Is AiProtection not working on latest 384.11 Merlin's firmware???

Does AiProtect need to be enabled in order for Skynet to block the IPs?
No, but Skynet also adds IPs from the AiProtection ban list; it's an addition, not a requirement.
 
Hi Delusion,

Thanks a lot. This actually triggered it. I now can see reports in AiProtection. I'd usually get tons of reports every day, especially the ones from IPS. I don't personally believe that my ISP's spent money to install expensive hardware/software to prevent all the attacks before they reach me. The reason I've posted this is that these last 2 days I'm being constantly accessed from a few IPs (213.227.134.165 and 188.166.88.55); they try to access the router on port 8443, which is enabled for access from WAN. I had to change the port and I still see those IPs trying to establish the connection on port 8443. The firewall keeps dropping the packets.

Regards

Teymur
You can use this guide to help with the OpenVPN Server setup.

https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/

Needs a refresh to catch up with the new firmware version. But you should be able to figure it out. Yes, close that WAN port, even if you move it to some obscure number.
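
The situation described above (repeated connection attempts to WAN port 8443 that the firewall keeps dropping) can be confirmed from the router's log by counting drops per source for that port. This is an added example, not part of the original thread; it assumes dropped-packet logging is enabled and that lines follow the usual netfilter LOG layout (SRC=, DPT= fields), and the sample lines and addresses are constructed placeholders.

```shell
#!/bin/sh
# Count firewall drops aimed at one destination port, grouped by source IP.

# Constructed, simplified sample lines in the netfilter LOG layout.
# Addresses are documentation-range placeholders, not the IPs from the thread.
sample_log() {
cat <<'EOF'
May 30 10:00:01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=8443 SYN
May 30 10:00:04 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=8443 SYN
May 30 10:02:17 kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=51820 DPT=8443 SYN
May 30 10:05:40 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40388 DPT=8443 SYN
May 30 10:06:02 kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=51822 DPT=22 SYN
May 30 10:06:30 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=192.0.2.80 LEN=60 TTL=63 PROTO=TCP SPT=50000 DPT=443 SYN
EOF
}

# drops_by_source PORT
# Reads log text on stdin and prints "count source" lines, busiest source first.
drops_by_source() {
    awk -v port="$1" '
        / DROP / {
            src = ""; dpt = ""
            # Fields are KEY=VALUE tokens; pick out source and destination port.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # Exact string match so port 8443 does not also match 18443 or 844.
            if (src != "" && dpt == port) hits[src]++
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a router, pipe the system log in instead.
sample_log | drops_by_source 8443
```

A source that keeps appearing here after the service has moved or been closed is only generating dropped packets; the count shows the filter is doing its job, not that the port is reachable.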
 
Does AiProtect need to be enabled in order for Skynet to block the IPs?
As Delusion has stated, but to expand a little, Skynet is a stand-alone piece of software. It doesn't need AIProtection to be on for Skynet to work. However, if you run AIProtection - and I run all its modules - Skynet has that option (Ban AIProtect) that allows the automatic “importing” into Skynet of the IP addresses that AIProtect blocks. A bit of intelligent learning on the part of Skynet. All going on in the background.
 
For me AiProtection is not working too, just noticed it in previous version - 384.11 (not .2)
Can you give more information as to why you believe this to be the case? Do you have skynet on your router as well?
 
I am not familiar with Skynet nor Diversion, so no, I only flashed firmware from Rmerlin and changed basic network settings that suit me; no custom blocking scripts are installed. All I can see is 0 hits for Malicious Sites Blocking, Two-Way IPS and Infected Device Prevention and Blocking - all are turned on of course. I tried to download the txt file from http://2016.eicar.org/85-0-Download.html, as mentioned on the previous page of this thread - no hits.
 
I also had 0 hits reported, downloaded (well, failed to) the file and still saw 0, but going to the Two-Way Protection Tab showed one and returning to the Network Protection tab had incremented the number of hits to 1.
 
Yes, I used to get hits for all protections before. I don't know in which version it stopped working, as I'm not checking it often. Now there are no hits for a month, maybe two.
 
I checked mine: zero hits on all protection modules since 27 May. That was when I updated my firmware from 384.9 to 384.11_2 with a full L&LD M&M router reset. And the last AIProtection email I got was back on 8 Feb, so I would have been on 384.9 then.

Anyway, that last email was a block on the domain

brokercdn.com

so I put that in the browser address bar and immediately got the Trend Micro warning from the router. I then checked my AIProtection stats and the malicious site blocking had gone from zero to 5.

So, whilst I initially thought maybe AIProtection had stopped working for me, I’m now happy it is working and suspect that Skynet and Diversion are responsible for the much lower AIProtection hit rate on my router. (But I need to fix my AIProtection email alerts, which is a separate matter.)
 
I just checked the AIProtection tab and I can now see 3 hits from today, and your link redirects me to ASUS's warning site, and the malicious site count increased to 2, so I guess it's working now. Strange though. Thanks for spending time on my "issue".
 
But I need to fix my AIProtection email alerts, which is a separate matter.
Did this ever work for you? I tried setting it up with Gmail and an app password, but it always fails according to /tmp/email.log. I ended up erasing the credentials in the PM_SMTP_AUTH* nvram variables.
 
Yes, it did, exactly as you described: with 2FA and an app password it had indeed worked, with the last email being on 8 Feb 2019. But since installing Skynet and Diversion, such emails were a rarity. I need to double check that I correctly set it up after my recent M&M router reset and report back.
 
Silly me: I had forgotten to set it up after my reset. It now works.

After inserting the Gmail credentials and Applying, I got an email confirming this was the email address and telling me to click the link in the email to return to the AIProtection page in the webui, not that there was anything further to be done there; I guess it closed the loop.

I then entered my known AIProtection dodgy-domain trigger into my browser, got the warning page from the router and then went and checked the dedicated email account. And now the email alert is up and running.

(Thanks for the prompt to get it sorted.)
 
Thanks. Upon further review I found an extra quote character in my password when I copied from my update-notification script. Working now!
 