Skynet Skynet - Router Firewall & Security Enhancements

[QuikSilver]

I've pushed v7.1.9

Detect malware IOC that prevents AiProtect from updating by setting apps_wget_timeout=3O

That was fast! Just read @RMerlin 's comment and saw a skynet upgrade to detect it.

 

[Wayne Hutchinson]

OK, I am re-posting to this thread:
Hi Adamm,
I am interested in installing Skynet but am a novice with unix usage can you please put together a install and usage post?
I have looked at your thread but want to make sure I get it right.

Thanks

 

[L&LD]

@Wayne Hutchinson, see post 1.

 

[Wayne Hutchinson]

Thanks, I did not see that it would install from the web.

I am now seeing the following error when I try to use ssh;
This is the first time using ssh since rebuilding the Asus.
What is causing this

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:4Hm/VB7J5stqkYZge8eJt26iRgHHOiuWZay2wkDkNQc.
Please contact your system administrator.
Add correct host key in C:\\Users\\hutch/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\\Users\\hutch/.ssh/known_hosts:1
ECDSA host key for 192.168.1.1 has changed and you have requested strict checking.
Host key verification failed.

 

[dave14305]

Thanks, I did not see that it would install from the web.

I am now seeing the following error when I try to use ssh;
This is the first time using ssh since rebuilding the Asus.
What is causing this

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:4Hm/VB7J5stqkYZge8eJt26iRgHHOiuWZay2wkDkNQc.
Please contact your system administrator.
Add correct host key in C:\\Users\\hutch/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\\Users\\hutch/.ssh/known_hosts:1
ECDSA host key for 192.168.1.1 has changed and you have requested strict checking.
Host key verification failed.

It's due to the factory reset. Delete and try again.

del C:\Users\hutch\.ssh\known_hosts

 

[thecheapseats]

I've pushed v7.1.9

that was fast... thx...

 

[tomsk]

Thanks, I did not see that it would install from the web.

I am now seeing the following error when I try to use ssh;
This is the first time using ssh since rebuilding the Asus.
What is causing this

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:4Hm/VB7J5stqkYZge8eJt26iRgHHOiuWZay2wkDkNQc.
Please contact your system administrator.
Add correct host key in C:\\Users\\hutch/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\\Users\\hutch/.ssh/known_hosts:1
ECDSA host key for 192.168.1.1 has changed and you have requested strict checking.
Host key verification failed.

You can just remove the old key

 

[L&LD]

@thecheapseats, the update to the update was even faster (depending on when you did the update on your router, check again for another 'no version change' update for a possible newer script.

 

[thecheapseats]

yes... got it...

 

[Wayne Hutchinson]

Thanks dave14305 got ssh to work again.
Now to the next part, the usb flash drive, All I have available is a ADATA 16gb,
I plunged it but it ask's - Please enter partition number 0-1? when I run the install
It's the only drive connected is there a preference?

 

[L&LD]

@Wayne Hutchinson, before inserting (or plunging) the USB drive you want amtm to use, I suggest formatting it in a PC with NTFS format to fully erase it.

Afterward, you may want to follow the amtm Step-by-Step guide (please see the link in my signature below) to properly format the USB drive using amtm. Just remember to ignore the 'install amtm' part. amtm has been included in RMerlin firmware since 384.15_0 release final.

 

[Wallace_n_Gromit]

That was fast! Just read @RMerlin 's comment and saw a skynet upgrade to detect it.

That's why I love this place! Jaw-dropping [fast] updates, immediate support. Something new to learn everyday. Helpful community. Great and knowledgeable networking/coders. Don't have to wait for the 2nd Tuesday of every month for buggy security updates [read Windows 10].

 

[Wayne Hutchinson]

Thanks, I'm up and running. So far so good.

 

[Joe Doe]

What is the output of;

sh /jffs/scripts/firewall debug info

And the exact output when you get the error.

>> /jffs/scripts/firewall: line 5668: arithmetic syntax error

-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
Service-Event Entry | [Passed]
Profile.add Entry | [Passed]
SWAP File | [Passed]
Cron Jobs | [Passed]
NTP Sync | [Passed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
IPSets | [Passed]
IPTables Rules | [Passed]

 

[Adamm]

>> /jffs/scripts/firewall: line 5668: arithmetic syntax error

-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
Service-Event Entry | [Passed]
Profile.add Entry | [Passed]
SWAP File | [Passed]
Cron Jobs | [Passed]
NTP Sync | [Passed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
IPSets | [Passed]
IPTables Rules | [Passed]

Thats not the complete output

 

[CriticJay]

Hi @Adamm

Noticed something odd during a recent uninstall/reinstall and thought I would mention it in case it was an actual bug and not a one-off glitch.

I have a single list on my exclusions - the firehol level3. When I did a Skynet backup, skynet uninstall, skynet reinstall, skynet restore from backup; most of my configuration settings appeared to be back except for that list which I used to exclude.

Not a big deal to re-enter that exclusion but thought I would mention regardless

 

[Joe Doe]

Thats not the complete output

Here's the entire output. It stops after the arithmetic error.

 

[Mutzli]

Hi @Adamm, would it be possible to have an option in Skynet to import banned IP addresses from Suricata's fast.log like the option you have for importing AiProtect data into Skynet? Right now I manually enter the IP addresses from the fast.log file into Skynet which isn't a huge deal yet, but could become cumbersome in the future if there are a lot of recorded IPs from Suricata.

 

[Adamm]

Here's the entire output. It stops after the arithmetic error.

Why do you have almost every setting disabled including settings that aren't even relevant for your installation (i.e Custom syslog location), no wonder you are getting errors. I suggest uninstalling Skynet followed by a reinstall to correct these and only change settings if you are aware of what it actually does.

 

[Adamm]

Hi @Adamm, would it be possible to have an option in Skynet to import banned IP addresses from Suricata's fast.log like the option you have for importing AiProtect data into Skynet? Right now I manually enter the IP addresses from the fast.log file into Skynet which isn't a huge deal yet, but could become cumbersome in the future if there are a lot of recorded IPs from Suricata.

I've yet to dabble with Suricata, but this does sound feasible, although I would need users to send me their full fast.log so I can phrase them.