block Events Detected
[i] 5513 Unique IPs
[i] 0 Manual Bans Issued


================================================================================


Exact Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------

108.177.15.108       | https://iplists.firehol.org/files/coinbl_ips.ipset


Possible CIDR Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------



================================================================================


[#] 122435 IPs (+0) -- 1553 Ranges Banned (+0) || 16824 Inbound -- 427 Outbound]
 
I've pushed v7.1.2

  • Add ipinfo to whitelist
  • Variable cleanup
  • Speedup domain caching
  • Improve swap unmount code
  • Reset hits counter when logs are purged
  • Improve SWAP detection
  • Remove SWAP partition support (which was only ever meant to be temporary)
  • Fix inconsistent tabbing
  • Use echo instead of logger in swap install function
  • Open alientvault/speedguide when clicking on WebUI graph data (thanks @Jack Yaz)
  • Major formatting changes for shfmt compliance
  • Add curl timeout
  • Use xargs instead of eval during malware list update (thanks @Dabombber
Nice! Wish we could also click the number on the left... ;)

Now I don't know if it's possible to add { cursor: pointer; } in the code so when we hover a color bar we know we can click it? I guess it's CSS like anything else?
 
Only certain entries will have an associated domain (usually outbound entries on port 80/443). The rest are direct IP connections from bots.



dnsmasq is included in the firmware, if you have Diversion installed that's all you need to worry about ;). Skynet was designed to be as simple as possible.



Looks like your logs were recently purged due to size limit, events.log is only populated every time Skynet has 24 entries in the syslog (essentially 24 hours)

It appears that Skynet is blocking my VPN provider, windscribe, at least paritally. I can't connect to VPN on my iphone or ipad, but my desktop and laptop seem to be connecting most of the time.
Is it better to whitelist, or to unban? They have various IP addresses, so do I just input the name, such as "windscribe dot com" or "whisker-galaxy dot com"? I realize these are probably elementary, but I've never done it.

Also, what is the term in alienvault to "add to pulse"? Will that help to whitelist my VPN provider for others in the future?
thanks again for your time.
jts

edit: It may be something else, and the references to the VPN provider may be a bogey using it. I don't know. I did update to the latest version of Skynet, but I still can't connect with iPhone or Ipad. .
 
Last edited:
It appears that Skynet is blocking my VPN provider, windscribe, at least paritally. I can't connect to VPN on my iphone or ipad, but my desktop and laptop seem to be connecting most of the time.
Is it better to whitelist, or to unban? They have various IP addresses, so do I just input the name, such as "windscribe dot com" or "whisker-galaxy dot com"? I realize these are probably elementary, but I've never done it.

Also, what is the term in alienvault to "add to pulse"? Will that help to whitelist my VPN provider for others in the future?
thanks again for your time.
jts

edit: It may be something else, and the references to the VPN provider may be a bogey using it. I don't know. I did update to the latest version of Skynet, but I still can't connect with iPhone or Ipad. .

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Logging
Code:
sh /jffs/scripts/firewall settings logmode enable
2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch
Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if its being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;
Code:
DST=175.115.37.52
4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If its related to a domain additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great we have confirmed we found the IP of the blocked website/application we are looking for, lets whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
 
There must be something wrong with my setup with dnsmasq, though, because I can't see who the IP addresses belong to either on the graphical interface tab of the firewall (By the way, that is nice), or the amtm Skynet program stats, nothing but numbers. Except for the links to the reason for banning.

Look in AddOns / Diversion Stats
 

Thanks again for your help. Are these commands typed at the Putty terminal or PC interface? Please excuse my ignorance, this is fairly new to me. Were it not for the "cook book" recipe for installing these scripts, I wouldn't even be here. Maybe I shouldn't be, I am no doubt over my head.

There is a selection in Skynet for whitelisting. Do I select that and then type in the commands or script?
thanks again,
jts

Edit: BTW, I should have already said that I am using:
RT-AC86U, RT-AC68U Aimesh node, diversion, skynet, windscribe client (partial) with OpenVPN.
 
Last edited:
Look in AddOns / Diversion Stats

5string, Thanks for the help. Where is the AddOns / Diversion Stats found? I didn't find it in the amtm, entware packages, diversion, or the router interface.
I am about as green as they come, and I thought I was fairly knowledgeable in computers, but know very little about networking except what I have picked up, mostly here.
thanks again,
jts
 
Thanks again for your help. Are these commands typed at the Putty terminal or PC interface?

Terminal

5string, Thanks for the help. Where is the AddOns / Diversion Stats found? I didn't find it in the amtm, entware packages, diversion, or the router interface.
I am about as green as they come, and I thought I was fairly knowledgeable in computers, but know very little about networking except what I have picked up, mostly here.
thanks again,
jts

Ignore that post, the information is incorrect.
 
... Please excuse my ignorance, this is fairly new to me. Were it not for the "cook book" recipe for installing these scripts, I wouldn't even be here. Maybe I shouldn't be, I am no doubt over my head....
.
Don’t apologise: many of us started out like that (and some of us still feel that way. ;). Problem is there’s always a tacit, assumed foundation of knowledge and experience required. I spend a lot of my time trawling through YouTube videos and tutorials just to understand some of the questions on this forum let alone making sense of the answers! All one can do is plod on and work on the basis that if you fling enough sh!t at a wall, some of it eventually sticks.
 
Skynet is enabled but has stopped monitoring and shows 0 IPs blocked in 24rs which is very weird.

What is causing this now totally baffled I have tried to reinstall skynet but its still the same. Is there anyway I can return to 7.1.1

Code:
0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Block!

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Malware Blacklist
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]:
Go into option 3 to download/update the lists again. Look for errors and post the results.
 
Skynet is enabled but has stopped monitoring and shows 0 IPs blocked in 24rs which is very weird.

0 IPs (+0) -- 0 Ranges Banned (+0)

There is your issue, run the malware list update again.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top