Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Hi Adamm,

I doubt this has anything to do with 7.1.8 but when viewing stats on the console (not webui) I got the following message:

The provider we use for country lookups has a 1000 daily query limit on their free API. There is unfortunately no avoiding this (beyond changing your IP for the day or disabling country lookups), but under normal circumstances no user should be consistently hitting this unless they are constantly refreshing their stats.

 

[CriticJay]

The provider we use for country lookups has a 1000 daily query limit on their free API. There is unfortunately no avoiding this (beyond changing your IP for the day or disabling country lookups), but under normal circumstances no user should be consistently hitting this unless they are constantly refreshing their stats.

Yeah I've been troubleshooting an issue with my USB drive and finally determined it was faulty / replaced it with a new one, so I have been doing a lot of script un-install / re-install / re-install again, in the past 12 hours ... that could explain why they think I'm hammering them with requests.

 

[Skillz]

Safer then a password? Sure, but you are still exposing the service to the world, so in the event of a 0 day dropbear exploit you would be vulnerable. That's why using OpenVPN to access your lan is the recommended method

Is that because SSH is a root-level daemon and VPN isn't? My first thought was well, what about 0-day vpn exploit? I'm pretty new to this, so trying to understand your recommendation towards VPN.

 

[L&LD]

VPN is inherently more secure because it doesn't sit on the WAN, 'exposed'. Many layers of security in front of it.

 

[XIII]

VPN is inherently more secure because it doesn't sit on the WAN, 'exposed'. Many layers of security in front of it.

How can you remotely use OpenVPN if it's not on WAN?

(I'm also curious why many people say OpenVPN is safer than SSH for remote access; never understood why)

 

[L&LD]

I didn't say that.

It doesn't sit there, exposed.

 

[dugaduga]

Feature request: an option (preferably set as default) to forward blocked IP's to skynet localhost block warning html page, to give people a better idea of what is causing a false positive. Another option that enables users the ability to whitelist on that page would be cool too.

This would be nice because there are often many layers one must check to determine where a break occurs, starting with local machine, then diversion, then dnscrypt, etcetera... this would be great for websites, not so useful for most non browser usage, but still can save people a lot of time and energy troubleshooting.

 

[Adamm]

Is that because SSH is a root-level daemon and VPN isn't? My first thought was well, what about 0-day vpn exploit? I'm pretty new to this, so trying to understand your recommendation towards VPN.

One of the most simple reasons is layering. When using OpenVPN you now have two layers of protection someone has to exploit to gain root access to your network, not to mention OpenVPN is so widely used/audited. Plus the fact a majority of less tech savvy users don't use SSH keys and instead use passwords, which as we all know can be easily brute-forced.

 

[martinr]

Merlin wrote this 2 years ago in response to a question by XIII:

“The openvpn code was recently audited. I don't think dropbear code ever was.

The increased security lies in theunderlying code, not in theauthentication mechanism itself.“

https://www.snbforums.com/threads/r...-to-router-webui-over-http.47055/#post-411110

 

[XIII]

Merlin wrote this 2 years ago in response to a question by XIII

Completely forgot about that...

 

[slytho]

Hi! I've got a problem running SkyNet on my ASUS Router:

1. No WebUI button for Skynet is displayed in the router's admin panel although I use the latest firmware (>384.15).
   
2. Running the command "firewall settings webui enable" prints "[*] WebUI Integration Requires Logging to be Enabled", " WebUi Enabled" and "Generating Stats" but terminates with "/jffs/scripts/firewall: line 5659: arithmetic syntax error"
3. Running amtm to update Skynet returns "/jffs/scripts/firewall: line 40: arithmetic syntax error" and terminates. However, when I manually run "firewall update check" on the command line, the update is performed and no error message displayed.

