Skynet What are some good current block lists? - Skynet

[Skeptical.me]

Crazy... I don't remember saying half of these things. Must have had one too many to drink last night!

I'm also a 100% Nord user, BTW.

Lucky you.

 

[SomeWhereOverTheRainBow]

Lucky you.

I don't think luck had anything to do with it.... see meme for the deets.

 

[Jack-Sparr0w]

SomeWhereOverTheRainBow​

What is the list for the countries you block, I've been using your malware list for some years now and its been awesome.

 

[Ubimo]

Ayee!!, but this is truely the biggest one...

https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/myfilter.list

which is a combination of that entire filter list all aggregated, so there is a better use of ranges!

View attachment 54447

Do you recommend using the list you mentionioned above, instead of this? https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list

Edit:
When I use the "myfilter.list", my music-stream won't load (torontocast.com).
Whitelisting this domain does not help.

 

[SomeWhereOverTheRainBow]

Do you recommend using the list you mentionioned above, instead of this? https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list

Edit:
When I use the "myfilter.list", my music-stream won't load (torontocast.com).
Whitelisting this domain does not help.

drill torontocast.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 39039
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; torontocast.com.     IN      A

;; ANSWER SECTION:
torontocast.com.        1200    IN      A       172.67.134.140
torontocast.com.        1200    IN      A       104.21.6.61

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 5 msec
;; SERVER: ::1
;; WHEN: Mon Dec  4 01:52:05 2023
;; MSG SIZE  rcvd: 65

getent ahosts torontocast.com | awk '{if(!x[$1]++)print $1}'
2606:4700:3036::6815:63d
2606:4700:3031::ac43:868c
172.67.134.140
104.21.6.61

try:
### Whitelist for Cloudflare

firewall whitelist asn AS11670; firewall whitelist asn AS13335

My other suggestion would be to make sure you have CDN-Whitelisting turned on which should cover these same content delivery networks.

firewall settings cdnwhitelist enable

What other router services do you use? do you also use unbound?

 

[Ubimo]

@SomeWhereOverTheRainBow
Thank you for your suggestions, but none worked for me.
I'm listening to https://kathy.torontocast.com:1915/stream and this does not work with your "myfilter.list".
I enabled logging in Skynet and saw that an IP was blocked. I whitelisted the IP, now this stream is working again with your "myfilter.list".
Thanks again for your work!

Do you recommend to whitelist Cloudflare or general CDN-Whitelisting?

Edit: I just saw, that CDN-Whitelisting is enabled by default in Skynet.

 

[Jack-Sparr0w]

Does blocking country code UA effect this list

(https://iplists.firehol.org/files/blocklist_net_ua.ipset)

I tried to access website after with no avail. just wondering if router can use blocklist after country was blocked

 

[Viktor Jaep]

Does blocking country code UA effect this list

(https://iplists.firehol.org/files/blocklist_net_ua.ipset)

I tried to access website after with no avail. just wondering if router can use blocklist after country was blocked

I'm sure it would... Skynet gets its country IP block sets from some source, and I'm sure there's a pretty solid overlap with the IPSET blocklist that firehol generates.

 

[Jack-Sparr0w]

I noticed you block UA to, ever since the war I have been scared to unblock it. would it be advisable to unblock address for use of that list.

 

[Viktor Jaep]

I noticed you block UA to, ever since the war I have been scared to unblock it. would it be advisable to unblock address for use of that list.

I wouldn't unblock it just yet if you're worried about geopolitical cyber attacks stemming from this conflict. The other thing you want to consider is, whether or not you have any legitimate business needs that would require connections to servers in this country, or if you need to reach any services that are located there. If you don't, then it makes sense to just block it.

 

[Tomo]

Hi guys, can you recommend a basic list for Skynet that doesn't have problems with Roblox? I use the standard one with various country blocks but cyclically there are some Roblox servers that are blocked and i have to log in to add them to the white list, do you have any advice on this?

 

[Kingp1n]

Hi guys, can you recommend a basic list for Skynet that doesn't have problems with Roblox? I use the standard one with various country blocks but cyclically there are some Roblox servers that are blocked and i have to log in to add them to the white list, do you have any advice on this?

These helped me before with Diversion...might help with Skynet as well:


Post in thread 'Is default firewall good enough?' https://www.snbforums.com/threads/is-default-firewall-good-enough.76648/post-808572

 

[Tomo]

These helped me before with Diversion...might help with Skynet as well:


Post in thread 'Is default firewall good enough?' https://www.snbforums.com/threads/is-default-firewall-good-enough.76648/post-808572

i'll try them this weekend !!
Thank you.

