Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

@Adamm
In the recent changes in github, I see "Detect new malware strand".
What is this?

List of legitimate processes on router

I recently noticed a binary running from /tmp and found out that the router has hacked. It is sort of self-installing trojan or something, whatever. I was able to track it down and cleanup its loader from /jffs However, during the discovery I realized that it there is a lot of processes which...

www.snbforums.com

 

[QuikSilver]

@Adamm
In the recent changes in github, I see "Detect new malware strand".
What is this?

EDIT: I see @Adamm replied before me.
Believe it refers to this..

Skynet - Skynet - Router Firewall & Security Enhancements

And an obscure port as a bonus? Yes. The firmware even encourages that (these days): Using a different port than the default port 22 is recommended to avoid port scan attacks. And to get back on topic: would be nice if SkyNet allows SSH over WAN in Secure Mode, if those conditions were met...

www.snbforums.com

Question about Trend Micro Signature "update failed"

wget: --timeout: Invalid time period '3O' Bad news - your router got infected by malware. That particular malware was setting the timeout to 3O (letter O), to prevent updates from working properly. Do a complete factory default reset, wipe out the JFFS partition, and reconfigure everything...

www.snbforums.com

 

[ugandy]

as a possible enhancement, could the skynet webui page, list manual bans in place, and any IOT devices blocked?
thx

 

[brec]

My GUI Firewall settings page has lost its Skynet tab. I haven't been there in a while. Today I temporarily disabled (menu item 9) then restarted (menu item 8), but I don't know whether the GUI tab was there before that. Settings/Display WebUI is and has been enabled.

 

[dave14305]

My GUI Firewall settings page has lost its Skynet tab. I haven't been there in a while. Today I temporarily disabled (menu item 9) then restarted (menu item 8), but I don't know whether the GUI tab was there before that. Settings/Display WebUI is and has been enabled.

Make sure Skynet logging is enabled and check the syslog for any errors.

 

[brec]

Make sure Skynet logging is enabled and check the syslog for any errors.

Thanks. I did have logging off. After a bunch of rebooting related to updating to Merlin, I have the GUI tab.

 

[JT Strickland]

Can someone tell me the command to uninstall skynet from the putty console? I've got everything back up, I think, but skynet times out because it can't find the swap file. I can't uninstall it to reinstall it from amtm.
tia,
jts
Never mind, found it. Shoulda looked first. My bad.
But it bothers me that "no such file or directory" and "bad number" show up. Anyway here goes.

 

[truglodite]

I just updated my ac86u to .19 firmware, and it buggered off all my scripts where I had to restore jffs and all. Everything else seems to be working as it should, except skynet seems to be broken now. The problem is I can't access it from AMTM to try to reinstall it. It keeps saying "USB not found...". Of course I have the USB working as diversion is installed, swap file working, etc. Skynet shows green under AMTM like it is installed, but can't get inside skynet to do anything.

Any fix for this?

 

[dave14305]

I just updated my ac86u to .19 firmware, and it buggered off all my scripts where I had to restore jffs and all. Everything else seems to be working as it should, except skynet seems to be broken now. The problem is I can't access it from AMTM to try to reinstall it. It keeps saying "USB not found...". Of course I have the USB working as diversion is installed, swap file working, etc. Skynet shows green under AMTM like it is installed, but can't get inside skynet to do anything.

Any fix for this?

Delete the Skynet line from /jffs/scripts/firewall-start. It should let you start over after that.

 

[truglodite]

Yep, that got it sorted. Thank you very much dave!!!

 

[dave14305]

To file in the “easier said than done” folder: maybe on startup, if the skynetloc is not found after the built-in delay, initiate a search for the skynet.cfg under /tmp/mnt and update skynetloc in /jffs/scripts/firewall-start.

 

[Adamm]

To file in the “easier said than done” folder: maybe on startup, if the skynetloc is not found after the built-in delay, initiate a search for the skynet.cfg under /tmp/mnt and update skynetloc in /jffs/scripts/firewall-start.

I'm hesitant to scan /tmp/mnt as we previously had complaints from users who decide to attach large HDD's to their router. With that being said, I assumed running either the install or uninstall command to fix the (user created!) issue was quite straight forward, but I guess to others maybe its not?


In any case, I've pushed v7.2.1

Sync Get_WebUI_Page() with upstream
Detect new malware strand IOC's ( /jffs/chkupdate.sh )
Dynamically ban malware C&C servers if detected
Update missing USB help text

 

[leon]

Skynet can't "slow down" connections, it either blocks or doesn't block an IP address, there isn't any middle ground. If Skynet is blocking something, it will show up accordingly in your logs.

Thanks for the clarifications. Nonetheless, there is a significant speed test result different if Skynet is enabled or otherwise. Do you have any suggestions on how can I identify the casue and eliminate the speed gap having Skynet enabled vs disabled?

 

[Adamm]

Thanks for the clarifications. Nonetheless, there is a significant speed test result different if Skynet is enabled or otherwise. Do you have any suggestions on how can I identify the casue and eliminate the speed gap having Skynet enabled vs disabled?

Your issue has to be related to something else. If Skynet did cause a measurable slowdown, I'd be able to reproduce it and have tens of thousands of Skynet users posting about it over the last 6 years. The only suggestion I have is to nuke your router and start fresh.

 

[Cobra Kai]

If I had a problem with a slowdown or things broken, I found it was self inflicted or things I choose to do outside of the “normal stuff” inside AMTM. (Suricata, Let them eat Cake, etc.) I would rebuild daily to keep playing with different configurations and different setups until I found one which works for me. Yup, rebuild. I would read the forums and things posted to see where I got off the tracks. I learn something new everyday here. I have to agree, Skynet - haven’t seen it be the issue for sudden performance issues. Just my .02

 

[Smokey613]

I have never had Skynet cause any issues. It just works.