Output of "firewall debug info":

Skynet Version; (14/06/2020) (3dd8c42e0baa6ba6800ae6c4dabc5a39)
iptables v1.4.15 - (eth0 @ 192.168.66.1)
ipset v6.32, protocol version: 6
IP Address; (###.###.###.###)
FW Version; 384.17_0 (Apr 26 2020) (4.1.27)
Install Dir; /tmp/mnt/usb_87_ext2/skynet (6.8G / 9.4G Space Available)
Syslog Location; () ()
Uptime; 0 days, 5 hours, 39 minutes.
Ram Available; (110M / 430M)

----------- | ----------
| Setting | | | Status |
---------- | ----------

Skynet Auto-Updates [Disabled]
Malware List Auto-Updates [Disabled]
Logging [Disabled]
Filter Traffic [Selective]
Unban PrivateIP [Disabled]
Log Invalid Packets [Disabled]
Import AiProtect Data [Disabled]
Secure Mode [Disabled]
Fast Switch List [Disabled]
Syslog Location [Custom]
IOT Blocking [Disabled]
Country Lookup For Stats [Disabled]
CDN Whitelisting [Disabled]
Display WebUI [Disabled]

 

[Adamm]

[*] WebUI Integration Requires Logging to be Enabled"

( firewall settings logmode enable|disable ) Enable/Disable Logging

 

[XIII]

Completely forgot about that...

But somehow I do remember this (even older) post from him:

Dropbear has a fairly good track record security-wise. It has less esoteric features than OpenSSH, which means simpler codebase, therefore less possible attack vectors. I personally trust it open on the WAN, especially if one disables password login and uses RSA or ECDSA keys to authenticate.

https://www.snbforums.com/threads/enable-ssh-brute-force-protection-not-working.42792/#post-365167

 

[Wishmaster1965]

My install is inbound only

Running 384.17

Question I have, I am seeing my /opt/var/log/firewall.log file sitting at zero bytes, is this normal ?

 

[Adamm]

My install is inbound only

Running 384.17

Question I have, I am seeing my /opt/var/log/firewall.log file sitting at zero bytes, is this normal ?

Whats the output of;

firewall debug info

 

[Wishmaster1965]

Whats the output of;

firewall debug info

################################################################################
# #
# ███████╗██╗ ██╗██╗ ██╗███╗ ██╗███████╗████████╗ ██╗ #
# ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗ ██║██╔════╝╚══██╔══╝ ██║ #
# ███████╗█████╔╝ ╚████╔╝ ██╔██╗ ██║█████╗ ██║ ██║ #
# ╚════██║██╔═██╗ ╚██╔╝ ██║╚██╗██║██╔══╝ ██║ ╚██╗#
# ███████║██║ ██╗ ██║ ██║ ╚████║███████╗ ██║ ╚██#
# ╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═══╝╚══════╝ ╚═╝ ╚═#
# #
# Router Firewall And Security Enhancements #
# By Adamm - https://github.com/Adamm00/IPSet_ASUS#
# 14/06/2020 - v7.1.8 #
################################################################################


================================================================================


Router Model; RT-AC68U
Skynet Version; v7.1.8 (14/06/2020) (991a53cc1ed94b4eb02837b1651e999f)
iptables v1.4.15 - (ppp0 @ 192.168.1.254)
ipset v6.32, protocol version: 6
IP Address; (84.92.56.81) - (2001:470:1f1d:5e0::/64)
FW Version; 384.17_0 (Apr 25 2020) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/asus/skynet (11.1G / 14.2G Space Available)
SWAP File; /tmp/mnt/asus/myswap.swp (2.0G)
Banned Countries; ru,kp,iq,ir,cn,sa,br
Uptime; 2 days, 3 hours, 14 minutes.
Ram Available; (79M / 249M)


--------------- | ------------ | ---------------
| Device Name | | | Local IP | | | MAC Address |
--------------- | ------------ | ---------------