 

[jorgsmash]

Ayee!!, but this is truely the biggest one...

https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/myfilter.list

which is a combination of that entire filter list all aggregated, so there is a better use of ranges!

View attachment 54447

I'm trying to figure out the best lists to use to protect against outbound connections, say, if a computer/phone/IoT device on my network gets infected with malware or tries to reach out to something nasty. I'm pretty comfortable whitelisting IPs when things break, as I've had to go combing through the logs before to find IPs that are being blocked for something I need to access. The only struggle I have is bouncing between Skynet and AGH. I'm running AGH with a pretty large list, but that's just for domain resolution so not really doing the same as these "bad" IP block lists.

It looks like I had previously been set up to use https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list - which yielded

"364412 IPs (+0) -- 76785 Ranges Banned (+0) || 31079 Inbound -- 3757 Outbound Connections Blocked!"

Based on this thread I just switched to https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/myfilter.list - which yielded

"299411 IPs (+0) -- 109702 Ranges Banned (+0) || 31110 Inbound -- 3793 Outbound Connections Blocked!"

So. fewer IPs blocked, but more ranges blocked. Which would be preferred?

I also don't believe I was utilizing any country code blocking previously, so I ran a code snippet from here which added +57k to the "ranges banned"

I have also tried my hand at investigating the outbound connections blocked to try and see A) which device is reaching out to something being blocked and B) if it's cause for concern. Most of what I've found has been Netflix or Azure IPs in different countries, and a lot of the devices are smart TVs or IoT stuff, but still. I haven't had much luck in really nailing down why I have so many outbound blocks and if it's due to something bad. I have only used the "stats" feature when logged into the router via ssh.

I'm also a bit confused (feel like a noob) about the difference between the menu selections for "Malware Blacklist", "Import IP List", and "Deport IP List" As far as I can tell, the "Malware Blacklist" is the main list, which can only take one URL, not multiple, so it needs to be robust. But what do the Import and Deport options do?

 

[saison2023]

I'm also a bit confused (feel like a noob) about the difference between the menu selections for "Malware Blacklist", "Import IP List", and "Deport IP List" As far as I can tell, the "Malware Blacklist" is the main list, which can only take one URL, not multiple, so it needs to be robust. But what do the Import and Deport options do?

Happy to see that I am not the only to wonder.
I searched but was not able to find.

 

[Viktor Jaep]

So. fewer IPs blocked, but more ranges blocked. Which would be preferred?

The list with more ranges would be preferred. Understand that one single range may include 254 IP addresses, or even thousands or tens of thousands of IPs.

I have also tried my hand at investigating the outbound connections blocked to try and see A) which device is reaching out to something being blocked and B) if it's cause for concern. Most of what I've found has been Netflix or Azure IPs in different countries, and a lot of the devices are smart TVs or IoT stuff, but still. I haven't had much luck in really nailing down why I have so many outbound blocks and if it's due to something bad. I have only used the "stats" feature when logged into the router via ssh.

You can go under Stats (13) -> Search (2) -> Search Malware lists for IP (3) -> <insert IP in question> -> Top10 results (1) -> and it will show you exactly which malware list caused the block:

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Malware Blacklist
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]: 13

Select Stat Option:
[1]  --> Display
[2]  --> Search
[3]  --> Remove
[4]  --> Reset

[1-4]: 2

Search Options:
[1]  --> Based On Port x
[2]  --> Entries From Specific IP
[3]  --> Search Malwarelists For IP
[4]  --> Search Manualbans
[5]  --> Search For Outbound Entries From Local Device
[6]  --> Hourly Reports
[7]  --> Invalid Packets
[8]  --> Active Connections
[9]  --> IOT Packets

[1-9]: 3

[IP]: 35.203.211.9

Show Top x Results:
[1]  --> 10
[2]  --> 20
[3]  --> 50
[4]  --> Custom

[1-4]: 1

[$] /jffs/scripts/firewall stats search malware 35.203.211.9 10


=============================================================================================================


[i] Logging Data Detected in /tmp/mnt/ASUS-SSD/skynet/skynet.log - 6.1M
[i] Monitoring From May 7 21:00:03 To May 9 15:17:20
[i] 24897 Block Events Detected
[i] 4091 Unique IPs
[i] 0 Manual Bans Issued


=============================================================================================================


Exact Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------

35.203.211.9         | https://iplists.firehol.org/files/ciarmy.ipset


Possible CIDR Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------



=============================================================================================================


[#] 219919 IPs (+0) -- 70130 Ranges Banned (+0) || 12263 Inbound -- 4432 Outbound Connections Blocked! [stats] [62s]

I'm also a bit confused (feel like a noob) about the difference between the menu selections for "Malware Blacklist", "Import IP List", and "Deport IP List" As far as I can tell, the "Malware Blacklist" is the main list, which can only take one URL, not multiple, so it needs to be robust. But what do the Import and Deport options do?

