Mister2088
Regular Contributor
Firstly, there is no such thing as 'set and forget', in my opinion, as you should periodically check the router for anything strange going on AND perhaps reboot, again, periodically.
I have been using Merlin for almost 2 years now. It has been very stable and offers a lot of flexibility. I love it. The great community has created a lot of good tools/scripts. For example, two that I use include scMerlin and Skynet.
Having said this, if you do wish to use skynet, then below is a step-wise method I used to set up skynet.
Word to the wise (@Tech9 has pointed most of these in the past, but I'll repeat anyway):
1. I use inbound and outbound blocking (although the built-in firewall should catch 99% of unsolicited inbound traffic).
Hence, IMO, the real value is outbound, to prevent an accidental connection by one of your users to a bad server. (I have had a few over time that my son inadvertently connected to via PS4)
2. You will see a lot of traffic blocked in the logs. Do NOT panic. You are not under attack, as this is normal unsolicited traffic that the firewall normally blocks. As Skynet also blocks it, it will show up in the logs. I tend to concentrate on Outbound, per point #1 above.
3. Some say skynet is overkill. Perhaps it is. I use it because it does not hurt router performance, and if it blocks even one malicious server, then it is worth using. YMMV.
4. The number of false-positives depends on the public IP blacklist(s) you use. So you will still need to check your logs periodically. One good thing is there are published steps on how to add a false-positive as a whitelist entry (see steps 8 b and c below).
5. There are many public blacklists out there. Some good, some bad. My strategy is to use lists that are always maintained by the source and have low false-positives. (see steps 8d below if you plan to use your own).
So far, I have seen very few F-P's over the past 2 years of use. Here are the ones I use. YMMV:
Pre-Steps:
Buy and Format (on laptop) a quality 32GB USB Stick OR an enclosed SSD.
Temporarily enable SSH with a non-default ssh port like 51111
Click USB Mode option to use 'USB 2.0' (3.0 may cause 2.4G wifi interference)
Reboot Router (does so automatically)
Core Steps:
Login via ssh port 51111 (via an app like putty)
1. Insert 32GB USB stick into the router
2. Via the ssh session: run “amtm”. Check for any script updates via 'u' command
3. format the USB stick using the 'fd' command.
Take its recommendations:
1 partition + ext4 with journaling and make sure to label the drive to something like 'SKYNETUSB'
After format has completed, the router will reboot.
4. Go back into ssh port 51111 and run 'amtm' again.
5. Install Disk Check Script ('dc')
6. Install Skynet via amtm Option 2.
6A. Follow Prompts and select Suggested defaults (including to filter all traffic (inbound and outbound), weekly BAN list updates).
Except: Disable weekly Skynet SW auto updates (manually do yourself as needed - as there has been the occasional bad release)
Select Swap Size: 1 GB. (Swap is rarely used with skynet and is almost always 0. Hence, 1 GB is plenty). However, if you are also using Diversion, then go with 2 GB Swap. This takes about 10 mins.
7. After Swap is created, Skynet will indicate it has been installed.
8. Open Skynet then after 2-3 mins (needs to settle), Modify configurations, per below:
Some configuration options you may wish to consider changing:
a. Import AiProtector lists (if you use AiProtector then keep as-is, disable otherwise)
b. Manually add WhiteListed IPs (if you have any that you always wish to allow)
c. Manually add Whitelisted Domains (if you have any that you always wish to allow)
d. I recommend using your own list. You can do this via creating a list in github. You can use my list to start with (but I may change from time to time).
How to use a custom list:
Go to Skynet Option 3 (Malware Ban List), then Option 2 (Change Filter List)
Paste your list: the list should look something like: https://raw.githubusercontent.com/<your github id>/<yourprojectname>/filter.list
Final steps:
9. Debug Option 2 to Ensure all tests passed and Skynet is running
10. Log into GUI, disable SSH (unless you really need it on - I only turn on when needed)
11. Reboot Router
12. It is recommended to also Power Cycle for 5 mins
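Points 2 and 4 above recommend checking the logs periodically and concentrating on outbound blocks to spot false positives worth whitelisting. The following POSIX/busybox-compatible script is an added example (not from the post or from the Skynet project): it summarises only the outbound blocks by LAN source, blocked destination and port, most frequent first. The log line layout (a `[BLOCKED - OUTBOUND]` / `[BLOCKED - INBOUND]` prefix followed by netfilter `SRC=`/`DST=`/`DPT=` fields) is an assumption, and the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of Skynet-style syslog lines (field layout assumed, not copied from the post).
# Addresses are documentation ranges (RFC 5737), not real servers.
SAMPLE_LOG='Jan 10 10:01:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP DPT=443
Jan 10 10:01:05 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.1 PROTO=TCP DPT=22
Jan 10 10:02:10 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP DPT=443
Jan 10 10:03:30 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.77 PROTO=UDP DPT=3074
Jan 10 10:04:00 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.10 DST=192.168.1.1 PROTO=TCP DPT=445'

# outbound_summary [logfile]
# Reads a log file (or stdin when no argument is given), keeps only outbound
# blocks, and prints "<count> <lan-src> <blocked-dst> <dst-port>" sorted by
# count, highest first. A repeated LAN host -> destination pair is the
# candidate to investigate and, if legitimate, whitelist via Skynet 8b/8c.
outbound_summary() {
    awk '/\[BLOCKED - OUTBOUND\]/ {
        src = ""; dst = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            else if ($i ~ /^DST=/) dst = substr($i, 5);
            else if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        count[src " " dst " " dpt]++
    }
    END { for (k in count) print count[k], k }' "$@" | sort -rn
}

# Stand-alone run on the constructed sample; on the router you would pass
# the real syslog path instead, e.g. outbound_summary /tmp/syslog.log
printf '%s\n' "$SAMPLE_LOG" | outbound_summary
```
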