Philips-hue | 192.168.1.4 | 00:17:88:71:04:ebe
Unknown | 192.168.1.16 | 34:7e:5c:19:76:90e
amazon-f7c2f8531 | 192.168.1.18 | 3c:18:a0:a9:17:c5e
VU-Duo2 | 192.168.1.42 | 00:1d:ec:05:bd:68e
SonosZP | 192.168.1.70 | 00:0e:58:cb:20:cce
TVBOX | 192.168.1.100 | 18:60:24:22:a6:15e
TP-LINK | 192.168.1.133 | e8:de:27:99:cf:0be
NAS-Thecus | 192.168.1.200 | 00:14:fd:13:43:66e
amazon-1c9815784 | 192.168.1.206 | 24:4c:e3:6c:20:ece


-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
Service-Event Entry | [Passed]
Profile.add Entry | [Passed]
SWAP File | [Passed]
Cron Jobs | [Passed]
NTP Sync | [Passed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
IPSets | [Passed]
IPTables Rules | [Passed]
Local WebUI Files | [Passed]
Mounted WebUI Files | [Passed]
MenuTree.js Entry | [Passed]


----------- | ----------
| Setting | | | Status |
---------- | ----------

Skynet Auto-Updates | [Enabled]
Malware List Auto-Updates | [Enabled]
Logging | [Enabled]
Filter Traffic | [Selective]
Unban PrivateIP | [Enabled]
Log Invalid Packets | [Disabled]
Import AiProtect Data | [Enabled]
Secure Mode | [Enabled]
Fast Switch List | [Disabled]
Syslog Location | [Default]
IOT Blocking | [Disabled]
Country Lookup For Stats | [Enabled]
CDN Whitelisting | [Enabled]
Display WebUI | [Enabled]

17/17 Tests Sucessful


================================================================================


[#] 320361 IPs (+0) -- 1782 Ranges Banned (+0) || 900 Inbound -- 0 Outbound Con]

 

[slytho]

( firewall settings logmode enable|disable ) Enable/Disable Logging

Oh, I forgot to mention, I tried that and it brings up the same error message - and still no logging:
"/jffs/scripts/firewall: line 5659: arithmetic syntax error"

I can't even uninstall Skynet because of it. The process stops after these error messages.

The code in line 5659 is as follows:
5657 Spinner_End
5658 Display_Header "9"
5659 if [ "$nolog" != "2" ]; then Print_Log "$@"; echo; fi
5660 if [ "$nocfg" != "1" ]; then Write_Config; fi

The code in line 40 is as follows:
40 if [ -z "${skynetloc}" ] && tty >/dev/null 2>&1; then
41 set "install"
42 fi

 

[Adamm]

Oh, I forgot to mention, I tried that and it brings up the same error message - and still no logging:
"/jffs/scripts/firewall: line 5659: arithmetic syntax error"

I can't even uninstall Skynet because of it. The process stops after these error messages.

The code in line 5659 is as follows:
5657 Spinner_End
5658 Display_Header "9"
5659 if [ "$nolog" != "2" ]; then Print_Log "$@"; echo; fi
5660 if [ "$nocfg" != "1" ]; then Write_Config; fi

The code in line 40 is as follows:
40 if [ -z "${skynetloc}" ] && tty >/dev/null 2>&1; then
41 set "install"
42 fi

Not sure why you toggled so many settings unnecessarily, seems like a case of pebkac. I suggest you manually delete your Skynet config files, reboot and start fresh.

rm -rf /tmp/mnt/usb_87_ext2/skynet

My install is inbound only

Running 384.17

Question I have, I am seeing my /opt/var/log/firewall.log file sitting at zero bytes, is this normal ?

################################################################################
# #
# ███████╗██╗ ██╗██╗ ██╗███╗ ██╗███████╗████████╗ ██╗ #
# ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗ ██║██╔════╝╚══██╔══╝ ██║ #
# ███████╗█████╔╝ ╚████╔╝ ██╔██╗ ██║█████╗ ██║ ██║ #
# ╚════██║██╔═██╗ ╚██╔╝ ██║╚██╗██║██╔══╝ ██║ ╚██╗#
# ███████║██║ ██╗ ██║ ██║ ╚████║███████╗ ██║ ╚██#
# ╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═══╝╚══════╝ ╚═╝ ╚═#
# #
# Router Firewall And Security Enhancements #
# By Adamm - https://github.com/Adamm00/IPSet_ASUS#
# 14/06/2020 - v7.1.8 #
################################################################################