The malware blacklist URL points to a hosted .txt file that contains multiple blacklist URLs, all contained within this file... like look at the contents of: https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list

If you want to import your own set of IP addresses to either a blacklist or whitelist, you can do that with the "Import IP List" function. It needs to be a text file with a single column of straight IPv4 IP addresses.

"Deport IP list" basically just exports the contents of either your blacklist or whitelist so you can edit/manage. Again, it exports a list of IPv4 IP addresses into a file.

Hope this helps!

 

[SomeWhereOverTheRainBow]

The malware blacklist URL points to a hosted .txt file that contains multiple blacklist URLs, all contained within this file... like look at the contents of: https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list

If you want to import your own set of IP addresses to either a blacklist or whitelist, you can do that with the "Import IP List" function. It needs to be a text file with a single column of straight IPv4 IP addresses.

"Deport IP list" basically just exports the contents of either your blacklist or whitelist so you can edit/manage. Again, it exports a list of IPv4 IP addresses into a file.

Hope this helps!

I concur, I would also caution on which list you choose. Make sure you choose what is best optimized for your use case. Also, consider how incorporation of such list impacts your routers overall network performance.

 

[jorgsmash]

The list with more ranges would be preferred. Understand that a one single range may include 254 IP addresses, or even thousands or tens of thousands of IPs.

You can go under Stats (13) -> Search (2) -> Search Malware lists for IP (3) -> <insert IP in question> -> Top10 results (1) -> and it will show you exactly which malware list caused the block:

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Malware Blacklist
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]: 13

Select Stat Option:
[1]  --> Display
[2]  --> Search
[3]  --> Remove
[4]  --> Reset

[1-4]: 2

Search Options:
[1]  --> Based On Port x
[2]  --> Entries From Specific IP
[3]  --> Search Malwarelists For IP
[4]  --> Search Manualbans
[5]  --> Search For Outbound Entries From Local Device
[6]  --> Hourly Reports
[7]  --> Invalid Packets
[8]  --> Active Connections
[9]  --> IOT Packets

[1-9]: 3

[IP]: 35.203.211.9

Show Top x Results:
[1]  --> 10
[2]  --> 20
[3]  --> 50
[4]  --> Custom

[1-4]: 1

[$] /jffs/scripts/firewall stats search malware 35.203.211.9 10


=============================================================================================================


[i] Logging Data Detected in /tmp/mnt/ASUS-SSD/skynet/skynet.log - 6.1M
[i] Monitoring From May 7 21:00:03 To May 9 15:17:20
[i] 24897 Block Events Detected
[i] 4091 Unique IPs
[i] 0 Manual Bans Issued


=============================================================================================================


Exact Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------

35.203.211.9         | https://iplists.firehol.org/files/ciarmy.ipset


Possible CIDR Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------



=============================================================================================================


[#] 219919 IPs (+0) -- 70130 Ranges Banned (+0) || 12263 Inbound -- 4432 Outbound Connections Blocked! [stats] [62s]

The malware blacklist URL points to a hosted .txt file that contains multiple blacklist URLs, all contained within this file... like look at the contents of: https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list

If you want to import your own set of IP addresses to either a blacklist or whitelist, you can do that with the "Import IP List" function. It needs to be a text file with a single column of straight IPv4 IP addresses.

"Deport IP list" basically just exports the contents of either your blacklist or whitelist so you can edit/manage. Again, it exports a list of IPv4 IP addresses into a file.

Hope this helps!

Thanks! I think that pretty much covers my questions. I'll play around with it some more!

 

[JuanGF]

Let me change the question: what are some good current allow lists?

In my case I would like to whitelist all TOR exit nodes in my firewall, there are well mantained ones like https://www.dan.me.uk/torlist/?exit but I don't think I can use a list to allow in Skynet, can I?

 

[SomeWhereOverTheRainBow]

Here you go.

https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst

You can using the

[5] --> Import IP List

Option.