 

[dazedandlost]

I’m hoping to run skynet (thank you very much for making, and keeping, it available) because of the attraction of running a firewall on the router. I am in way above my pay grade and I would appreciate pointers and/or help. I will be happy to provide any details that would be helpful but I am leaving a lot out atm so as to be brief but somehow I have managed to foul up the install and/or cfg. The following is out of context and out of order. Uninstalling and reinstalling (after a dirty upgrade) did not help, nor did reading the faq or stfw. I did not read all 374 pages of this thread.

-----------the output of the install process includes:
[*] Private IP Detected - Please Put Your Modem In Bridge Mode / Disable CG-NAT
Installing Skynet v7.2.1
Looking For Available Partitions
[1] --> /tmp/mnt/swpfile - (/dev/sda2)
[2] --> /tmp/mnt/extras - (/dev/sda3)
[3] --> /tmp/mnt/entware - (/dev/sda1)

Please Enter Partition Number Or e To Exit
[0-3]: 2

<--snip-->

[*] Updating chart.js Failed
[*] Updating chartjs-plugin-zoom.js Failed
[*] Updating hammerjs.js Failed
[*] Updating skynet.asp Failed

Restarting Firewall Service To Complete Installation

----------------the result of “/firewall” includes:
Router Model; RT-AC86U
Skynet Version; v7.2.1 (17/08/2020) (460ae9383266597dcbe0a8c9f2de29df)
iptables v1.4.15 - (eth0 @ 192.168.,,,.,,,)
ipset v6.32, protocol version: 6
IP Address; (192.168.,,,.,,,)
FW Version; 384.19_0 (Aug 14 2020) (4.1.27)
Install Dir; /tmp/mnt/extras/skynet (185.1G / 195.1G Space Available)
SWAP File; /tmp/mnt/swpfile/myswap.swp (2.0G)

++++++++++++++

--------------the result of “/jffs/scripts/firewall banmalware” is:

Downloading filter.list | [19s]
Refreshing Whitelists | [79]
Consolidating Blacklist | curl: no URL specified!
curl: try 'curl --help' for more information
[0s]

[*] List Content Error Detected - Stopping Banmalware
=============================================================================================================
[#] 0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [banmalware] [113s]

+++++++

-----------The skynet tab is present in the firewall gui menu but clicking it produces a 404 file not found error in the gui for this url: https://192.168.,,,.,,,:,,,,/user4.asp
I did not find “user4.asp” anywhere that I looked.

 

[dave14305]

I’m hoping to run skynet (thank you very much for making, and keeping, it available) because of the attraction of running a firewall on the router. I am in way above my pay grade and I would appreciate pointers and/or help. I will be happy to provide any details that would be helpful but I am leaving a lot out atm so as to be brief but somehow I have managed to foul up the install and/or cfg. The following is out of context and out of order. Uninstalling and reinstalling (after a dirty upgrade) did not help, nor did reading the faq or stfw. I did not read all 374 pages of this thread.

Seems you're not curling properly, which may be the case if you're not from Canada.

What happens if you run this curl command?
curl -fvL https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/filter.list

 

[dazedandlost]

Thank you for your reply.

# curl -fvL https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/filter.list
* Trying 151.101.112.133:443...
* Connected to raw.githubusercontent.com (151.101.112.133) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=www.github.com
* start date: May 6 00:00:00 2020 GMT
* expire date: Apr 14 12:00:00 2022 GMT
* subjectAltName: host "raw.githubusercontent.com" matched cert's "*.githubusercontent.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
> GET /Adamm00/IPSet_ASUS/master/filter.list HTTP/1.1
> Host: raw.githubusercontent.com
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 721
< Cache-Control: max-age=300
< Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
< Content-Type: text/plain; charset=utf-8
< ETag: "4c647bc0147430881511927f43ee5cb22a35a86bdc9d7e11bfd3847538509b36"
< Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< Via: 1.1 varnish (Varnish/6.0)
< X-GitHub-Request-Id: 148E:46B4:8C52B:A28A3:5F3D813C
< Accept-Ranges: bytes
< Date: Wed, 19 Aug 2020 21:26:53 GMT
< Via: 1.1 varnish
< X-Served-By: cache-hhn4046-HHN
< X-Cache: MISS, HIT
< X-Cache-Hits: 0, 2
< X-Timer: S1597872413.238414,VS0,VE0
< Vary: Authorization,Accept-Encoding
< Access-Control-Allow-Origin: *
< X-Fastly-Request-ID: 81f12edf62df2203c47738d43b8ecb9ab9c6559b
< Expires: Wed, 19 Aug 2020 21:31:53 GMT
< Source-Age: 112
<

https://iplists.firehol.org/files/alienvault_reputation.ipset

https://iplists.firehol.org/files/bds_atif.ipset

https://iplists.firehol.org/files/bi_any_2_30d.ipset

https://iplists.firehol.org/files/cybercrime.ipset

https://iplists.firehol.org/files/dyndns_ponmocup.ipset

https://iplists.firehol.org/files/et_block.netset

https://iplists.firehol.org/files/et_compromised.ipset

https://iplists.firehol.org/files/firehol_level2.netset

https://iplists.firehol.org/files/firehol_level3.netset

https://iplists.firehol.org/files/normshield_high_attack.ipset

https://iplists.firehol.org/files/normshield_high_bruteforce.ipset

https://iplists.firehol.org/files/spamhaus_edrop.netset

https://iplists.firehol.org/files/urlvir.ipset

* Connection #0 to host raw.githubusercontent.com left intact
/#

 

[dave14305]

Thank you for your reply.

Ok, so I was wrong.