================================================================================


Router Model; RT-AC68U
Skynet Version; v7.1.8 (14/06/2020) (991a53cc1ed94b4eb02837b1651e999f)
iptables v1.4.15 - (ppp0 @ 192.168.1.254)
ipset v6.32, protocol version: 6
IP Address; (84.92.56.81) - (2001:470:1f1d:5e0::/64)
FW Version; 384.17_0 (Apr 25 2020) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/asus/skynet (11.1G / 14.2G Space Available)
SWAP File; /tmp/mnt/asus/myswap.swp (2.0G)
Banned Countries; ru,kp,iq,ir,cn,sa,br
Uptime; 2 days, 3 hours, 14 minutes.
Ram Available; (79M / 249M)


--------------- | ------------ | ---------------
| Device Name | | | Local IP | | | MAC Address |
--------------- | ------------ | ---------------

Philips-hue | 192.168.1.4 | 00:17:88:71:04:ebe
Unknown | 192.168.1.16 | 34:7e:5c:19:76:90e
amazon-f7c2f8531 | 192.168.1.18 | 3c:18:a0:a9:17:c5e
VU-Duo2 | 192.168.1.42 | 00:1d:ec:05:bd:68e
SonosZP | 192.168.1.70 | 00:0e:58:cb:20:cce
TVBOX | 192.168.1.100 | 18:60:24:22:a6:15e
TP-LINK | 192.168.1.133 | e8:de:27:99:cf:0be
NAS-Thecus | 192.168.1.200 | 00:14:fd:13:43:66e
amazon-1c9815784 | 192.168.1.206 | 24:4c:e3:6c:20:ece


-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
Service-Event Entry | [Passed]
Profile.add Entry | [Passed]
SWAP File | [Passed]
Cron Jobs | [Passed]
NTP Sync | [Passed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
IPSets | [Passed]
IPTables Rules | [Passed]
Local WebUI Files | [Passed]
Mounted WebUI Files | [Passed]
MenuTree.js Entry | [Passed]


----------- | ----------
| Setting | | | Status |
---------- | ----------

Skynet Auto-Updates | [Enabled]
Malware List Auto-Updates | [Enabled]
Logging | [Enabled]
Filter Traffic | [Selective]
Unban PrivateIP | [Enabled]
Log Invalid Packets | [Disabled]
Import AiProtect Data | [Enabled]
Secure Mode | [Enabled]
Fast Switch List | [Disabled]
Syslog Location | [Default]
IOT Blocking | [Disabled]
Country Lookup For Stats | [Enabled]
CDN Whitelisting | [Enabled]
Display WebUI | [Enabled]

17/17 Tests Sucessful


================================================================================


[#] 320361 IPs (+0) -- 1782 Ranges Banned (+0) || 900 Inbound -- 0 Outbound Con]

You don't have a custom syslog location set so your logs are being sent to /tmp/syslog.log as per usual.

 

[martinr]

But somehow I do remember this (even older) post from him:

Dropbear has a fairly good track record security-wise. It has less esoteric features than OpenSSH, which means simpler codebase, therefore less possible attack vectors. I personally trust it open on the WAN, especially if one disables password login and uses RSA or ECDSA keys to authenticate.

https://www.snbforums.com/threads/enable-ssh-brute-force-protection-not-working.42792/#post-365167

And an obscure port as a bonus?

 

[slytho]

Not sure why you toggled so many settings unnecessarily, seems like a case of pebkac. I suggest you manually delete your Skynet config files, reboot and start fresh.

Actually, I didn't toggle any. Up to today I didn't even know how to interact with Skynet on the command line. Anyway, I'll try what you suggested and set it up again from scratch ...

Edit:
I performed the rm command. And now? How can I uninstall Skynet? It's still shown in amtm as installed.